Categories
Blog

Development of Cybercrime Law in the European Union

At the European Union level, although the possibility of having a comprehensive legal framework dealing with cyber crimes was not a far stretched idea owing to the cooperation at the Union level, however, this idea was not considered until the late 1990s.

Taking into account the growing incidents of cyber crimes, their peculiar nature, and the essential element of international cooperation in this regard, a series of initiatives were taken at the EU level in the form of recommendations and Council conclusions. This was followed by the first legislative proposal by the Commission in early 1998 to deal with certain aspects of computer crimes, i.e. credit card frauds and forgery of non-cash means of payment. However, it was only in May 2001 that the Framework Decision on Combating Fraud and Counterfeiting of Non-Cash Means of Payment was adopted.[1]

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

During the same time, the Council of Europe was taking a number of steps and engaging in negotiations, in collaboration with the G8 countries, USA, Canada, Japan, United Kingdom, Germany, France, Italy, and Russia, with respect to judicial cooperation in this field.  As a result, an agreement was reached in 1997 pertaining to an action plan to combat high-tech and computer-related crimes. One of the action plan’s initiatives is the 24/7 network of law enforcement contact points to combat cybercrime, which is now a part of the current legal framework at the EU level. This network furthers the objective of international cooperation, specifically with respect to the investigation of cybercrimes.

In October 1999, the G8 met again as a follow-up measure of the action plan. This follow-up concluded that the biggest roadblock in combating computer crimes is the identification and tracking of criminals in cyberspace. To overcome this roadblock, many principles were adopted to ensure transnational access to data, simplified mutual assistance, and general permission to access publicly available material in another state without express permission. These principles now form the basis of the current legal regime at the EU level[2].

Meanwhile, the European Committee on Crime Problems[3] (CDPC) decided to set up a committee of experts to deal with cyber-crime in November 1996. Subsequently, the Report submitted by Professor H.W.K. Kaspersen concluded that “it should be looked to another legal instrument with more engagement than a Recommendation, such as a Convention. Such a Convention should not only deal with criminal substantive law matters but also with criminal procedural questions as well as with international criminal law procedures and agreements”.[4]

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

Taking into account the Report submitted to the CDPC, the Council of Europe was successful in formulating the Convention on Cybercrime[5], with an aim to bring minimum harmonization in the acts termed as ‘cybercrime’ in the Member States of the EU.

The Explanatory Report of the Cybercrime Convention highlights the changing nature of crimes and the subsequent need to develop a legal framework to prosecute such crimes exclusively. It states that-

The technological developments have given rise to unprecedented economic and social changes, but they also have a dark side: the emergence of new types of crime as well as the commission of traditional crimes by means of new technologies.[6] Criminals are increasingly located in places other than where their acts produce their effects. However, domestic laws are generally confined to a specific territory. Thus, solutions to the problems posed must be addressed by international law, necessitating the adoption of adequate international legal instruments”.[7]

The Convention on Cybercrime adopts a holistic approach in dealing with both substantive and procedural aspects[8] of cybercrimes at the EU level. Section 1 of Chapter II covers both criminalization provisions and other connected provisions in the area of computer or computer-related crime by defining nine offences (illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography and offences related to copyright and neighbouring rights) grouped into four different categories (offences against the confidentiality, integrity and availability of computer data and systems, computer-related offences, content-related offences and offences related to copyright and neighbouring rights)[9]. It further deals with ancillary liability and sanctions[10].

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

Furthermore, the Convention also contains provisions for traditional as well as computer crime-related mutual assistance and extradition.[11] It also provides for transborder access to stored computer data without mutual assistance, either with consent or without consent, in the case of publicly available data. It also provides for the setting up of a 24/7 network to ensure speedy assistance among the Parties.

Lastly, at the Union level, to address the issue of cooperation at, the Union level, the European Network and Information Security Agency (ENISA) was established in 2004. ENISA was given the responsibility to develop expertise to enhance cooperation between public and private sectors and provide assistance to the Commission and Member States of the EU in their dialogue with industry for the purpose of addressing security-related problems in hardware and software products. It was also required to promote risk assessment activities as well as interoperable risk management routines.[12]

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

[1] EUR-Lex, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32001F0413 (last visited May 3, 2021).

[2] These principles can now also be found in the Cybercrime Convention.

[3] Decision CDPC/103/211196.

[4] Salaheddin J. Juneidi, Council of Europe Convention on Cyber Crime, IPICS (2002).

[5] The Cybercrime Convention.

[6] Explanatory Report to the Cybercrime Convention, part I(5).

[7] Explanatory Report to the Cybercrime Convention, part I(6).

[8] Supra note 29, chapter II, § 2.

[9] Supra note 29, chapter II, § 1.

[10] Supra note 29, chapter II, §1, title 5.

[11] Supra note 29, art. 25.

[12] ENISA, https://www.enisa.europa.eu/ (last visited May 6, 2021).

Categories
Blog

Rule Of Law in Globalising World

The concept of rule of law finds its origin in the rulings of Chief Justice Sir Edward Coke[1] wherein he emphasised the significance of the King being under the law. However, it was only later that A. V. Dicey in his book: Introduction to the study of the Law of the Constitution, 1885[2], tried developing the concept further. He identified three components of the rule of law[3]

  1. The supremacy of law
  2. Equality before law
  • Constitution as a result of ordinary law of the land (signifying the relevance of judge-made laws in England)

These components ensured that the rule of law acted as a constraint on the arbitrary exercise of power by the sovereign over its subjects. Therefore, his primary focus was on the way in which the law was made, applied, and enforced (process-focused approach), rather than the actual content of the law (end-focussed approach). This creates a lot of confusion with respect to the applicability of the rule of law. Modern democracies are founded on this principle, however, there are contrasting convictions about what ‘law’ is/should be.

