By Akhil Mahesh, National University of Advanced Legal Studies, Kochi
“Editor’s Note: The internet has revolutionised the way we think today and brought the world one click away. However, every boon comes with a side-effect. Breach of privacy on the internet is a common occurrence and has legal implications. There are a number of international legislations, including EU Directives, as well as domestic laws of countries. In India, the Constitution accords the right to privacy of every individual, and internet privacy is protected by the Information Technology Act, 2000. This paper analyses laws relating to the right to privacy on the internet.”
Just as the 17th and 18th centuries are referred to as the Age of Enlightenment, today’s time can rightfully be referred to as the Age of Technology. The past decade or so has witnessed a boom in information technology as well as internet related technology which has completely redefined society and our way of life. From its humble beginnings, the internet has come a long way with even entire businesses being set up online to meet the needs of the modern day consumer. While this incremental development in the field of technology is definitely a boon for humankind, it can also be misused, which means that one’s personal data and privacy are under constant threat in cyberspace. Computers have become indispensable to us in all aspects of life and there is a prevailing misconception that the internet is an anonymous world and that any and all information posted by an individual online remains private. But this is a massive fallacy. Information posted online can be accessed through a myriad of data collection services and other techniques that, more often than not, operate without the knowledge or consent of the user. Hence, the concerns pertaining to breach of individual privacy on the internet are well founded and are of paramount importance.
In 2012, the United Nations Human Rights Council affirmed that freedom of expression on the internet is a basic human right, which implies that the rights of an individual existing offline must also be protected online. Here in India, the right to privacy is a fundamental right under Article 21 of our Constitution and therefore, one’s privacy in cyberspace also must be safeguarded, as in the case of privacy in the general sense.
The world’s population exceeds 6.8 billion and according to the UN telecommunication agency, nearly a third of this number is a regular user of the internet. The internet has proved time and time again to be a perfect setting for advertising and marketing which in turn has significant effects on the privacy of users. Thus there is a growing need to have a well-defined law to regulate the activities in cyberspace. Individual privacy can be infringed upon in many ways on the internet through cookies, spyware, malware, web bugs and even by seemingly innocuous activities like browsing via a search engine. Privacy can be defined in various ways. It is a notion that differs from person to person. The simplest way to explain it would be as the right to have one’s personal information safeguarded from the prying eyes of governments and other organisations seeking to use such personal information for trade, profit or any other reason, without the consent of the individual, except in extremely extenuating circumstances as laid down by law. In India, the right to privacy has not been expressly mentioned as a fundamental right but it has been carved out by the Supreme Court through an interpretation of right to life under Article 21 of the Constitution.
Interest in the right to privacy in the virtual world began developing in the 1960s due to the fact that technology was developing in leaps and bounds. It was realized that technology in general and computers specifically have a rather vast potential for surveillance and this necessitated a system of governance for the collection and handling of personal information. The birth of modern legislation in this field has been traced back to the first data protection law in the world enacted in the Land of Hesse in Germany in 1970 and was subsequently followed by national laws in Sweden (1973), the United States (1974), Germany (1977), and France (1978).[i]
Two international developments of utmost importance evolved from these legislations. The Council of Europe’s (COE) 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data and the Organization for Economic Cooperation and Development’s (OECD) Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data[ii] articulate specific rules covering the handling of electronic data. These two documents form the crux of the data protection laws of many countries in the world today. Over eighteen countries have adopted the COE convention and another six have signed it but have not formally adopted it and made it a law. In addition, the OECD guidelines have been widely used as a basis for legislation, even outside OECD nations.
The degree of protection afforded to data and personal information in various declarations and laws shows quite a bit of variation. That said, the basic standards that all the laws and declarations require are that all information obtained must be:
- used only for the originally specified purpose;
- relevant and not excessive to purpose;
- accurate and up to date;
- accessible to the subject;
- kept secure; and
- destroyed after it is utilized.
Reasons for Adopting Comprehensive Laws
The three principal reasons for the development of laws related to protecting data privacy are as follows:
- To remedy past injustices. Countries, specifically ones in Central Europe, South America and South Africa, have been rapidly evolving laws to remedy violations of privacy that occurred under the previously existing authoritarian and totalitarian regimes.
- To promote the growth of electronic commerce. Countries, especially those in Asia and North America, have realized that it is in their interests that the development of electronic trade and commerce is promoted and continued. Consumers are wary of disclosing personal information and of it being broadcast throughout cyberspace. The setting up of uniform rules with respect to electronic commerce is intended to simplify as well as to secure the process for the ease of consumers.
- So as to conform to the norms predominant in Europe, countries in Central and Eastern Europe have been adopting laws based on the Council of Europe Convention and the European Union Data Protection Directive. This is happening as a result of these countries’ desire to join the European Union in the near future. Countries in other regions too are adopting new laws so as to ensure the continuity of trade without being affected by the regulations imposed by the E.U. Directives.
EU Directive 95/46/EC[iii]
The European Union put into effect Directive 95/46/EC in 1995, whose sole aim was to consolidate and maintain the privacy of the member nations of the EU. The requirements necessitated by this directive were that data must be collected for explicitly legitimate purposes, and only maintained during the operation of that purpose. As soon as the data has been utilized, either all information about the user supplying it must be removed, or the data must be deleted in its entirety. Inaccurate or outdated data was also liable to be corrected, updated or removed completely.
