This article, written by Shoronya Banerjee from Amity University, Kolkata, discusses the system of intermediaries and data repositories and the scope of their liability during breaches.
Protection of data and personal information and the improvement in the lives of people is a long-term expectation, with institutions setting up and establishing huge and complex datasets to protect certain data and make data publicly available with ease. However, there are several stumbling blocks in the path of extracting the benefits from open data. Data users still face difficulty in accessing data, a poor standard of data literacy, low availability of social and financial capital for utilizing open data, and so on. Open data intermediaries are important in linking complex open datasets with user needs.
The development of Information Technology has facilitated the establishment of cyberspace, which has brought in the system of sharing and storing data. It has also attracted threats, and data breaches can be caused easily without the offender on the other side of the screen even being traced. This whole system includes data repositories and intermediaries, which play a huge role in securing data or disclosing it publicly. While intermediaries link to sources and collect data to maintain and store it, data repositories relate to an infrastructure for databases where data can be collected, maintained, stored, managed, analyzed, and reported.
A data repository means a place that stores data, facilitates its usage by making it easily available, and organizes and analyzes it. It may also be considered a suitable, specific location where data can be submitted. Data repositories could have certain standard requirements in relation to the subject or research domain, data access and usage, data structuring, and so on. Certain data repositories also have restrictions on who can store the data and on the qualifications, nature, and quality of data. Open data repositories are favorable as they are open to receive data from anyone. Institutions could have their own separate data repository as well.
There are several kinds of data repositories, such as data lakes, data marts, data cubes, and so on. A data lake is a huge data repository that can contain vast data systems in their original format. It can hold raw data, and every object has a uniquely identifying key along with certain metadata tags. Data lakes do not have an already bounded structure; when the need to use the data arises, it is analyzed, structured, and then used. The structure can be configured according to the need of the user, and a data lake also provides storage at a very low price. A data warehouse, on the other hand, is extremely essential for business intelligence. It denotes a system used for reporting and analyzing data. Data warehouses have the capability to store present and historical information and data together in one source. Just like these, there are several other repositories. India has the government-supported and sponsored National Data Repository (NDR), which is a system of preserving, updating, and promoting data for systemized usage and future development. The NDR has been working since 28th July 2017. It mainly provides storage for hydrocarbon exploration and production data. These data are preserved and used when necessary. It has also provided opportunities for petroleum exploration.
Working with data repositories
Working with data repositories requires certain hardware and software decisions to be made. All stakeholders have to be involved and engaged at the time of project development and while the repository is being used. Someone appealing to people across departments can bring them in to utilize the data repository, because the system needs to keep growing and be treated as an ongoing, working system. Ideally, for efficient usage, the extent of a data repository should be further structured, developed, and maintained by expert workers. To keep its scope moderate, smaller and limited sets of data and data subjects should be considered. The complexity of the system should be further grown and developed as soon as the data users begin working with and learning about the existing system. The repository should be developed as the type of data it collects changes. This development and adaptability stimulate change and progress in technology. Metadata is extremely essential for reporting data and carrying out quality analysis of it.
A data repository used to store and maintain volumes of data initiates a safe and secure process for an enterprise’s security system. Endorsing and approving a complex security system, and allowing only authorized users to access, alter, store, or transmit data, is an important requirement. Digital signatures and authentication are an important part of the procedure to keep confidential data safeguarded in the repository. Storing, maintaining, and analyzing data is an extremely important part of an enterprise. This helps in making accurate and definite decisions in relation to business. Data repositories used as part of data management also help in better decision making with regard to business. Having all the data stored together helps in analyzing and comparing it to come up with efficient decisions. The compartmental division of data in the repositories helps in better identification of certain problems. It has to be ensured that database management systems have the ability to be developed and remain compatible with the growth in the database. Since all the data is clustered together, it could be easy for an unauthorized user to access all data at the same time if the system is not protected well.
A data intermediary obtains, controls, maintains, and applies data. The data stored could be the available public data in federal, state, or local data portals, data related to long-term agreements accompanied by source agencies, or primary data sources received through partnership. An essential role of data intermediaries is to safeguard and protect data against unauthorized use. Essential, productive, and effective help could be provided if communities design a data intermediary website for the purpose of sharing analysis on problems and data systems, introduce a way of obtaining downloadable data, coordinate information and data, and provide help desk services wherever required. The intermediaries should utilize the data to manufacture products and services for the advantage of the community.
