This article is written by Anindita Deb, a student of Symbiosis Law School, Noida. This article is going to elucidate on the privacy concerns which have arisen due to the pandemic and the relevant data protection laws. 

Introduction

On 11th March 2020, the World Health Organisation declared that the spread of COVID-19 has become a Global Pandemic. What started in the Chinese city of Wuhan and seemed to be an Asian problem, spread across the globe in the blink of an eye and forced countries across the world to go into lockdown. 

However, with the technological advancements of the 21st century and the continuous evolution of applications and software serving our needs, we are better equipped than ever before to combat this situation. With online delivery of groceries and medicines to work from home through Zoom and digital classrooms which make it possible to learn from the comfort of our homes, technology prevented the disruption of the life of the masses during a pandemic. Location data is being used to determine movements of people, the spread of the virus, and to ensure if the protocols are being followed. But with this comes a major concern that cannot be ignored: is the data we are compelled to share online on an everyday basis duly protected? As useful as technology is proving to be, it comes with shortcomings of global concern data protection issues. Furthermore, political and corporate players might use this situation to justify a more intrusive data use of the people and may continue doing so in the future even after the pandemic is over.

Privacy and personal information consideration

People across the world have had various questions since the pandemic brought about an online environment that required them to disclose personal information to various organisations and share it over the internet. Through this article, I would like to address some of the concerns. 

What if our privacy policy outlines the kind of personal information acquired and how will it be used, yet we need to disclose personally identifiable information (“PII”) of our customers, guests, or website users in response to COVID-19 (e.g., to the government and/or health agencies).

Various privacy policies do reveal the type of PII that the government might need an individual to disclose in extreme circumstances, like for wanting to stop the spread of COVID-19, but many of them do not do so. The policies which do reveal the types of PII typically include a type of language that describes tracking of timing and location of customer purchases, tracking the movement of the person through geolocation data from apps, cookies, and pixels. Companies normally persuade users to share this type of information in exchange for discounts on certain products or any future services. However, despite the use of this language, customers generally do not contemplate the use of PII for public health purposes. 

Given the current situation, companies and organisations must review their existing privacy policies to ensure that these policies cover the disclosure of PII to government and public health agencies for emergency purposes. Industry-standard privacy policies should also mention sharing of PII to protect a person’s health or safety, or in response to a legal obligation imposed on them. 

Customers and partners of the company should also consult relevant professionals as to whether their exceptional disclosure of PII will trigger a product, service, or a change in the organisation’s role in accordance with the existing data protection laws. 

What if, in response to COVID-19 (e.g. employee, client, or customer travel or geolocation), an organisation wishes to gather PII for wider interests such as public media, government agencies, and what all it should consider before collecting, using, or sharing it

The first and foremost step for an organisation to do so is to ensure that:

1. Such data collection and its use is lawful under the existing data protection laws, and 
2. Review their privacy policies and consent notices to determine sufficiency concerning the PII that the organisation wishes to collect, and in what manner it intends to use or share the PII that has been disclosed to them. 

If the policies in existence do not allow the usage of data in the manner that the organisation wishes to use, the organisation is obligated to update all the applicable privacy policies before requesting disclosure of PII. In addition to that, there must also be a new and/or supplemental privacy policy or notice at the time of obtaining consent and data collection which should cover any new PII that the organisation intends to collect, especially about COVID-19.

What information can an organization disclose if employees or customers have tested COVID-19 positive

As the virus keeps spreading, organisations need to identify employees, customers, contractors, and guests in the workplace who are or may be carrying the novel coronavirus. For this purpose, they will need to collect, disclose and use PII in a manner that does not breach the data protection laws in force. Organisations that seek to use and disclose personal information related to COVID-19 identified in the workplace must ensure that they comply with the following rules:

