Cyber Law Final Draft: Project Topic: The Concept of Privacy and Cyberspace
CYBER LAW
FINAL DRAFT
Project Topic:
THE CONCEPT OF PRIVACY AND CYBERSPACE
Submitted by
AKANKSHA DIPANKAR
Roll No. - 14121005
9th Semester, 5th Year, B.B.A.LL.B. (Hons.)
Submitted to
KUMAR GAURAV
Faculty of Law
ACKNOWLEDGEMENT
Projects and presentations have been one of the most appreciated areas for the holistic
development of a student. They help a student to be more curious, to know more and to
research more.
I would like to extend my deepest thanks to Kumar Gaurav sir who has provided me with all
the possibilities to complete the project. I would also like to extend my regards to my friends
for their aspiring guidance, invaluably constructive criticism and friendly advice during the
project work.
Akanksha Dipankar
9th semester
Roll No. 14121005
Table of Contents
ACKNOWLEDGEMENT
1. INTRODUCTION
INTRODUCTION
“You can have security and not have privacy, but you cannot have
Privacy without security.”
—Tim Mather
The word privacy may have different meanings from different perspectives and in different
scenarios. Perhaps it was our culture and way of life, or the failure to anticipate fast-growing
technology, that did not compel lawmakers to include the issue of privacy while framing the
legal structure of the nation. Before discussing e-privacy and data protection from the Indian
perspective, we need to define the term privacy.
The word privacy is derived from the Latin word “privatus”, which means “separate from the
rest”. It can be defined as the capability of an individual or group to seclude themselves, or
information about themselves, and thereby reveal themselves selectively. Privacy can be
understood as the right of an individual to decide who can access information, when they can
access it, and what information they can access.
The Indian Constitution defines privacy as personal liberty in Article 21, “Protection of Life
and Personal Liberty”: “No person shall be deprived of his life or personal liberty except
according to procedure established by law.” Privacy is considered one of the fundamental
rights provided by the Constitution in List I.
Privacy is recognized at the international level as a human right in different dimensions:
Privacy of person
Privacy of personal behavior
Privacy of personal communication
Privacy of personal data.
The word privacy differs from the word confidentiality. We use the words privacy,
confidentiality and information security synonymously, but these words have different meanings
and different scope. The word confidentiality simply means discretion in keeping information
secret.
With the introduction of various technologies, it has become difficult to protect information
through confidentiality alone, and the coverage of protection has been widened to include
integrity and availability so as to achieve information security. Despite the advancement of
technology and the many efforts made at the technological and legal levels, there is still a
threat to information, because the scope of privacy has remained untouched; to provide
complete protection to information, it is essential to cover privacy.
Although the digitization of data has created convenience in terms of availability, it has also
created a havoc of data overflow that makes large volumes of data difficult to manage, and this
data includes personal and sensitive information such as credit card information. Improper
handling of this data can cause damage and loss for the individual as well as the nation.
Today business is customer-centric, and the success of any business depends on users' personal
preferences. In the temptation to adopt technology, we pass on our personal and sometimes
sensitive information very easily, without giving much concern to privacy.
For example, from creating a mail account to opening an online banking account, we pass on our
personal information everywhere in day-to-day life. Ideally, the information provided must be
used only for the limited purpose for which it was collected, but in reality this information
is further processed, transmitted and exploited for unauthorized purposes without the
permission of the data owner.
In a day we receive many unsolicited calls offering various products and services, and we
never come to know where the telecaller gets the information and details to call us. These
calls are actually the result of information we provided unknowingly at some moment in time,
such as when we buy a SIM, open an account or shop online.
Although in this example the invasion of privacy leads to disturbance and mental harassment, it
may sometimes lead to financial loss or damage, and may even cause loss of reputation or life.
This has made privacy a primary concern all over the world in different forms; different
countries have adopted various laws and frameworks to protect privacy, and efforts have been
made to protect privacy not only at the legal level but also on the technical side.
There are many organizations working on a globally adopted privacy framework, such as the
OECD. Based on the OECD guidelines, the UK has adopted the DPA (Data Protection Act, 1998),
which includes 8 principles and addresses issues such as what personal information and
sensitive information are, who the data owner, data subject and data processor are, and who is
responsible for protecting privacy.
