Categories
Blog

Cyber Defamation

Defamation is a tort that encompasses the publication of false statements which subsequently harm someone’s reputation. There are two types of defamation depending on the medium of publication- libel (in permanent form) and slander (in transient form). To establish a case of defamation, certain prerequisites are to be met. Firstly, the imputation should be about the plaintiff, secondly, such imputation should be defamatory and should not fall under the exceptions, thirdly, the defamatory imputation should be published i.e. communicated to a third person, and lastly, such imputation should lower down the reputation of the plaintiff in the eyes of people who think highly of him.

The development of technology and the advent of the internet have provided an online medium for individuals to make defamatory imputations. In light of this, jurisprudence with respect to cyber defamation has evolved over the last few decades.

REGULATION OF CYBER DEFAMATION IN THE UNITED STATES OF AMERICA

The first amendment to the U.S. Constitution guarantees its citizens, the freedom of expression and freedom of the press. The defamation law seems to be in conflict with the right to express oneself. However, the exercise of such a right cannot be unrestricted as defamation law seeks to protect human dignity. The same has been highlighted by the US Supreme Court by asserting that the tort of defamation “reflects no more than the basic concept of the essential dignity and worth of every human being- a concept at the root of any decent system of ordered liberty.”[1]

On the federal level, there is no criminal defamation. Majority of the defamation suits (both libel and slander) are dealt with by applying the common law principles of tort. Some the states have codified slander and libel together into the same set of laws to be applicable within their jurisdiction. Cyber defamation is also governed by the same set of legal framework regulating traditional defamation in the U.S.

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

The burden of proof standards

Until the second half of the 20th century, the defamation law in the US seemed to be favorable to the plaintiff as the statement made was presumed defamatory and the burden was on the defendant to prove that the statement was true, as truth was an absolute defense to defamation. However, in 1964, the case of New York Times Co. v. Sullivan[2] dramatically changed the nature of libel law in the US. The court held that when libellous statements were made against the public officials, the plaintiff (such public officials) should prove ‘actual malice’ on part of the publisher. Actual malice was defined as “knowledge that the information was false or that it was published with reckless disregard of whether it was false or not[3]. This decision was later extended to cover ‘public figures’[4]. This highlights the paradigm shift in the burden of proof standards involving public officials.

The liability of Internet Service Providers (ISPs) and Intermediaries

Technology and internet provided a new platform to individuals to express their opinions and thoughts. Therefore, in cases of cyber defamation, the plaintiff has the option of instituting a suit against the person who made the imputation or the entities which provided a platform for such imputation to be made. However, considering the nature of the internet, the courts analysed whether the same standard of protection can be provided to ISPs, as is provided to their traditional counterparts like newspapers and radios.

In Chubby Inc v CompuServe Inc[5], defamatory statements were made using the platform of CompuServe, which was an ISP. The issue was whether such ISP can be held liable for defamation. The court held that CompuServe was merely a distributor and not a publisher, which had no editorial control over the content being shared and uploaded. Therefore, it could not be held liable as it was a mere passive conduit, without direct editorial control.

However, the court in Stratton Oakmont, Inc. v. Prodigy Services Co.[6], a case involving similar facts with the difference that Prodigy, as an ISP, employed a screening program, implying that it had editorial control, held that Prodigy is liable for the defamatory statements made using its platform, not as a distributor, but as a publisher.

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

Considering the extent of liability imposed on the ISPs post-Stratton Oakmont, Congress enacted the Communications Decency Act, 1996 (CDA) to provide protection to ISPs from online defamation. Section 230(c)(1) of the Act stated that “no provider or user of any interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”[7]

After the enactment of the CDA, the judicial approach to defamation cases changed significantly. In Zeran v. America Online, Inc[8], the court implemented section 230 by providing federal immunity to America Online (AOL) for unreasonable delay in removing defamatory messages posted by a third party and refusal to post a retraction. The court further held that ‘distributor’ was a sub-class of ‘publisher’, and would fall under the ambit of section 230. Additionally, the court established that notice to an ISP of defamatory content does not create liability.

Further, in Blumenthal v. Drudge[9], the court again reiterated the finding that in cases involving ISPs, the only potential party to the defamation claim is the original author.

