ITechLaw conference presentation, 15th Feb 2013: The quest over identity, the issues of privacy over social networking sites


  • 1. Dr. Tabrez Ahmad 1
  • 3. Agenda: Concept of Privacy; Right to Privacy in India; Industry Initiative; International Initiatives – Right to Privacy; Privacy Rights in U.K., U.S.; Threat to Privacy; The Future; Privacy & Social Network; The Digital Portrait; Concept of Digital Breadcrumbs; Social Media Users; Social Network Data Mining & Commerce; Encroachment to Privacy: A Classic Case; Privacy & Terms of Use and Agreement; Legal Position in India; Duty of Body Corporate to Frame Privacy Policy; Reasonable Security Practices; Liability on Violation of Provisions; Criminal Liability for Disclosure of Information by any Person of Information Obtained under Contract; Conclusion. Dr. Tabrez Ahmad 3
  • 4. The Concept of Privacy. Often confused with trade secrets and confidentiality, privacy refers to the use and disclosure of personal information and is only applicable to information specific to individuals. Since personal information is a manifestation of an individual's personality, the Indian courts, including the Supreme Court of India, have recognised that the right to privacy is an integral part of the right to life and personal liberty, which is a fundamental right guaranteed to every individual under the Constitution of India. As such, the right to privacy has been given paramount importance by the Indian judiciary and can only be fettered for compelling reasons such as security of the state and public interest. Dr. Tabrez Ahmad 4
  • 5. Right to Privacy – origin – Right to private property. Louis Brandeis and Samuel Warren in 1890 proposed a new tort for violation of privacy rights, followed by Roe v Wade and Griswold v Connecticut. Right of privacy vis-à-vis govt, personal, workplace, digital. The right extends over collection, retention, use and disclosure of personal information. Internet privacy to facilitate e-commerce. Right to privacy is connected with the right to freedom of speech and expression. Right to privacy is not absolute. Dr. Tabrez Ahmad 5
  • 6. Unreasonable intrusion upon a person’s seclusion; public disclosure of private facts; publicity that places a person in false light; appropriation of a person’s name or likeness invoked. Dr. Tabrez Ahmad 6
  • 7. Right to Privacy in India: Legal Position. Article 21 of the Constitution of India: the right to life and personal liberty by necessary implication confers a right to privacy – Kharak Singh v State of U.P AIR 1963 SC 1295; Gobind v State of M.P 1975 SCC 468; PUCL v UOI (1997) 1 SCC 318; R. Rajagopal v State of Tamil Nadu (1994) 6 SC 632 (Auto Shankar case). Article 19: freedom of speech and expression. Article 19(2): reasonable restrictions. Indian Penal Code. Copyright Law. Credit Information Companies Regulation Act, 2005 (“CICRA”). One of the restrictions/conditions is national security. Privacy vs national security: balancing competing interests. Dr. Tabrez Ahmad 7
  • 8. India and privacy/national security protection. India: Article 21 of the Constitution of India. Common law: an action for damages for unlawful invasion of privacy exists, with 2 exceptions: the publication relates to public record; discharge of official duties by a public servant. India: IT Act, 2000: cryptography provisions; Section 69, power to intercept; Section 72, breach of confidentiality and privacy; Section 80, power to search, seize; Section 44, failure to furnish information, etc. India: tort of defamation, Section 499 I.P.C. The Right to Information Act, 2005: national security and individual privacy concerns, see Section 8. Prevention of Terrorism Act 2002, chap. V: interception of e-mail communications. Dr. Tabrez Ahmad 8
  • 9. Industry Initiative: The National Association of Service & Software Companies (“NASSCOM”) is India's national information technology trade group and has been the driving force behind many private sector efforts to improve data security. For example, NASSCOM has created a National Skills Registry, which is a centralized database of employees of the IT services and BPO companies. This database is for verification (with independent background checks) of the human resources within the industry. Further, a self-regulatory organisation has been launched which will establish, monitor and enforce privacy and data protection standards for India’s business process outsourcing (“BPO”) industry. The organisation has already completed its initial round of funding and the final rollout phase, including industry membership, is underway. Dr. Tabrez Ahmad 9
  • 10. Additionally, many BPO service providers in India have engaged in voluntary self-regulation. To reduce the risks of misuse of non-public personal data, the BPO companies in India have adopted one or more of the following stringent security measures: posting of armed guards outside office premises; restricting entry by requiring microchip-embedded swipe cards; prohibiting bags and briefcases in the work area; making provisions that computers in workstations have no printers or devices for removable storage; banning or restricting agents or visitors from carrying mobile phones to the production floor; forbidding phone calls to and from either family or friends in employee workstations; disallowing image capturing devices like cell phones, scanners or photocopiers; restricting or prohibiting internet and e-mail access at workstations and inside most BPO companies; encryption of key information, such as passwords, which is thus unseen by employees; monitoring employees via closed-circuit television. The aforesaid protections to tighten security are an attempt by the Indian industry to ease customer concerns over theft of private information. Dr. Tabrez Ahmad 10