Intermediaries facilitate the connection between data providers and people who can use data for some work or advantage or utilize data-driven products. Data intermediaries help in expressing and establishing the demand for data, creating data, and such applications. Internet intermediaries have emerged as important elements required in the development of the Internet and creative content. They acquire, store, locate, and search for content and allow it to reach people all over the world. But their developing influential role has raised a question about the guard against online copyright infringement. The emergence of user-generated content websites, online video streaming websites, and free online storage for data and information highlights the ever-evolving online space. Internet Service Providers (ISPs) are in a position to control third-party actions and to survey the potential paths for delinquent activities, which presents them as an attractive regulatory target. Primary delinquents are difficult to catch, as they are either large in number or too anonymous to be recognized. The existence of ISPs makes everyone easy enough to locate. ISPs can be held liable for copyright infringement, but this is often debated, and the defense uses it against imposing liability on ISPs.
Data and privacy of data
The Information Technology Act, 2000, under its Section 2(1)(o), defines the term ‘data’ as a representative form of knowledge, facts, information, instructions, and so on, prepared or being prepared and processed in a computer system or a similar network, which could be in any form or even stored in the memory of the computer. The definition of ‘data’ put forth by the electronic consent framework issued by the Digital Locker Authority could include static as well as transactional documents. But data is not only available through an electronic platform; it can be stored in physical form as well.
With technological development and scientific progress, the data generated through electronic devices has increased over the years. Several established businesses work on analyzing ‘big data.’ Important business strategies depend on such analysis. The speed that the work gains with the help of technology adds to business efficiency and results in monetary and commercial gains. But in this process the right to privacy is often taken for granted. The right that helps an individual to be free from inappropriate publicity, abuse of character, the interference of others in their lives, and so on is threatened by this development and data business.
The Supreme Court has put forth guidelines regarding the requirement for the State’s interference in a matter related to fundamental rights. The State can intervene to protect state interests, but there has to be a law present for validating such an intrusion, an important prerequisite of Article 21 of the Indian Constitution. But such a law has to be authorized and be consistent with Article 14 of the Constitution, and it has to be proportionate to the need for which the legislature approves and passes it. The debate between adopting a ‘rights-based’ data protection model in contrast to the current ‘consent-based’ model in the case of data privacy is everlasting in India. The consent-based model deals with the utilization of private data after the user’s consent is confirmed. The ‘rights-based’ model, by contrast, confers upon the user better and more specified rights over their data; it also requires the data controller to safeguard the rights of the users, which helps in better and safer control over the users’ personal data. Cases of data breaches and privacy rights allow Indian citizens to pursue judicial relief, which could have an effect on the policies related to privacy and protection followed and adopted by tech companies in India. A user facing a data breach can file tort-based claims and also rely on their fundamental right to privacy.
Information Technology Act, 2000
The IT Act plays an important role in the sphere of data protection, especially after the amendments that were brought in 2008. Section 43A of the Act is essential for data protection as it puts forth that when a body handling, dealing, controlling, storing, and maintaining personal data neglects the security protocols and practices required in consistency with the personal data and causes ‘wrongful loss or wrongful gain’ to someone, that body is liable to compensate the person facing the data breach and wrongful loss by paying the damages. An imprisonment term extending to three years with a fine of ten lakh rupees is the penalty for identity theft, illegal utilization of electronic signature, tracking passwords, and hacking unique identification features under Section 66C of the Act. Also, as per Section 72A, if any person, even an intermediary, gets access to personal information about another individual while providing services as per a set contract, and, for causing a wrongful loss to that person and gain to himself, reveals and discloses such information without consent and in violation of the contract, then that person shall be liable to an imprisonment term extending to three years and a fine extending to five lakh rupees, or both.
Data breaches in 2019
Data breaches of Indian companies seen in 2019 were mainly due to unprotected servers, leading to huge losses altogether. The country as a whole faced over 3,00,000 cybersecurity breaches, as reported by the Computer Emergency Response Team-India. Some of the companies and start-ups that faced such breaches and attacks were Airtel, Nykaa fashions, Oyo, Indian Space Research Organization, and so on.
Although some only focus on the financial losses that follow data breaches, the consumer trust at stake cannot be ignored either. All these companies and organizations have their privacy protocols and legal liabilities in case of data breaches. Therefore, such incidents are followed by the imposition of legal liability and penalties for such breach. To avoid these, steps have to be taken. It is essential to instill detection and notification processes. A data breach faced by one company is not limited to it; it also affects the data of other companies working along with it in partnership or collaboration. The average cost of a data breach on a worldwide basis in 2019 was found to be $3.92 million, which was a 1.5 percent increase in the cost from 2018, as found by the Ponemon Institute in Michigan. As noticed, domestic internet-consumer companies do not have a proper system to detect problems and handle them accordingly. Certain companies are not even aware of where to report these bugs.