Previously, the concept of rule of law was limited in its application to the sovereign territory of the state as the interactions were primarily intranational. However, over a period of time, with the advent of technology and the movement of people, goods and services across borders, such interaction became international, leading to cross-border disputes. Through the process of globalization, “political, economic, and technological changes have had globalizing ramifications that penetrate state borders in ways that transformed the core rule of law values in the international legal order and have created a shift away from the previously prevailing state-centric system.”[4]

With respect to the applicability of rule of law at the international level, globalisation has made the world one single market where individual and state entities interact with other individuals and entities on a daily basis. Therefore, such interaction cannot be left unchecked with respect to the foundation principle of the legal system i.e. the rule of law. Hence, there is a need to transpose the principle of rule of law, internationally, in light of the globalized world. The significance of rule of law at the international level in the era of globalisation has been pointed out a number of times[5].

However, this transposition is easier said than done. There are some inherent issues in applying the principle globally. Firstly, with respect to whether such a principle, which was originally developed to be applicable to the national legal system, can be applied to the international legal system, in the absence of a central sovereign authority. Secondly, if the answer to the first issue is affirmative, does such international application require a reconceptualization of the original concept of rule of law in order to adapt it to the legal issues arising at the international level. Thirdly, should the international rule of law be limited in its application with respect to the relationship of different sovereign nation-states, or should it also be applied to the relationship of different individuals who are subjects of such nation-states?

The first roadblock towards the applicability of the principle of rule of law in the globalised world today encompasses the fact that there is no common sovereign power in the international arena. There is United Nations, however, the international law establishing such an institution, is a soft law in itself. Besides, it is left to the discretion of the nation-states to decide whether they wish to be a part of the U.N. Since there is no common sovereign, it is often contented by scholars that the rule of law cannot meaningfully exist in the international arena.[6] This further entails the difficulty in ascertaining what constitutes “law” in the international context since there is no “one” sovereign, and no “one” law regulating the conduct of individual nation-states.

Secondly, the Dicean concept of rule of law highlights a very narrow and process-focused approach. Such a framework will not satisfy the end objective of rule of law at the international level, with respect to acting as a constraint against the gross violation of the fundamental human rights of the individuals by the sovereign states. Therefore, the rule of law, when transposed to the international level, should not only be process-oriented but also end-oriented.

However, the nation-states, in light of the growing interaction in the globalized world and the common aim to attain international peace and order, have taken the necessary steps to address these roadblocks in the applicability of the principle internationally[7]. Globalization has a significant contribution to the development of both domestic and international legal frameworks governing and regulating transnational transactions and activities. This has led to the development of international institutions tasked with the implementation of international law to secure peace, order and respect for basic human rights in the international community.

In today’s world, however, the significance of the rule of law stretches far beyond its application to traditional inter-state relations. The second aspect of the rule of law at the international level is the increasing attention of the international community on the impact of the international rule of law on individuals, with respect to the need to protect the inalienable human rights of the individuals. The international humanitarian law and human rights law has ensured that the basic human rights of the “individuals” are brought at the centre stage[8], and that every nation-state is obligated to protect them. These developments have placed legal constraints on the conduct of sovereign states in the international community and prescribed international standards which ensure that substantive aspects of justice are also catered to, at the global level.

However, this individual-focused approach to rule of law at the international level is being implemented at the domestic level, by making the domestic legal system in line with the international standards. In light of this, it is important to keep a check on the discretion provided to the national legal system regarding the substantive rules as rule of law cannot be considered effective in its true essence if the laws are unjust and oppressive.

 

[1] LTJ, http://lawtimesjournal.in/rule-of-law/ (last visited Feb. 1, 2021).

[2] A V DICEY, INTRODUCTION TO THE STUDY OF THE LAW OF THE CONSTITUTION (1885).

[3] Id.

[4] Ruti G. Teitel, Humanity’s Law: Rule of Law for the New Global Politics, 35 CORNELL INT’L L.J. 355, 357 (2002).

[5] The Rio +20 Conference on Sustainable Development Outcome Document, 2012; UN Millennium Development Goals etc.

[6] Charles Sampford, Reconceiving the Rule of Law for a Globalizing World, GLOBALISATION AND THE RULE OF LAW 9, 10 (2005).

[7] UDHR, ICCPR, ICESCR, Convention against Terrorism, Human Trafficking etc.

[8] United Nations Human Rights Committee, the International Criminal Tribunals (ICTY, ICTR), and the International Criminal Court (ICC) etc.

Categories
Blog

Data Protection Regime in India

Privacy has been considered an international human right, as is enumerated under Article 12 of the Universal Declaration of Human Rights[1] and Article 17 of International Covenant on Civil and Political Rights.[2] India being a signatory to these international instruments, is under an obligation to protect privacy of the individuals. The current legal framework in India with respect to privacy and data protection is scattered in different legislations, rules and regulations, which individually deal with certain aspects of data protection.

The most important piece of legislation with respect to data protection is the Information Technology Act, 2000 (IT Act). Section 43A of the Act imposes civil liability on the body corporates if, while dealing with sensitive personal data or information, they are found to be negligent in implementing reasonable security practices and procedures and this leads to wrongful loss or gain to any person[3]. Furthermore, Section 72A imposes criminal liability on any person for disclosing personal information of an individual to a third party, without the consent of such individual[4]. These provisions are to be read with the IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011[5] [SPDI Rules], which defines sensitive personal data or information[6] and provides the procedures to be followed by a body corporate for collection[7], disclosure[8] and transfer[9] of information. The Rules further provides what constitutes reasonable security practices and procedures[10].

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

Furthermore, the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (Cert-In Rules) impose an obligation on the service providers, intermediaries, data centers and corporate entities to mandatorily notify, in case of certain type of ‘Cyber Security Incidents’.