  • 11. International initiatives. Universal Declaration of Human Rights, 1948: Article 12 recognizes the right of privacy. Article 17 of the International Covenant on Civil and Political Rights, 1996: right to privacy. Article 8 of the European Convention on Human Rights: right to privacy. Council of Europe Convention on human right in securing privacy protection in the context of information technology came into force in 1985; now 20 states have ratified the convention. Basic principles for data protection, trans-border flow of information, establish consultation committee and procedure for future amendment of convention. European Union Data Protection Directive 1998: reaffirms principles introduced in the EU Convention. Dr. Tabrez Ahmad 11
  • 12. Guidelines – OECD – 1980 – on protection of privacy and trans-border flow of personal info: collection of personal data with consent; relevance of data to subject under investigation; specify purpose of collection; no further use except with consent + legal use; safeguards to prevent leakage; accountability is high of persons collecting info; a person’s right of access, rectification; collection limitation. Dr. Tabrez Ahmad 12
  • 13. PERSONAL DATA PRIVACY in U.K & U.S. UK: Data Protection Act 1998. Processing of data is legitimate if the person gives consent, or for legal obligation or public sector interest. Sensitive personal data is not processed till express consent is granted. Section 13: right to compensation if the data controller contravenes any provisions of the Act. US: Children’s online privacy protection, in force since 2000. U.S. Freedom of Information Act; the Privacy Act of 1974; Department of Justice v Reporters Committee for Freedom of Press. U.S. Electronic Communication Privacy Act: prohibits unauthorised interception and disclosure of electronic communications; violation is subject to civil and criminal liabilities; applies to both govt and private persons. Dr. Tabrez Ahmad 13
  • 14. Threats to privacy: hacking; cookies; HTTP; information provided voluntarily; browsers; e-mail; websites; spam; software to check employee behavior; satellite vigilance. Dr. Tabrez Ahmad 14
  • 15. The future? Without privacy protection “freedom will diminish in such an unnoticed way as clean water and air have” (László Sólyom) Dr. Tabrez Ahmad 15
  • 17.  “Never before in the history of the planet have so many people - on their own - had the ability to find so much information about so many things and about so many other people” — Thomas L. Friedman Dr. Tabrez Ahmad 17
  • 18. Social networking sites have put a totally different spin on Internet privacy. These sites are meant to encourage interaction among Internet users. They allow users both to express their individuality and to meet people with similar interests. However, this is burdened with potential threats to privacy such as identity theft and disclosure of sensitive information, and many users are still not aware of these threats or of the privacy settings provided by these sites. The sensitive personal information which social networking sites receive from their users puts them in a responsible position, as this information has an intrinsic value, particularly to commercial organisations, and misuse of information is a real risk for individuals. Dr. Tabrez Ahmad 18
  • 19. There has been a growing recognition that social networking sites need to consider more closely their use of user data, particularly data related to sensitive personal information. Personal information has become a commodity with immense pecuniary value. The rise of data aggregators with data mining tools, who provide services on the basis of collected personal data, has once again unsettled the position settled by data protection and privacy laws. This presentation concentrates firstly on the concept of data and the accumulation of personal data stored in the social networking sites, then it flows into the privacy threats these social networking sites pose to the bastion of privacy rights. The presentation ends with a discussion of data protection laws in India, including the Information Technology Act and ancillary Rules and Guidelines, and how far the Indian Legislature has succeeded in protecting one of the foremost rights of mankind. India has strengthened its data protection laws with the help of many guidelines which were promulgated in April 2011. However, it remains to be seen how much teeth these laws have in penalizing perpetrators. Dr. Tabrez Ahmad 19
