AUTHOR:

Prof. Surya Saxena,
Professor,
Delhi Metropolitan Education

CO-AUTHOR:

Mr. Rishabh Jain,
Student,
Delhi Metropolitan Education.

ABSTRACT

At this juncture, where countries around the globe are devising ways of tackling the ‘COVID – 19 pandemic’, a common strategy that has been adopted by all nations is the “social distancing” norm, which is believed to slow down the spread of the virus amongst communities. But this has hindered physical movement. Thus, to overcome this grave situation, several corporations and educational institutions world-wide continued their working through the use of video conferencing. It was also reported that some institutes and organisations used various mechanisms to keep a vigil on their students and employees, which resulted in unnecessary invasion of their privacy. This intrusion ranged from monitoring the browsing history to monitoring usage of the device. The trouble did not end here: the video conferencing/chatting apps further breached the privacy of individuals who made use of them because of sub-standard and weak cyber security measures. Whether organisations have the right to breach the privacy of individuals leaves us pondering!

With hardly any alternatives available, people are left with no choice but to accept the unilaterally imposed terms and conditions of the apps. Denying them permission will only cause inconvenience to the users.

Now, the question that arises is whether these acts of violation of privacy should be allowed to continue. And if so, to what extent shall it be acceptable? Shouldn’t the Indian government develop certain measures to stop this violation? Can there be some alternative to such applications? To what degree are our privacy laws in tandem with the rest of the world?

Key Words: Covid – 19, Work from Home, Video Conferencing, Breach of Privacy

INTRODUCTION

We are presently at the crossroads of history, and an anxious future awaits. It has been barely less than four months since the first case was confirmed, and Covid-19 (Corona Virus) has already spread its wings to more than 184 countries. While nations across the North – South are grappling with an increasing probability of the economy being pushed beyond the brink, India has taken some strict measures to tackle the emergent situation.

This pandemic has restricted the physical movement of people to their houses and hence many corporations including the education sector have adopted policies and remote work practices that require or allow their employees to work from home (“WFH”) in situations where responsibilities can be managed off premise.

It is imperative to note that owing to technological advancements, remote working and WFH have become viable and have gained popularity as an option for employers over the past few years. This became even more evident during the prevalent Covid – 19 crisis. Various institutions, companies and industries must have realised the benefits that have accrued from providing the facility of ‘WFH’, which include reduction of fixed costs, and some companies may even incorporate this as a permanent feature of their work culture.

But one major consideration is to cater to the various issues surrounding privacy and data protection. There are instances when employees working from home have access to substantial information belonging to their employer. Conversely, employers have put in place certain additional mechanisms to track the working of their employees. It is pertinent to note that the mediums of communication used to conduct the task of WFH will themselves pose numerous challenges which will need urgent attention.

THE RECENT MISHAPS WITH THE ZOOM APP

There are numerous privacy issues which have been reported by people using Zoom, such as zoom-bombing, selling of data to other organisations[1], concealing its privacy and security flaws[2], etc. Due to these incidents, many countries have put partial or absolute bans on the usage of the Zoom app in their territory. For instance, India has banned the use of the Zoom app for governmental use, Singapore suspended its usage for online education[3], Germany has also restricted the use of the app[4] and Taiwan has banned the app in toto[5]. Many other countries have issued warnings in regard to the usage of the app. Some major companies like Google and SpaceX have also restricted their employees from using the Zoom app. It was also reported that hackers were selling the data on the Dark web for some consideration[6] (both monetary and non-monetary). Various suits have already been filed against the owners of Zoom for breaching the privacy norms, and a class-action suit has been instituted by the shareholders for not revealing the truth about their privacy policies and flaws in the app, which led to a radical downfall in the price of their shareholdings.

REGULATORY FRAMEWORK FOR PRIVACY AND DATA PROTECTION IN INDIA

As compared to most of the nations around the globe, India is lacking in terms of having any legislation which specifically deals with protection and/or violation of privacy. Having said that, it is also important to mention that there are certain provisions in a few legislations which deal with the aspect of privacy to a limited extent.

