24 September 2024

Data Privacy And Cyber Security Newsletter | August 2024

Dentons Link Legal

Contributor

Established in 1999, Dentons Link Legal is a full service corporate and commercial law firm with over 40 partners and 150 lawyers across multiple practice areas. With offices across all major Indian cities and access to more than 200 offices in more than 80 countries of Dentons’ combination firms across the world, Dentons Link Legal is equipped to assist you in achieving your business objectives with the help of a team of experienced, well trained and qualified lawyers. The Firm’s clientele includes some of India’s leading corporate groups, public sector undertakings, public sector and private banks, private individuals, and multinational corporations across the world.

Welcome to the first Edition of the Data Privacy and Cyber Security Newsletter for August 2024. This quarterly Newsletter traces the evolution of the regulatory landscape given the classic problem of technology outpacing regulatory effort. It captures not only the highlights of the key regulatory interventions but also the industry response to them and the judicial pronouncements that establish the position of law in interpreting them. With data being the new gold in the global economy, protection of data and security of cyber networks assume paramount importance. In the run-up to the enforcement of the already notified Digital Personal Data Protection Act, 2023 in India, which significantly mirrors the principles of the EU General Data Protection Regulation 2016, regulatory initiatives of industry bodies such as the DSCI and international collaborations chart the course for the expected regulations in India.

Industry Updates

1. Data Security Council of India ("DSCI")¹ publishes the 2024 Cybersecurity Outlook²

July 8, 2024: The Cybersecurity Outlook 2024 delivers an in-depth examination of the changing cybersecurity landscape, providing insights into current challenges and emerging trends in the space.

Some of the key features of the Cybersecurity Outlook 2024 are:

  1. A paradigmatic move towards password-less authentication by leveraging biometrics, security tokens, hardware keys and magic links to revolutionize security, streamline user experience, reduce costs, etc.
  2. Cybersecurity's emerging role as a critical public good in Environmental, Social, and Governance (ESG) discourse, increasing liability and accountability for companies and making cybersecurity practices for organizations a necessity, rather than an option.
  3. Reshaping cyber risk management by adopting Cyber Risk Quantification (CRQ), transitioning threat impacts from qualitative to quantitative evaluations and making cyber threats tangible, measurable and mitigable.
  4. Comprehensive Reporting Obligations for security and privacy breaches mandated by Reserve Bank of India, Securities and Exchange Board of India and the Digital Personal Data Protection Act, 2023.
  5. Data Privacy Integration in an organization's objectives and operations
  6. AI Evolution in Cyberspace

2. Cyber Security Conclave³

May 24th, 2024: The Cyber Security Conclave was jointly organized in New Delhi by Common Services Centers ("CSC") and United Service Institution ("USI"), at which important strategies for implementing cyber security were discussed. Apart from important discussions in the space of cyber security (like combatting cyber threats, etc.), a Memorandum of Understanding was signed between the CSC and USI to strengthen cyber security.

3. WhatsApp to discontinue its services in India if directed to break encryption⁴

April 25, 2024: WhatsApp LLC ("Petitioner") has filed a petition challenging Rule 4(2) of India's Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules"), which mandates 'significant social media intermediaries' like WhatsApp to trace and reveal the identity of the first originator of any information, such as messages, upon government or court orders. WhatsApp argues, amongst other things, that the requirement of identifying message originators will compromise user privacy and encryption and infringe upon the right to free speech and expression. The Petitioner also argues that this requirement under the IT Rules is ultra vires its parent act, i.e. the Information Technology Act, 2000, which states that "...no person providing any service as a network service provider shall be liable under this Act, rules or regulations made thereunder for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention."

Further, the Petitioner contends that complying with the rule would necessitate changing its privacy policies and potentially weaken encryption safeguards. It therefore warned that, if forced to break encryption, it will cease its operations in India. These petitions have been transferred to the Delhi High Court and are set for hearing on August 14, 2024. This legal battle underscores the clash between regulatory requirements, digital privacy, and encryption standards in the digital communications landscape.