  • 20. THE DIGITAL PORTRAIT. Since the advent of the Internet, digital identity has remained one of the most controversial realms of academic study. Countless scholars have pondered the composition, construction and meaning of identity for as long as history has been remembered. Regardless of specific definitions of the perplexing abstraction, which can even only be spoken about because it is given dubitable, emergent form by dynamic, contingent recognition, identity remains at the core of our understandings of self and existence as human beings. From Facebook’s use of tracking cookies to monitor users to Carrier IQ key logging software for “smart phones”, companies and governments are using digital surveillance. To some writers, the internet’s freedom is giving way to a darker possibility: that authoritarian states will use the internet for control and repression. Yet the deeper concern may be what governments do on our behalf with our tacit consent. The particular danger from the loss of privacy is that the open data and transparency agenda can encourage digital discrimination such as “weblining.” Identity is the key to linking records, and multiple identities are the key to maintaining social functioning with appropriate anonymity, while retaining accountability. Dr. Tabrez Ahmad 20
  • 21. Concept of digital breadcrumbs Almost all online activities, such as sending e-mails, filing tax declarations, managing bank accounts, buying goods, playing games, connecting to a company Intranet, and meeting people in a virtual world, require identity information to be given from one party to another. Informational self-determination has become a challenging concept to promote and protect in a world of unlimited information passing from individuals to organizations, and from organizations to each other, often described as “Web 2.0.” Our digital footprints and shadows are being gathered together, bit by bit, megabyte by megabyte, terabyte by terabyte, into personas and profiles and avatars – virtual representations of us, in a hundred thousand simultaneous locations. These are used to provide us with extraordinary new services, new conveniences, new efficiencies, and benefits undreamt. Web2.0 is the logical evolution of the Internet to permit the connecting of people to each other and to permit individual control over their interaction; Dr. Tabrez Ahmad 21
  • 22. If Internet cookies and IP addresses are counted as personal information, then Internet users have left behind personally identifiable information everywhere they’ve been. They have left “digital bread crumbs” throughout cyberspace. Social networking sites do carry a great deal of personal information, and the unwary or uninformed user may easily give away a great deal more information than they had intended. Personal information which people legitimately place on the web may have been uploaded to be shared amongst friends, but may be exploited by others in various ways. Dr. Tabrez Ahmad 22
  • 23. Social Media Users. The ubiquitous use of the Internet and the posting of personal information have created a “privacy paradox”: users of social networking websites tend to disclose a high degree of personal information online, yet retain an expectation of privacy. Privacy is more than simple legal and regulatory compliance for social networking sites. As shown by the Facebook case, privacy does matter to users. Cell phones leave a data trail, and it's becoming standard for major police departments and agencies to use this data. A survey by the Pew Research Center's Internet Project & American Life provides new data about the privacy settings people choose for their social networking profiles, and the specific steps users take to control the flow of information to different people within their networks. Dr. Tabrez Ahmad 23
  • 24.  About two-thirds (63%) of adults say they currently maintain a profile on a social networking site. Nearly six-in-ten (58%), say their main profile is set to be private so that only friends can see it; another 19% set their profiles to partially private so that friends of friends or networks can view them; 20% say their main profile is completely public. About two-thirds of internet users use social networking sites (SNS) and all the major metrics for profile management are up, compared to 2009: 63% of them have deleted people from their “friends” lists, up from 56% in 2009; 44% have deleted comments made by others on their profile; and 37% have removed their names from photos that were tagged to identify them. Dr. Tabrez Ahmad 24
  • 27.  Some 67% of women who maintain a profile say they have deleted people from their network, compared with 58% of men. Likewise, young adults are more active “Unfrienders” when compared with older users. Two-thirds of adult internet users (65%) now say they use a social networking site like MySpace, Facebook or LinkedIn, up from 61% one year ago. That’s more than double the percentage that reported social networking site usage in 2008 (29%). Dr. Tabrez Ahmad 27
  • 28. Out of all the “daily” online activities that we ask about, only email (which 61% of internet users access on a typical day) and search engines (which 59% use on a typical day) are used more frequently than social networking tools. Social networking sites are used by all age groups from 18 years to 65 years and above. The most active social network users fall in Dr. Tabrez Ahmad 28