Cyberspace is shorthand for the web of consumer electronics, computers, and communication
networks that interconnects the world.1
Internet users in the present scenario are dangerously exposed to the risk of privacy
infringement in cyberspace. With the growing use of the internet by the citizens of the
country, the risk of their being exploited and victimized through infringement of their privacy
over the internet is increasing day by day. This concern is felt more in the case of youth and
teenagers, who constitute the majority of internet users and are vulnerable because they do not
understand the risk of exposing themselves to the cyber world. Social networking sites, which
are now used extensively for social interaction between individuals who upload their personal
content, have further aggravated the issue of ‘internet privacy’. There are several ways in
which the privacy of the individual could be violated in cyberspace.
Privacy is an incident of fundamental freedom or liberty. The right to privacy is one of the
basic human rights. In addition, courts in India have accorded it the status of a fundamental
right, though it is not directly provided in the Constitution of India.
In Justice K.S. Puttaswamy Vs Union of India2, the Apex Court unanimously affirmed that the
right to privacy is a fundamental right under the Indian Constitution. The verdict brought to an
end a constitutional battle that had begun almost exactly two years ago, on August 11, 2015,
when the Attorney-General for India had stood up during the challenge to the Aadhaar Scheme,
and declared that the Constitution did not guarantee any fundamental right to privacy.3
1. A more official-sounding name is the Global Information Infrastructure (“GII”). See generally The Global
Information Infrastructure: Agenda for Cooperation, 60 Fed. Reg. 10,359 (1995) (setting forth the U.S.
Government’s vision for developing the GII and identifying the policy issues critical to encouraging its use).
The United States is committed to developing its portion of the GII, the National Information Infrastructure
(“NII”). The NII has an expansive meaning, which includes low- and high-tech hardware, software, network
interconnection standards and protocols, information, and the people who make all this possible. See generally
The National Information Infrastructure: Agenda for Action, 58 Fed. Reg. 49,025 (1993) [hereinafter Agenda
for Action].
2. WRIT PETITION (CIVIL) NO 494 OF 2012
3. http://www.livelaw.in/supreme-courts-right-privacy-judgment-foundations/
Justice D.Y. Chandrachud, while delivering the main judgment, on behalf of the Chief Justice
J.S. Khehar, Justice R.K. Agarwal, himself and Justice S. Abdul Nazeer has held that privacy is
intrinsic to life, liberty, freedom and dignity and therefore, is an inalienable natural right.4
There are certain laws in force which ensure protection of the right to privacy. The right to
privacy is one of the most cherished rights of human beings, given the nature and the
importance of this right. Human beings by their very nature require a space exclusive from
interference of any kind. This is necessary for the development of their individual personality.
The fact that the right to privacy finds a special mention in the ancient texts and sources
signifies its importance to the societies of all times. This right has received recognition and
protection in societies of all times. In the modern era, the human rights movements have
considerably affected the concept and jurisprudence of legal rights. The right to privacy has
found explicit mention in all international instruments concerning human rights.5 In India, the
right to privacy has received the highest protection as a fundamental right under the
Constitution of India.
The threat to privacy over the internet is not a new phenomenon. The developed countries of the
world, where information technology is firmly rooted amongst the masses, have already adopted
security measures by which this problem can be redressed effectively to a considerable extent.
The Internet users of these countries normally observe all these security measures while
navigating in cyberspace. The latest McAfee study examines the online behavior and social
networking habits of Indian tweens and teens. The study stresses the need for more awareness
and focus on online safety for youth; the majority of internet users in India are young
teenagers who do not understand the risks in exposing themselves to the completely unknown
cyber-world6. They often fail to analyze the potential threat that they are under while using
the internet for social networking or otherwise. The privacy concerns in India are thus
unaddressed by the internet users, and the lack of security and legislative measures in this
direction is adding to the gravity of this already serious issue.