4. MeitY via notification dated March 20th, 2024⁵ notifies Fact Check Unit⁶

March 20, 2024: The Ministry of Electronics and Information Technology ("MeitY") has, vide Notification dated March 20th 2024, notified the Fact Check Unit ("FCU") under the Press Information Bureau of the Ministry of Information and Broadcasting ("MIB") as an investigation arm of the Central Government with respect to Cybersecurity. FCU was established as a deterrent to creators and disseminators of fake news and false information. It is pertinent to note that the investigative role of the FCU is restricted to allegedly suspicious and questionable information pertaining to the Government of India alone and does not extend to individuals and citizens. It has the power to undertake investigations either suo motu or via complaints; however, it does not have the power to act in a judicial capacity. FCU has also taken measures to increase accessibility of the fact-checks to persons with disabilities, for instance, by providing alternative text to ensure universal reach, acknowledging that images form a significant component of content shared digitally.

5. MeitY issued additional advisory on due diligence by Intermediaries / Platforms under the Information Technology Act, 2000 and Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021⁷

March 15, 2024: The MeitY issued an advisory in regard to due diligence by intermediaries/platforms under the Information Technology Act, 2000 ("IT Act") and Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules").

The objective of the advisory was to address the negligence of intermediaries and platforms in undertaking their due diligence obligations under the IT Act and IT Rules. Intermediaries and platforms were guided to comply with the following:

  1. ensure that use of AI models/software on or through its computer resource does not allow users to host, display, upload, modify, publish, transmit, store, update, or share any content that is 'unlawful' under the IT Act or IT Rules;
  2. that their computer resources in itself or through the use of AI model(s)/LLM/Generative AI, software(s) or algorithm(s), do not permit any bias or discrimination or threaten the integrity of the electoral process;
  3. under-tested or unreliable AI models/software etc. should be made available to users in the Indian internet, only after appropriately labeling the possible inherent fallibility or unreliability of the output generated. A 'consent popup' or equivalent mechanism may be used to explicitly notify users of these risks;
  4. users must be informed through terms of service and user agreements about the consequences of sharing unlawful information. This includes actions such as disabling access, removing non-compliant content, and potentially suspending or terminating user accounts, in accordance with applicable laws.

Further, it has been provided that when intermediaries enable the creation, generation, or modification of text, audio, visual, or audiovisual information through software or computer resources, such information should be marked with a permanent, unique metadata or identifier, such that it can be used to identify that the information has been created, generated or modified using the computer resource of the intermediary.

6. The Government of India, Ministry of Home Affairs had issued an Office Memorandum ("OM") titled "Forwarding of MeitY's communication regarding CCTVs"

April 26, 2024: The Ministry has issued an Office Memorandum directing all Government agencies (in respect of CCTV) to adhere to MeitY's communications regarding CCTVs, which are:

i. Notification dated March 6, 2024 on the amendments to Public Procurement Order (PPO)-2017 for CCTV/Video Surveillance Systems

With the intention of propelling the 'Make in India' campaign to promote manufacturing and production of goods and services in India, MeitY laid emphasis on locally manufactured Video Surveillance Systems for Security. It further mandated specific compliances for the security of CCTVs, with testing parameters, to ensure the protection of sensitive information.

ii. Amendment notification dated April 9, 2024, to the "Electronics and Information Technology Goods (Requirement of Compulsory Registration) Order, 2021"

As per the Order, no person shall manufacture or store for sale, import, sell or distribute goods which do not conform to the Indian Standard specified in the Order. Manufacturers of these products are required to apply for registration from the Bureau of Indian Standards (BIS) after getting their product tested by BIS recognized labs.⁹

iii. MeitY Advisory dated March 11, 2024 on the Threat of Information through CCTV/Video Surveillance system

Comprehensive security guidelines for CCTV cameras in light of concerns raised by various Ministries and Departments regarding security implications associated with CCTV cameras, and cyber auditing and testing of hardware pertaining to them and other Internet of Things (IoT) devices.

Judgments

Supreme Court

1. Supreme Court stays the Madras High Court order which upheld the right to privacy as an inalienable right

July 24, 2024: In Ikanoon Software Development Pvt. Ltd v. Karthick Theodore & Ors. SLP(C) No. 15311/2024, the Supreme Court of India has stayed the order passed by the Madras High Court which held that right to privacy is an inalienable right.

Background

February 27, 2024: In Karthick Theodore v. The Registrar General and Others (W.A.(MD)No.1901 of 2021), the Madurai Bench of the Madras High Court evaluated the discretionary right of a litigant to not have their personal sensitive information published in judgments (dated 30.04.2014 in Crl.A.(MD) No.321 of 2011). The Petitioner was aggrieved by the refusal to redact his name and identity from certain judgments by the Registrar General and Ikanoon Software Development Pvt. Ltd., a legal database online platform Indian Kanoon ("Indian Kanoon"). The Petitioner had faced criminal proceedings but was acquitted on all charges. However, a copy of the order passed by the local court in these criminal proceedings was uploaded on the website of Indian Kanoon, which is publicly available for download. The order revealed the Petitioner's identity, and his plea was based on his entitlement to privacy. He had also been denied his visa due to this order.

