
This article is written by Karan Gautam of 4th Semester of Delhi Metropolitan Education

Abstract

The Internet of Things (IoT) is frequently treated as a single problem area with solutions meant to serve a wide variety of applications. The privacy and security requirements of sensitive commercial activities or essential technical infrastructure, however, differ considerably from those of a domestic Smart Home. The personnel and financial resources available to achieve security and privacy also differ significantly between application domains, and in residential settings human concerns can be just as crucial as technological ones. After examining the available solutions for improving IoT security, the article discusses the crucial need for reliable Smart Home systems in the future. For devices with limited resources and high availability requirements, a gateway design is the best option. Two technologies are crucial for system auto-management: first, support for automatic system configuration improves system security; second, automatic updates of system software and firmware sustain continuous secure operation.

Keywords: IoT Security, Privacy, Auto-Management, Smart Home, Cybersecurity

Introduction

In India, data protection and privacy are hotly contested issues. Despite their importance, they are neither preserved nor protected by a separate legislative body. This manuscript’s main goal is to convey the general and legal ideas in a thorough and accessible manner.

What is data

Data refers to all information and materials created and acquired during the provision of services, including survey plans, charts, recordings (audio and/or visual), pictures, curricula, graphic representations, computer programs, printouts, notes, and completed or uncompleted documents that can be used to forecast the future of the entity or the individual.

Two categories of data exist:

Personal data

Personal data is any data about a named or identifiable individual; it can be used to track or monitor that person online, and no third party should have access to it. Medical, biological, financial, and residential data are examples of personal data.

Non-personal data

Non-personal data is all information that is not personally identifiable. General, non-identifying knowledge about individuals is what enables organizations to create plans for financial success; data gathered by the government when conducting publicly sponsored projects is another example.

What is privacy

The definition of privacy can change depending on the legal context. It can be described as an individual’s right over their personal information; in essence, it is freedom from unauthorized intrusion.

What is data privacy?

Users have the right to limit the data that a website or an organization gathers and to limit how much of their data is collected. Data privacy refers to the management of a user’s data, such as history, financial, and property information, i.e., private information that may be used to track, monitor, and trace the identity of the user on a website or an online platform, and to the prevention of its access by anybody or any third party. It regulates data processing and guards against unauthorized online access. In short, it is a website’s or platform’s proper use of data.

The relationship between the internet user and the intermediary needs to be trustworthy; otherwise, the person’s online identity and privacy can be exploited. In the current digital age, Indian law declares no set restriction on the amount of data that a website or organization may gather.

The categories of data privacy are listed below.

Types of data privacy

Online privacy

Websites have privacy policies outlining their use and collection of data because online privacy is crucial.

Residential information

When gathered, details concerning a user’s place of residence and standard of life should be kept private.

Medical privacy

Other than the organization and the user, medical information about a user should not be shared with anyone else. Maintaining doctor-patient confidentiality is necessary to prevent medical privacy from being violated.

Financial privacy

Financial privacy concerns the gathering of financial information by a website. If that information is not stored and protected securely, attackers may use the credentials fraudulently.

Advantages of data privacy

  • Ensures that those who steal and misuse data are held accountable;
  • Prevents the government from spying on the populace;
  • Respects borders;
  • Ensures that personal data remains under the individual’s control.

Consequences of data disclosure

If data is revealed, it can ruin someone’s life. If not caught in time, hackers can use personal information to commit fraud or purchase illegal goods using the user’s credentials, leaving the user responsible for the transaction. Some websites market and sell information, which leads to unwanted advertisements. A person’s right to freedom of speech and expression, guaranteed as a fundamental right under Article 19(1)(a) of the Indian Constitution, is inhibited if they are being watched or monitored online. What, then, does data privacy entail in practice?

The reality of data privacy

Data privacy is difficult for an individual to attain alone. It is more realistically achieved by regulating how organizations acquire and store data, although regulation and privacy are often viewed negatively. Not all businesses uphold confidentiality. In large organizations, data security and confidentiality safeguards are treated as crucial; smaller organizations, however, often fall short in terms of accountability and secrecy.

Over the last decade there have been numerous data breaches and hacks involving the data of significant corporations, including Facebook, Mobikwik, and others. Users’ personal information kept on their servers is being taken and sold on the dark web. The year is almost 400,000. That year, the nation had one of the top five highest numbers of cybersecurity incidents. India is also third in the world for the number of internet users.