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

The protection under section 230 was further extended in Carafano v. Metrosplash.com[10]  and Barrett v. Rosenthal[11]. Lunney v. Prodigy[12] also asserted that ISPs play a passive role and cannot be held liable in light of section 230. The court further added that even if the ISP were a publisher, it would have a common law qualified privilege on the basis of lack of knowledge about the fact that the statements were false.

Publication rule

The publication of imputation i.e. communication to a third person is one of the prerequisites of a defamation suit. This requirement of publication can also be satisfied by the republication of the original defamatory statement. The publication rule is important to ascertain the limitation period for filing the suit. In case of a single publication, the period starts as soon as the statement is communicated to a third person, however, in the case of multiple publications, a fresh cause of action starts each time the statement is communicated to a third person. Therefore, in case of multiple publication rule, the limitation period loses its significance.

Taking into account the inherent issue of the multiple publication rules, the American courts have adopted the single publication rule in case of defamation[13]. In Wolfson v. Syracuse Newspapers Inc.[14], the court rejected the multiple publication rule by asserting that it makes the applicability of the limitation period in such cases futile. The single publication rule has been adopted in cyber defamation cases as well. In Firth v. State[15],  the court held that “a multiple publication rule would implicate an even greater potential for endless retriggering of the statute of limitations, the multiplicity of suits and harassment of defendants.”[16]

To conclude, although the jurisprudence with respect to cyber defamation is evolving in the U.S., however, the courts still provide greater protection to the first amendment right of expression by asserting that defamation lawsuits have a ‘chilling effect’ on speech. This has led to the proliferation of so-called ‘Anti-SLAPP’ suits which provide a way for the individuals to fight back against the baseless lawsuits that are designed to silence expression.

REGULATION OF CYBER DEFAMATION IN THE EUROPEAN UNION

The European Convention on Human Rights (ECHR), under Article 10, enshrines freedom of expression[17]. Article 10(2) further allows the contracting states to impose restrictions for the protection of the reputation or rights of others[18]. Therefore, with respect to defamation in the European Union (E.U.), the legal framework has been left to the individual member states. However, the E-commerce Directive deal with certain aspects relating to the liability of ISPs in cyber defamation cases.

With respect to the jurisdictional issues arising in defamation cases in the E.U., the Brussels Convention on Jurisdiction and Enforcement of Judgements in Civil and Commercial Matters, 1968 becomes relevant. Article 5(3) of the Convention provides that “a person domiciled in the contracting state may be sued in matters relating to tort, delict or quasi-delict, in the courts for the place (of other contracting state) where the harmful event occurred[19]. However, if the ‘harmful event’ occurred at a number of places, i.e. with respect to defamation, if the harm to reputation occurred at a number of places, then which court will assume jurisdiction. This issue was addressed by the Court of Justice of the European Union in Shevill and others v Presse Alliance SA[20], on reference from the House of Lords. The court held that the victim of libel in several contracting states can either institute a suit in the jurisdiction where the publisher is established, or in each of the contracting states where the publication was distributed, and the plaintiff suffered damage to reputation[21]. Further, wherever the plaintiff decides to institute the suit, the law of that contracting state will apply[22].

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

Shevill was decided on the premise of traditional defamation. However, it has been adopted by the District Court of Ammochostos, Cyprus, in the Cyber Libel case of Christoforos Karayiannas & Sons Ltd Vs. Cornelius Desmond O’ Dwyer[23].

Later in 2011, in eDate Advertising GmbH v X and Olivier Martinez v MGN Ltd[24], CJEU dealt with the applicability of Shevill’s ruling in cyber defamation cases, with respect to the issue of jurisdiction. The court held that online medium has to be distinguished from the traditional medium as the former is aimed at ensuring ubiquity of the content. Online content can be accessed by a number of users throughout the world, irrespective of any intention on part of the person who uploaded such content online. Therefore, the Shevill criteria have to be adapted in a manner in which the plaintiff can institute a suit in one jurisdiction, for all the damage caused to him. The court said the jurisdiction where the plaintiff had his ‘centre of interests’ should also be a jurisdiction to institute a suit of cyber defamation.

Furthermore, the CJEU in Bolagsupplysningen OÜ, Ingrid Ilsjan v. Svensk Handel AB[25], held that an action for removal of defamatory imputation by way of an injunction cannot be initiated in every Member State where the website was accessible.