The Madras High Court concluded that the right to privacy is an inalienable right subject to the restrictions in the Constitution of India. The Right to be forgotten was also examined in light of the digital age. Moreover, it was noted that when the judgment was passed the impending Digital Personal Data Protection Act, 2023 ("the Act") was not in force. The Court discussed certain provisions of the Act and its applicability to the Courts to conclude that granting the relief of masking/redaction of information from certified copies that are issued for public circulation must be enabled in appropriate situations, which would warrant consideration on a case-to-case basis, subject to the discretion of the Courts. Even without the benefit of the awaited Act, the Madras High Court felt it necessary and right to issue the mandamus sought for. Indian Kanoon was directed to take down the judgment entirely, while the other respondents were directed to redact the name and other details of the Petitioner from the judgment in question.

The order passed by the Madras High Court was challenged by Indian Kanoon before the Supreme Court of India, where the Supreme Court has accepted the plea of Indian Kanoon and has passed an interim order directing the stay on the operation of the order passed by the Madras High Court. The proceedings are still pending before the Supreme Court of India, and it is to be seen what view the Supreme Court will take on the inalienable nature of the privacy rights of individuals.

Read the judgment here.

2. Hon'ble Supreme Court holds that continuously monitoring the movement of an accused as a condition for bail violates his right to privacy

July 8, 2024: In a matter concerning a prosecution under the Narcotic Drugs and Psychotropic Substances Act, 1985, in Frank Vitus v. Narcotics Control Bureau, 2024 SCC OnLine SC 1657, the Hon'ble Supreme Court examined the tenability of one of the conditions imposed on the accused by the High Court for the grant of bail under Section 439(1)(a) of the Criminal Procedure Code, 1973 ("CrPC"), mandating the accused to drop a PIN on Google Maps enabling the Narcotics Control Bureau to monitor the movements of the accused in real-time. The Court, while taking note of the discretionary powers of the Sessions Court and High Court to impose conditions in the interest of justice under Section 437(3) of the CrPC, observed that "interest of justice" cannot be construed to be "fanciful, arbitrary and freakish".

Further, the Apex Court held that conditions imposed for granting of bail must be consistent with the objective of the said conditions and may only curtail the constitutional rights of the accused to the minimal extent possible. Given that the guilt of the accused was not yet determined, the Court held that the condition of constantly monitoring the movement of the accused was a violation of his right to privacy read into the Fundamental Right to Life and Personal Liberty under Article 21 of the Constitution of India. The Court examined the technical statement of Google LLC as regards dropping of the PIN on Google Maps, which gives the user complete autonomy to block the tracking of the PIN as the user deems fit, and which rendered the condition redundant for the Narcotics Control Bureau. Accordingly, the Court directed that the condition of "dropping a PIN on Google Maps" be deleted from the bail order. Ahead of the enforcement of the much awaited and debated Digital Personal Data Protection Act, 2023, this judgment becomes specifically pertinent in upholding the right to privacy where it is infringed by digital means.

Read the judgment here.

High Court

3. Public Interest Litigation filed before Delhi High Court seeking directives to ensure confidentiality and privacy while handling consumer data by international travel companies

April 3, 2024: In the wake of consumer data being scraped by artificial intelligence at scale, this Public Interest Litigation ("PIL") filed by BJP leader Ashwini Kumar ("Petitioner") in Ashwini Kumar Upadhyay v. Union of India & Others W.P.(C)/4837/2024 before the Delhi High Court becomes particularly relevant. The PIL sought statutory directives to ensure that international travel companies maintain the confidentiality and privacy of consumer data, such as names, Aadhaar numbers, and passport details. Ashwini Kumar emphasized the risk of data misuse by travel companies, specifically foreign companies, particularly because they are allegedly owned by foreign investors.

The Court noted that the Petitioner had not submitted any representation with the Union of India before approaching the court. The bench granted the Petitioner the liberty to file a representation before the Union Government to this effect and refrained from intervening in the same. While the decision of the judiciary in the present case was to refrain from taking legislative action, it would be pertinent to see how such matters are dealt with in the future either by statutory law or judicial precedent given the current state and practice of technology.