  • 31. the age group of 18-29 years. With the growth of social networks, it's becoming harder to effectively monitor and protect site users and their activity because the tasks of security programmers become increasingly spread out. Imagine if a prison whose inmate count jumped from a few dozen to 250 million in less than five years employed only 300 guards (as in the case of MySpace). Social network security and privacy lapses exist simply because of the astronomical amounts of information the sites process each and every day, which make it that much easier to exploit a single flaw in the system. Dr. Tabrez Ahmad 31
  • 32. On any given day 61% of people in the age group of 18-29 use social networking websites like Facebook, MySpace and LinkedIn. Features that invite user participation (messages, invitations, photos, open platform applications, etc.) are often the avenues used to gain access to private information, especially in the case of Facebook. Adrienne Felt, a Ph.D. candidate at Berkeley, made small headlines last year when she exposed a potentially devastating hole in the framework of Facebook's third-party application programming interface (API) which allows for easy theft of private information. Felt and her co-researchers found that third-party platform applications for Facebook gave developers access to far more information (addresses, pictures, interests, etc.) than needed to run the app. In December of 2009 Facebook made one of the most controversial changes to their privacy policy. The nearly invisible account option was removed; this nearly invisible account lets in, by default, only those whom one wants. Dr. Tabrez Ahmad 32
  • 33. SOCIAL NETWORK DATA MINING AND COMMERCE  First, there is online stalking by companies like Spokeo, Pipl and CVGadget.  As an example, Spokeo can take an e-mail address and locate people in social networks like Facebook and MySpace.  For a small fee you can download your e-mail address book to Spokeo, and learn the habits of friends, relatives and complete strangers.  Unfortunately, both of the major social networking websites in the United States today Dr. Tabrez Ahmad 33
  • 34. Facebook and MySpace, are motivated by profit. This can be a problem, because their profits are dependent on the free flow of personal information about their customers. Facebook offers members a plenitude of privacy options. At the time of writing this presentation there are 43 settings that can be tweaked, not including a bunch for limiting information that can be seen by software applications installed by one’s Facebook friends. Facebook’s default settings for new accounts protect users in some ways. For instance, the information in one’s profile is restricted to friends and other people in one’s school, workplace or geographic networks; it is not accessible to friends of friends. But Facebook sets few restrictions by default on what third-party software can see in a network of friends. Members are not likely aware that unless they change the default privacy settings, an application installed by a friend can vacuum up and store many categories of a member’s personal information. Dr. Tabrez Ahmad 34
  • 35. Computer scientists and policy experts say that such seemingly innocuous bits of self-revelation can increasingly be collected and reassembled by computers to help create a picture of a person’s identity, sometimes down to the Social Security number. “Technology has rendered the conventional definition of personally identifiable information obsolete,” said Maneesha Mithal, associate director of the Federal Trade Commission’s privacy division. “You can find out who an individual is without it.” In its latest privacy blunder, the social networking site was forced to confirm that it has been constantly tracking its 750 million users, even when they are using other sites. This was done mainly to learn user behavior and to provide customized advertisements on the basis of user preference. The social networking giant responded that the huge privacy breach was simply a mistake: software automatically downloaded to users' computers when they logged in to Facebook inadvertently sent information to the company, whether or not they were logged in at the time. Dr. Tabrez Ahmad 35
  • 36. Australian technology blogger Nik Cubrilovic has uncovered Facebook's practices of tracking users when they are offline. Most social networking sites are free of charge; however, they depend on third-party affiliates to generate income. Many social networking sites collect and sell user information in the form of marketing profiles. One example of this is the targeted ads used by Facebook. Security and privacy related to social networking sites are fundamentally behavioral issues, not technology issues. The more information a person posts, the more information becomes available for a potential compromise by those with malicious intentions. People who provide private, sensitive or confidential information about themselves or other people, whether wittingly or unwittingly, pose a higher risk to themselves and others. Dr. Tabrez Ahmad 36
  • 37. ENCROACHMENT TO PRIVACY: A CLASSIC CASE. On September 5, 2006, Facebook unveiled its “news feed” and “mini feed” features. These new features served to aggregate the activities of a user and post them on the user's page as well as broadcast them to the user's friends. Less than a day after introducing the new features, Facebook received thousands of emails from users claiming the feature invaded privacy. On November 6, 2007, Facebook launched its Beacon program. Facebook described Beacon as a “core element of the Facebook Ads system for connecting businesses with users and targeting advertising to the audiences they want.” Dr. Tabrez Ahmad 37