1. That the collection, use, or disclosure of the PII is for a reasonable purpose. Organisations are normally authorised to take reasonable steps to protect the health and safety of their employees, contractors, customers and guests. In response to the COVID-19 outbreak, it may be considered reasonable for the organisation to identify individuals in the workplace who are or may be carrying the virus by collecting and using their PII, and then acting upon that information under the guidelines laid down by the local public health authorities. 
2. The PII collected, used, and disclosed of the identified individuals by the organisation must only be to meet the reasonable purpose for which it was collected or disclosed such as in compliance with the instructions of the public health authorities. With regards to every collection, use, or disclosure, the organisation should consider whether there are other less invasive alternatives for achieving the same end.
3. The collection, use, and disclosure of PII without obtaining the consent of the individual must be in accordance with the law. In certain situations such as the COVID-19 outbreak that puts public health at great risk, legal provisions authorise organisations to disclose personal information of employees, customers, and guests without obtaining their consent. In case the organisation does not enjoy any such exemption by law to disclose PII, then it will have to provide notice to the individuals, and if required, obtain their consent to do so. 
4. It is important that the organisation uses an appropriate form of consent for the disclosure of PII. When determining this means, organisations must take into consideration the sensitivity of the information and the reasonable expectations of the individual. An organisation should notify its workers, contractors, and visitors that it has implemented a COVID-19 response policy, which outlines how it will handle the collection, use, and disclosure of personal information if COVID-19 is detected in the workplace.

Human rights and data protection

Constitutions and Human rights are designed keeping in mind the time of crises like a pandemic. Certain rights are inalienable, such as the right to life (unless in the case of deaths caused by lawful acts of war), the prohibition of torture and other instances of ill-treatment, the prohibition of slavery or servitude, and the rule of no punishment without law. Many other rights, however, are subject to limitations, including the right to privacy, freedom of expression, freedom of movement, and the right to freedom of assembly and association. Such restrictions may only be in force for a limited period of time. As it was stated in the case of ADM Jabalpur v. Shivkant Shukla (1976), that a person’s right not to be unlawfully detained may be suspended in case of an emergency. 

Privacy and data protection are human rights that might be suspended during a crisis. The usage of data from and by corporate agencies adds to the complexity of the problem. In the current situation, corporate firms hold the key to utilising ‘Big Data’ to combat the corona crisis. In addition, conventional data protection regulations, such as the EU General Data Protection Regulation (GDPR), emphasize individual rights and consent. As a result, they overlook several features of collective autonomy. In conclusion, conventional data protection regimes and human rights laws offer minimal protection for privacy and ethical data usage in emergencies. 

In the landmark judgment of KS Puttaswamy v. Union of India (2017), the Supreme Court of India held that the right to privacy is a part of the ‘right to life and personal liberty’ and hence will be considered a fundamental right under the Constitution of India. However, the Apex Court added that the right to privacy is not absolute, and may be limited in times when the legal framework requires doing so. 

Potential concerns

In response to the spread of the pandemic, the World Health Organisation (WHO) has directed testing, isolation, location, and contact tracing to control the spread of the virus. In this regard, many countries, including India have launched applications and software which track the location of users and their social contacts. Other technological methods like thermal screening and mass surveillance have also been adopted by the authorities. While all these applications and technological advancements are providing great assistance in the fight against the pandemic, it has raised some serious concerns over the data protection and privacy of the masses at large.

All companies store some personal information related to their customers like phone numbers, email IDs, financial transactions with each customer, and sometimes even their credit card numbers. Besides this, they also have data like personnel files, product information, customer databases containing their choices and preferences, etc. The management of these companies makes future marketing decisions based on this data in order to deliver quality products according to their customers’ preferences and ensure maximum customer satisfaction. Hence, it is clear that data is one of the most important assets for any business organisation. Thus, data protection should be a top priority for every business. This involves ensuring the integrity of the data, guarding the access of information to its employees, and maintaining the confidentiality of the data at all times. 

When a customer engages with any business organisation, ensuring that their data is protected by the company is the minimum expectation they carry. Employing a good data protection mechanism builds trust between the customers and the company. It safeguards the reputation of the business, while also establishing a brand in the market that the company is worthy of the customers’ trust. 