Article 7[iv] restricted the methodology of data collection that could be employed. Express consent of the individual was made an essential prerequisite for any method of data collection, though there was an exception made if the data collected was in the larger interests of the public[v]. Member states and collecting parties must inform the subject about the collectors of data, the receivers of the data and the use to which the data will be put along with the amount of information required to be supplied.
Article 13[vi] lays the foundation for what has now become routine. Article 13 says a member state may adopt measures to waive the rights in the interests of national or public security. This eventually gave way to Directive 2006/58/EC.
EU Directive 2002/58/EC[vii]
This Directive was passed as a result of the United States passing the USA PATRIOT Act in the wake of the World Trade Centre attacks of September 2001. This was a directive focussing on privacy and electronic communications and designed to supplement and expand the 1995 directive, and lay more scrutiny on internet related activities. The internet was quite new at the time and hence the measures in this directive are not entirely comprehensive in nature.
This directive extended the same primary measures of protection from the data protection act to the internet as well as other modes of electronic communications. These included e-mail, cell phone calls, and any other internet traffic.
When data is sent from person to person, it rests with the network until the receiver views and accepts the data. Article 6[viii] lays down that all data must be erased as soon as it has been transmitted and is hence unnecessary. Data is only allowed to be stored for a longer period for the purpose of billing or if it is absolutely essential from a marketing perspective, but only the information about the data can be preserved, not the data itself.
The same exemptions apply from Article 13[ix] of 95/46/EC. Data is allowed to be retained for the protection of national security but no methodology of doing so has been specified, leaving it up to the discretion of the member states[x].
EU Directive 2006/24/EC – Data Retention Directive[xi]
Up until this point in time the internet was largely unregulated and could be exploited to devastating effects as was seen in the attacks in Madrid, Spain and London, England. In the aftermath of these attacks, it was claimed by the authorities in the respective countries that stored personal details played a rather vital role in the apprehension of the perpetrators. Directive 2006/24/EC, the Data Retention Directive, was passed within two months of these dastardly attacks, and it overturned a number of the provisions stated in the 1995 and 2002 directives.
This directive was passed with the objective of expanding the capabilities of law enforcement agencies. As a result of the provisions of the 2002 directive, information could only be collected once an investigation commenced, which meant that there existed no data trail for the various law enforcement agencies to track down. This directive sought to remedy this situation.
Telecommunications companies were mandated to store all information related to the data they were transmitting for a period between six months and two years[xii]. As per the 1995 directive, corporations were permitted to only retain the information regarding the data processed by them and not the actual data itself. For instance, in the case of e-mail, the sender’s IP address and the recipient’s IP address; for telephone calls or faxes, the telephone numbers that were involved were to be retained and not a log of the actual communication that occurred. A log of the dates and times of the commencement and cessation of the communications also had to be maintained. For email, this corresponded to recording the login and logout times of the users involved[xiii].
The member states had until March, 2009 to enforce this directive within their territory or face the problem of being unable to exchange data with other nations who had enforced it. The only member states where this directive hasn’t yet been enacted are Austria, Ireland, Poland, Sweden and Greece. It has been partially implemented in the United Kingdom and Luxembourg, but has not been fully enacted yet.
Legal Scenarios Across The World
Russia
The rights to privacy, data protection and secrecy of communication are recognised by Articles 23, 24 and 25 of the Constitution of the Russian Federation[xiv]. In addition to this, provisions protecting privacy also exist in the Civil Code[xv] and Criminal Code[xvi]. A significant legislation on the subject was enacted in 1995[xvii]. This piece of legislation encompasses the government as well as the private sector and lays down licensing norms for the handling and processing of personal data by the private sector. Using personal information to “inflict economic or moral damage on citizens” is prohibited by this law, as is the use of information about one’s social status, race, nationality, linguistic capacity, religious outlook or political affiliation. Citizens possess the inherent right to access any and all documents pertaining to them so as to correct or supplement them.
Efforts are being made to update the laws regarding data protection to make them compliant with the norms laid down by the Council of Europe’s Convention and the E.U. Directive.
The right to secrecy of communications has been protected in the 1995 Communications Act. Tapping of telephone conversations, interception and scrutiny of electronic communications, delay, inspection and confiscation of post and correspondence, receipt of information therein, and other limitations of communications secrets are allowed only on the basis of a court decision[xviii]. Previously, the security services were in the habit of conducting illegal wiretaps of politicians throughout Russia. In June 1998, it was revealed that the Federal Security Service was framing legislation known as SORM-2 (Systems for Ensuring Investigative Activity) that would require Internet Service Providers to install surveillance devices and high speed links to the Federal Security Service in their systems, which would entail direct police access to the communications of their users without a warrant[xix]. In summer 1999, this hadn’t yet been passed but the Russian secret services exerted incessant pressure on service providers to install the surveillance devices or face termination of licenses. The one service provider that defied the directive was promptly shut down[xx].
Switzerland
The secrecy and privacy of communications has been protected by Article 36(4) of the Constitution[xxi]. The Federal Act of Data Protection of 1992 regulates the handling and utilization of personal information in the possession of both government and private bodies[xxii]. The Act sets standards for the fair collection of data and limits its use as well as disclosure to third parties. Unregistered private firms are not permitted to process sensitive information or be involved in the transfer of data to third parties. Transfer of information to other nations must be registered and the recipient nation must have enacted equivalent laws. Citizens have the right to correct information pertaining to them that is found to be incorrect, and all federal databases must necessarily be registered. Criminal penalties have been listed out for any infringement. There are also separate data protection acts for the Cantons (states). In June 1999, the E.U. Data Protection Working Party, after an in-depth analysis, declared that Swiss law was adequate under the E.U. Directive[xxiii].