Constitutional Provisions

Even though there is no ‘express provision’ in the Indian Constitution that recognises the right to privacy as a fundamental or a legal right, in a catena of judgments it has been laid down by various courts that the right to privacy is a part of the right to freedom of speech and expression and the right to life and personal liberty as enumerated under Article 19(1)(a) and Article 21 of the Constitution (Indo Jain v. Forbes Incorporated[7]; R. Rajagopal v. State of Tamil Nadu 1995[8]; Umesh Kumar v. State of Andhra Pradesh[9]; K.S. Puttaswamy v. Union of India[10]; Joseph Shine v. Union of India[11]).

In the case of K.S. Puttaswamy v. Union of India[12], the Supreme Court interpreted the concept of right to privacy in a different manner altogether. Before this judgment, it was considered to be a right to protect a particular interest but, in this matter, ‘right to privacy’ was declared to be a right in itself, thereby removing the ambiguity. Therefore, the apex court expanded the scope of right to privacy and advocated for the legislature to intervene to protect right to privacy by way of a codified statute. In response to this, a committee was constituted to prepare a draft bill for the protection of data. In July 2018, the Committee submitted a draft bill along with its report. On 11th December, 2019, after extensive deliberations a bill was introduced in People’s House titled as “Personal Data Protection Bill, 2019”.[13]

Statutory Provisions

The Information Technology Act, 2000 (hereinafter referred to as IT Act, 2000) is the only codified law in India which deals explicitly with substantial provisions relating to privacy infringement. It tries, to a great extent, to prohibit the breach of privacy and prescribes penal sanctions for those who violate the law. A few of the provisions are listed as follows:

  1. Section 43 of the IT Act, 2000 provides that if any person accesses a computer, computer system or computer network without permission of the owner, or downloads, copies and extracts any data, or causes disruption of any system inter alia, they will be liable to pay damages by way of compensation to the person affected. The offence of hacking is covered under the above described acts.
  2. Section 43A of the IT Act, 2000 provides uncapped compensation for failure to take adequate measures to protect any sensitive personal data or information held by a corporate body in a computer resource which it owns, controls or operates.
  3. Section 72 of the IT Act, 2000 provides for breach of confidentiality and privacy. It states that if any person who has access to any electronic record, document or other material discloses such document or other material to any other person without the consent of the person concerned, they will be punished with imprisonment of up to 2 years or with a fine of up to 1 lakh Rupees or both.
  4. Section 72A of the IT Act, 2000 provides that any person who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, and discloses the same without consent, or in breach of the lawful contract, knowing it is likely to cause harm, will be punished with imprisonment for a term of up to 3 years or with a fine of up to 5 lakh Rupees or both.
  5. Section 84A allows the Central Government to prescribe any modes or methods for encryption for securing the usage of electronic medium and promoting e-commerce and e-governance.

The intention of the legislature while formulating this act is quite evident from the preamble itself, which states: “An Act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as ‘electronic commerce’, which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker’s Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto”.[14]

On 11th April, 2011, the central government, by virtue of the power conferred upon it in Section 87(ob) r/w Section 43A of the IT Act, 2000, formulated certain rules vide notification and named them the “Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011”.[15] These rules lay down certain practices and standard procedures that need to be adhered to by corporations, or an individual acting on behalf of such a corporation, while handling personal and sensitive data.

LEGAL REGIME IN OTHER COUNTRIES FOR SAFEGUARDING PRIVACY AND DATA PROTECTION

According to a survey conducted by the United Nations Conference on Trade and Development (hereinafter referred to as UNCTAD)[16], out of 195 countries, 107 had enacted legislation for protecting data privacy, i.e. 66% of the total in number, whereas 10% of countries had a draft legislation in place. 19% of the countries currently have no legislation regulating data privacy, and for the remaining 5% of countries, UNCTAD didn’t have access to any data pertaining to privacy laws. To make things a little clearer, the national privacy laws of a few countries are described below:

