Author: Anna Mary Mathew
INTRODUCTION
Privacy, in its ordinary connotation, can be defined as the protection of personal as well as sensitive personal information from being made known to third parties unless the person whose information is released has specifically assented to it. Data privacy is the term accorded to the protection of personal information in the technological space. This brings us to the next question: is there any difference between data privacy and security?
Security comes under the broader head of data privacy. Security ensures that an individual’s personal information stored in the form of data cannot be accessed through malicious software, but what about the technology present in websites in the form of cyber cookies? Some of these cookies do not even seek prior approval before collecting our data. Hence, a clear breach of our privacy is committed. This blog will examine India’s stance with regard to data privacy, specifically through the focal point of cyber cookies.
CYBER COOKIES AND DATA PRIVACY
A cyber cookie is a text file that is embedded on a website, which enables the creator to distinguish your computer on a network server. Ideally, cyber cookies help website owners provide users with an optimum browsing experience, as cookies monitor the user’s activities, ascertain the user’s inclinations and personalise the website to the user’s liking. This, in a way, benefits both the user and the website owner.
There are various types of cookies. Of these, strictly necessary cookies are the most important kind, as these are the only cookies that essentially fulfil the purpose of their creation. These cookies are necessary to browse the website and access its basic features, such as adding items to a cart. There are other kinds of cookies, such as the persistent cookie. This is a cookie that is stored on the user’s hard disk and remains there until it is erased manually or its expiration period is exhausted.
There is another peculiar, but rather dangerous, form of cookie called the third-party cookie. These cookies retain the information of the user of a device and share this information with a third-party advertiser. Now, imagine a scenario in which, without our prior approval, these website owners are sharing our information with third parties. This is an absolute breach of privacy.
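The persistent and third-party categories described above can be told apart from the Set-Cookie response headers a browser receives during a page load. The following is an added example, not part of the original blog; the host names, cookie values and function names are constructed for illustration, and comparing the last two DNS labels as the "site" is a simplifying assumption.

```javascript
// Added example: classify cookies seen during one page load.
// All hosts and cookie values below are constructed sample data.

// Simplification (assumption): treat the last two DNS labels as the "site".
// A real audit should use the Public Suffix List (e.g. for .co.in).
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// pageHost: the site the user is visiting; responseHost: host that set the cookie.
function classify(pageHost, responseHost, header) {
  const { name, attrs } = parseSetCookie(header);
  // Expires/Max-Age set an explicit lifetime; without them it is a session cookie.
  const persistent = "expires" in attrs || "max-age" in attrs;
  const thirdParty = siteOf(pageHost) !== siteOf(responseHost);
  return { name, persistent, thirdParty };
}

// Constructed observations: [response host, Set-Cookie value].
const observed = [
  ["shop.example", "cart=abc123; Path=/; HttpOnly; Secure"],
  ["shop.example", "prefs=lang-en; Max-Age=31536000; Path=/"],
  ["ads.tracker.test", "uid=u-789; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure"],
];

function audit(pageHost, rows) {
  return rows.map(([host, header]) => classify(pageHost, host, header));
}

for (const r of audit("www.shop.example", observed)) {
  const kind = `${r.thirdParty ? "third-party" : "first-party"}, ${r.persistent ? "persistent" : "session"}`;
  console.log(`${r.name}: ${kind}`);
}
```

Whether a cookie is strictly necessary depends on its purpose and cannot be read from the headers; that part of a cookie audit still needs a manual review of what each cookie is used for.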
INDIA’S STANCE ON CYBER COOKIE REGULATION
It is rather disappointing to say that India, to date, does not have a law that exists exclusively to protect personal information in the form of data stored in electronic devices, nor is it a party to any international convention that focuses on guaranteeing data protection, such as the Group Data Protection Regulation of the European Union or the Personal Data Protection Policy.
In India, through the Supreme Court case law Justice K S Puttaswamy v. Union of India, (2017) 10 SCC 1 (India), it is a well-known fact that the right to privacy has been recognised as a fundamental right and as a facet of Article 21 of the Indian Constitution. Even though the right to privacy has clearly been emphasised by Indian laws, cyber cookies are still in existence and are still embedding personal information of individuals into their databases.
Currently, as there exists no specific law to address this issue, we have to look to a general law that is relevant to the cyberspace of India, the Information Technology Act, 2000. In the Information Technology Act, 2000, there exist two sections, 43A and 72A, which deal with the compensation provided to individuals in case sensitive personal data is breached.
Section 43A only looks into situations where “sensitive personal information” is collected. Hence, it is absolutely necessary to identify whether a cookie collects sensitive personal information or not. A categorization of what can be considered sensitive personal information has been provided under Section 3 of the Data Protection Rules 2011. It specifies bank account numbers etc. Superficially, it might seem that a cyber cookie does not collect any sensitive personal information. But we have seen, in the functioning of a cyber cookie, how it gets embedded on a website. Once it gets embedded, it has full access to the activity of an individual; in fact, we cannot even apprehend the amount of data they’ll be able to access if they can oversee the entire activity that we engage in.
Being mindful of the possible mishaps that can happen with the growth in the use of technology, the government introduced the Personal Data Protection Bill, 2019. This is an idealistic law; that is, if it comes into existence, it can essentially resolve a significant number of the data privacy issues that are present in the current world. However, it is still under deliberation. The parliamentary session for deliberation on the implementation of the bill keeps getting extended indefinitely.
However, there is another moot question that is very relevant to data protection. Should only personal data be regulated? Shouldn’t there be some kind of regulation of non-personal data as well? Even though, by definition, non-personal data might not be considered vital, in certain circumstances non-personal data can lead to gaining access to personal data. This is because the cyberworld is growing profusely, and if situations like these are apprehended beforehand, some amount of cybercrime can be reduced.
A classic example of what qualifies as personal information and what qualifies as non-personal information is this: if I place an order for food through a food delivery app on my mobile phone, the application collects information such as my name, age, gender and contact number. The name and the contact number of the person making the order will qualify as personal information and the rest as non-personal information. In this scenario, if a cyber expert wants to commit a cybercrime, mere access to non-personal information can lead to obtaining personal information.
CONCLUSION
Therefore, when cookies were created in the year 1994, it was with an intent to benefit the users as well as the owners of businesses. However, with the growth of technology, people are finding new ways to misuse the data obtained through this medium and commit cybercrimes. Hence, what India urgently needs to do is first pass the Data Protection Bill; this will provide significant protection to internet users and in turn will safeguard the important data of individuals.