The Act created a Federal Data Protection Commission to maintain and publish the Register for Data Files, supervise federal and private bodies, issue recommendations and reports, and conduct investigations. The commissioner works in tandem with the private sector, consulting with them on a wide variety of topics.
Telephone tapping is regulated by the Penal Code and Penal Procedure Code and requires a court order for every wiretap.
France
The right to privacy has not been explicitly protected in the French Constitution of 1958, but a Constitutional Court held in 1994 that the right of privacy was implicit in the Constitution.
The Data Protection Act was enacted in 1978 and relates to personal data in the possession of government agencies as well as private entities[xxvi]. Compulsory registration is the norm for anyone wishing to process or obtain personal data, be it for public purposes or medical research. Informed consent is a requisite before the collection of any data can commence so that individuals have a chance to raise objections. Fines, as well as imprisonment may be imposed for violators of these laws. The law is in the process of amendment so as to make it conform with the E.U. Directive.
The Commission Nationale de L’informatique et des Libertes (CNIL) is an independent agency which possesses the authority to enforce the Data Protection Act alongside other relevant legal provisions[xxvii]. The Commission has been tasked with taking complaints, issuing rulings, laying down guidelines, conducting audits and issuing reports.
Electronic surveillance is regulated by a 1991 law which states that the express permission of the investigating judge is required before a wiretap can be installed. It also states that the duration of the wiretap is four months but it can be renewed[xxviii]. The law created the Commission National de Control des Interceptions de Securite (CNCIS), which regulates the wiretaps by conducting annual reviews.
The European Court of Human Rights’ 1990 decision in Kruslin v. France resulted in the enactment of the 1991 law[xxix]. In the recent past, France was fined 25,000 francs for violation of protocol with respect to wiretapping. The CNCIS had estimated the existence of over 100,000 illegal taps conducted by private companies and individuals alike in 1996, most of which were to fulfil the needs of government organizations.
The tort of privacy was first recognized in France as far back as 1858, and was then added to its Civil Code in 1970[xxx]. In addition to this, there are laws regarding the various other aspects of privacy which have been incorporated in the Penal Code[xxxi].
Germany
Article 10 of the Basic Law protects the secrecy of communications. After the reunification process, attempts to amend the Basic Law so as to include a right to data protection were discussed but were successfully opposed. In 1983, the Federal Constitutional Court, in a matter involving a government census law, officially acknowledged an individual’s “right of informational self-determination” which has to be limited by the “predominant public interest.” The verdict said that,
“Who cannot certainly overlook which information related to him or her is known to certain segments of his social environment, and who is not able to assess to a certain degree the knowledge of his potential communication partners, can be essentially hindered in his capability to plan and to decide. The right of informational self-determination stands against a societal order and its underlying legal order in which citizens could not know any longer who what and when in what situations knows about them.”
This landmark court decision also stated that the “right of informational self-determination” arose directly from Article 2 of the German Constitution that declares protective personal rights.
The first law relating to data protection in the world was passed in Germany in the Land of Hessen in 1970. This was followed by the Federal Data Protection Law in 1977 which was subsequently reviewed in 1990[xxxii]. The aim of this enactment was “to protect the individual against violations of his personal right by handling person related data.” The law’s ambit covers collection, processing and utilization of personal information by the authorities, as long as there is no regulation by the state, and of non-public offices, as long as the data is processed and used for commercial or professional aims within its ambit. The German government is in the process of amending the law so as to be consistent with the E.U. Directive.
The Federal Data Protection Commission has the authority to ensure compliance with the norms of the Data Protection Act[xxxiii]. There are also commissions in each of the Landers that enforce the respective Lander data protection acts.
Every wiretap must essentially have a legal order mandating it, especially in criminal matters. In 1999, the Court issued a verdict on a 1994 law which authorized warrantless wiretaps of international communications by the intelligence service (BND) to prevent terrorism and the illegal trade in drugs and weapons[xxxiv]. It was held that the procedure in question did indeed violate the privacy rights protected by the Basic Law but that the surveillance and screening could continue as long as the information was not passed on to the local authorities. It has also been reported that the BND had at one time, 1,400 agents monitoring satellite communications[xxxv].
After a prolonged debate that lasted over five years, the German Parliament, by a two-thirds majority, ratified a change to Section 13 of the Constitution in April 1998 which made it legal for the authorities to conduct electronic surveillance even inside private homes with a court order. The change effected was the provision for the “Law for the enhancement of the fight against organized crime,” which came into force on May 9, 1998.