4. ANURAG BHASKAR, Key Highlights of Justice Chandrachud’s Judgment in the Right to Privacy Case, 27/08/2017
https://thewire.in/171325/justice-chandrachud-judgment-right-to-privacy/
5. Art.12 of the Universal Declaration of Human Rights and Art.14 and 17 of the International Covenant on Civil and
Political Rights
6. Kul Bhushan, Indian teens and tweens more exposed to online risks, 10 - Nov – 2014,
https://www.digit.in/internet/indian-teens-and-tweens-more-exposed-to-online-risks-24415.html
Cybercrime investigations need to take into account privacy concerns while implementing the
procedural provisions of the Convention on Cyber Crime. Cybercrime investigations require
more technical expertise and surveillance than conventional crime, but it also needs to be
ensured that there is protection of fundamental privacy principles in both national and
international law. As basic principles for the protection of privacy, there are three
international treaties that are widely recognized as the basis for the protection of privacy and
personal life: Article 12 of the Universal Declaration of Human Rights of 1948, Article 17 of
the International Covenant on Civil and Political Rights (ICCPR). The OECD guidelines on the
Protection of Privacy and Transborder Flow of Data are also of relevance in this aspect.7
Alan Westin (1967) in ‘Privacy and Freedom’ defined privacy as the “desire of people to choose
freely under what circumstances and to what extent they will expose themselves, their attitude
and their behavior to others.”8
The absolute protection of privacy on the internet, as discussed above, is difficult to imagine
and achieve. The evolution of the technology and of the law for the same is already on the
move. Self-restraint by users in their ‘web habits’ is the basic solution which may yield
positive results in this direction.9
According to the report ‘Big democracy, big surveillance: India's surveillance state’10
published by Open Democracy, India’s surveillance programs mostly started following the 2008
Mumbai terror attacks. That was when the Ministry of Home Affairs first proposed the creation of
a National Intelligence Grid (NATGRID), which will give 11 intelligence and investigative
agencies real-time access to 21 citizen data sources to track terror activities. These citizen
data sources will be provided by various ministries and departments, otherwise called “provider
agencies”, and will include bank account details, telephone records, passport data and vehicle
registration details, among other types of data. NATGRID is far from India's only data sharing
scheme. There is also the Crime and Criminal Tracking Network & Systems (CCTNS), which would
facilitate the sharing of databases among 14,000 police stations across all 35 states and Union
Territories of India, excluding 6,000 police offices which are high in the police hierarchy.
Rs. 2,000 crore (around USD 320 million) have been allocated for the CCTNS, which is being
implemented by the National Crime Records Bureau under the national e-governance scheme.
Apparently, sharing data and linking databases is not enough to track criminals and terrorists.
In September 2013 it was reported that the Indian government has been operating Lawful
Intercept & Monitoring (LIM) systems, widely in secret. In particular, mobile operators in India
have deployed their own LIM systems allowing for the so-called ‘lawful interception’ of calls by
the government. And possibly to enable this, mobile operators are required to provide subscriber
verification to the Telecom Enforcement, Resource and Monitoring (TERM) cells of the Department
of Telecommunications.
7. http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
8. Alan F. Westin, Privacy And Freedom, 25 Wash. & Lee L. Rev. 166 (1968),
http://scholarlycommons.law.wlu.edu/wlulr/vol25/iss1/20
9. Dr. Pankaj Kakde, Right to Privacy and Its Infringement in Cyberspace,
https://www.academia.edu/5635495/Right_to_Privacy_and_Its_Infringement_in_Cyberspace
10. MARIA XYNOU, Big democracy, big surveillance: India's surveillance state, 10 February 2014,
https://www.opendemocracy.net/opensecurity/maria-xynou/big-democracy-big-surveillance-indias-surveillance-state
In the case of the Indian government, the LIM system is deployed at the international gateways
of large ISPs. The functioning of these systems is immune to interception by the ISPs, and they
are kept under lock and key so as to be in the complete control of the government. Though the
government has mandated checks for monitoring and protection of user privacy, these are largely
absent. In effect, all Internet traffic of any user is open to interception at the international
gateway of the bigger ISP from whom the smaller ISPs buy bandwidth. Since the government
controls the LIMs, it directly sends software commands and sucks out whatever information it
needs from the Internet pipe without any intimation and information to anyone except to those
within the government who send the Internet traffic monitoring commands. This monitoring
facility is available to nine security agencies including the IB, the RAW and the MHA. The
government’s monitoring system, which is installed between the ISP’s Internet Edge Router (PE)
and the core network, has an ‘always live’ link to the entire traffic, which enables the LIM
system to have access to 100% of all Internet activity with broad surveillance capability based
not just on IP or e-mail addresses, URLs, HTTPs, FHTpc, tele-net or webmail but even through a
broad and blind search across all traffic in the Internet pipe using ‘keywords’ and ‘key
phrases’.11
In addition to the LIM systems being installed, the Government of India runs the Central
Monitoring System or CMS, which is a clandestine mass electronic surveillance program installed
by C-DoT, a government-owned telecommunications technology development center, and operated by
Telecom Enforcement Resource and Monitoring (TERM) cells12. Rule 419B under Section 5(2)
of the Indian Telegraph Act, 1885, allows for the disclosure of “message related information”,
or Call Data Records (CDR), to Indian authorities. Call Data Records, otherwise known as Call
Detail Records, contain metadata (data about data) that describe a telecommunication
transaction, but not the content of that transaction. In other words, Call Data Records include
data such as the phone numbers of the calling and called parties, the duration of the call, the
time and date of the call, and other such information, while excluding the content of what was
said during such calls. According to draft Rule 419B, directions for the disclosure of Call Data
Records can only be issued on a national level through orders by the Secretary to the
Government of India in the Ministry of Home Affairs, while on the state level, orders can only
be issued by the Secretary to the State Government in charge of the Home Department.