Position in India

The Central Government on April 2, 2020, launched the Aarogya Setu app which tracks the location of the users and notifies them of their proximity to infected individuals. The data protection laws of the country only provide a basic framework and do not exhaustively mention the responsibility of the public health authorities to ensure data protection while collecting data during a public health emergency. As per the KS Puttaswamy case, the Supreme Court of India has stated that if the state protects an individual’s identity, it can legitimately argue a reasonable state interest in public health preservation in order to devise suitable policy interventions based on the data provided. The Aarogya setu app requires users to keep their Bluetooth and GPS turned on at all times which will facilitate their location tracking through the app. This has been highly criticized by tech experts across the globe due to the fact that the application can serve as a surveillance tool for the Government. 

The State Governments of various states across the country have also launched similar applications which raise serious concerns with regards to the data protection of the citizens. The State Government of Kerala was using an application Sprinklr which enabled a foreign entity to access personal sensitive information. The High Court of Kerala in April 2020 issued an interim order directing the State Government to anonymize all the data collected in relation to COVID-19 before sharing it with Sprinklr and to obtain consent from the citizens informing them that their data can be shared with Sprinklr or other third parties. The High Court further restricted Sprinklr from committing an act that may result in the breach of data confidentiality under their contract with the State Government of Kerala and exploiting such data for any commercial purpose whatsoever, directly or indirectly, or representing to any third party that they were granted access to information relating to COVID-19 cases. Sprinklr was also ordered to return all the data upon the completion of contractual obligations and to delete any secondary or residual data in its possession. 

While a crisis like a coronavirus pandemic necessitates targeted, swift, and effective responses, it’s important to remember that data depends on context. In distinct contexts, the same dataset can be sensitive, and we need proper governance structures to ensure that this data is collected, analyzed, kept, and shared in legal and responsible ways. Location data could be highly beneficial for epidemiological study in light of the COVID-19 pandemic. However, the same location data can jeopardize the rule of law, democracy, and the enjoyment of human rights in the event of a political crisis. 

Cybersecurity laws in India

The main legislation that governs cyberspace and the activities carried on within the cyber framework is the Information Technology Act, 2000 (“IT Act”). The IT Act defines cybersecurity as the protection of information, devices, equipment, computer and computer resources, communication devices, and all the information stored therein from unauthorized access, use, disclosure, modification, disruption, or destruction. The Act not only provides legal recognition and protection for all the transactions carried out through electronic data or any other means of electronic communication, but the IT Act, along with various other rules made thereunder, also focus on areas like information security, defines reasonable security practice that must be followed by companies and redefines the roles of intermediaries, recognises the role of the Indian Computer Emergency Response Team (“CERT-In”), etc. The IT Act further led to the amendment in the scope of the Indian Penal Code, 1860, the Indian Evidence Act, 1872, the Bankers’ Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934, and for matters connected therewith or incidental thereto, which were mainly focusing on the regulation of the overly sensitive banking and financial services sector. 

The IT Act is not only applicable in India but also extends to any offence or contravention committed outside India by any person. The legal sanctions provided for under this Act include imprisonment, penalties, and also have a framework for compensation or damages to be paid to the claimants. Additionally, if a company involved in possessing, dealing, or handling any sensitive personal data or information in a computer resource that it owns, controls or operates, is negligent in implementing or maintaining reasonable security practices and procedures and this results in wrongful loss or wrongful gain to any person whatsoever, such company will be liable to pay damages in the form of compensation to the person who has been affected by their negligence. 

Some relevant rules framed under the IT Act

Information Technology (The Indian Computer Emergency Response Team and manner of performing functions and duties) Rules, 2013 (“CERT Rules”)

CERT-In has been formed as the nodal entity responsible for collecting, analysing, and disseminating information on cyber incidents, as well as implementing emergency actions to contain such occurrences, according to the CERT Rules. Furthermore, it is mandatory to report to the CERT-In the following instances: 

1. A targeted intrusion or the compromise of critical networks or systems; 
2. Unauthorised access to IT systems or data; 
3. Website defacement, malicious code attacks, denial of service and distributed denial of service (DDoS) attacks, attacks on domain name systems and network services; and 
4. Attacks on e-government and e-commerce apps. Individuals and businesses can also freely report any other cybersecurity incidents or vulnerabilities to CERT-In and seek the necessary support and technical assistance to recover from them. Unfortunately, the law’s reporting requirements are insufficient and need to be revised, as they are not mandatory and are only requested on a voluntary basis. This relieves the entities of the duty to maintain the required transparency. 