With respect to the protection of financial data, the Credit Information Companies (Regulation) Act, 2005 (CICRA) requires that the credit information of individuals in India has to be collected as per privacy norms enunciated in the CICRA regulation. Entities collecting the data and maintaining the same have also been made liable for any possible leak or alteration of this data.

With respect to the protection of health data, the Digital Information Security in Healthcare Act (DISHA), 2018 aims to protect the privacy of patients by protecting their medical data. It lays down the procedure for sharing of personal health records, through digital medium, between various healthcare service providers. Further, the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2020 impose an obligation on the registered medical practitioner to comply with the relevant provisions of the IT Act, data protection and privacy laws[11].

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

The Indian Contract Act, 1872 also become applicable if the privacy and confidentiality clauses enumerated in the agreement are breached by either party.

The Indian Penal Code, 1860 becomes applicable in the realm of data protection regime, as when there is a theft of data, prosecution can follow for the offenses of theft[12], misappropriation of property[13] or criminal breach of trust[14] under the Code.

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

The most significant development in India has been the case of Justice K S Puttaswamy v Union of India[15], wherein the nine-judge bench of the Apex Court unanimously held that the right to privacy is an intrinsic part of personal liberty under Article 21 of the Indian Constitution. This highlighted the need for a data protection legislation dealing with all the direct and incidental aspects. The latest step towards this has been the Personal Data Protection Bill of 2019 which is currently being reviewed by the Joint Parliamentary Committee. Once this Bill becomes a law, India will have a single piece of legislation exclusively dedicated to privacy and data protection.

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

[1] Universal Declaration of Human Rights, 1948, art. 12.

[2] International Covenant on Civil and Political Rights, 1966, art. 17.

[3] Information Technology Act, 2000, s. 43A

[4] Information Technology Act, 2000, s. 72A.

[5] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

[6] Id, rule 3.

[7] Supra note 66, rule 5.

[8] Supra note 66, rule 6.

[9] Supra note 66, rule 7.

[10] Supra note 66, rule 8.

[11] Applicability of the Regulations.

[12] Indian Penal Code, 1860 , s. 378 and s. 379.

[13] Indian Penal Code, 1860, s. 403.

[14] Indian Penal Code, 1860 , s. 405, s. 408 and s. 409.

[15] Justice K S Puttaswamy v. Union of India, (2017) 10 SCC 1.

Categories
Blog Intellectual Property Law

Ritu Kumar v. Biba

Ritika Private Ltd. vs Biba Apparels Pvt Ltd. 230 (2016) DLT 109

Delhi High Court

Judges: Justice Valmiki J. Mehta

Applicable law: Section 15 of the Copyright Act, 1957

Did you know: In order for the owner of a design to enjoy protection under the Designs Act, 1911, it is necessary that the design be registered under the act.

Effect of Legal Provisions: Section 15 of the Copyright Act states that if a design is registered under the Designs Act, 1911 the copyright in such design will cease. Copyright will also cease even if the design is not registered but is capable of registration and the design has been reproduced more than 50 times.

Where it all began:

  1. Ritika owns the famous brand ‘Ritu Kumar’ and Biba Apparels also owns a famous brand called ‘Biba’. Both produced apparel and accessories using industrial designs
  2. Ritika alleged that Biba had copied the designs of Ritu Kumar and had used them to produce apparel and as such, it had infringed the copyright of Ritika.
  3. Ritika’s designs are not registered under the designs act.

Legal issue: Once the copyrighted works of the plaintiff are applied for the making of dresses, and the production of dresses exceeds 50 in number, whether protection of copyright is lost?

Learn more about IPR with Enhelion’s Online Law firm certified Master Course! 

Ritika’s arguments: there is originality in the garment prints and sketches created by Ritika Pvt Ltd for the dresses/garments. It is pleaded that its ensembles are so designed that each component, such as sleeves, front and back panels etc are delineated and are coordinated with unique features. As such it is entitled to copyright protection.

Biba’s arguments: Because the designs of Ritika are industrial designs, the suit for infringement of copyright is barred because of Section 15 of the Copyright Act.

Judgment in the case:

  1. The court came to the conclusion that the suit was barred by Section 15(2) of the Copyright Act, 1957 as Ritika’s copyright in the said works had ceased to exist.
  2. Ritika’s case fell squarely under Section 15(2) of the Copyright Act, 1957 i.e. the copyright in Ritika’s designs ceased to exist as it had been reproduced more than 50 times by an industrial process.

Significance

The court elucidated the position as to the operation of subsection (2) of section 15 and re-affirmed the view that the bar would apply under certain conditions even if the design is not registered.

Learn more about IPR with Enhelion’s Online Law firm certified Master Course! 

Categories
Blog

Cyber Defamation

Defamation is a tort that encompasses the publication of false statements which subsequently harm someone’s reputation. There are two types of defamation depending on the medium of publication- libel (in permanent form) and slander (in transient form). To establish a case of defamation, certain prerequisites are to be met. Firstly, the imputation should be about the plaintiff, secondly, such imputation should be defamatory and should not fall under the exceptions, thirdly, the defamatory imputation should be published i.e. communicated to a third person, and lastly, such imputation should lower down the reputation of the plaintiff in the eyes of people who think highly of him.

The development of technology and the advent of the internet have provided an online medium for individuals to make defamatory imputations. In light of this, jurisprudence with respect to cyber defamation has evolved over the last few decades.

REGULATION OF CYBER DEFAMATION IN THE UNITED STATES OF AMERICA

The first amendment to the U.S. Constitution guarantees its citizens, the freedom of expression and freedom of the press. The defamation law seems to be in conflict with the right to express oneself. However, the exercise of such a right cannot be unrestricted as defamation law seeks to protect human dignity. The same has been highlighted by the US Supreme Court by asserting that the tort of defamation “reflects no more than the basic concept of the essential dignity and worth of every human being- a concept at the root of any decent system of ordered liberty.”[1]

On the federal level, there is no criminal defamation. Majority of the defamation suits (both libel and slander) are dealt with by applying the common law principles of tort. Some the states have codified slander and libel together into the same set of laws to be applicable within their jurisdiction. Cyber defamation is also governed by the same set of legal framework regulating traditional defamation in the U.S.