  • 38. The program reported information about Facebook users' activities on third-party sites back to Facebook and posted details of a user's activities on that user's profile. Users specifically objected to the automatic sharing of details regarding user purchases on other sites. Dr. Tabrez Ahmad 38
  • 39. As a response to the harsh user reaction, Facebook changed its Beacon program from opt-out (meaning users would have to proactively un-register themselves from it) to opt-in (meaning that users would have to confirm to Facebook, on each individual instance, whether or not they wanted their information from third-party sites to be broadcast on Facebook). There are no laws or regulations that directly address how privacy on social networks should be implemented or revised. Moreover, there is no preventative protection of the privacy interests of the users of online social networking sites that would stop massive policy changes from quickly occurring. Once a social networking site decides to change its privacy policy, there is nothing requiring advance notice of the change or transparency in the process. Because of the lack of any comprehensive information privacy law, people concerned with their privacy on social networks appear to be attempting to form piecemeal protection, utilizing existing laws to address their concerns. Dr. Tabrez Ahmad 39
  • 40. Contractually there was no barrier to Facebook doing this, as it has the right to unilaterally amend its user terms at any time and users automatically accept the revised terms by their continued use. However, the perceived effect of widening the already broad license of use for Facebook to extend beyond termination raised concerns. The significance of the change was that, with the relevant wording deleted, it would give Facebook the rights to continue using a user's data even where they have left the site. Dr. Tabrez Ahmad 40
  • 41.  Just a few short years ago, consumer-oriented businesses were stuck in the world of static “focus groups” and paper-based surveys. But not even the most forward-looking of these organizations could have dreamed of the present-day scenario, where newly forged nuggets of data about consumer behavior and preferences wait to be mined by state-of-the-art BI computing infrastructure. For many social media sites, the Terms of Service (TOS) are explicitly clear and to the point: If you post content to the site you essentially grant the site permission to use the content for any purpose they deem appropriate. While each site is different in their irrevocable and perpetual right to reproduce the information found in your posts, it is wise to err on the side of caution. No matter how private you deem the content, privacy controls usually only go so far - the demarcation between private and public information remains fuzzy at best. Dr. Tabrez Ahmad 41
  • 42. PRIVACY AND TERMS OF USE AND AGREEMENTS In Social Networking Sites users provide vast amounts of data about themselves to these websites. The extent of control that users retain over that information and the right to sell, use, and transmit that personal information is typically addressed in the terms to which users agree before accessing the website and handing over their information to the social network. A terms of use agreement is a set of promises proposed by a website and agreed to by the user of the website. Accordingly, the terms of use agreement delineates the legal responsibilities of both parties and what each party is allowed to do with the information of the other party. Crafting a comprehensive terms of use agreement, therefore, is a crucial aspect of beginning a social networking website as courts will refer to the terms of use agreement to determine any claims that may arise between the two parties. Dr. Tabrez Ahmad 42
  • 43.  Browsewrap agreements are terms of use agreements the user may not read at all; the user, however, consents to the terms of use by using the website. Browsewrap agreements are typically included on a website and accessed by clicking a link which often appears on the bottom of the page. Social networking websites exist in a strange tension with their users. Networks like,, and require users to contribute to their websites in order to be a “value added” service. The term “value added” means that as more users contribute to the site with pictures, information, and applications used exclusively by the site and its users, the site becomes more valuable, and, in turn, more used, visited, and profitable. Dr. Tabrez Ahmad 43
  • 44. The concept is referred to as “sticky” content because content generated by social networking users that is exclusive to that site sticks to the site and is what draws more users to use the site. Social networking websites challenge traditional notions of ownership and consumer-owner relationships. Social networks challenge this understanding of ownership because users are constantly creating, adding to, and producing content on social networking websites, yet they do not own the material or a portion of the site. Rather, the site, by the terms of agreement, co-opts the information and declares ownership of it. Accordingly, users add value to the website; indeed, user-generated content on sites such as Facebook is what makes the site attractive for other users, and yet users never own anything they add to the site. Dr. Tabrez Ahmad 44