Other than this draft Rule and the ‘amendment to clause 41.10 of the UAS License
Agreement’13, no law exists which mandates or regulates the Central Monitoring System (CMS).
This mass surveillance system is merely regulated under Section 5(2) of the Indian Telegraph
Act, 1885, which empowers the Indian Government to intercept communications on the
occurrence of any “public emergency” or in the interest of “public safety”, when it is deemed
“necessary or expedient” to do so in the following instances:
11. Shalini Singh, Govt. violates privacy safeguards to secretly monitor Internet traffic,
http://www.thehindu.com/news/national/govt-violates-privacy-safeguards-to-secretly-monitor-internet-traffic/article5107682.ece
12. https://en.wikipedia.org/wiki/Central_Monitoring_System
13. https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment
However, Section 5(2) of the Indian Telegraph Act, 1885, appears to be rather broad and vague,
and fails to explicitly regulate the details of how the Central Monitoring System (CMS) should
function. As such, the CMS appears to be inadequately regulated, which raises many questions
with regard to its potential misuse and the subsequent violation of Indians' right to privacy
and other human rights.14
This program also gives security agencies and Indian Income Tax authorities centralized access
to the country’s telecommunications network and the ability to listen in on and record mobile,
landline and satellite calls and voice over Internet Protocol (VoIP), to read private e-mails,
SMS and MMS, and to track the geographical location of individuals, all in real time. It can
also be used to monitor posts shared on social media such as Facebook, LinkedIn and Twitter and
to track users’ search histories on Google without any oversight by the Courts or Parliament.
Tapping is a serious invasion of an individual's privacy, as held in “People’s Union of Civil
Liberties ... vs Union of India and Anr”15. Senior Internet researchers feel that the CMS is
chilling in view of its reckless and irresponsible use of the sedition and Internet laws. They
feel that it may be used to silence critics, journalists and human rights activists. The right
to privacy is guaranteed under the Universal Declaration of Human Rights and the International
Covenant on Civil and Political Rights, to which India is a state party. Article 17 of the
Covenant provides that “(i) no one shall be subjected to arbitrary or unlawful interference
with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and
reputation; (ii) everyone has the right to the protection of the law against such interference
or attacks.”16
For quite a long time in India there was no law governing cyber matters involving privacy
issues, jurisdiction issues, intellectual property rights and a number of other legal issues. To
optimize the benefits of ICTs and secure the confidence of users, the information society should
be made safe and secure not only through cyber laws per se but also through appropriate
enforcement mechanisms. In order to formulate strict statutory laws to regulate criminal
activities in the cyber world, the Indian Parliament passed the “Information Technology Act,
2000” to protect the fields of e-commerce, e-governance and e-banking, as well as to provide
penalties and punishments in the field of cyber-crimes. The Act was further amended in the form
of the Information Technology Amendment Act, 2008 (ITAA-2008).17
14. https://cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about
15. AIR 1997 SC 568
16. Article 17, UDHR, http://www.un.org/en/universal-declaration-human-rights/
The Aadhaar data breach (2018): Aadhaar, which means 'foundation', is a 12-digit unique
identity number issued to all Indian residents based on their biometric and demographic data.
The Unique Identification Authority of India (UIDAI), a statutory body that oversees the world's
largest biometric identity card scheme, following a report in The Tribune18 that claimed
unrestricted access to any Aadhaar number for a paltry sum of Rs 500. Contrary to the UIDAI's
statement, biometric data is not the only privacy concern with this breach. The disclosure of
demographic data, such as an individual's name, date of birth, address, PIN, photo, phone
number, e-mail, etc., is not any less of a privacy concern. This data forms the basis of many
cybercrimes, be it phishing or identity theft.
Additionally, obtaining biometric data is getting simpler, such as through the extraction of
fingerprints from photographs or the spoofing of iris scans. Obtaining biometric data will be a
huge target for cybercriminals, because of the potential of combining it with the troves of
other information already illegally available. It is extremely dangerous, therefore, to
underestimate the value of the data disclosed in this breach simply because it did not include
biometric data.