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”)

The SPDI Rules are strictly aimed at governing the corporate entities that are involved in collecting and processing sensitive personal information across India. The Rules: 

1. Mandate consent for data collection; 
2. Imply that it be done only for lawful purposes; 
3. Mandate that organisations have a privacy policy; 
4. Specify data retention instructions;
5. Provide individuals with the right to correct their information; and 
6. Impose restrictions on disclosure, data transfer, and security measures. Besides this, certain sectors like banking and insurance, telecom, health sector, etc., have their own specific sectoral rules which contain data protection provisions. In the absence of more comprehensive or stringent law, the current framework at least adheres to the fundamental principles of data privacy and gives businesses more flexibility to create industry-specific standards and best practices. 

The Personal Data Protection Bill, 2019

The Personal Data Protection Bill, 2019 (PDP Bill) was introduced in December 2019 as a new iteration of data privacy and protection legislation. Section 24 of the PDP Bill requires data fiduciaries (also known as data controllers as per PDP Bill terminology) to put in place safeguards for a myriad of purposes, including preventing misuse, unauthorised access to, modification, disclosure, or destruction of personal data. Section 25 contains provisions regarding the reporting of a breach of personal data. The clause requires the data fiduciary to inform the envisaged Data Protection Authority about the cases where a data breach may potentially cause harm to the data principal. 

In response to growing concerns about privacy and cybersecurity, the government is assessing threats, which may include political opportunities, and enacting regulations affecting vulnerable populations such as children. regulations are also being formulated that will affect the data protection framework for high-risk applications, including e-commerce platforms. 

Punishment for the breach of cybersecurity

The term “cyber-crime” covers the aspects of breach of cybersecurity. The term is not defined in any statute or rulebook, however, “cyber-crimes” are offences relating to computers, the internet, and virtual reality. 

Laws that deal with penalising cyber-crimes can be found in various statutes and regulations framed by different regulating bodies. In India, the IT Act and the IPC penalise a number of cyber-crimes and various provisions of both the acts can also be found to be overlapping with each other. The cyber-crimes penalised by the IPC and the IT Act have the same ingredients and sometimes even the same nomenclature. Following are some cyber-crimes related to data breach and their punishments as given under IPC and IT Act:

Hacking and data theft

Section 43 and Section 66 of the IT Act penalise a variety of activities like hacking into a computer network, data theft, introducing and spreading viruses through computer networks, damaging computers, computer networks, or computer programmes, disrupting any computer, computer system, or computer network, denying authorised personnel access to a computer or computer network, damaging or destroying information stored in a computer, etc. The maximum penalty for the aforesaid offences is 3 (three) years in prison or a fine of Rs. 5,00,000 (Rupees five lac), or both.

Since Section 22 of the IPC states that the words “movable property” are intended to include corporeal property of every description, except land and things attached to the earth or permanently fastened to anything attached to the earth, Section 378 of the IPC, which deals with “theft” of movable property, will apply to the theft of any data, online or otherwise. The maximum penalty for theft under Section 378 of the IPC is three years in prison or a fine, or both. Besides this, Section 424 of the IPC also applies to data theft. The maximum punishment under this section is imprisonment up to 2 (two) years or fine or both. 

Damaging computer systems or denying access to a computer system will fall within Section 425 of the Indian Penal Code, which deals with mischief. The maximum penalty for mischief is provided under Section 426 of the IPC as imprisonment of up to three months or a fine or both. 

Receipt of stolen property

Dishonestly receiving any stolen computer resource or communication equipment is punishable under Section 66B of the IT Act. The individual receiving the stolen property must have done so dishonestly or had reason to believe it was stolen property, according to this provision. The punishment for an offence under this section is imprisonment of up to three years or a fine of up to Rs. 1,00,000 or both. 