  1. Argentina: In Argentina, there has been a privacy law since October, 2000, which is titled “The Argentina Personal Data Protection Act”, Act no. 25.326.[17] This is applicable to both individuals and entities (including corporate entities) within the territorial boundaries of Argentina. ‘Personal data’[18] has been defined to include basic information of an individual such as name, date of birth, browser cookies, history etc. There is a statutory obligation to obtain the consent[19] of the person concerned before attempting to collect any personal data by informing them as to why the information is being collected, i.e., ‘the actual purpose of such collection’. Another important aspect is that the person concerned always has the right to seek deletion of their personal data.
  2. Brazil: On 15th August, 2018, Brazil enacted its first ever comprehensive legislation on data protection: “Brazilian General Data Protection Law (LGPD)”, Federal Law no. 13,709/2018.[20] The Act will come into effect from August 2020 because the enforcement supposedly got delayed. Hence, the preceding legislation is currently in force. The act prior to the LGPD, which had been regulating personal data over the internet, was called “The Brazilian Internet Act” and was introduced in the year 2014. The Act contains provisions pertaining to the usage, collection and treatment of personal data. Consent[21], being the touchstone, is required to collect such personal data. However, children below the age of 16 years are not eligible to give any such consent. The second category is the 16 to 18 years age bracket, wherein a child can give consent with the permission of their guardian, and the last category is where individuals above 18 years are fully authorised to give their consent. It also creates an obligation on the amassers of such personal information to draft their privacy policy in a subtle manner which can easily be understood by the concerned person.
  3. European Union (EU): The European Union, on 14th April 2016, adopted the “General Data Protection Regulation” (hereinafter GDPR), which came into force on 25th May, 2018 after a transition period of 2 years. The provisions of GDPR are directly applicable to the member countries, and are binding in nature. It substituted the “European Union Data Protection Directive of 1998”.[22] The primary goal of GDPR is to unify and simplify the privacy laws of the member states of the union and to empower every person to have sound control over their personal sensitive data/information.[23] GDPR has become a popular reference for most of the countries in the world, which treat it as a model data privacy protection regulation when drafting their own data protection legislation.
  4. Australia: Australia has had legislation in place to regulate privacy since the year 1988, when ‘The Privacy Act of 1988’[24] was enacted. The primary function of the Act is to promote and protect the aspects of privacy, including those of public – private entities and individuals. There are 13 principles laid down in the Act which are titled “Australian Privacy Principles (APPs)”.[25] The entities to whom these principles are applicable are cumulatively referred to as ‘APP entities’. These principles comprehensively cover the rights and obligations pertaining to the usage, accumulation and disclosure of personal information by APP entities.

Principle 1 states that APP entities, in order to acquire personal information, should function with transparency, and this will include uploading the latest privacy policy on the website in express and clear terms.[26] Principle 2 imposes an obligation on APP entities to allow individuals to hide their identity and/or allow individuals to use fake identity.[27] Principle 3 talks about the procedure in which personal information should be collected from individuals.[28] Principle 6 states those circumstances in which APP entities may use or make disclosure of information collected by them.[29] Principle 11 makes it mandatory for APP entities to take reasonable steps for safeguarding personal information from being misused, including but not limited to unauthorized access, loss, etc.[30] Principle 13 puts the onus on APP entities to correct the personal information collected in case of any inaccuracy, falsity, incompleteness, etc. These principles give flexibility to APP entities to draft their privacy policies in consonance with individuals’ comfort and to balance the two.

  5. Canada: Since 13th April, 2000, Canada has had a specific law dealing with matters connected to privacy, which is titled “Personal Information Protection and Electronic Data Act”[31] (hereinafter referred to as ‘PIPEDA’). The legislation was enacted to encourage people to opt for e-commerce without any concern regarding the use of personal information, by according it due protection. Gradually, the scope of the Act has expanded its contours and now it is being extended to cover the medical sector, banks, broadcasting businesses etc.[32] The latest amendment was carried out on 21st June, 2019.[33] The primary objective of the Act is to grant protection to the personal information of every individual by regulating its collection, usage and disclosure. PIPEDA applies to every private enterprise which aims to collect personal information during the course of any commercial activity and makes it mandatory for an enterprise to take the consent of the individual whose data is being collected, used or disclosed. The entity also has to provide a legitimate reason for the proposed collection, usage or disclosure. According to the provisions of the Act, there exists an office of ‘Privacy Commissioner’ which acts as a watchdog to keep a vigil on the enterprises to prevent any misuse or privacy breach.