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

The burden of proof standards

Until the second half of the 20th century, the defamation law in the US seemed to be favorable to the plaintiff as the statement made was presumed defamatory and the burden was on the defendant to prove that the statement was true, as truth was an absolute defense to defamation. However, in 1964, the case of New York Times Co. v. Sullivan[2] dramatically changed the nature of libel law in the US. The court held that when libellous statements were made against the public officials, the plaintiff (such public officials) should prove ‘actual malice’ on part of the publisher. Actual malice was defined as “knowledge that the information was false or that it was published with reckless disregard of whether it was false or not[3]. This decision was later extended to cover ‘public figures’[4]. This highlights the paradigm shift in the burden of proof standards involving public officials.

The liability of Internet Service Providers (ISPs) and Intermediaries

Technology and internet provided a new platform to individuals to express their opinions and thoughts. Therefore, in cases of cyber defamation, the plaintiff has the option of instituting a suit against the person who made the imputation or the entities which provided a platform for such imputation to be made. However, considering the nature of the internet, the courts analysed whether the same standard of protection can be provided to ISPs, as is provided to their traditional counterparts like newspapers and radios.

In Chubby Inc v CompuServe Inc[5], defamatory statements were made using the platform of CompuServe, which was an ISP. The issue was whether such ISP can be held liable for defamation. The court held that CompuServe was merely a distributor and not a publisher, which had no editorial control over the content being shared and uploaded. Therefore, it could not be held liable as it was a mere passive conduit, without direct editorial control.

However, the court in Stratton Oakmont, Inc. v. Prodigy Services Co.[6], a case involving similar facts with the difference that Prodigy, as an ISP, employed a screening program, implying that it had editorial control, held that Prodigy is liable for the defamatory statements made using its platform, not as a distributor, but as a publisher.

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

Considering the extent of liability imposed on the ISPs post-Stratton Oakmont, Congress enacted the Communications Decency Act, 1996 (CDA) to provide protection to ISPs from online defamation. Section 230(c)(1) of the Act stated that “no provider or user of any interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”[7]

After the enactment of the CDA, the judicial approach to defamation cases changed significantly. In Zeran v. America Online, Inc[8], the court implemented section 230 by providing federal immunity to America Online (AOL) for unreasonable delay in removing defamatory messages posted by a third party and refusal to post a retraction. The court further held that ‘distributor’ was a sub-class of ‘publisher’, and would fall under the ambit of section 230. Additionally, the court established that notice to an ISP of defamatory content does not create liability.

Further, in Blumenthal v. Drudge[9], the court again reiterated the finding that in cases involving ISPs, the only potential party to the defamation claim is the original author.

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

The protection under section 230 was further extended in Carafano v. Metrosplash.com[10]  and Barrett v. Rosenthal[11]. Lunney v. Prodigy[12] also asserted that ISPs play a passive role and cannot be held liable in light of section 230. The court further added that even if the ISP were a publisher, it would have a common law qualified privilege on the basis of lack of knowledge about the fact that the statements were false.

Publication rule

The publication of imputation i.e. communication to a third person is one of the prerequisites of a defamation suit. This requirement of publication can also be satisfied by the republication of the original defamatory statement. The publication rule is important to ascertain the limitation period for filing the suit. In case of a single publication, the period starts as soon as the statement is communicated to a third person, however, in the case of multiple publications, a fresh cause of action starts each time the statement is communicated to a third person. Therefore, in case of multiple publication rule, the limitation period loses its significance.

Taking into account the inherent issue of the multiple publication rules, the American courts have adopted the single publication rule in case of defamation[13]. In Wolfson v. Syracuse Newspapers Inc.[14], the court rejected the multiple publication rule by asserting that it makes the applicability of the limitation period in such cases futile. The single publication rule has been adopted in cyber defamation cases as well. In Firth v. State[15],  the court held that “a multiple publication rule would implicate an even greater potential for endless retriggering of the statute of limitations, the multiplicity of suits and harassment of defendants.”[16]

To conclude, although the jurisprudence with respect to cyber defamation is evolving in the U.S., however, the courts still provide greater protection to the first amendment right of expression by asserting that defamation lawsuits have a ‘chilling effect’ on speech. This has led to the proliferation of so-called ‘Anti-SLAPP’ suits which provide a way for the individuals to fight back against the baseless lawsuits that are designed to silence expression.

REGULATION OF CYBER DEFAMATION IN THE EUROPEAN UNION

The European Convention on Human Rights (ECHR), under Article 10, enshrines freedom of expression[17]. Article 10(2) further allows the contracting states to impose restrictions for the protection of the reputation or rights of others[18]. Therefore, with respect to defamation in the European Union (E.U.), the legal framework has been left to the individual member states. However, the E-commerce Directive deal with certain aspects relating to the liability of ISPs in cyber defamation cases.

With respect to the jurisdictional issues arising in defamation cases in the E.U., the Brussels Convention on Jurisdiction and Enforcement of Judgements in Civil and Commercial Matters, 1968 becomes relevant. Article 5(3) of the Convention provides that “a person domiciled in the contracting state may be sued in matters relating to tort, delict or quasi-delict, in the courts for the place (of other contracting state) where the harmful event occurred[19]. However, if the ‘harmful event’ occurred at a number of places, i.e. with respect to defamation, if the harm to reputation occurred at a number of places, then which court will assume jurisdiction. This issue was addressed by the Court of Justice of the European Union in Shevill and others v Presse Alliance SA[20], on reference from the House of Lords. The court held that the victim of libel in several contracting states can either institute a suit in the jurisdiction where the publisher is established, or in each of the contracting states where the publication was distributed, and the plaintiff suffered damage to reputation[21]. Further, wherever the plaintiff decides to institute the suit, the law of that contracting state will apply[22].