Data localization

Localization means confining an operation within set boundaries. Data localization is the practice of keeping data on devices located inside national borders. If the data were kept domestically, no restrictions or foreign authorizations would be needed to access it; for data stored in a foreign cloud, Mutual Legal Assistance Treaties should enable the country to obtain access. Data localization is crucial to national security because storing data on a server located within the nation, and accessible at any time, helps prevent foreign spying.

In the Indian context, it is the act of localizing all sensitive data belonging to Indian users of various digital payment services on devices present within the country’s borders. What significance does data security have?

Data security

Data security is the set of safeguards that keeps a person’s information safe from unauthorized access by outsiders and from malicious websites that steal data. It protects users’ personal information against malicious attacks and unauthorized access while ensuring the integrity of the data.

Examples of data security include the password for a person’s online banking account and the encryption offered by the website.

Should you pay extra for data security?

Selling security measures for cash is wrong. Every user has a right to privacy that must be protected, and it is the responsibility of an organization to offer every user the same level of protection. Nevertheless, some commercial businesses charge customers extra fees to safeguard them from unauthorized and fraudulent transactions.

Security breach: sale of data on the dark web

In what is allegedly the largest such breach in India, 8.2 terabytes of data said to contain the personal information of 3.5 million users of the payments network MobiKwik were offered for sale on the dark web, a significant data security breach at a private company.

Even though numerous independent cybersecurity experts have been warning of a possible data breach on MobiKwik’s servers as early as February, French security researcher

Difference between data privacy and data security

Data privacy is distinct from data security. Data security protects data from unauthorized access, whereas data privacy controls how a website or an organization handles the flow of user data. A data breach prevention strategy can be part of data security. In plain English, privacy concerns what is protected and security concerns how it is protected. Organizations use firewalls and encryption technology to achieve data security. Data privacy aims to give users total transparency about their data by letting them know what information is being collected. It is hard to handle privacy issues without first implementing strong security procedures.

Examples of data privacy provisions include the de-identification process.

Encryption is a key data protection technological measure, rendering digital data, software, and hardware unreadable to unauthorized users and hackers.

GoDaddy reports a data breach, affecting the data of 1.2 million customers.

In the filing, it is stated that “email addresses and customer numbers of approximately 1.2 million active and inactive Managed WordPress customers were disclosed.” Theft of email addresses is a serious problem: it makes phishing attempts, in which fraudsters send emails to users to fool them into disclosing the passwords to other accounts, more likely.

Legislature

There is no authorized legislative framework for data privacy in India.

Right to privacy: A fundamental right

Article 21 is the core of both the Constitution and its fundamental rights. Judicial interpretation has held that many rights are included within it, and that the scope of Article 21 is neither narrow nor restricted; it has been widened by several judgments. Through its rulings, the court has recognised the following rights as protected by Article 21:

  1. Right to privacy
  2. Right to shelter
  3. Right to go abroad
  4. Right against custodial death
  5. Right to pollution-free water and air
  6. Right against solitary confinement
  7. Right against handcuffing
  8. Right against delayed execution
  9. Right against public hanging
  10. Protection of cultural heritage
  11. Right to health and medical aid
  12. Right to education
  13. Protection of under-trials

Responding on behalf of the Union in Justice K.S. Puttaswamy v. UoI (2017) 10 SCC, the Advocate General of India argued that the right to privacy is not a fundamental freedom and is not protected by the Constitution. The Supreme Court held by majority that Article 21 of the Indian Constitution safeguards the right to privacy as a fundamental right. The constitutionality of the Aadhar Act, the use of biometrics, and other personal data gathered from individuals were disputed in this case by Justice K.S. Puttaswamy, a retired High Court judge. The court found the collection legitimate, to be used only narrowly for the good of the individual and the nation.

Right to be forgotten

A person’s right to be forgotten is their ability to have their personal information deleted from internet histories and other platforms. The court recently ruled that the right to privacy is a subset of the right to be forgotten.

Case law: Vinit Kumar v. CBI and Others, WP No. 2367 of 2019

In this case the Union Home Ministry issued orders allowing a businessman’s calls to be intercepted, and the petitioner challenged the orders in the High Court of Bombay because they violated his right to privacy. The court quashed the directives because there was no legitimate cause for them.

The Information Technology Act, 2000 contains two provisions dealing with data disclosure and violations of its data protection requirements, set out below.

Compensation for failure to protect data

When a body corporate negligently fails to implement and maintain reasonable security practices and procedures and causes a person to suffer wrongful loss or wrongful gain as a result, that body corporate will be responsible for compensating the person who was harmed with damages. This liability shall arise from the body corporate’s possession, dealing, or handling of sensitive personal data or information in a computer resource that it owns, controls, or operates.