The threat caused by WhatsApp
A set of rules that were notified and published in December 2018, and are under consideration, would make technological intermediaries like WhatsApp, its parent company Facebook, and so on become the keepers of any data or information put online. It was claimed that this would also help in keeping tabs on people trying to conduct illegal activities online. These intermediaries would decide which information they would have to keep in their store.
These rules would require several companies to bring changes in their policies. A lot of critics raised the point that this violates privacy as well as freedom of speech and expression. WhatsApp usually encrypts all messages, which makes them impossible for companies to read, and this apparently makes it difficult for WhatsApp to monitor users and their activities. Under the set rules WhatsApp would not follow the encryption system anymore. This has put digital rights advocates in fear, as this in all probability would violate privacy rights and laws. The Intermediary Guidelines will not be WhatsApp-specific. They would be applicable to all internet companies which store, control, maintain, and publish useful information and data. The Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018 received acceptance from the law ministry in 2020 and after revision it will be implemented soon.
Aadhaar database breach
The importance of the Aadhaar card in an Indian’s life is also reflected in the Aadhaar database containing the biometric data of all the citizens in India. The Aadhaar data breach cases have brought in loss and a fear of personal data being stolen by unknown people. In 2017 a security researcher disclosed a website that had leaked the Aadhaar data of more than five lakh minors. Subsequently, the researcher also put forth a warning about several other such websites that still existed.
The Unique Identification Authority of India, containing data regarding residents, and stores of an area, and so on, had filed a report against Axis Bank Limited, Suvidhaa Infoserve, a business correspondent of Axis, and eMudhra. These three companies had been working with several Aadhaar transactions by utilizing already stored biometric data, infringing the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016, which outlaws the storing of such data.
Such incidents have raised a huge question about legal liability and the right to privacy in case of such breaches. The Aadhaar Act does not mention any notice to be provided to an individual upon the breach of that person’s personal information. But this had initially been suggested by the Justice Shah Committee dealing with the issue of privacy in 2012, for formulating a structure for the new privacy law. Although under Section 6 of the Aadhaar (Sharing of Information) Regulations an individual’s Aadhaar number is prohibited from being published publicly by a person or agency, the users don’t have the right to know about such a breach of their data. Since under Section 47(1) of the Aadhaar Act the Unique Identification Authority of India is vested with the authority of dealing with complaints in the matter of breach of privacy, the court cannot take cognizance of any offense as appealed by individual users. The case against Axis Bank mentioned earlier has resulted in Axis Bank being forbidden from administering Aadhaar-based transactions. Under Section 8(1)(a) of the Right to Information Act, the government or authorities cannot be forced to disclose information that could affect the sovereignty and integrity of the nation, or interfere with and disrupt international relations, security data, economic interests, and so on. The government doesn’t even have a legal necessity to publicize the probable data at the end of amending and fixing a case of data breach. Aadhaar data breaches are considered to be a state secret.
Private companies certainly focus on and give huge importance to the strategies related to privacy policies and measures of retaining economic interests. Policies of choice and privacy controls are great developments, but they do not affect the surveillance protocol of the intermediaries. They give the intermediaries a reason for developing their data processing methods on the basis of the user’s agreement to the proposed privacy terms. Without rigid and protected methods, information intermediaries could continue formulating and establishing policies consistent with their business strategies and goals even if doing so infringes privacy commitments. Government agencies transfer their responsibility regarding privacy policies onto companies because of the power differential existing between users and the information intermediaries who set up the platform for establishing such rules.
When the government initially notified the time at which it would put forth the amendments to the intermediary liability rules, three companies, Mozilla, GitHub, and Cloudflare, requested the Indian government to maintain the standard of transparency of the recommended amendment to the set intermediary regulations, as they feared the new rules would increase surveillance and favor only better-off and stronger companies. These companies requested that the amendments allow the internet to stay an open and competitive area. The companies feared certain new amendments placing a great burden on several online intermediaries. These amendments would have the potential of challenging new startups with building strong and expensive infrastructure, data protecting systems, and lawyers.
Intermediaries explain the usefulness of data. Multiple intermediaries facilitate the better usage of data, as a particular intermediary cannot contain all the capital required to maintain the worth of the transaction between the provider and the end-user. Collaborating with several intermediaries could be advantageous for the government instead of dealing with a common intermediary with limited capital and data. Several funding models should be checked in terms of sustainability, as open data initiatives could involve risk.