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

Shevill was decided on the premise of traditional defamation. However, it has been adopted by the District Court of Ammochostos, Cyprus, in the Cyber Libel case of Christoforos Karayiannas & Sons Ltd Vs. Cornelius Desmond O’ Dwyer[23].

Later in 2011, in eDate Advertising GmbH v X and Olivier Martinez v MGN Ltd[24], CJEU dealt with the applicability of Shevill’s ruling in cyber defamation cases, with respect to the issue of jurisdiction. The court held that online medium has to be distinguished from the traditional medium as the former is aimed at ensuring ubiquity of the content. Online content can be accessed by a number of users throughout the world, irrespective of any intention on part of the person who uploaded such content online. Therefore, the Shevill criteria have to be adapted in a manner in which the plaintiff can institute a suit in one jurisdiction, for all the damage caused to him. The court said the jurisdiction where the plaintiff had his ‘centre of interests’ should also be a jurisdiction to institute a suit of cyber defamation.

Furthermore, the CJEU in Bolagsupplysningen OÜ, Ingrid Ilsjan v. Svensk Handel AB[25], held that an action for removal of defamatory imputation by way of an injunction cannot be initiated in every Member State where the website was accessible.

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

The most recent case of Glawischnig-Piesczek v. Facebook Ireland Limited[26] is of specific significance with respect to the scope of removal of defamatory content. The case involved the posting of a defamatory comment against the applicant, Eva Glawischnig–Piesczek, by an anonymous Facebook user in Austria. The European Court of Justice held that the EU E-commerce Directive does not preclude the member states from ordering the worldwide removal of unlawful content and it is left to the member states to decide the geographic scope of the restriction.

The court reached the conclusion by recalling that Article 14(1) of the Directive exempts ISPs from liability as long as they have no knowledge of any illegal activity or information[27], or if they become aware of it, they have acted expeditiously to remove or disable access[28]. Within this realm, individual states and their courts may establish procedures to remove or disable illegal content.

The Court further held that although Article 15(1) prohibits general monitoring of online content, which includes actively seeking facts or circumstances indicating illegal activity, however, once being notified of the illegal content, the ISP has to expeditiously remove or disable the impugned content.

REGULATION OF CYBER DEFAMATION IN THE UNITED KINGDOM

Defamation in the United Kingdom is governed by the Defamation Act of 1996 and 2013. These acts do not provide an explicit definition of ‘defamation’. In the leading case of Sim v. Stretch[29], it was proposed by Lord Atkin that a defamatory statement is one which “injures the reputation of another by exposing him to ̳hatred, contempt or ridicule, or which tends to lower him in the estimation of right-thinking members of society.”[30]

Elements of defamation

Section 1(1) of the 2013 Act state that a statement cannot be considered defamatory unless its publication has caused or is likely to cause ‘serious harm’ to the reputation of the plaintiff[31]. Section 1(2) further states that ‘serious harm’ is the one involving serious financial loss[32]. This definition has raised the bar for bringing a claim of defamation in the UK.

Jurisdiction

With respect to the publication of defamatory imputation, the court in Harrods v. Dow Jones[33] adopted the approach used by the Australian court in Dow Jones v. Gutnick[34] by establishing the principle that where a newspaper or magazine was published on the internet, the plaintiff could bring an action in any jurisdiction where the content could be received[35]. Therefore, the plaintiff can institute a suit in any jurisdiction where the users had accessed the defamatory content, thus fulfilling the publication requirement.

Publication rule

The publication can be defined as “the making known of defamatory matter after it has been written to some person other than the person to whom it is written.”[36]

Earlier, UK courts used to follow the multiple publication rule, which derived its origin in the case of Duke of Brunswick v. Harma[37]. However, the same was done away with, and the single publication rule was adopted after the 2013 Act came into being[38]. Therefore, the first publication of the defamatory content to the public triggers the limitation period of one year for initiating the claim for defamation.

The liability of ISPs

In defamation law, ISPs can be considered secondary publishers. Section 1(1) of the Defamation Act, 1996 lays down the situations where the secondary publisher cannot be held liable for the illegal content posted on its platform- if the ISP took reasonable care in relation to the publication[39], or it did not have the knowledge that the content was defamatory[40]. This provision is based on the common law defence of ‘innocent dissemination’.

In Godfrey v. Demon Internet Service[41], the court addressed the issue of liability of ISP as a publisher. It was held that once the ISP has actual knowledge of defamatory statements being posted on its platform, it should take down such content to escape liability. If it fails to do so, is can be held liable as a publisher of such content.

Defenses

The law accepts that in some circumstances, the publication of a statement may be public interest, even though the veracity of such statement cannot be proved. The same has been held in Reynolds v, Times Newspaper[42] by the House of Lords. The court developed the common law defence of qualified privilege to give protection to a newspaper article that implied that the former Prime Minister of Eire had lied. However, the court also held that in such cases, it is important for the defendant to show that it abided by high journalistic standards to verify the information, seek the plaintiff’s comments and include the gist of the plaintiff’s side story.

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

REGULATION OF CYBER DEFAMATION IN INDIA

The Constitution of India, under Article 19(1)(a) provides the citizens of India, the right to freedom of speech and expression. However, this right is not absolute and is subject to certain reasonable restrictions mentioned under Article 19(2), under which defamation is considered a reasonable restriction. This particular restriction provides a constitutional basis to defamation laws in India. The same position has been upheld by the Supreme Court of India in the case of Subramanian Swamy v. Union of India[43], while holding that section 499 of the Indian Penal Code, 1860, which deals with criminal defamation in India, is not an excessive restriction under Article 19(2). The Apex Court also held that an individual has a right to reputation, which is a part of Article 21 of the Indian Constitution[44].