  • 45. Legal Position in India. The Information Technology Amendment Act, 2008 was passed when the Bill called "Personal Data Protection Bill 2006" was still under consideration of the Parliament. Since this has not been passed, it may be considered that the Personal Data Protection Bill 2006 may be allowed to lapse. Hence India will continue under a regime in which there will be no separate "Privacy Act" or "Data Protection Act". The Information Technology Act, 2008 will therefore have to serve the requirements of such legislation also. The data protection provisions do not extend beyond the territories of India. Within the territory of India, Sections 43A and 72A of the Information Technology Act, 2000 provide protection for data. Even data which is outsourced to India gets protection under these Sections. Dr. Tabrez Ahmad 45
  • 46. However, when data is sent outside the territories of India, one cannot seek protection under these Sections, nor is there any obligation cast on the countries to which India sends sensitive personal information for processing to have an acceptable data protection mechanism. The IT Act, 2008 has two direct sections, viz. 43A and 72A, which address the data protection requirements. Along with these, other sections like 65, 66, 66E and 43 indirectly penalize or provide compensation for infringement of privacy by way of unauthorized access to information. Dr. Tabrez Ahmad 46
  • 47.  The newly inserted section 43A makes a start at introducing a mandatory data protection regime in Indian law. The section obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices, failing which they would be liable to compensate those affected by any negligence attributable to this failure. It is only the narrowly-defined ‘body corporates’ engaged in ‘commercial or professional activities’ who are the targets of this section. Thus government agencies and non-profit organisations are entirely excluded from the ambit of this section. “Sensitive personal data or information” is any information that has been defined under S. 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 Dr. Tabrez Ahmad 47
  • 48. It provides an inclusive definition and treats the following types of information as ‘sensitive personal information’: password; user details as provided at the time of registration or thereafter; information related to financial information such as bank account / credit card / debit card / other payment instrument details of the users; physiological and mental health condition; medical records and history; biometric information; information received by body corporate for processing, stored or processed under lawful contract or otherwise; call data records. Dr. Tabrez Ahmad 48
  • 49. But it does not apply to “any information that is freely available or accessible in public domain or accessible under the Right to Information Act, 2005”. The import of the phrase “any information that is freely available or accessible in public domain” has not been defined. This section can be used by social networking websites to escape liability. It can be interpreted that whatever information we provide on social networking websites, like email ids, phone numbers, address, photos, sexual orientation or any kind of updates that include mention of our consumer preferences and brands, can be used by the social networking website to provide information to its business partners, as all that data is freely available or accessible in the public domain. Dr. Tabrez Ahmad 49
  • 50. Duty of body corporate to frame privacy policy. Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 enjoins a body corporate or its representative who “collects, receives, possess, stores, deals or handles” data to provide a privacy policy “for handling of or dealing in user information including sensitive personal information”. This policy is to be made available for view by such “providers of information”. The policy must provide details of: type of personal or sensitive information collected under sub-rule (ii) of rule 3; purpose, means and modes of usage of such information; disclosure of information as provided in Rule 6 (prior permission is required if data is shared with a third party). Dr. Tabrez Ahmad 50
  • 51. Issue of prior consent and limitation on use of data: Rule 5(1) of the said Rules states that the body corporate must obtain consent from the provider of information regarding the purpose of the information before collection. Rule 5(3) states that, in addition to the restrictions on collecting sensitive personal information, the body corporate must obtain prior consent from the “provider of information” regarding “purpose, means and modes of use of the information”. The body corporate is required to “take such steps as are, in the circumstances, reasonable” to ensure that the individual from whom data is collected is aware of: the fact that the information is being collected; the purpose for which the information is being collected; the intended recipients of the information; and the name and address of the agency that is collecting the information and of the agency that will hold the information.