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

The most recent case of Glawischnig-Piesczek v. Facebook Ireland Limited[26] is of specific significance with respect to the scope of removal of defamatory content. The case involved the posting of a defamatory comment against the applicant, Eva Glawischnig–Piesczek, by an anonymous Facebook user in Austria. The European Court of Justice held that the EU E-commerce Directive does not preclude the member states from ordering the worldwide removal of unlawful content and it is left to the member states to decide the geographic scope of the restriction.

The court reached the conclusion by recalling that Article 14(1) of the Directive exempts ISPs from liability as long as they have no knowledge of any illegal activity or information[27], or if they become aware of it, they have acted expeditiously to remove or disable access[28]. Within this realm, individual states and their courts may establish procedures to remove or disable illegal content.

The Court further held that although Article 15(1) prohibits general monitoring of online content, which includes actively seeking facts or circumstances indicating illegal activity, however, once being notified of the illegal content, the ISP has to expeditiously remove or disable the impugned content.

REGULATION OF CYBER DEFAMATION IN THE UNITED KINGDOM

Defamation in the United Kingdom is governed by the Defamation Act of 1996 and 2013. These acts do not provide an explicit definition of ‘defamation’. In the leading case of Sim v. Stretch[29], it was proposed by Lord Atkin that a defamatory statement is one which “injures the reputation of another by exposing him to ̳hatred, contempt or ridicule, or which tends to lower him in the estimation of right-thinking members of society.”[30]

Elements of defamation

Section 1(1) of the 2013 Act state that a statement cannot be considered defamatory unless its publication has caused or is likely to cause ‘serious harm’ to the reputation of the plaintiff[31]. Section 1(2) further states that ‘serious harm’ is the one involving serious financial loss[32]. This definition has raised the bar for bringing a claim of defamation in the UK.

Jurisdiction

With respect to the publication of defamatory imputation, the court in Harrods v. Dow Jones[33] adopted the approach used by the Australian court in Dow Jones v. Gutnick[34] by establishing the principle that where a newspaper or magazine was published on the internet, the plaintiff could bring an action in any jurisdiction where the content could be received[35]. Therefore, the plaintiff can institute a suit in any jurisdiction where the users had accessed the defamatory content, thus fulfilling the publication requirement.

Publication rule

The publication can be defined as “the making known of defamatory matter after it has been written to some person other than the person to whom it is written.”[36]

Earlier, UK courts used to follow the multiple publication rule, which derived its origin in the case of Duke of Brunswick v. Harma[37]. However, the same was done away with, and the single publication rule was adopted after the 2013 Act came into being[38]. Therefore, the first publication of the defamatory content to the public triggers the limitation period of one year for initiating the claim for defamation.

The liability of ISPs

In defamation law, ISPs can be considered secondary publishers. Section 1(1) of the Defamation Act, 1996 lays down the situations where the secondary publisher cannot be held liable for the illegal content posted on its platform- if the ISP took reasonable care in relation to the publication[39], or it did not have the knowledge that the content was defamatory[40]. This provision is based on the common law defence of ‘innocent dissemination’.

In Godfrey v. Demon Internet Service[41], the court addressed the issue of liability of ISP as a publisher. It was held that once the ISP has actual knowledge of defamatory statements being posted on its platform, it should take down such content to escape liability. If it fails to do so, is can be held liable as a publisher of such content.

Defenses

The law accepts that in some circumstances, the publication of a statement may be public interest, even though the veracity of such statement cannot be proved. The same has been held in Reynolds v, Times Newspaper[42] by the House of Lords. The court developed the common law defence of qualified privilege to give protection to a newspaper article that implied that the former Prime Minister of Eire had lied. However, the court also held that in such cases, it is important for the defendant to show that it abided by high journalistic standards to verify the information, seek the plaintiff’s comments and include the gist of the plaintiff’s side story.

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

REGULATION OF CYBER DEFAMATION IN INDIA

The Constitution of India, under Article 19(1)(a) provides the citizens of India, the right to freedom of speech and expression. However, this right is not absolute and is subject to certain reasonable restrictions mentioned under Article 19(2), under which defamation is considered a reasonable restriction. This particular restriction provides a constitutional basis to defamation laws in India. The same position has been upheld by the Supreme Court of India in the case of Subramanian Swamy v. Union of India[43], while holding that section 499 of the Indian Penal Code, 1860, which deals with criminal defamation in India, is not an excessive restriction under Article 19(2). The Apex Court also held that an individual has a right to reputation, which is a part of Article 21 of the Indian Constitution[44].