In India, under the law of land, a person aggrieved by defamation has both civil and criminal remedies available simultaneously[45].

Under the tort law, the following elements need to be fulfilled before instituting a suit for defamation[46]

  1. The words or the act must be defamatory i.e. it should tend to injure the reputation of the plaintiff;
  2. They must have reference to the plaintiff, and
  3. They must have been published i.e. communicated to a third party, a party other than the person defamed.

The provisions of the Indian Penal Code, 1860[47] deal with criminal defamation in India under sections 499 to 502. Section 499 provides what amounts to defamation[48], section 500 provides the punishment[49], section 501 and section 502 provide for the liability in case of printing or engraving matter known to be defamatory[50], and sale of such material[51], respectively.

Applicable law

Previously, section 66A of the Information Technology Act, 2000, dealt with cases of cyber defamation. However, the same was struck down by the Supreme Court in Shreya Singhal v. Union of India[52] owing to the broad and ambiguous purview of the provision.

Therefore, owing to the lack of specific provision/legislation dealing with cyber defamation in India, it is generally dealt under the Indian Penal Code (for criminal defamation) and the general principles or tort law (for civil defamation).  It is pertinent to note that section 499 does not specify the medium used to make imputations, neither traditional medium, nor computer/internet medium.

Publication rule

With respect to publication by repetition, initially, India adopted the common law approach of multiple publications [53]. However, in Khawar Butt vs Asif Nazir Mir[54], the Delhi High Court, in 2013, set aside the multiple publication rule on the internet and followed the single publication rule[55]. With respect to the limitation period for filing a civil suit of defamation, the Limitation Act, 1968 provides for the limitation period of 1 year[56].

Jurisdiction

The Delhi High Court in Swami Ramdev v. Facebook Inc[57], held that- “once content was uploaded from India and was made available globally, the removal of such content, as ordered by a competent court, shall also be ‘worldwide’ and not just restricted to India[58]. By adopting this approach, the court assumed global jurisdiction while issuing the take-down order to the intermediaries.

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

Liability of ISPs and Intermediaries

With respect to the liability of intermediaries in India, section 79 of the I.T. Act states that intermediaries are not liable for any third-party information, data, or communication link made available or hosted by them[59] so long as[60]

  • “Their function is limited to only providing access to communication system;
  • They do not initiate the transmission; select the receiver of the transmission, and select or modify the information contained in the transmission.
  • They exercise due diligence in their duties and adhere to any guidelines which may be prescribed[61]

Therefore, if the above-mentioned conditions are met by the intermediary, liability for publication may only arise when it has failed to remove defamatory material after being notified. This principle is called the ‘Notice and take down approach’.

With respect to such liability of the intermediary, the Delhi High Court in Vyakti Vikas Kendra, India Public Charitable Trust, Trustee Mahesh Gupta & Ors vs. Jitender Bagga & Anr, held that under Section 79(3)(b) of the IT Act, 2000, “Google is under an obligation to remove unlawful content if it receives actual notice from the affected party of any illegal content being circulated/published through its service.”[62] The Court observed that Rule 3(3) of the IT Rules read with Rule 3(2) requires an intermediary to “observe due diligence or publish any information that is grossly harmful, defamatory, libellous, disparaging or otherwise unlawful[63]. Rule 3(4) of the Rules creates an “obligation on an intermediary to remove such defamatory content within 36 hours from receipt of actual knowledge”.[64]

[1] Rosenblatt v. Baer, 383 U.S. 75 (1966).

[2] New York Times Co. v. Sullivan, 376 U.S. 254 (1964).

[3] Id.

[4] St. Amant v. Thompson, 390 U.S. 727 (1968).

[5] Chubby Inc v. CompuServe Inc, 776 F. Supp. 135 (S.D.N.Y. 1991).

[6] Stratton Oakmont, Inc. v. Prodigy Services Co., (1995 WL 323710).

[7] Communications Decency Act, 1996, s. 230.

[8] Zeran v. America Online Inc., 129 F. 3d 327.

[9] Blumenthal v. Drudge, 992 F. Supp. 44 (D.D.C. 1998).

[10] Carafano v. Metrosplash.com, 339 F.3d 1119.

[11] Barrett v. Rosenthal, 146 P.3d 510 (Cal. S. Ct. 2006).

[12] Lunney v. Prodigy 94 N.Y.2d 242.

[13] The Restatement (Second) of Torts, s. 577A.

[14] Wolfson v. Syracuse Newspapers Inc, 254 App. Div. 211.

[15] Firth v. State, 98 N.Y.2d 365.

[16] Id.

[17] The European Convention on Human Rights, 1950, art. 10(1).

[18] The European Convention on Human Rights, 1950, art. 10(2).

[19] Brussels Convention on Jurisdiction and Enforcement of Judgements in Civil and Commercial Matters, 1968, art. 5(3).

[20] Shevill and others v. Presse Alliance SA, [1995] 2 W.L.R. 499.

[21] Id.

[22] Supra note 20.

[23] Christoforos Karayiannas & Sons Ltd v. Cornelius Desmond O’ Dwyer, Case 365/2006.

[24] eDate Advertising GmbH v. X, C-509/09; Olivier Martinez v. MGN Ltd, C-161/10.

[25] Bolagsupplysningen OÜ, Ingrid Ilsjan v. Svensk Handel AB, C‑194/16.

[26] Glawischnig-Piesczek v. Facebook Ireland Limited, C-18/18.

[27] Electronic Commerce Directive, 2000, art. 14(1)(a).

[28] Electronic Commerce Directive, 2000, art. 14(1)(b).