Section 411 of the IPC is also similarly worded as Section 66B of the IT Act and prescribes a penalty for dishonestly receiving stolen property. The punishment under Section 411 of IPC is imprisonment of either description for a term of up to 3 years or with fine or both. The difference is that under IPC, there is no maximum limit on the fine that can be imposed. 

Identity theft and cheating by impersonation

The penalty for identity theft is dealt with under Section 66C of the IT Act. This Section provides that anybody who fraudulently or dishonestly uses another person’s electronic signature, password, or other unique identification feature must be penalised by imprisonment of either description for a term that may extend to 3 (three) years, as well as a fine of up to Rs. 1,00,000. (Rupees one lac).

Section 66D of the IT Act defines “cheating by personation by using computer resource” as “any person who cheats by personation by using any communication device or computer resource,” and states that any person who cheats by personation by using any communication device or computer resource shall be punished with imprisonment of either description for a term that may extend to three years, and shall also be liable to a fine that may extend to Rs. 1,00,000. 

Section 419 of the IPC also establishes a penalty for ‘cheating by personation,’ stating that anyone who cheats by personation will be punished with imprisonment of any description for a term up to 3 (three) years, a fine, or both. A person is considered to be guilty of ‘cheating by personation’ if he or she cheats by claiming to be someone else, or by deliberately substituting one person for another, or by representing himself or herself as someone other than who he or she is. 

In a case of identity theft, the provisions of Sections 463, 465, and 468 of the IPC, which deal with forgery and “forgery for the purpose of cheating,” may also apply. Forgery for the purpose of defrauding is punishable under Section 468 of the IPC, which stipulates a penalty of imprisonment of any kind for a time up to 7 (seven) years, as well as a fine. Section 463 defines forgery as the making of a false document or part thereof with the intent to cause damage or injury to the public or any person, or to support any claim or title, or to cause any person to part with property, or to enter into any express or implied contract, or with the intent to commit fraud or that fraud may be committed.

In this regard, Section 420 of the IPC provides that any person who cheats and thus dishonestly induces the person deceived to deliver any property to any person, or to make, alter, or destroy the whole or any part of valuable security, or anything signed or sealed and capable of being converted into a valuable security, shall be punished with imprisonment of either description for a term extending up to seven years, and shall also be liable to pay fine. 

The fundamental difference between the provisions of the IPC and the IT Act is that the latter requires that the offence be committed using a computer resource. 

Work from home is more convenient but it serves as a gateway to cybercrime – final thoughts

Work from home has evolved as one of the most convenient developments in work ethics. Jobs that do not require physical labour can very well be performed by employees from the comfort of their homes at their own will without restricting themselves to the 9-to-5 working hours. Even after the daily cases hit an all-time low, various IT sector companies decided to continue the work from home infrastructure in order to save company resources and ensure the safety of their employees. However, while being convenient for both the company and the employees, the work from home system opens a whole new horizon of opportunities for cybercriminals to adapt their tactics and exploit employees even in their homes. There has been a substantial increase in cyber-crime statistics since the pandemic came knocking at our doors and this new version of working has been the major cause for it.

In our digital age, businesses have had to improve their cybersecurity, yet cybersecurity dangers have increased significantly as a result of distributed work. Employees who work from home are at a significantly higher risk than those who work in offices. Because residential connections are less secure, fraudsters can gain access to a company’s network more easily. Furthermore, the popularity of digital collaboration and productivity tools, solutions, and services tends to have the bare minimum of security default settings, and updates from third-party suppliers can easily change security preferences and be neglected. 

Threats like phishing and ransomware can more readily evade company defences when they aren’t in the immediate environment of an office. In a traditional office setup, workers can quickly query adjoining coworkers, which provides a natural barrier against phishing.  Indeed, when working from home, such checks may be more difficult to replicate, especially for less tech-savvy employees or those who are not connected to the @security channels on Zoom or Teams (if the company even has those). Before the pandemic, managers who were aware that corporate security was beefing up fraud detection dismissed a test phishing message; however, employees working from home exhibited a higher tendency to click on phishing emails since they were not in the loop.

