3rdInternal Assignment

Essay on
Right to Privacy in Cyberspace

SUBJECT: Information Technology Law

 ~~ Internal Assignment - III~~

Table of Contents

Introduction ............................................................................................................................ 2

Background ............................................................................................................................ 2

Online Information Privacy ................................................................................................... 3

The IT (Reasonable Security Practises and Procedures and Sensitive Personal Data or
Information) Rules, 2011 ................................................................................................... 3

The Key Mandatory Compliances ......................................................................................... 4

1. Creation of a privacy policy....................................................................................... 4
2. Disclosure of collection of information ..................................................................... 4
3. Transfer of information .............................................................................................. 4
4. Reasonable security practises and procedures ........................................................... 4
Penalties for Non Compliance ................................................................................................ 5

Analysis.................................................................................................................................. 5

Conclusion ............................................................................................................................. 6

Bibliography & References........................................................................................................ 7

Books or Journals or Articles:................................................................................................ 7

Online Source: ....................................................................................................................... 8

Page | 1
 ~~ Internal Assignment - III~~

Right to Privacy in Cyberspace

INTRODUCTION
Globally, laws are being enacted to ensure that there is no abuse of sensitive information in
the cyberspace by protecting the privacy rights of the internet users. In India, there is no
independent law for the regulation of online data. However, Information Technology Act,
2000 sets out express code for data protection, where both civil and criminal relief can be
sought for misuse of data1. Besides, general law such as contract law may also be applied by
the Court for enforcing the rights of the data subject. However, these statutes have several
limitations, apart from the basic premise that they are not data protection legislation per se.2

In this essay, the emphasis is given to legislations which provide for data protection laws and
ensure right to privacy is exercised in cyberspace in India. The primary legislation which
provides for the sane is the Information Technology Act, 2000 (“IT Act”) and particularly in
the Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules 2011 (“Privacy Rules”) notified under the IT Act.
Moreover, it is also to be noted that the data protection principles and compliances in the IT
Act apply equally to all operations irrespective of usage of technology.3

BACKGROUND
When IT Act was enacted the preamble of the Act clearly stated that the main object of the IT
Act was to provide legal recognition to electronic commerce.4 The intention of the legislation
is to facilitate business by recognizing digital signatures etc. and to provide for penalties for
abuse or misconduct in such transactions.5 The IT Act was not intended to govern the use of
internet by public. However, with popularization of internet and advancement in technology
there was a need for some legislation to safeguard against abuse of internet access in general.6
Hence, the government instead of making a separate act, it was included in the IT Act

1
Diwan, Parag and Kapoor, Shammi, Cyber and E-Commerce Laws, Bharat Publishing House, (2000).
2
'Information Technology Law: An Introspection.' Cochin University Law Review. Vol. 26, 2002.
3
Goldsmith, JackL. And Sykes, Alan O., "The lntemet and the Dormant Commerce Clause," The Yale Law
Journal, Vol. 110, March 2001
4
Shiv Shankar Singh, Privacy and Data Protection in India: A Critical Assessment, 53 JILI (2011) 663.
5
Ghatak P. and others, "Digital Rights Management: An Integrated Secure Digital Cotnent Distribution
Technology," JIPR, 9, 2004.
6
Regulation of Data in The Cyberspace—Drawing Roadmap for India, CNLU LJ (2) [2011-2012] 99 at page
102

Page | 2
 ~~ Internal Assignment - III~~

through an amendment in 2009. This 2009 amendment provided for statutory recognition to
“Online Information Privacy”.7

ONLINE INFORMATION PRIVACY

Data may be defined as a representation of information. In the cyber world, data signifies that
information which is prepared in a formalized manner and processed in the computer system
or computer network.8 It may be stored in the memory of the computer or it may be in the
form of computer printouts, punched cards, etc.9 Specific provisions and rules which provide
for online information privacy are as follows:
 Section 43A: Compensation for failure to protect data.
 Section 72A – Punishment for disclosure of information in breach of lawful contract.
 The IT (Reasonable Security Practises and Procedures and Sensitive Personal Data or
Information) Rules, 2011
 The IT (Intermediary Guidelines) Rules, 2011
 The IT (Guidelines for Cyber Cafe) Rules, 2011

The IT (Reasonable Security Practises and Procedures and Sensitive Personal Data or
Information) Rules, 2011

Data as defined under the rules may be classified as “Personal Data” and “Sensitive Personal
Data”.10 The former relates to the data by which a particular person can be identified with the
help of information like identification number or with the help of the factors specific to an
individual like physical, physiological, mental, economic, cultural or social identity. 11 The
base for initiating the application of Privacy Rules is collection, possession, handling/dealing
or transfer of “personal” information as defined under rule 2(1)(i) of the Privacy Rules.12