  • 52. During data collection, body corporates are required to give individuals the option to opt in or opt out of data collection in accordance with Rule 5(7). They must also permit individuals to review and modify the information they provide "wherever necessary". The provider of information can also withdraw consent at any time. The information collected should be used only for the purpose for which the sensitive personal information is collected, according to Rule 5(5). The information collected must be kept secure by the body corporate, as mandated by Rule 5(8). However, unlike "sensitive personal information", there is no obligation to retain information only for as long as it is required for the purpose collected.
  • 53. REASONABLE SECURITY PRACTICES: Rule 8 stipulates that a body corporate shall be deemed to have complied with reasonable security practices if it has implemented security practices and standards which require: a comprehensive documented information security program; and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected.
  • 54. In case of an information security breach, such body corporate will be “required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security program and information security policies”. The Rule further stipulates that by adopting the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”, a body corporate will be deemed to have complied with reasonable security practices and procedures.
  • 55. ISO/IEC 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO/IEC 27001 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties. The rule further permits “industry associations or an entity” who are following standards other than IS/ISO/IEC 27001, but which in every case nevertheless correspond to the requirements of sub-rule 8(1), to obtain approval for these codes from the government.
  • 56. Once this approval has been sought and obtained, the observance of these standards by a body corporate would deem them to have complied with the reasonable security practice requirements of section 43A. However, it is to be noted that section 69 of the Act, which is an exception to the general rule of maintenance of privacy and secrecy of the information, provides that where the Government is satisfied that it is necessary in the interest of: the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence relating to above, or for investigation of any offence,
  • 57. it may by order direct any agency of the appropriate Government to intercept, monitor or decrypt, or cause to be intercepted or monitored or decrypted, any information generated, transmitted, received or stored in any computer resource. This section empowers the Government to intercept, monitor or decrypt any information, including information of personal nature, in any computer resource. Where the information is such that it ought to be divulged in public interest, the Government may require disclosure of such information. Information relating to anti-national activities which are against national security, breaches of the law or statutory duty, or fraud may come under this category.
  • 58. LIABILITIES ON VIOLATION OF PROVISIONS: Section 72 of the Information Technology Act, 2000 deals with situations involving a breach of confidentiality and privacy. It provides that any person who, in use of any of the powers provided in this Act, Rules and Regulations, has secured access to any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned, discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment or shall pay a fine. The keyword in the section is “secured in pursuant of any powers conferred under this Act”. Powers have been conferred under this Act on various agencies, including the Police, Certifying Authorities and officers authorised by specific notification. In the Information Technology Amendment Act, 2008 the Indian Computer Emergency Team and probably some other agencies may be conferred some powers for collection of data. Section 72 may be interpreted as applicable only to these agencies.
  • 59. Criminal liability for unauthorized disclosure of information by any person of information obtained under contract: Section 72A of the IT Act imposes a penalty on any person (including an intermediary) who has obtained personal information while providing services under a lawful contract and discloses the personal information without consent of the person, with the intent to cause, or knowing it is likely to cause, wrongful gain or wrongful loss. Such unauthorised disclosure to a third person is punishable with imprisonment up to three years or with fine up to Rs. five lakh, or both.
  • 60. CONCLUSION: Given the relatively new emergence of social networking websites, this issue is just beginning to be addressed by courts, which have been slow to integrate new technologies into privacy law. In the social networking world, and in the Web 3.0 paradigm in general, innovation often comes at a cost to privacy. An intrusion of a virtual space should be assessed based on whether the defendant learned of the plaintiff's private affairs or matters through a type of surveillance. It is also to be seen that an expectation of seclusion or solitude on social networking websites should be evaluated not by the number of people who have access to the profile or group, but rather by the privacy settings the plaintiff has implemented to restrict access to his or her information. For businesses that are focused on data mining the information on Facebook, Twitter, LinkedIn, MySpace, etc., although it is confounding for those of us that use social networks on a regular basis and live by the mantra: “What happens in the Network, stays in the Network”.