In India, under the law of land, a person aggrieved by defamation has both civil and criminal remedies available simultaneously[45].

Under the tort law, the following elements need to be fulfilled before instituting a suit for defamation[46]

  1. The words or the act must be defamatory i.e. it should tend to injure the reputation of the plaintiff;
  2. They must have reference to the plaintiff, and
  3. They must have been published i.e. communicated to a third party, a party other than the person defamed.

The provisions of the Indian Penal Code, 1860[47] deal with criminal defamation in India under sections 499 to 502. Section 499 provides what amounts to defamation[48], section 500 provides the punishment[49], section 501 and section 502 provide for the liability in case of printing or engraving matter known to be defamatory[50], and sale of such material[51], respectively.

Applicable law

Previously, section 66A of the Information Technology Act, 2000, dealt with cases of cyber defamation. However, the same was struck down by the Supreme Court in Shreya Singhal v. Union of India[52] owing to the broad and ambiguous purview of the provision.

Therefore, owing to the lack of specific provision/legislation dealing with cyber defamation in India, it is generally dealt under the Indian Penal Code (for criminal defamation) and the general principles or tort law (for civil defamation).  It is pertinent to note that section 499 does not specify the medium used to make imputations, neither traditional medium, nor computer/internet medium.

Publication rule

With respect to publication by repetition, initially, India adopted the common law approach of multiple publications [53]. However, in Khawar Butt vs Asif Nazir Mir[54], the Delhi High Court, in 2013, set aside the multiple publication rule on the internet and followed the single publication rule[55]. With respect to the limitation period for filing a civil suit of defamation, the Limitation Act, 1968 provides for the limitation period of 1 year[56].

Jurisdiction

The Delhi High Court in Swami Ramdev v. Facebook Inc[57], held that- “once content was uploaded from India and was made available globally, the removal of such content, as ordered by a competent court, shall also be ‘worldwide’ and not just restricted to India[58]. By adopting this approach, the court assumed global jurisdiction while issuing the take-down order to the intermediaries.

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

Liability of ISPs and Intermediaries

With respect to the liability of intermediaries in India, section 79 of the I.T. Act states that intermediaries are not liable for any third-party information, data, or communication link made available or hosted by them[59] so long as[60]

  • “Their function is limited to only providing access to communication system;
  • They do not initiate the transmission; select the receiver of the transmission, and select or modify the information contained in the transmission.
  • They exercise due diligence in their duties and adhere to any guidelines which may be prescribed[61]

Therefore, if the above-mentioned conditions are met by the intermediary, liability for publication may only arise when it has failed to remove defamatory material after being notified. This principle is called the ‘Notice and take down approach’.

With respect to such liability of the intermediary, the Delhi High Court in Vyakti Vikas Kendra, India Public Charitable Trust, Trustee Mahesh Gupta & Ors vs. Jitender Bagga & Anr, held that under Section 79(3)(b) of the IT Act, 2000, “Google is under an obligation to remove unlawful content if it receives actual notice from the affected party of any illegal content being circulated/published through its service.”[62] The Court observed that Rule 3(3) of the IT Rules read with Rule 3(2) requires an intermediary to “observe due diligence or publish any information that is grossly harmful, defamatory, libellous, disparaging or otherwise unlawful[63]. Rule 3(4) of the Rules creates an “obligation on an intermediary to remove such defamatory content within 36 hours from receipt of actual knowledge”.[64]

[1] Rosenblatt v. Baer, 383 U.S. 75 (1966).

[2] New York Times Co. v. Sullivan, 376 U.S. 254 (1964).

[3] Id.

[4] St. Amant v. Thompson, 390 U.S. 727 (1968).

[5] Chubby Inc v. CompuServe Inc, 776 F. Supp. 135 (S.D.N.Y. 1991).

[6] Stratton Oakmont, Inc. v. Prodigy Services Co., (1995 WL 323710).

[7] Communications Decency Act, 1996, s. 230.