[29] Sim v. Stretch, [1936] 2 All ER 1237 (HL),

[30] Id.

[31] Defamation Act, 2013, s. 1(1).

[32] Defamation Act, 2013, s. 1(2).

[33] Harrods v. Dow Jones, [2003] EWHC 1162 (QB).

[34] Dow Jones v. Gutnick, 210 CLR 575.

[35] Id.

[36] Pullman v. W. Hill & Co Ltd, [1891] 1 QB 524.

[37] Duke of Brunswick v. Harma, (1849) 14 QB 185.

[38] Defamation Act, 2013, s. 8(1)(3).

[39] Id, (b).

[40] Supra note 38, (c).

[41] Godfrey v. Demon Internet Service, [2001] QB 201.

[42] Reynolds v. Times Newspaper, [2001] 2 AC 127.

[43] Subramanian Swamy v. Union of India, (2015) 13 SCC 353.

[44] Id.

[45] Asoke Kumar v. Radha Kanto, A.I.R. 1967 Cal. 17.

[46] R F V HEUSTON, SALMOND ON THE LAW OF TORTS 355 (1996).

[47] Indian Penal Code, 1860.

[48] Id, s. 499.

[49] Supra note 47, s. 500.

[50] Supra note 47, s. 501.

[51] Supra note 47, s. 502.

[52] Shreya Singhal v. Union of India, (2013) 12 S.C.C. 73.

[53] Followed in UK prior to enactment of the Defamation Act, 2013, s. 8.

[54] Khawar Butt v. Asif Nazir Mir, CS(OS) 290/2010.

[55] Defamation Act, 2013, s. 8 (United Kingdom).

[56] The Limitation Act, 1963, Entry 75.

[57] Swami Ramdev v. Facebook Inc., 263 (2019) DLT 689.

[58] Id.

[59] The Information Technology Act, 2000, s. 79(1).

[60] The Information Technology Act, 2000, s. 79(2).

[61] Id.

[62] Vyakti Vikas Kendra, India Public Charitable Trust v. Jitender Bagga & Anr., CS(OS) No.1340/2012.

[63] Information Technology (Intermediaries guidelines) Rules, 2011, rule 3(3) and rule 3(2).

[64] Information Technology (Intermediaries guidelines) Rules, 2011, rule 3(4).

Categories
Blog

Significance of Cyber Forensics in the modern digital world

The influence of Information and Communication Technologies (referred to as ‘ICTs’ hereafter) on society goes far beyond establishing basic information infrastructure. It has proven to be a foundation for development in the creation, availability and use of network-based services. It has played the most significant role in transforming the world we live in.

Although ICTs have helped in the creation of a truly global marketplace, characterized by a constant flow of information through networks and websites, however, just like everything, Internet technology to has its own pros and cons. On one hand, the ICT makes our life easier and on the other hand, it provides a platform for individuals to commit crimes in cyberspace, by taking advantage of the vulnerabilities and risks associated with the Internet. This led to the development of jurisprudence with respect to ‘cybercrime’ or crime committed in cyberspace.

Learn about Digital Forensics with Enhelion’s Online Law firm certified Course! 

With the recognition of new age crimes as ‘cybercrimes’ and their peculiar nature, as opposed to traditional crimes, there was also a need to develop a security framework as well as a legal framework to exclusively combat such crimes. This led to the development of the regime of ‘cyber security and ‘cyber laws’ in various jurisdictions.

The basis of the cyber law regime was the same as that of traditional law- for the prosecution of crimes, whether traditional or new age, the court of law required credible evidence. However, it was no secret that the form of evidence required in traditional criminal cases differs from that in the case of cybercrimes, as the latter entails procurement of evidence from the ‘cyberspace’ itself, as opposed to a physical location. Since the traditional investigation and evidence procurement tools were not adequate in the context of cybercrimes which eventually led to a lack of prosecution of cybercriminals, therefore, a new disciple of forensics[1] known as ‘cyber forensics’ emerged.

Cyber forensics is defined as “the collection and analysis of data from computer systems, networks, communication streams and storage media in a manner that is admissible in a court of law[2]. In general terms, it was the use of knowledge of computer science to gain access to credible evidence which will be considered admissible in the court of law while prosecuting an accused in a case concerning the commission of cybercrime.

Learn about Digital Forensics with Enhelion’s Online Law firm certified Course! 

Initially, the use of cyber forensic tools was limited to the purpose of prosecution in court where cybercrimes were committed against private individuals. However, cybercrimes were not directed only at private individuals, various public, as well as private organizations which adopted ICTs in their day-to-day operations, were increasingly becoming victims of such crimes. Therefore, these organizations realized the potential of cyber forensics in identifying the offenders and securing their networks and started using the same within their organizations. Presently, cyber forensic tools are used equally by the government, private organizations and investigating authorities.

Cyber forensics per se involves the utilisation of knowledge of computers, computer systems, computer networks and the Internet i.e. it is primarily technical in nature. It is pertinent to note that the evidence collected with the use of cyber forensics should be admissible in a court of law, otherwise such evidence is futile. Therefore, there is also a requirement for setting legal standards as to how to collect, store and process evidence in cases of cybercrime. The legal framework of the country provides for these legal standards. For example, in India, the Indian Evidence Act, 1872[3] was amended in 2000 to insert various provisions relating to the admissibility of electronic evidence. The definition of the term ‘evidence’ was amended to include within its ambit, electronic records.[4] Section 65A[5] read with section 65B[6] provides for the admissibility of electronic records.

The COVID-19 pandemic had an unprecedented impact on the technological sector. Most individuals were completely dependent on the use of technology for their day-to-day activities, employment and education, among other things. This dependence provided a breeding ground for cybercriminals to exploit the vulnerable networks. Therefore, the significance of cyber forensic tools to combat such cybercrime activities was realised during the COVID-19 pandemic, more than ever.