A data 'breach' is not defined under the Indian Information Technology Act, 2000 or the Aadhaar
Act, 2016. However, a data 'breach' is not limited to a technical breach like hacking the security
systems of the Central Identities Data Repository (CIDR), as is commonly understood. Gaining
unauthorized access to a database – in this case, possibly the CIDR – is very much a data breach
and a violation of privacy.
17. http://www.cyberlawtimes.com/category/cyber-laws/
18. Rachna Khaira, Tribune News Service, Jan 4, 2018,
http://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html
It is the seriousness of this act of gaining unauthorised access to the Aadhaar database, which
makes it punishable not only under Section 43 of the IT Act but also under Section 38 of the
Aadhaar Act itself.
It is a relief that the breach did not involve a large amount of data being downloaded and stolen,
as was seen in the Equifax data breach, where their grievance redressal system was hacked.
Nevertheless, each individual whose number has been entered into the system and details
extracted in this case has had his privacy violated. The potential of this breach is much greater,
with almost any Aadhaar holder's information being accessible this way.
American whistleblower Edward Snowden19 delivered a firm reproof to the Indian government
for "destroying the privacy" of its citizens and spoke out in support of the reporter who broke
the Aadhaar data breach.
The Government of India has recently decided to introduce an exhaustive law on privacy, which
will soon be introduced before the parliament. This law provides for stringent punishment,
including revocation of licenses of telecom service providers, for illegally intercepting
telephone calls and making their content public. After the Supreme Court declared privacy a
fundamental right, it is left to Parliament to define what constitutes privacy under the ambit
of the right to life and personal liberty.
Parliament will also have to define reasonable restrictions in the case of the right to privacy,
as it involves, as already pointed out by intelligence agencies, issues of national security.
With these restrictions, defining privacy is going to be a big challenge for the
parliamentarians. You cannot define the right to privacy in absolute terms. Codification of the
right to privacy will be a big problem. It will be a challenge for Parliament to accurately
define what constitutes privacy.20
19. Edward Snowden is an American computer professional who initially worked with the Central Intelligence
Agency and then the National Security Agency before being charged with leaking information about United States
Surveillance program to the media.
20. Prabhash K Dutta, August 24 2017,
http://indiatoday.intoday.in/story/right-to-privacy-fundamental-right-parliament/1/1032794.html
Another significant step taken by the government of India for ensuring cyber security and
controlling cyber-attacks in India is the National Cyber Security Policy 2013. Unfortunately,
the reactions of cyber experts to the policy in terms of privacy protection are not encouraging.
The individuals concerned have expressed the need to incorporate stringent provisions in this
policy to deal with privacy infringement effectively.
CONCLUSION
The importance of the right to privacy for the maintenance of the dignity of an individual is
beyond explanation. The legislative measures adopted in India in this regard seem to be enough
on paper, but when it comes to implementation, the lack of awareness amongst users, the
internet habits of users in India and the lack of expertise amongst the enforcement agencies
present serious challenges ahead.
In today’s privacy politics, the strong medicine of a privacy commission will be politically
infeasible until weaker medicine has been tried. In the meantime, most of us could agree that
policymakers and academics alike should work to improve public understanding of cyberspace
privacy. In continuing the privacy conversation, we must recognize that a vision protective of
information privacy in cyberspace will be singularly hard to maintain.
India needs to work more towards ensuring effective and concrete legislation for data
protection. However, while creating the laws, the legislature has to be well aware of the need
to maintain a balance between the interests of the common people and the amicable handling of
the increasing rate of cybercrimes. Technological advancements such as micro cameras and video
surveillance have had a profound effect on personal privacy. Everyone, be it an individual or an
organization, has a right to protect and preserve their personal, sensitive and commercial data
and information. India at the moment needs a dedicated law protecting the data and personal
privacy of an individual. A national privacy policy is still missing in India. The laws should
be made keeping both genders in mind rather than protecting only female rights, because in
cyberspace both males and females are equal victims. A gender-neutral law is as crucial as
technology-neutral legislation. Protecting the privacy rights of individuals requires a
re-conceptualization on both personal and professional grounds, keeping in mind human privacy
in the context of Information and Communication Technologies. To keep privacy intact, proper
training and awareness, monitoring and auditing, and incident response are required. Expression
through speech is one of the basic needs provided by civil society. Variance in the scope of
freedom of expression, combined with more online communication, has produced concerns about
censorship in cyberspace. Freedom of opinion and expression should be free from any kind of
political, commercial or other influence. It should be applied in a non-discriminatory and
non-arbitrary manner, and should be supported by safeguards against any kind of abuse, hate
speech, religious bias, etc.