[8] Zeran v. America Online Inc., 129 F. 3d 327.

[9] Blumenthal v. Drudge, 992 F. Supp. 44 (D.D.C. 1998).

[10] Carafano v. Metrosplash.com, 339 F.3d 1119.

[11] Barrett v. Rosenthal, 146 P.3d 510 (Cal. S. Ct. 2006).

[12] Lunney v. Prodigy 94 N.Y.2d 242.

[13] The Restatement (Second) of Torts, s. 577A.

[14] Wolfson v. Syracuse Newspapers Inc, 254 App. Div. 211.

[15] Firth v. State, 98 N.Y.2d 365.

[16] Id.

[17] The European Convention on Human Rights, 1950, art. 10(1).

[18] The European Convention on Human Rights, 1950, art. 10(2).

[19] Brussels Convention on Jurisdiction and Enforcement of Judgements in Civil and Commercial Matters, 1968, art. 5(3).

[20] Shevill and others v. Presse Alliance SA, [1995] 2 W.L.R. 499.

[21] Id.

[22] Supra note 20.

[23] Christoforos Karayiannas & Sons Ltd v. Cornelius Desmond O’ Dwyer, Case 365/2006.

[24] eDate Advertising GmbH v. X, C-509/09; Olivier Martinez v. MGN Ltd, C-161/10.

[25] Bolagsupplysningen OÜ, Ingrid Ilsjan v. Svensk Handel AB, C‑194/16.

[26] Glawischnig-Piesczek v. Facebook Ireland Limited, C-18/18.

[27] Electronic Commerce Directive, 2000, art. 14(1)(a).

[28] Electronic Commerce Directive, 2000, art. 14(1)(b).

[29] Sim v. Stretch, [1936] 2 All ER 1237 (HL),

[30] Id.

[31] Defamation Act, 2013, s. 1(1).

[32] Defamation Act, 2013, s. 1(2).

[33] Harrods v. Dow Jones, [2003] EWHC 1162 (QB).

[34] Dow Jones v. Gutnick, 210 CLR 575.

[35] Id.

[36] Pullman v. W. Hill & Co Ltd, [1891] 1 QB 524.

[37] Duke of Brunswick v. Harma, (1849) 14 QB 185.

[38] Defamation Act, 2013, s. 8(1)(3).

[39] Id, (b).

[40] Supra note 38, (c).

[41] Godfrey v. Demon Internet Service, [2001] QB 201.

[42] Reynolds v. Times Newspaper, [2001] 2 AC 127.

[43] Subramanian Swamy v. Union of India, (2015) 13 SCC 353.

[44] Id.

[45] Asoke Kumar v. Radha Kanto, A.I.R. 1967 Cal. 17.

[46] R F V HEUSTON, SALMOND ON THE LAW OF TORTS 355 (1996).

[47] Indian Penal Code, 1860.

[48] Id, s. 499.

[49] Supra note 47, s. 500.

[50] Supra note 47, s. 501.

[51] Supra note 47, s. 502.

[52] Shreya Singhal v. Union of India, (2013) 12 S.C.C. 73.

[53] Followed in UK prior to enactment of the Defamation Act, 2013, s. 8.

[54] Khawar Butt v. Asif Nazir Mir, CS(OS) 290/2010.

[55] Defamation Act, 2013, s. 8 (United Kingdom).

[56] The Limitation Act, 1963, Entry 75.

[57] Swami Ramdev v. Facebook Inc., 263 (2019) DLT 689.

[58] Id.

[59] The Information Technology Act, 2000, s. 79(1).

[60] The Information Technology Act, 2000, s. 79(2).

[61] Id.

[62] Vyakti Vikas Kendra, India Public Charitable Trust v. Jitender Bagga & Anr., CS(OS) No.1340/2012.

[63] Information Technology (Intermediaries guidelines) Rules, 2011, rule 3(3) and rule 3(2).

[64] Information Technology (Intermediaries guidelines) Rules, 2011, rule 3(4).

Categories
Blog

Significance of Cyber Forensics in the modern digital world

The influence of Information and Communication Technologies (referred to as ‘ICTs’ hereafter) on society goes far beyond establishing basic information infrastructure. It has proven to be a foundation for development in the creation, availability and use of network-based services. It has played the most significant role in transforming the world we live in.