7
Devadatt Kamat, Information Technology Act- A Contractual Perspective, 1 Supreme Court Cases 11 (2004).
8
Ahmed Farooq, Cyber Law in India, Delhi New Era Publication, (2005).
9
S. 2(o) of the Information Technology Act, 2000.
10
Arka Mookerjee and Soumya Ray Chowdhury, Information Privacy or Data Protection Laws- Scope and
Ambit, 10 Corporate Law Adviser 233 (2004).
11
S. 2(f) of the Personal Data Protection Bill, 2006 (India); See also R. Ryder, Guide To Cyber Laws, 3d ed.,
2007.
12
Faizan Mustafa, Privacy Issues in Data Protection : National and International Laws, 2004 PL WebJour 16.

Page | 3
 ~~ Internal Assignment - III~~

THE KEY MANDATORY COMPLIANCES

Following are certain mandatory compliances that the “body corporate” has to fulfill as per
the Privacy Rules:

1. Creation of a privacy policy

Rule 4 of the Privacy Rule require issuing of a privacy policy. This requirement is not limited
to SPDI because the relevant rule mentions “personal information or sensitive personal data
or information”. Further, such policy should also be published on the website of the body
corporate.13

2. Disclosure of collection of information

Rule 5 requires disclosure of following information:
 The fact that information14 is being collected;
 The purpose of collection;
 The people who may receive such collected information and;
 Details of the persons collecting and storing the information.

1. Transfer of information
Rule 7 gives data subjects the right to consent to transfer of information as well as the right
for no greater information than “necessary” to be transferred. Similar to collection, it appears
that the consent has to be restricted to “necessary” purpose.15 In contrast to collection, for
transfer there is compliance for the entire pool of “information” i.e. not restricted to SPDI.16

2. Reasonable security practises and procedures

Rule 8 requires implementation as well as documentation of reasonable security practices and
procedures (“RSPPs”). In effect, the IS/ISO/IEC 2011 standards must be followed with
regard to RSPPs as the government has till date not notified any other standards for the same.
An annual audit of the RSPPs standards must be carried out by a “government approved”
auditor.17

13
Regulation of Data in The Cyberspace—Drawing Roadmap for India, CNLU LJ (2) [2011-2012] 99 at page
102
14
The term information is defined in Section 2(1)(r) of the IT Act.
15
Regulation of Data in The Cyberspace—Drawing Roadmap for India, CNLU LJ (2) [2011-2012] 99 at page
102.
16
Arka Mookerjee and Soumya Ray Chowdhury, Information Privacy or Data Protection Laws- Scope and
Ambit, 10 Corporate Law Adviser 233 (2004).
17
Justice Narayana, P.S., "Cyber World - New Challenges," AIR Journal, 2002.

Page | 4
 ~~ Internal Assignment - III~~

Penalties for Non Compliance

• Section 43A, which provides compensation for failure to protect data including
sensitive personal data or information.
• Section 72, which provides penalty for breach of confidentiality and privacy.
• Section 72A, which provides punishment for disclosure of information in breach of
lawful contract when such disclosure is done intentionally or knowingly.

ANALYSIS
The term “body corporate” is a misnomer as its definition includes a firm, a commercial or
professional sole proprietorship besides a company.18 Further, extra-territorial application of
the IT Act is limited by Sec. 75 of the IT Act to offences which involve a computer, computer
system or network is located in India.19 For civil remedies for data protection is provided
under Section 43-A of IT Act which provides for compensatory liability of the body
corporate dealing with sensitive personal data or information. There is no limit to such
amount by virtue of Sec. 43A. When Sec. 43A is r/w Sec. 85 of the IT Act, it provides all
persons responsible for conduct of its business in company will be held guilty in case offence
was committed by a company unless no knowledge or due diligence to prevent the
contravention is proved.
For Criminal Remedies for Unlawful Disclosure of Information is provided under Section
72A of IT Act, which provides punishment for disclosure of personal information in breach
of lawful contract with the intention or knowledge likely to cause wrongful loss or wrongful
gain.
Moreover, Section 66-E provides for violation of privacy. It lays down punishment for a
person who intentionally or knowingly publishes or transmits the image of the private area of
any person without his/her consent. 20 This section is relevant for online data protection
because data includes information and it hardly needs any mentioning that images and
pictures are often the subject of misuse on the internet.
Limitation of the IT Act, which could affect in exercising the right of privacy in cyberspace.
Few of them enumerated below:
1. Sec. 43A provides only protection for sensitive personal information.