CONCLUSION

Even though India has been categorised as the world’s largest democracy, we have certainly been unable to develop a wholesome legislation/regulatory framework for protecting the privacy of the citizens, which, in fact, is an implicit part of the right to life and personal liberty as enshrined under Article 21 of the Indian Constitution and a prerequisite for any democratic nation to protect basic human rights. Though prima facie breach of privacy seems harmless and not an offence per se, dwelling a little deeper into the subject makes you realize the seriousness of the offence, which is why, via the mechanism of judicial activism, it has been inculcated under the right to life and personal liberty. The current regime and laws dealing with data protection and privacy in India are not ideal. Jurisprudential trends and the legislations in force pertaining to privacy are lacking on many fronts, and even the latest Personal Data Protection Bill, 2019, which was introduced, seems to be unable to overcome the lacunae; rather, it is deemed to be unreasonable and arbitrary in nature as it tremendously empowers the government whilst regulating personal data. The bill is modelled largely on existing frameworks for protecting privacy in other jurisdictions, including the GDPR and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.[34] These regulations themselves are based on older frameworks for the protection of privacy that originated in the 1970s.

The legislation regulating privacy can neither be so stringent that it hampers the smooth functioning of businesses/enterprises, nor so lenient that it can invade the privacy of an individual or enterprise. A moderate approach needs to be adopted, taking into consideration the pros and cons. The lawmakers should try to achieve an equilibrium keeping in mind the merits and demerits. The onus lies on the government to draft a law/s which is/are comprehensive and beneficial to the public at large. William E. Gladstone very beautifully quoted “Good laws make it easier to do right and harder to do wrong”. It is high time the authorities introspected, devised methods and developed a framework so that theft and misuse of data can be prevented in the best interests.

[1] Kristopher J. Brooks, on Security breaches relating to use of Zoom App, The CBS Interactive INC., (Last Accessed on 29.04.2020), https://www.cbsnews.com/news/zoom-app-personal-data-selling-facebook-lawsuit-alleges/.

[2] Tiziana Celine, on Privacy concerns as per user reviews, The TechTimes.com, (Last Accessed on 30.04.2020), https://www.techtimes.com/articles/248675/20200408/video-calling-service-zoom-sued-by-own-stakeholder-for-not-revealing-privacy-security-breach.htm.

[3] News Article published on republicworld.com. Available at: https://www.republicworld.com/world-news/rest-of-the-world-news/singapore-stops-zoom-for-online-education-as-hackers-strike.html (Last Accessed on 1.05.2020)

[4] Kunal Gaurav, News Article of German foreign ministry restricts the use of Zoom app amid lack of security reports, Republicworld.com, (Last Accessed on 1.05.2020), https://www.republicworld.com/world-news/rest-of-the-world-news/german-foreign-ministry-restricts-use-of-zoom-amid-reports-of-security.html

[5] Ministry of Home Affairs, “Zoom app is not safe”, ET Online, 29th April 2020, Article published on economictimes.indiatimes.com. Available at: https://economictimes.indiatimes.com/tech/internet/zoom-video-conferencing-app-is-not-a-safe-plarform-home-ministry-cautions-users/articleshow/75181094.cms

[6] Hemani Sheth, “Hackers are selling Zoom exploits on the dark web for $30,000”, The HinduBusinessline.com, 13.04.2020, Available at: https://www.thehindubusinessline.com/info-tech/hackers-are-selling-zoom-exploits-on-the-dark-web-for-up-to-30000-says-report/article31328312.ece