China
Rights to privacy do exist in the Chinese Constitution but are extremely limited and are liable to be infringed in the interests of state security[xxxvi]. China lacks a specific data protection law and as a result the government has a free rein to interfere with the citizen’s privacy. The nation also has a history of meticulously monitoring its citizens and their activities. According to expert W.J.F. Jenner,
“Chinese states by the fourth century BC at latest were often remarkably successful in keeping records of their whole populations so that they could be taxed and conscripted. The state had the surname, personal name, age and home place of every subject and was also able to ensure that nobody could move far from home without proper authorization.”[xxxvii]
The rising number of users of the internet led to a severe crackdown by the Chinese officials through various legal restrictions. China has, with the technical expertise of a few American corporations like Bay Networks, developed a “Great Firewall” which restricts online traffic to the Internet outside China to only three gateways[xxxviii]. This firewall also restricts access to western news websites such as BBC, New York Times and the Voice of America, along with popular search engine Google as well as social networking sites such as Facebook and Twitter. In February 1999, the government announced the creation of the State Information Security Appraisal and Identification Management Committee which, according to the official Xinhua state news agency, would be responsible for the protection of confidential files on the internet that are of governmental interest or commercial value, and for defining the rights and responsibilities of users. The move was supposedly intended to guard both individual and government users, while protecting vital information and keeping it from unauthorized use.
Under Article 7 of the Computer Information Network and Internet Security, Protection and Management Regulations “the freedom and privacy of network users is protected by law. No unit or individual may, in violation of these regulations, use the Internet to violate the freedom and privacy of network users[xxxix].” Article 8 states:
“Units and individuals engaged in Internet business must accept the security supervision, inspection, and guidance of the public security organization. This includes providing to the public security organization information, materials and digital document, and assisting the public security organization to discover and properly handle incidents involving law violations and criminal activities involving computer information networks.”[xl]
Articles 10 and 13 stipulate that every user of the internet must have a registered account with the public security organization and these accounts are strictly non-transferable. Sections 285 to 287 of the Criminal Code prohibit intrusions into computer systems and punish violations of the same.
Secrecy of communications has been named in the constitution but is put into little practice. In reality, telephone conversations, faxes, electronic mail, and Internet communications of foreigners, businessmen, diplomats, and journalists, as well as Chinese troublemakers, activists, and others are routinely monitored[xli]. In a rather high profile instance, the then UK Prime Minister Tony Blair put it on record that he would never want to visit Beijing again as he was extremely upset with the wiretapping and surveillance of his rooms during his state visit to China in 1998[xlii].
The United Kingdom
The United Kingdom (UK) does not follow a written constitution. In 1998, the Parliament ratified the Human Rights Act that incorporated the European Convention of Human Rights into domestic law, a process that served to establish an enforceable right of privacy[xliii].
The Data Protection Act (1998) was ratified by the Parliament in July 1998[xliv]. This Act amended the earlier 1984 Data Protection Act[xlv] so as to conform to the norms of the European Union’s Data Protection Directive. The Act relates to records held by government agencies as well as private entities. It provides limitations on the use of personal information, access to records and requires that organizations that maintain records are registered with the Data Protection Commissioner. The Office of the Data Protection Commissioner is an independent agency that has the authority to enforce the provisos of the Act[xlvi].
The privacy picture in the UK is in a quagmire[xlvii]. In some areas there exists a rather strong public recognition and protection of the right to privacy. For instance, proposals to establish a national identification card have routinely ended prematurely. On the other hand, crime and public order laws passed in recent years placed considerable restrictions on numerous rights, including freedom of assembly, privacy, freedom of movement, right of silence and freedom of speech[xlviii]. There has been a proliferation of Closed Circuit Television (CCTV) cameras within Britain. This network of cameras is partly funded by the government and can be accessed by the police, local authorities or some select private organizations.
The Interception of Communications Act of 1985 is a piece of legislation that places a limitation on the surveillance of telecommunications. Telephone taps can only be obtained by the police after obtaining a signed warrant from the Home Secretary. Wiretaps required in the interests of national security and wellbeing can be authorized only by the Foreign Minister. In June 1999, the Home Office issued a Consultation Paper on wiretapping which proposed numerous changes to the existing law, including requiring Internet Service Providers to facilitate wiretappings, lengthening the times for taps to three months and authorizing the use of roving wiretaps[xlix].
In 1985, the European Court of Human Rights ruled that police interception of individuals’ communications was a violation of Article 8 of the European Convention on Human Rights[l]. The decision resulted in the adoption of the Interception of Communications Act 1985 to limit the use of surveillance methodology. The European Court of Human Rights ruled in 1997 that police eavesdropping of a policewoman violated Article 8[li]. In September 1998, it was revealed that there were meetings between the Association of Chief Police Officers (ACPO) and representatives of Internet Service Providers (ISPs) with the sole aim of reaching a “memorandum of understanding” to give the police access to personal information of the citizens in possession of the ISPs[lii].
In late 1997, a report of the European Parliament, prepared by the UK based research group Omega Foundation, confirmed that Britain was a key contributor to a massive global intelligence operation controlled by the U.S. National Security Agency (NSA)[liii]. The report stated that the U.S. and the UK were involved in the routine interception of massive amounts of sensitive data through a process of keyword scanning. This operation was carried out from a number of secret locations within the UK, one of which was the Menwith Hill base in northern England. This report led to widespread debates throughout the continent of Europe, and in September 1998, the European Parliament, during its session in Strasbourg, took the unprecedented step of openly discussing the venture. This led to a “compromise resolution” being framed which called for greater accountability and certain “protective measures” over such intelligence gathering[liv].
The United States of America
America, as a nation, has a history of protecting the privacy of its citizens from each other as well as the government itself. Tort law in America covers defamation of character, and the Fourth Amendment provides protection from search and seizure of tangible property, but the sudden growth of the internet and the number of its users has changed the way these laws have to be applied. As both the internet and the data being transmitted through it are intangible entities, lawmakers have been struggling to adapt the existing laws and apply them to cyberspace.