Punishment for disclosure of information in breach of a lawful contract

Except as otherwise provided in this Act or any other law currently in force, any person, including an intermediary, who while performing services under the terms of a lawful contract has secured access to any material containing personal information about another person, and discloses that material without the consent of that person or in breach of a lawful contract, with the intent to cause, or knowing that he is likely to cause, wrongful loss or wrongful gain.

The Act mandates that every body corporate (i.e., business) must have a detailed privacy policy. The privacy statement must state:

  • A concise, understandable description of its procedures and policies
  • Its information collection methods and security measures
  • The reasons for data collection, its storage practices, and its information disclosure policies

A robust law must include the following clauses to satisfy the consumer:

  • Data collection and sharing rights: No information should be made available to outside parties.
  • Consent: Users’ consent is required before any information is gathered.
  • Data minimization: Only gather what is required and explain why.
  • Responsible data usage: data must be used properly and ethically.
  • Controller’s responsibility for data.

The 2019 Data Privacy and Personal Data Protection Act

The Srikrishna Committee was established by the court as a special committee to develop a bill on personal data. The committee, chaired by retired Supreme Court justice B.N. Srikrishna, submitted its report on July 27, 2018. The government drafted the Personal Data Protection Bill, 2019, which was promptly referred to the Joint Parliamentary Committee (JPC); it has not yet been put into effect, since the committee found the framework imprecise and unsuitable for the rapidly changing technological environment. Since 2019, five extensions have been sought to pass the measure. Clause 35 of the PDP Bill, 2019 grants the government an exemption and allows it to access any user’s information and to track information about the nation’s citizens.

Under it, the government had complete authority to monitor individuals and their online activity (if necessary). The issue should be governed by legislation because it is now a national security risk. The bill’s terms “data fiduciary” and “data processor” correspond to the GDPR’s “controller” and “processor.” The bill protects people by fining companies that collect user data without their consent.

The PDP Bill will apply to both people inside and outside of India regarding business conducted in India, the offering of goods or services to Indian citizens, or the profiling of individuals.

The bill also included provisions for the storage of user information.

What is the status of the PDP Bill, 2019?

The Joint Parliamentary Committee began working on its report in 2019. The committee discussed several clauses and provisions, most notably Clause 35 of the bill, which exempts the government in the interests of maintaining public order and the national interest. After two arduous years, on November 22, 2021, the committee approved sending the bill to Parliament for consideration during the following session. The committee made a slight amendment to the exemption language: although the state retains the authority to exempt itself from the bill’s applicability, that power should only be used in extreme cases. Additionally, the committee suggested that all social media companies open offices in India and that a media regulating authority be established to control the flow of content. The committee also noted that there was no clause addressing data collected by device makers.

Major Breaches of Information Privacy

1. Pegasus spyware

Pegasus was developed by the Israeli NSO Group (N stands for Niv, S for Shalev, and O for Omri, the founders), an organization well known for its zero-click surveillance tools, which have led to numerous legal challenges. Because apps like WhatsApp and Facebook use end-to-end encryption, their messages cannot ordinarily be tracked or traced. Pegasus overcomes the encryption barrier by allowing its operator to read encrypted messages and calls just by dialing the target’s number, and it can even erase the record of that call once it has been made. Pegasus can infiltrate any device through a backdoor without the device owner being aware of it. Using a zero-click exploit, it may collect any data from the device after installation, and the operator has complete control over that data. Over 300 verified Indian mobile phone numbers were listed as prospective Pegasus spyware targets, according to a report by a global media consortium. NSO Group stated that the spyware was created specifically for governments and law enforcement to acquire useful concealed information; this fact alone, however, does not ensure the privacy of the individual. On September 13, a bench of the Supreme Court deferred its decision, requesting information on whether the Centre was using the Pegasus malware to illegally surveil citizens. The requests for independent investigations respond to accusations of alleged spying on prominent people and politicians by government agencies using the Pegasus malware from the Israeli company NSO.

Apple filed a lawsuit against NSO Group and provided fresh information on the Pegasus attacks on some iPhone owners.

2. Joker malware

Joker malware is a type of malware designed to steal personal data, including debit and credit card numbers. When a consumer installs a malicious app from the Google Play store, the Joker malware discreetly enters their smartphone. This malware is hazardous and has been found in over 200 malicious apps. Google took action and removed the applications that were putting users’ data at risk. The malware reappeared on November 21, 2021, and this time it affected 15 Play Store apps. According to reports, the Joker software steals money from users by forcibly enrolling them in unwanted paid subscriptions.