[7] Indo Jain v. Forbes Incorporated 2007 LAWPACK (Del) 37652

[8] R. Rajagopal v. State of Tamil Nadu AIR(SC) 264

[9] Umesh Kumar v. State of Andhra Pradesh 2013 10 SCC 591

[10] K.S. Puttaswamy v. Union of India 2017 10 SCC 1

[11] Joseph Shine v. Union of India 2018 AIR(SC) 4898

[12] K.S. Puttaswamy v. Union of India 2017 10 SCC 1

[13] Draft Personal Data Protection Bill, 2019, Available at: https://www.prsindia.org/billtrack/personal-data-protection-bill-2019 (Last Accessed on 2.05.2020)

[14] Preamble to the Information Technology Act, 2000; Available at: https://indiacode.nic.in/bitstream/123456789/1999/3/A2000-21.pdf (Last accessed on 1.05.2020)

[15] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, Available at: https://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf (Last Accessed on 1.05.2020)

[16] Survey conducted by UNCTAD, Available at: https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx (Last Accessed on 1.05.2020)

[17] The Argentina Personal Data Protection Act, Available at: http://www.jus.gob.ar/media/3201023/personal_data_protection_act25326.pdf (Last Accessed: 4.05.2020)

[18] The Argentina Personal Data Protection Act, Available at: http://www.jus.gob.ar/media/3201023/personal_data_protection_act25326.pdf, Section 2 – Definitions (Last Accessed: 4.05.2020)

[19] The Argentina Personal Data Protection Act, Available at: http://www.jus.gob.ar/media/3201023/personal_data_protection_act25326.pdf, Section 5 – Consent (Last Accessed: 4.05.2020)

[20] Brazilian General Data Protection Law (LGPD), Available at: https://iapp.org/media/pdf/resource_center/Brazilian_General_Data_Protection_Law.pdf (Last Accessed: 5.05.2020)

[21] Brazilian General Data Protection Law (LGPD), Available at: https://iapp.org/media/pdf/resource_center/Brazilian_General_Data_Protection_Law.pdf, Article 5 Clause (12) (Last Accessed: 5.05.2020)

[22] European Union Data Protection Directive of 1998, Available at: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML (Last Accessed: 4.05.2020) This was the legislation prior to the coming of GDPR.

[23] Goals and Objectives of GDPR, Available at:  https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en; (Last Accessed on 4.05.2020)

[24] The Privacy Act of 1988, Available at: https://www.legislation.gov.au/Details/C2014C00076 (Last Accessed: 5.05.2020)

[25]  The Australian Privacy Act of 1988, Available at:  https://www.oaic.gov.au/privacy/the-privacy-act/ (Last Accessed on 5.05.2020)

[26] Principle 1 of the Privacy Act, Available at: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-1-app-1-open-and-transparent-management-of-personal-information/ (Last Accessed on 5.05.2020)

[27] Principle 2 of the Privacy Act, Available at:  https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-2-app-2-anonymity-and-pseudonymity/ (Last Accessed on 5.05.2020)

[28] Principle 3 of the Privacy Act, Available at: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-3-app-3-collection-of-solicited-personal-information/ (Last Accessed on 5.05.2020)

[29] Principle 6 of the Privacy Act, Available at: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-6-app-6-use-or-disclosure-of-personal-information/ (Last Accessed on 5.05.2020)

[30] Principle 11 of the Privacy Act, Available at: https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-11-app-11-security-of-personal-information/ (Last Accessed on 5.05.2020)

[31] Personal Information Protection and Electronic Data Act, Available at: https://laws-lois.justice.gc.ca/ENG/ACTS/P-8.6/page-1.html#h-416885 (Last Accessed: 5.05.2020)

[32] Personal Information Protection and Electronic Data Act, 2000, Available at: https://digitalguardian.com/blog/what-pipeda-personal-information-protection-and-electronic-documents-act-understand-and-comply (Last Accessed on 6.05.2020)

[33] Amendment to the PIPEDA, 2000. Available at:  https://laws-lois.justice.gc.ca/PDF/P-8.6.pdf (Last Accessed on 6.05.2020)

[34] Alex Walls, “GDPR Matchup: The APEC Privacy Framework and Cross-Border Privacy Rules”, International Association of Privacy Professionals, (Last accessed on 2.05.2020), https://iapp.org/news/a/gdpr-matchup-the-apec-privacy-framework-and-cross-border-privacy-rules/.