To be able to completely comprehend internet privacy laws existing in the United States, the privacy laws before the advent of the Internet must be understood. The Foreign Intelligence Surveillance Act[lv] and the Electronic Communications Privacy Act[lvi] are the foundation for the present internet privacy legislation in existence, even though neither Act specifically refers to any new technology (both were passed before the ’90s, and are therefore technologically outdated). These Acts have been interpreted and used as foundations for more recent laws, such as the Patriot Act[lvii], the Protect America Act[lviii], and the FISA Amendments Act[lix].
FISA, the Foreign Intelligence Surveillance Act[lx], which was passed in 1978, allowed the government to electronically spy on foreign nations, or agents of foreign powers. FISA established the FISC, the Foreign Intelligence Surveillance Court, which reviewed FISA orders and ruled on whether or not surveillance was to be conducted.
ECPA, the Electronic Communications Privacy Act[lxi], was passed in 1986, and referred to slightly more current technology. The ECPA restricted the government from monitoring electronic communications that were in transit, or that were stored with a network, but this did not apply to public communications. It also required “electronic communications services and remote computing services” to reveal a subscriber’s details, upon a court order. This was mostly applied to telecommunications and rarely applied to internet activities.
Neither of these Acts directly mentions the internet, or any such technology, for the simple reason that these Acts were passed much before such technological advances occurred. Yet, these Acts have a strong influence on the legislation currently in existence. Legislators used these precedent-setting acts as a basis for the creation of the later privacy acts. They updated the language to suit the new technology, and modified the spirit of the law to match what the public expected at the time.
The best example of an Act passed in accordance with public opinion is the USA PATRIOT Act[lxii], commonly referred to as PA. It is actually an acronym, which stands for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act. There was widespread panic among American citizens as to national security and wellbeing in the aftermath of the 11th September, 2001 attacks. As a result, there was a huge public outcry for drastic measures to ensure that nothing of that magnitude happened again.
The Patriot Act gave federal and other law enforcement agents an unprecedented increase in power. The prevailing hysteria meant that the citizens were willing to surrender their Constitutional rights in order to ensure public safety. The masses wanted stricter legislation to deal with national security, and that was what was enacted, even though some termed this Act unconstitutional.
The PATRIOT Act was built on the foundation of both FISA and ECPA. It expanded FISA, changing the wording of the surveillance standard required. Under the PA, the surveillance for the collection of foreign intelligence no longer had to be the “primary” purpose of the investigation, but merely a “significant” purpose.
Furthermore, PA permitted the different branches of the government to communicate and share intelligence with one another. Also, any counterintelligence information gleaned through an investigation could be shared with foreign intelligence agencies so as to allow different government agencies to cooperate to accomplish a common goal.
Under the provisions of the Patriot Act, roving surveillance was extended to cover computer equipment, and it even permitted surveillance on third parties coming into contact with the person under surveillance. Additionally, even credit card or bank details would have to be made available via subpoena.
The PATRIOT Act was not the final Act passed in the United States regarding internet privacy. Most sections were scheduled to end in 2005 and some of them were renewed, but it was clear that changing technology required new legislation.
PAA, the Protect America Act[lxiii], was passed in 2007 as an attempt to update past acts, specifically FISA, to keep legislation up to date with advancing technology. Supporters of PAA argued that the terminology used in FISA was outdated, and was hence restricting intelligence officers from collecting intelligence on foreign agents located outside the country. To remedy this, the wording of FISA was amended. The meaning of “foreign intelligence” in FISA was retained in its entirety in PAA, but the meaning of the term electronic surveillance was amended. PAA states that electronic surveillance as stated under FISA would not be considered so if it entails surveillance directed towards a person believed to be outside the United States. PAA allows the president to authorize warrant-less surveillance for up to a year, subject to certain conditions. The prevailing notion is that under the PAA, American citizens would have more privacy, and that only the liberties of foreign nationals would be infringed upon.
The FISA Amendments Act, or FAA[lxiv], passed in 2008, is a piece of legislation directly based on FISA, and makes some vital changes to the original Act. Under the provisions of this Act, the government cannot spy on anyone known to be within United States territory, nor on a United States citizen located outside the United States. More importantly, it specifically forbids reverse targeting, which is essentially watching someone outside American soil to gain information about a target located within the boundaries of America itself.
The FISA Amendments Act clearly demarcates the difference between entirely foreign communications which are routed through the United States, and international communications; it provides that no warrant is necessary to intercept the former, while the latter is subject to FISC ruling. The Act does not specify which technology is to be surveilled, but it does authorize the government to get necessary information with the assistance of an electronic service provider.
This Act includes serious federal oversight, requiring each agency to be answerable to Congress and FISC annually, so as to ensure cooperation with each provision of the Act. The inclusion of such a clause shows the lack of trust in self-governance of the governmental agencies. Each government organization is answerable to not only the Director of National Intelligence and the Attorney General, but to Congress and FISC as well. Reports submitted must include the use of the information obtained, and the number of suspects later proved to be within United States territory when surveillance was in progress.