Learn about Digital Forensics with Enhelion’s Online Law firm certified Course! 

[1] Forensics is the use of scientific knowledge to collect information for supporting a fact.

[2] Anjani Singh Tomar, Cyber forensics in combating cybercrimes, 3 PARIPEX 69, (2014).

[3] The Indian Evidence Act, 1872.

[4] Id., § 3.

[5] Special provisions as to evidence relating to documents may be given.

[6] Admissibility of electronic records.

Categories
Blog

Data Protection Regime in the European Union- General Data Protection Regulation (EU-GDPR)

Originally proposed by the European Commission in 2012, the EU GDPR[1] came into effect on 25th May 2018. It is intended to harmonize privacy and data protection laws across Europe. It further aims to provide a framework to ensure that the data subjects have control over their personal data. The provisions are GDPR are applicable[2]

  1. When a controller or a processor is established in the EU
  2. When the personal data of EU data subjects is processed

The Regulation defines terms like ‘personal data’, ‘processing’, ‘data subject’, ‘controller’, ‘consent’, ‘processor’ and ‘personal data breach’.[3] It also enumerates the basic principles on which GDPR is based. These include “lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability[4].

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

One of the grounds mentioned under the Regulation which makes the processing of personal data by the controller or the processor lawful is when the data subject has consented to such processing[5]. The declaration seeking such consent should be made in an intelligible and easily accessible form, using clear and plain language[6]. Further, the data subject has the right to withdraw his consent at any time, and such withdrawal will not affect the lawfulness of the processing prior to the withdrawal.[7] When the data subject is a child below the age of 16 years, consent for the processing of personal data can only be given or authorized by the parents.[8] However, the Regulation gives the discretion to the individual member states of the EU to decide the minimum age for which parental consent will be required, however, such age cannot be lower than 13 years.[9]

The GDPR prohibits the processing of personal data relating to a specific category (sensitive personal data)[10]. However, such data can be processed in certain conditions like when the data subject gives explicit consent or when processing is necessary to protect the vital interests of the data subject or when processing is necessary for substantial public interest etc.[11]

Chapter 4 of GDPR enumerates the rights provided to the data subject with respect to the processing of their personal data. These include the right to access the data by the data subject (to know the purpose of processing, the categories of data being processed, recipients of such data, the period for which data will be stored, right to be informed of additional safeguards if data is transferred to a third country or an international organization etc.)[12], right to rectification (of inaccurate data concerning the data subject), right to erasure (when data is no longer necessary, when consent is withdrawn when data is unlawfully processed etc.), right to restriction of processing (for a particular time period) , right to data portability (receive the data in a machine-readable format and transmit the same to another controller) and right to object.

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

The member states of the Union have the right to restrict the scope of rights and obligations[13] of the data subject and the controllers/processors, under the Regulation on the ground of national security, defence, public security, and criminal offences[14], general public interest etc.[15] by means of legislative measures.

The controller is obligated to take necessary technical and organizational measures which are designed to implement the principle of GDPR while processing the personal data of the subject (data protection by design).[16] Furthermore, the technical measures should be implemented to ensure that, by default, only the personal data which is required for specific purposes, is processed[17] (data protection by default).

In case of a data breach which is likely to risk the rights of natural persons, the controller should notify the supervisory authority within 72 hours of becoming aware of such breach. The controller should also inform the data subject about such data breaches in certain specific situations[18].

Further, if the processing of data involves new technology which might result in “high risk to the rights and freedoms of natural persons, the controller should carry out an impact assessment, before processing any data[19].

The Regulation also mandates the appointment of a Data Protection Officer by the controller and processor in certain situations.[20] The Officer has the duty to inform and advise the employees of their obligations while processing the data of data subjects, to monitor the compliance of provisions of GDPR, to cooperate with supervisory authority etc.[21]

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

In case of infringement of any right of the data subject or any obligation mentioned under GDPR, the data subject has the right to lodge a complaint with the supervisory authority of a particular member state[22]. For severe violations, the fine framework can be “up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher[23]. In case of less severe violations, the Regulation sets forth fines of “up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher[24].

Therefore, the privacy and data protection regime in the European Union is very stringent. Although it has only been two years since the GDPR came into effect, however, the recent cases of imposition of huge sums of fines on Twitter[25] and Google[26] in Europe for violating the provisions of GDPR, highlight the seriousness of privacy and data protection in Europe.

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

 

[1] General Data Protection Regulation, Regulation (EU) (2016/679).

[2] Id, art. .

[3] Supra note 1, art. 4.

[4] Supra note 1, art. 5.

[5] Supra note 1, art. 6(1)(a).

[6] Supra note 1, art. 7(2).

[7] Supra note 1, art. 7(3).

[8] Supra note 1, art. 8(1).

[9] Id.

[10] Supra note 1, art. 9(1).

[11] Supra note 1, art. 9(2).

[12] Supra note 1, art. 15.

[13] Supra note 1, under art. 12-22, art. 34 and art 5.

[14] Prevention, Investigation, Detection or Prosecution.

[15] Supra note 1, art. 23.

[16] Supra note 1, art. 25(1).

[17] Supra note 1, art. 25(2).

[18] Supra note 1, art. 34(3).

[19] Supra note 1, art. 35.

[20] Supra note 1, art. 37.

[21] Supra note 1, art. 39.

[22] Supra note 1, art. 77.

[23] Supra note 1, art. 83(5).

[24] Supra note 1, art. 83(4).

[25] BGR, https://www.bgr.in/news/twitter-fined-547000-dollars-for-not-disclosing-data-breach-927683/ (last visited Feb. 1, 2021).

[26] REUTERS, https://www.reuters.com/article/us-google-privacy-france/french-watchdog-fines-google-amazon-for-breaching-cookies-rules-idUSKBN28K0NA (last visited Feb. 1, 2021).