Read the judgment here.

4. Delhi High Court holds that press reports relating to the public life of public personalities do not per se violate privacy rights unless such news amounts to harassment and invasion of private life

February 23, 2024: In a case that underscores the clash between law enforcement's investigation powers and the right to privacy, amidst ongoing investigations by the Enforcement Directorate ("ED"), the Petitioner, a former Member of Parliament, in Mahua Moitra v. Enforcement Directorate, 2024 SCC OnLine Del 1264, had filed a plea to direct the ED (Respondent No. 1) to refrain from disclosing any information, including confidential, sensitive, unverified or unconfirmed information, to the media in connection with the investigation. The investigations by the ED arose due to alleged violations by the Petitioner under the provisions of the Foreign Management Act, 1999. The grievance arose when the news of the summons issued to the Petitioner was published before she actually received it, along with other details pertaining to this investigation, including sensitive information of "potential allegations".

Referring to the Central Advisory on Media Policy dated April 1st, 2010, which lays down precautions to be taken in respect of sharing information by an investigating agency to the media, the Court held that publications neither constituted an invasion of the Petitioner's privacy nor prejudiced the ongoing investigation. The Court highlighted the role of media and its importance in respect of public interest and stated that Article 19 (1) (a) of the Constitution included the freedom of press and communication needs in a democratic society. Additionally, the people have a right to be apprised of information regarding public figures, who are subject to heightened scrutiny and pervasive public attention, unless these publications amounted to harassment and invasion of private life of the public figure.

Since the information disseminated by the publication was unrelated to her private life and privacy and did not hamper the ongoing investigation, the Court refused to grant the writ petition.

Read the judgment here.

Glossary:

a. AI – Artificial Intelligence, which refers to the theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.

b. AI model - A program that applies one or more algorithms to data to recognize patterns, make predictions, or make decisions without human intervention.

c. Authentication - The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

d. Biometric – Automated and statistical identification of individuals by means of unique physical characteristics, typically for the purposes of security and access control.

e. CRQ - Cyber Risk Quantification, which refers to the process of calculating risk exposure and its potential financial impact on an organization.

f. Cyberspace - The dynamic and virtual space that connects different computer systems.

g. Cybersecurity - Computer security, cybersecurity, or information technology security (IT security) is the protection of computer systems and networks from information disclosure, theft, or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.

h. Data localization - The practice of keeping data within a specific region – typically the region it originated from.

i. DSCI - Data Security Council of India.

j. Encryption - The process of protecting information or data by using mathematical models to code it in such a way that only the parties who have the key to unscramble it can access it.

k. ESG – Environmental and Social Governance, which refers to an investing principle that prioritizes issues pertaining to the environment, social well-being, and corporate governance.

l. Generative AI - Generative AI (GenAI) is a type of Artificial Intelligence that can create a wide variety of data, such as images, videos, audio, text, and 3D models.

m. LLM - Large language models that are a subset of AI models which use machine learning and can comprehend and generate text in natural human language.

n. Message originators – The individual or entity from whom a message has been dispatched toward the recipient.

o. Redact – To censor or obscure a part of a document or any text format for legal and/or security purposes.

p. Significant Social Media Intermediaries - An intermediary that primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify, or access information using its services, as defined under the IT Act, 2000.

Footnotes

1 Data Security Council of India (DSCI), is a not-for-profit, industry body on data protection in India, setup by Nasscom, committed to making the cyberspace safe, secure and trusted by establishing best practices, standards and initiatives in cyber security and privacy.

2 2024 Cybersecurity Outlook | Data Security Council of India (dsci.in)

3 Press Release: Press Information Bureau (pib.gov.in)

4 Will cease to function if forced to break encryption, WhatsApp tells Delhi High Court | Mint (livemint.com)

5 Press Information Bureau (pib.gov.in)

6 Gazette Notification_0.pdf (meity.gov.in)

7 Advisory 15March 2024.pdf (meity.gov.in)

8 CCTV_30042024.pdf (mha.gov.in)

9 Standards | Ministry of Electronics and Information Technology, Government of India (meity.gov.in)

Contributors to the Newsletter:

  • Nusrat Hassan, Managing Partner, India
  • Ambuj Sonal, Partner
  • Nayona Roy, Partner
  • Meghna Punjabi, Senior Associate
  • Aayushi Barot, Associate
  • Saachi Jaisinghani, Associate

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