Online Privacy in India
The main piece of legislation in India dealing with the world of cyberspace is the Information Technology Act, 2000 (hereinafter, IT Act, 2000) which lays down the penalties for various cyber-crimes and other offences concerning technology committed via digital or electronic media. This Act was not passed for the purpose of protecting individuals’ data but is in fact a generic legislation covering a broad range of technology related issues like digital signature, e-governance, cyber contraventions, cyber offences, confidentiality and privacy. The issue of online privacy has been summarily addressed in the IT Act, 2000 and further elaborated on in the Information Technology (Amendment) Act, 2008 and the Data Privacy Rules, 2011 which safeguard personal and sensitive data.
Position under the Information Technology Act, 2000
The following provisions of the IT Act, 2000 address the issue of privacy in cyberspace:
Breach of confidentiality and privacy (Section 72)
Section 72 of the IT Act, 2000 entails a penalty for breach of confidentiality and privacy and is vital for safeguarding internet privacy. It provides for imprisonment of a maximum of two years, or a fine of up to one lakh rupees, or both, if any person, in pursuance of the powers conferred under the Act, secures access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned and discloses such electronic record etc. to any other person. This section imposes criminal liability, i.e. imprisonment of up to 2 years or a fine of up to one lakh rupees, on an individual breaching the privacy or confidentiality of another individual.
This Section of the IT Act, 2000 is rather narrow in its scope as it specifically states “person who in pursuance of any of the powers conferred under this Act…” while the infringement need not be committed by a person authorised by law. This means that any user of the internet is allowed to make an infringement for which there exists no legal remedy. For instance, six million passwords of LinkedIn users were released by hackers on the internet via a Russian web forum. This can definitely be classified as a breach of privacy without the consent of the person, but the hacker would not be liable under Section 72 of the IT Act, 2000 since this particular Section covers only those individuals in whom powers have been vested by this Act.
Disclosure of information in breach of lawful contract (Section 72A)
This Section was added as a measure to further strengthen data privacy laws by the IT (Amendment) Act, 2008. It lays down punishment for disclosing information in breach of a lawful contract. This section prevents any person from disclosing personal information obtained from a user without the consent of that particular user and is thus an additional safeguard of online privacy.
Cyber Voyeurism (Section 66 E)
Section 66 E, added by the IT (Amendment) Act, 2008, is another provision intended to protect online privacy and provide punishment for a violation of said privacy. As the title suggests, this section is a safeguard against cyber voyeurism which results in a breach of privacy. It provides a punishment of up to 3 years or a fine of up to two lakh rupees in case of any intentional capturing, publishing or transmitting of the image of a private area of any person without his or her consent. Privacy as used in this section has been understood in the physical sense without any regard being given to personal information. Voyeurism not only infringes the privacy of the person but is also a serious violation of human dignity.
Failure to protect data (Section 43A)
Section 43A provides that a corporate body must adequately compensate the injured parties for its failure to protect their private data. A corporate body possessing, dealing with or handling any sensitive personal data through a computer resource, which is negligent in the maintenance of reasonable security practices and thus causes wrongful loss or wrongful gain to any person, is held by law to be liable to pay compensation to the individuals affected. The provision is quite wide in its ambit and the corporation is made liable for mere possession of personal data if the manner in which this data or information is handled is not up to the standards expected from a reasonable person. This section specifically deals with only sensitive personal data but at the same time does not lay down criteria for differentiating sensitive personal data from the rest.
Online Privacy and National Security (Section 69)
The right to privacy and confidentiality has to be balanced with the need to safeguard national security. No right is ever absolute, i.e. every right has certain limitations and restrictions placed upon it by law. Not even the right to life contained in the Constitution of India is exempt from this rule. Due to the volatile nature of the global scenario, the primary duty of the State is to protect national interests and as a result the protection and enforcement of all other rights become secondary. Section 69 provides for online surveillance by the Central and State Governments by means of intercepting, monitoring and decrypting any manner of electronic communication. This Section was amended in 2008 and was consequently given a wider scope. Another change which has been brought is that it mandates procedural safeguards to be adhered to so as to avoid arbitrariness. Also, reasons must be recorded in writing before exercising the powers under the section. Communication over the internet is a means of utilizing the freedom of speech and expression we possess and hence unless absolutely necessary or in extenuating circumstances, this Section cannot be applied by the Central and State Governments. On a multitude of occasions, the Supreme Court stated that individual privacy can be compromised to further national and public interests.
The Government has been given vast amounts of power when it comes to surveillance. But these powers are exercised with the utmost caution as there is much scope for its misuse for politically motivated reasons.
The intention behind Section 69 is more of a public policy measure and should thus be limited to only that purpose. The defining argument justifying the government’s power of surveillance is that if investigations of crimes committed in the physical world can invade the privacy of citizens’ lives when necessary, then the same principle should be applicable when it comes to online resources too. The constitutionality of this section has been contended repeatedly. It is yet to be seen whether it is challenged in the courts but since there is a system of checks and balances in place to regulate the interception of communications, it is rather unlikely that this Section will be struck down as unconstitutional. A similar line of reasoning was used when the Supreme Court upheld the constitutional validity of MCOCA, 1999 as there were sufficient procedural mechanisms in place so as to prevent it from being misused.
