Data privacy in modern day context
Since India’s Information Technology Act came into existence in the year 2000, the concept of data privacy has gained more importance.
The Information Technology Act, 2000 (amended in 2008) defined data as a representation of knowledge, facts, concepts or instructions which have been processed in a computer system in a formalised way, and are stored internally in the memory of the computer.
With this definition coming into force, stakeholders started giving serious consideration to the privacy of data, since digital data, particularly private and financial data, is vulnerable. The Information Technology Act, 2000 already had provisions prohibiting unauthorised access to digital data. With the 2008 amendment, unauthorised accessing, vandalising or re-fabricating the data for misuse has been made punishable. All these penal provisions contribute to the concept of data privacy law.
It needs to be understood that data can be of several types: publicly available data, private data and financial data. The concept of private data has a wider scope, covering health data, professional profiles that may be used by workplaces, private pictures, PAN card or Aadhaar card details, and so on. Financial data has been considered a separate type of private data, where the data generator can be the bank as well as the person who uses the banking facilities, including online money transactions.
On the other hand, public data may include data that has been made public either by the data generator, including the owner of the data, or by the data processing unit.
The Information Technology Act, 2000 (amended in 2008) makes corporates responsible for the protection of the sensitive personal data they deal with, handle or process. This means that any organisation, including any corporate firm, bank or Internet service provider, may become responsible for protecting the data. It may be punished for a failure in its duty, particularly if it does not show due diligence to protect the data under its purview.
In my experience as a cyber victim counselor, I have seen many victims whose private data privacy has been breached. There are several ways of breaching the data privacy and some of these have been recognised by the existing laws as well.
One of the well-known ways of breaching data privacy is unauthorised access to the data. Popularly, this is known as hacking. Notably, the term ‘hacking’ is not used in the Information Technology Act 2000. Unauthorised access to data may be done by accessing the password and username.
What concerns me more is the victim’s participation in breaching the privacy of the person's own data. In most cases of interpersonal cyber victimisation, the victim may unknowingly make personal data available to the perpetrator. This enables the perpetrator to carry out several types of online harassment and crime, including the creation of a fake avatar of the victim on social media and adult entertainment sites to defame the victim, sextortion, blackmailing or spreading defamatory information about the victim to others. In this case, besides the perpetrators, the websites from which the personal data has been leaked may be held responsible, and even prosecuted if they fail to restrict further circulation and misuse of the data.
Victim participation may also be noted in cases of privacy breach of financial data. In this case, the victim unknowingly reveals banking details such as the banking password, PIN numbers, etc. This is also known as phishing. In cases like this, the banks may be held responsible for failure to protect data, as the verification on the bank’s side failed to detect unauthorised users.
However, it must also be understood that in cases where the victim's mobile phone may also have been accessed without authorisation as a part of the victimisation, the banks may argue that they bear no responsibility, as they may not be aware of the ‘phone hacking’.
It is unfortunate to note that India still does not have any law for the protection of the privacy of data, including digital data, even though a Data Privacy Bill was drafted way back in 2011. While the existing laws, including the Indian Penal Code (especially after the 2013 Criminal Law amendment), have been supporting the victims, lacunae do exist in legal procedures and legal understanding in this regard.
Further, a majority of the victims are not even aware of the privacy settings that are offered by websites. By privacy settings, I mean the reporting mechanism for informing the website of a privacy breach. When a victim identifies a breach of privacy of data, he/she must report the content that contains the private data to the website concerned.
Further, the victims must also remain cautious of any kind of suspicious activity in the form of suspicious emails or bank verification messages. Any such activity must be reported to the body corporate and, in more serious cases, to the police.
Also, the victim should not adopt an irrational coping mechanism to deal with the breach of data privacy; it is never advisable to contact a hacker to recover the data or to approach the perpetrator. Often this leads to an escalation of the problem. It is, therefore, best to report the matter to the police with all evidence in hand. Above all, breaches of data privacy may be prevented if the data owner remains cautious and aware. We need to remember that we live in a digital era and, hence, we have to be extra careful about our digital data.