Without the user’s knowledge, it floods the device with adverts before stealing the victim’s SMS messages, including the OTP (One Time Password) messages used to authenticate purchases. This time, two fresh variants, known as Joker Dropper and Premium Dialer, were found on the Play Store concealed in certain otherwise trustworthy applications.

According to the report, the malware “adopted an old technique from the conventional PC threat landscape and used it in the world of mobile apps to avoid detection by Google.”

Multiple apps with thousands of installs on the Google Play Store were found to contain the Joker malware.

3. Emotet botnet

Emotet, a botnet also referred to as the “king of malware,” enters a computer system when a user clicks a link, sent by the attacker via an authentic-looking email. It propagates from one system to another, so that each infected machine joins the botnet as a bot. A “botnet” is a collection of infected computers or servers that attack a particular computer or server by sending out more commands than it can handle. Emotet’s architecture consisted of tens of thousands of servers spread throughout the globe, with various capabilities to control the infected victims’ machines, proliferate to new ones, assist other criminal organizations, and ultimately strengthen the network’s defenses against takedown attempts. Using phrases such as healthcare and COVID-19 preventive measures in emails, the attackers used Emotet to click-bait victims and gain access to personal information. In January 2021, eight law enforcement agencies joined together to take down the infrastructure that Emotet had been using.

The world’s most dangerous malware, Emotet, is disabled by an international team.

What can be learned from the current struggle?

An individual can learn from these attacks. One way to stay secure is to avoid opening links in random spam and fraudulent emails. Before entering any website or platform, users should read the privacy statement and only accept cookies if necessary. These attacks affect those who blindly believe what they read or see online, because the attacker targets particular individuals.

Be mindful of the wording and the email address, and ignore the email interface’s spam section.

How can organizations protect personal information?

Software that automates data privacy principles can assist an organization in complying with them. Every organization must be able to understand its customers’ needs. An organization can help ensure data privacy by implementing encryption and authentication. In addition to helping an organization better understand its consumers, privacy software keeps track of the deadlines for each data subject request.

Need for reform

Other nations have data protection legislation similar to the GDPR in place along with the necessary safeguards to secure data privacy and the protection of their residents. India should take into account the benefits of GDPR and enact legislation in India that provides the appropriate penalties and descriptions to secure data privacy and protection for its residents. The PDP Bill 2019 should be passed by the parliament and put into effect as soon as feasible.

The EU’s General Data Protection Regulation (GDPR)

The EU (European Union) passed the GDPR in May 2018 as a law to safeguard the processing and privacy of personal data. It applies to all businesses and organizations that handle user data, and it established stringent guidelines and sanctions. The GDPR mandates that organizations handling user data safeguard it; if data is abused or exploited, someone will be held accountable and forced to make a sizable payment. Finally, the GDPR requires every processor (a division of an organization that deals with data processing) to keep records of the data it processes and how it is processed, imposing a considerably higher level of liability in the event of a breach.

The unit of an organization responsible for controlling data, known as a controller, is required to make sure that any agreements with processors adhere to the GDPR. Giving consumers the right to know when their data is breached is one of the major improvements the GDPR brought about: organizations are expected to notify the national authorities as soon as feasible, so that people can take action to stop their data from being misused. The GDPR also clarified the right to be forgotten, granting individuals who no longer wish to have their data processed additional freedom and the right to have it destroyed if there is no legitimate reason to continue using it.

Conclusion

Data protection is effective when done with transparency and for the correct reasons. The data acquired should be precise and limited to its intended use; a minimal amount of data should be required, and the website owner should be held accountable. Because of privacy breaches and the advancement of technology, internet users have become more aware of internet privacy. Check your accounts’ privacy settings frequently.

References

  1. IntechOpen. Accessed July 24, 2023. https://www.intechopen.com/chapters/65738.
  2. International Journal of Engineering Research & Technology. Accessed July 24, 2023. https://www.ijert.org/privacy-and-security-issues-in-iot-based-smart-home-applications.
  3. SpringerLink. Accessed July 24, 2023. https://link.springer.com/article/10.1007/s42452-020-2025-8.
  4. The Indian Express. Accessed July 24, 2023. https://indianexpress.com/article/technology/tech-news-technology/godaddy-reports-data-breach-data-of-1-2-million-customers-impacted-7636925/.
  5. The Times of India. Accessed July 24, 2023. https://timesofindia.indiatimes.com/gadgets-news/apple-sues-pegasus-spyware-creator-nso-group/articleshow/87880298.cms.