Data Privacy Rules, 2011: A Step Forward
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter, Data Privacy Rules, 2011) came into effect in April, 2011. These Rules are meant to supplement the empowerment of the legislative under Section 43A and aim to further the field of data protection. In a nutshell, they are aimed at protecting sensitive data and personal information of individuals while simultaneously regulating the methods of collection and disclosure of such information. Sensitive personal data or information of a person has been clearly listed out as information pertaining to:
- Financial information;
- Condition of physical as well as mental health;
- Sexual orientation;
- Medical records;
- Biometric information;
- Any information relating to the above subjects as provided to corporate bodies while availing a service;
- Any information received under the above clauses by corporate bodies.
These Rules safeguard users’ personal information by making it necessary for corporates to procure permission from users before disclosing their personal information to any third party, except in cases where the due disclosure of information is a legal obligation.
The framing of the Data Privacy Rules, 2011 is a positive step towards the conformity of Indian rules regarding the protection of users in cyberspace to those followed by other nations. These Rules have one fundamental flaw. Their implementation as well as the penalty for their infringement is obscure. Until these grey areas are removed, legal recourse is available via Section 45 of the IT Act that requires anyone flouting the norms laid down by the Act to pay a compensation of Rs. 25,000 which is clearly a paltry and insufficient sum. Also, these Rules are only applicable to corporate bodies located within the territory of India.
It is clearly observed that private individuals are not the only residents of cyberspace. Governments have been trying to control and monitor the activities occurring through this relatively new medium since the advent of the internet itself, and because of the absence of a clear definition of what is acceptable, many questions have been raised about the legality of government actions. Ensuring the safety and wellbeing of citizens is one of the primary responsibilities of the government but they must also respect the privacy of citizens unless they have just and probable cause. Although there are many well defined laws and precedents for how to handle invading a person’s life, the laws for monitoring private digital life are very much a grey and ambiguous field. While intercepting and reading a piece of posted mail is a tedious and hard to disguise task, it is simple and easy to read electronic mail, and it is almost undetectable as well. With this ease of interception, and the difficulty of stopping it, arises the very real fear that governments will soon begin to pry into every aspect of human life, all in the name of national security. Even in India, pending the launch of the Central Monitoring System (CMS) project, Lawful Intercept and Monitoring (LIM) systems have been deployed by the Centre for Development of Telematics (C-DoT) to monitor citizens’ activities on the internet, and sometimes this occurs by blatantly flouting the rules.[lxv] This is the sentiment that gave rise to the phrase “Big Brother is watching”. Great care has to be taken to ensure the safety of citizens, while still maintaining their privacy.
Edited by Sinjini Majumdar
[i] David Flaherty, Protecting Privacy In Surveillance Societies (1989).
[ii] Organization for Economic Cooperation and Development (OECD), Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data (Paris, 1981).
[iii] Council Directive 95/46/EC, 1995, available at <https://www.odpr.org/restofit/Legislation/DirectivelDirective_Contents.html>.
[iv] Id. at Article 7.
[vi] Id. at Article 13.
[vii] Council Directive 2002/58/EC, 2002, available at <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2002L0058:20091219:EN:PDF>.
[viii] Id. at Article 6.
[ix] Supra note 1 at Article 13.
[x] Supra note 4 at Article 15.
[xi] Council Directive 2006/24/EC, 2002, available at <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF>
[xii] Id. at Article 6.
[xiii] Id. at Article 3.
[xiv] Konstitutsiia RF [Constitution of the Russian Federation] [Konst. RF] (1993), available at <https://www.friends-partners.orgoldfriends/constitution/russian-const-ch2.html>.
[xv] Civil Code, Article 19. RF Act No. 51-FZ Adopted By The State Duma on Oct. 21, 1994
[xvi] The Criminal Code of the Russian Federation No. 63-FZ of June 13, 1996
[xvii] Russian Federation Federal Act No. 24-FZ, Law of the Russian Federation on Information, Informatization and Information Protection (Jan. 25, 1995)
[xviii] RF Communications Act Russian Federation Federal Act No. 15-FZ Adopted by the State Duma on Jan. 20, 1995.
[xix] Russia Prepares To Police Internet, The Moscow Times, July 29, 1998. English translation of the Bill is available at <http://www.fe.msk.ru/libertarium/sorm/sormdocengl.html>
[xx] Russian ISP Refuses To Spy On Customers, Data Communications, Marina Moudrak, July 26, 1999.
[xxi] Constitution Federale [Constitution of Switzerland], available at <https://www.uniwuerzburg.de/law/szO0t__.html>.
[xxii] Loi federale sur la protection des donnees (“LPD”), 19th June 1992, available at <https://www.admin.ch/ch/f/rs/235_1/index.html>.
[xxiii] Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, Opinion 5/99 on the level of protection of personal data in Switzerland (June 7, 1999), available at <http://europa.eu.int/comm/dgl5/en/media/dataprotwpdocs/wp22fr.pdf>.
[xxiv] § 28 of the Civil Code, Dec. 10, 1907
[xxv] Code Penal, Titre troisième: Infractions contre l’honneur et contre le domaine secret ou le domaine prive, Art 173-179
[xxvi] Law No. 78-17 of Jan. 7, 1978, J.O., Jan. 25, 1978 (relating to information privacy and freedom) (modified by Law No. 88-227 of Mar. 11, 1988, art. 13, relating to the financial information of politicians, J.O., Mar. 12, 1988; Law No. 92-1336 of Dec. 16, 1992, J.O., Dec. 23, 1992; and Law No. 94-548 of July 1, 1994, J.O., July 2, 1994) (Fra.)