In the work-from-home concept, ransomware also has a benefit. Workers will have a harder time getting help from the right experts and authorities if their connection to the company is cut off. Furthermore, because trust levels are weaker when working from home, some employees may be anxious that they have “done something wrong” and so be hesitant to request assistance. While additional training and messaging that vigilance and involving corporate IT would be rewarded will help mitigate this risk, it is still an uphill struggle.

While the work-from-home structure has its own shortcomings, it is evident that this system is here to stay for quite some time, at least since it is completely safe for workers to start working at full strength in their offices. Until then, some legal remedies can be sought in case a user has been a victim of cybercrime. 

Section 43A of the Information Technology Act of 2000, which includes fines and compensations for offences such as “damage to the computer, computer system, or computer networks, etc.” provides the victim with the right to file an appeal in court for compensation for the wrong done to him. Anyone who deals with sensitive data, information, or maintains it on their own or on behalf of others and recklessly compromises such data or information will be held accountable under this section and may be ordered to pay compensation at the discretion of the court. Offences involving “tampering with computer source documents” are punishable under Section 65 of the Act. 

There are some crimes that are not covered under the IT Act since they are already covered by other laws, such as “cyber-defamation,” which is covered by the Indian Penal Code, 1860. Because the impact of such an online offence is the same as it is offline, the term “defamation” and its punishment are specified in this Act, there is no need for a separate definition elsewhere.

NIST Compliance – the need for India to implement a similar compliance structure to ensure data protection

The National Institute of Standards and Technology (NIST)  is a non-regulatory government agency that develops technology, metrics, and standards to help U.S.-based science and technology companies innovate and compete more effectively. NIST contributes to this effort by developing standards and guidance to assist federal agencies in meeting the Federal Information Security Management Act’s (FISMA) obligations. NIST also offers cost-effective programmes to help those agencies protect their information and information systems.

Many of the country’s most inventive firms rely on the National Institute of Standards and Technology for technological growth and security. As a result, many high-tech firms have made compliance with NIST standards and guidelines a primary priority.

NIST recommendations are often developed to assist agencies in meeting specific regulatory compliance obligations. NIST, for example, has listed nine steps to complying with FISMA:

• Categorize the data and information you need to protect.
• Develop a baseline for the minimum controls required to protect that information.
• Conduct risk assessments to refine your baseline controls.
• Document your baseline controls in a written security plan.
• Roll out security controls to your information systems.
• Once implemented, monitor performance to measure the efficacy of security controls.
• Determine agency-level risk based on your assessment of security controls.
• Authorize the information system for processing.
• Continuously monitor your security controls.

The advantage of NIST compliance is that it aids in the security of an organization’s infrastructure. NIST also lays out the groundwork for organisations to follow in order to comply with specific regulations like FISMA. India can benefit by implementing a similar guidance manual for data protection. 

Conclusion

The pandemic has forced people to take safety measures and follow government protocols to reduce the risk of infection, and until the time is right for all the employees to resume working in offices at full strength, companies are compelled to employ the work from home system. However, it is necessary that companies, as well as their employees, take all precautions regarding the safety of their computer systems and files contained by them. Installing anti-virus software and forming strong passwords are only some of the few things that the users must ensure while using electronic devices. Besides that, one also needs to keep updated on the cybersecurity laws which can come to aid in case they have been a victim of a cyber-crime. 

References

• https://www.bennettjones.com/Blogs-Section/Privacy-Considerations-When-COVID-19-Identified-in-the-Workplace

• https://www.episerver.com/guides/covid-19-privacy-considerations

• https://jhumanitarianaction.springeropen.com/articles/10.1186/s41018-020-00072-6#Sec3

• https://www.mondaq.com/india/data-protection/928998/covid-19-implications-on-the-data-protection-framework-in-india

• https://www.lexology.com/library/detail.aspx?g=d7b0a465-cc55-48e9-9534-b05bf0c036bd

• https://www.mondaq.com/india/it-and-internet/891738/cyber-crimes-under-the-ipc-and-it-act–an-uneasy-co-existence

---

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: