This post has been authored by Raghav Saha, a 3rd year student at Gujarat National Law University.
Introduction
A student-run group at NALSAR University of Law
[This post is authored by Sohina Pawah, a second-year student at the NALSAR University of Law, who is also an Editor for the TLF]
Back in June 2022, the Ministry of Electronics and Information Technology (“MeitY”) had first released the proposed amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules 2021”) for public consultation. Recently, the MeitY notified the Amendments to Parts I and II of the IT Rules 2021 by introducing the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2022 (“IT Amendment Rules, 2022”). The IT Amendment Rules 2022 aim at the regulation of social media intermediaries by increasing the burden of their compliance, and ensuring that the safe harbours provided to them are not abused. On the whole, the Rules aim at strengthening the protective framework for the “netizens’ interests” by prioritising their fundamental rights under Articles 14, 19, and 21 of the Indian Constitution.
[This is the second part of a two-part post analyzing the Draft Indian Telecommunication Bill, 2022. It is authored by Intisar Aslam, a second-year student at National University of Study and Research in Law, Ranchi. This first part can be found here]
Decryption: Preventing Cyber Frauds or Invading Privacy?
This post is authored by Raj Shekhar, a fourth-year student from National University of Study and Research in Law, Ranchi
The Indian Computer Emergency Response Team (“CERT-In”), on 28th April 2022, issued new directions (“Directions 2022”) under the powers conferred to it by Section 70B(6) of the Information Technology Act, 2000 (“IT Act”). The Directions 2022 have sought to improve cyber-security by incorporating stringent provisions ranging from breach reporting to data retention for security purposes. Owing to its status as the national agency for the upkeep of cyber security, as per provisions of Section 70B of the IT Act, the CERT-In is also empowered to call for information and give directions to any service provider, intermediary, data centre, body corporate and Government organisation (“Entities”). However, while the Directions 2022 have received applause from many cyber security experts owing to the expedited and stringent measures for blocking and identifying cyber security threats, there have been criticisms on grounds of privacy infringement, over-regulation, etc. as well. In light of the same, this article tries to evaluate the criticisms and analyse if the Directions are ushering us into a solely optimistic cybersecurity and data regime.
[This piece has been authored by Anushruti Shah, a fourth-year law student at the Hidayatullah National Law University, Raipur]
Introduction
[This post has been authored by Ms. Vasundhara, Managing Partner, Verum Legal and Mr. Mudit Kaushik, Counsel, Zeus IP. Part One can be found here]
International Precedents and Comparison
While every nation in the world strives to ensure the digital security of its citizens, there are very few legislative developments to back up the claim. The General Data Protection Regulations of the European Parliament, which became effective from May 2018, is a unique legal framework that enforces a unilateral form of data security laws that all EU members comply with, to ensure the protection of the European market as a whole.
[This post has been authored by Ms. Vasundhara, Managing Partner, Verum Legal and Mr. Mudit Kaushik, Counsel, Zeus IP. Part Two can be found here]
Data breaches have become an issue for companies in the digital era, with no entity being spared for direct or even indirect involvement in a breach. Recently, Dominos India was subject to a data breach by an unidentified hacker who allegedly took over 20 crore order details from Domino’s India server. What must have been worrisome for Dominos India would have been the fact that they collect information such as their customer’s name, email address, contact details, location and their address.
[This two-part essay has been authored by Aarya Pachisia, a 4th-year law student at Jindal Global Law School. Part One can be found here.]
Continuing the argument of how the executive seeks to control different actors under the Bill, this article focuses on executive control over the citizens. I advance the argument in two parts. First, I argue that under section 35 of the Personal Data Protection Bill, 2019 (‘the Bill’), a notification by the executive can exempt any state agency from obtaining consent to process data of the citizens. There is no oversight mechanism envisaged by the Legislature under the Bill, as recommended by the Committee to validate or invalidate such notifications. Second, I argue that the Bill also considerably dilutes the consent framework under the Bill and drifts away from the concept of allowing the data subject to exercise control over personal data at every stage.
[This two-part essay has been authored by Aarya Pachisia, a 4th-year law student at Jindal Global Law School. Part Two can be found here.]
Technology is advancing at lightning speed, making privacy violations inevitable. Today, machine learning software is sophisticated enough to predict one’s sexual orientation, political and religious affiliation merely by processing their likes on Facebook. The WhatsApp Snooping scandal is another instance, where WhatsApp has filed a case in the court of California against the NSO group for hacking targets’ phones through the app. The case brought to light that unchecked power and the absence of a proper legal mechanism can lead to gross violations of the right to privacy.
[This post has been authored by Shamik Datta and Shikhar Sharma, first year students at NALSAR University of Law and National Law School India University respectively.]
End-to-end encryption ensures that intermediaries or third parties don’t have access to the content of the message and identity of the communicating parties. However, Rule 4(2) of the new Informational Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules 2021 specifies that all ‘significant social media intermediaries’ must enable the traceability of the first originator of a message. The collected information may be used if and when required by a court of competent jurisdiction or competent authority under Section 69A of the Information Technology Act, 2000. The information derived via the breaking of end-to-end encryption may be used to investigate offences abetted or caused by the spread of fake news. This includes open-ended offences like disturbing ‘public order’, which are broad in their scope, and thus, leave a wide scope for their blatant misuse and arbitrary interpretation. The proviso to Rule 4(2) states that intermediaries are not required to reveal the content of the message, or any other related information. However, under Rule 4 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption) Rules, 2009, the government possesses the power to demand the revelation of the content of electronic messages. The government could, upon identifying the user under the 2021 Rules, ask the intermediary to decrypt the content of other messages of the same user under the 2009 IT Rules citing “public order” (for example, citing the history of the user as a fake news spreader). This would render the proviso to Rule 4(2) of the 2021 Rules meaningless. Therefore, when the information about the first originator is gathered via enabling traceability and powers to disclose the content of the message are exercised, it leads to a break in end-to-end encryption. This destroys the very purpose of the cryptographic keys and encryption protocols developed over the years to encode the messages and safeguard the identity of their sender.