[xxvii] Commission Nationale de L’informatique et des Libertes (“CNIL”), Home Page <http://www.cnil.fr>.
[xxviii] Law No. 91-636 of July 10, 1991 (relating to telecommunications privacy) (Fra.)
[xxix] Kruslin v. France, 176-A, Eur. Ct. H.R. (ser. A) (1990).
[xxx] C. Civ., Art. 9, Stat. No. 70-643 [Civil Code] (July 17, 1970) (Fra.).
[xxxi] C. PPN. [Penal Code], art. 368 (Fra.)
[xxxii] Federal Act on Data Protection, Jan. 27 1977 (Bundesgesetzblatt, Part I, No 7, 1 Feb. 1977, amended 1990), available at Datenschutz und Recht (visited Nov. 12, 1999) <http://www.datenschutz-berlin.de/gesetze/bdsg/bdsgeng.htm>.
[xxxiii] Resolution of the Conference of Data Protection Commissioners of the Federation and the Laender, Apr. 29, 1996, available at Datenschutz und Recht <http://www.datenschutz-berlin.de/sonstige/behoerde/bundes.htm>.
[xxxiv] BverfGE 93, 181 – Rasterfahndung (July 5, 1995)
[xxxv] German Phone Taps are Routine, Imre Karacs, The Independent, July 15, 1999
[xxxvi] Const. P.R.C. (1993) (adopted at the 5th Sess., 5th Nat People’s Cong., promulgated for implementation, Procl. Natl People’s Cong., Dec. 4, 1982, as amended at the 1st Sess., 7th Nat’l People’s Cong., Apr. 12, 1988, and at the 1st Sess., 7th Natl People’s Cong., Mar. 29, 1993).
[xxxvii] W.J.F Jenner, China and Freedom, Kelly & Reid, Asian Freedoms (1998).
[xxxviii] Gary Chapman, China Represents Ethical Quagmire in High-Tech Age, L.A. Times, Jan. 27, 1997, at D1.
[xxxix] Chinalaw Computer Information Network and Internet Security, Protection and Management Regulations <https://www.qis.net/chinalaw/prclaw54.htm> (approved by the State Council on Dec. 11, 1997, promulgated by the Ministry of Public Security, Dec. 30, 1997).
[xl] Id. at Article 8
[xli] U.S. Department Of State, Bureau Of Democracy, Human Rights, And Labor, China Country Report on Human Rights Practices for 1998, Feb. 26, 1999; Amnesty International, 1999 World Report: China
[xlii] Blair: I Never Want to Visit Beijing Again; Blair Claims He was Bugged by China’s Secret Police, The Mirror, Oct. 12, 1998.
[xliii] Human Rights Bill, CM 3782, Oct. 1997 <https://www.official-documents.co.uk/document/hoffice/rights/rights.htm>.
[xliv] Data Protection Act 1998 available at <https://www.hmso.gov.uk/acts/acts1998/19980029.htm>.
[xlv] Data Protection Act 1984 available at <https://www.hmso.gov.uk/acts/acts1984/1984035.htm>.
[xlvi] Data Protection Registrar, Homepage <https://www.open.gov.uk/dpr/dprhome.htm>
[xlvii] Simon Davies, Big Brother (Pan Books, 1996), available at Privacy International, United Kingdom <https://www.privacy.orgpi/countries/uk/>.
[xlviii] Criminal Justice and Public Order Act of 1994
[xlix] Secretary of State for the Home Department, Interception of Communications in the United Kingdom: A Consultation Paper (June 1999) <https://www.homeoffice.gov.uk/oicd/ioc.htm>
[l] Malone v. United Kingdom (A/95): (1991) 13 EHRR 448, Apr. 26, 1985
[li] Halford v. United Kingdom (Application No 20605/92), 24 EHRR 523, June 25, 1997
[lii] Police Tighten the Net, The Guardian Online (Sept. 17, 1998) <http://online.guardian.co.uk/theweb/905960359-privacy.html>.
[liii] European Commission, Science and Technology Options Assessment Office (STOA), Assessing the Technologies of Political Control (Brussels, 1997) <https://www.jya.com/>.
[liv] European Commission, Science and Technology Options Assessment Office (STOA), Assessing the Technologies of Political Control (Brussels, 1997) <https://www.jya.com/>.
[lv] Foreign Intelligence Surveillance Act 1978, available at <http://www.law.cornell.edu/uscode/text/50/chapter-36>
[lvi] Electronic Communications Privacy Act 1986, available at <http://www.justice.gov/jmd/ls/legislative_histories/pl99-508/act-pl99-508.pdf>
[lvii] Uniting And Strengthening America By Providing Appropriate Tools Required To Intercept And Obstruct Terrorism (USA PATRIOT Act) Act Of 2001, available at <http://www.gpo.gov/fdsys/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf>
[lviii] Protect America Act of 2007, available at <http://www.govtrack.us/congress/bills/110/s1927/text>
[lix] FISA Amendments Act of 2008, available at <http://www.govtrack.us/congress/bills/110/hr6304/text>
[lx] Supra note 55
[lxi] Supra note 56
[lxii] Supra note 57
[lxiii] Supra note 58
[lxiv] Supra note 59
[lxv] Shalini Singh, Govt. violates privacy safeguards to secretly monitor Internet traffic, The Hindu, 9th September, 2013.