18
Archana Vaidhyanathan, The Data Protection Regime in India- Need for an Overhaul, CRIMINAL LAW
CASES 35 (2007).
19
Faizan Mustafa, Privacy Issues in Data Protection : National and International Laws, 2004 PL WebJour 16.
20
Arka Mookerjee and Soumya Ray Chowdhury, Information Privacy or Data Protection Laws- Scope and
Ambit, 10 Corporate Law Adviser 233 (2004).

Page | 5
 ~~ Internal Assignment - III~~

2. Section 43A has laid tough standards for establishing guilt as the principle for the
guilt “imputing negligence”, “cause of wrongful loss or wrongful gain to any person”.
However, ideally breach should be presumed to be guilt on part of body corporate and
burden of proof should be on the body corporate.21
3. No bargaining power left to the consumers. If the consumers has to use the
application or website, the consumers are “automatically bound by terms of use”.
4. The IT Act does not cover a majority of crimes committed through mobiles.22

CONCLUSION
By giving information, sometimes we may end up compromising our right to privacy. Since
there is no separate data protection law in India, it is difficult to regulate misuse of data in the
cyberspace. There are conflict of interests on one hand it is ‘right to know’ and on the other
it is “right to be left alone” or the right not to share personal information Hence, there
should be a law pertaining to data protection which should primarily reconcile these
conflicting interests as none of the said rights is absolute in nature. It is high time that Indian
legislature takes some positive steps because cyberspace has come to stay. Work also needs
to be done in terms of making the users aware of the issues involved, communicating and
educating them regarding the proper usage and adoption of the proper handling procedures so
that the society at large can reap the benefits of a new revolution.

21
Chaubey, Cyber Crime and Cyber Law, Kolkata Kamal Law House, (2001).
22
Anvit Srivastava, Over 500 cops get ready to fight crime with a mouse: Cyber Teams and Cells at all Police
Stations and Districts, TIMES OF INDIA ,Gurgaon edn., (2016)

Page | 6
 ~~ Internal Assignment - III~~

Bibliography & References

BOOKS:
 Ahmed Farooq, Cyber Law in India, Delhi New Era Publication, (2005).
 B.L. Wadehra, Law relating to Cyberspace, 4th ed. Delhi Universal, (1999).
 Chaubey, Cyber Crime and Cyber Law, Kolkata Kamal Law House, (2001).
 Commer Douglas E., Internet Book, 3rd ed. Delhi Pearson Education, ( 2003).
 Dasgupta , M., Cyber Crime in India, Eastern Law House, (2009).
 Diwan, Parag and Kapoor, Shammi, Cyber and E-Commerce Laws, Bharat Publishing
House, (2000).

JOURNALS OR ARTICLES:
 Ghatak P. and others, "Digital Rights Management: An Integrated Secure Digital
Cotnent Distribution Technology," JIPR, 9, 2004.
 Goldsmith, JackL. And Sykes, Alan O., "The lntemet and the Dormant Commerce
Clause," The Yale Law Journal, Vol. 110, March 2001.
 Justice Narayana, P.S., "Cyber World - New Challenges," AIR Journal, 2002.
 Karki, MMS, "Personal Data Privacy and Intellectual Property," JIPR, 10,2005.
 'Information Technology Law: An Introspection.' Cochin University Law Review.
Vol. 26, 2002.
 Regulation of Data in The Cyberspace—Drawing Roadmap for India, CNLU LJ (2)
[2011-2012] 99 at page 102
 Dr. Shiv Shankar Singh, Privacy and Data Protection in India, (2012) PL February S2.
 Shiv Shankar Singh, Privacy and Data Protection in India: A Critical Assessment, 53
JILI (2011) 663.
 Samuel Warren & Louis D. Brandeis, “The Right to Privacy” Harvard Law
Review 193 (1980).
 Faizan Mustafa, Privacy Issues in Data Protection : National and International Laws,
2004 PL WebJour 16.
 Anvit Srivastava, Over 500 cops get ready to fight crime with a mouse: Cyber Teams
and Cells at all Police Stations and Districts, TIMES OF INDIA 10 (Gurgaon edn., 19
November 2016)

Page | 7
 ~~ Internal Assignment - III~~

 Archana Vaidhyanathan, The Data Protection Regime in India- Need for an Overhaul,
CRIMINAL LAW CASES 35 (2007).
 Arka Mookerjee and Soumya Ray Chowdhury, Information Privacy or Data
Protection Laws- Scope and Ambit, 10 Corporate Law Adviser 233 (2004).
 Devadatt Kamat, Information Technology Act- A Contractual Perspective, 1 Supreme
Court Cases 11 (2004).

ONLINE SOURCE:
o Manupatra
o SCConline
o Indiakanoon
o Jstor

Page | 8