Although ICTs have helped in the creation of a truly global marketplace, characterized by a constant flow of information through networks and websites, however, just like everything, Internet technology to has its own pros and cons. On one hand, the ICT makes our life easier and on the other hand, it provides a platform for individuals to commit crimes in cyberspace, by taking advantage of the vulnerabilities and risks associated with the Internet. This led to the development of jurisprudence with respect to ‘cybercrime’ or crime committed in cyberspace.

Learn about Digital Forensics with Enhelion’s Online Law firm certified Course! 

With the recognition of new age crimes as ‘cybercrimes’ and their peculiar nature, as opposed to traditional crimes, there was also a need to develop a security framework as well as a legal framework to exclusively combat such crimes. This led to the development of the regime of ‘cyber security and ‘cyber laws’ in various jurisdictions.

The basis of the cyber law regime was the same as that of traditional law- for the prosecution of crimes, whether traditional or new age, the court of law required credible evidence. However, it was no secret that the form of evidence required in traditional criminal cases differs from that in the case of cybercrimes, as the latter entails procurement of evidence from the ‘cyberspace’ itself, as opposed to a physical location. Since the traditional investigation and evidence procurement tools were not adequate in the context of cybercrimes which eventually led to a lack of prosecution of cybercriminals, therefore, a new disciple of forensics[1] known as ‘cyber forensics’ emerged.

Cyber forensics is defined as “the collection and analysis of data from computer systems, networks, communication streams and storage media in a manner that is admissible in a court of law[2]. In general terms, it was the use of knowledge of computer science to gain access to credible evidence which will be considered admissible in the court of law while prosecuting an accused in a case concerning the commission of cybercrime.

Learn about Digital Forensics with Enhelion’s Online Law firm certified Course! 

Initially, the use of cyber forensic tools was limited to the purpose of prosecution in court where cybercrimes were committed against private individuals. However, cybercrimes were not directed only at private individuals, various public, as well as private organizations which adopted ICTs in their day-to-day operations, were increasingly becoming victims of such crimes. Therefore, these organizations realized the potential of cyber forensics in identifying the offenders and securing their networks and started using the same within their organizations. Presently, cyber forensic tools are used equally by the government, private organizations and investigating authorities.

Cyber forensics per se involves the utilisation of knowledge of computers, computer systems, computer networks and the Internet i.e. it is primarily technical in nature. It is pertinent to note that the evidence collected with the use of cyber forensics should be admissible in a court of law, otherwise such evidence is futile. Therefore, there is also a requirement for setting legal standards as to how to collect, store and process evidence in cases of cybercrime. The legal framework of the country provides for these legal standards. For example, in India, the Indian Evidence Act, 1872[3] was amended in 2000 to insert various provisions relating to the admissibility of electronic evidence. The definition of the term ‘evidence’ was amended to include within its ambit, electronic records.[4] Section 65A[5] read with section 65B[6] provides for the admissibility of electronic records.

The COVID-19 pandemic had an unprecedented impact on the technological sector. Most individuals were completely dependent on the use of technology for their day-to-day activities, employment and education, among other things. This dependence provided a breeding ground for cybercriminals to exploit the vulnerable networks. Therefore, the significance of cyber forensic tools to combat such cybercrime activities was realised during the COVID-19 pandemic, more than ever.

Learn about Digital Forensics with Enhelion’s Online Law firm certified Course! 

[1] Forensics is the use of scientific knowledge to collect information for supporting a fact.

[2] Anjani Singh Tomar, Cyber forensics in combating cybercrimes, 3 PARIPEX 69, (2014).

[3] The Indian Evidence Act, 1872.

[4] Id., § 3.

[5] Special provisions as to evidence relating to documents may be given.

[6] Admissibility of electronic records.

Categories
Blog

Data Protection Regime in the European Union- General Data Protection Regulation (EU-GDPR)

Originally proposed by the European Commission in 2012, the EU GDPR[1] came into effect on 25th May 2018. It is intended to harmonize privacy and data protection laws across Europe. It further aims to provide a framework to ensure that the data subjects have control over their personal data. The provisions are GDPR are applicable[2]

  1. When a controller or a processor is established in the EU
  2. When the personal data of EU data subjects is processed

The Regulation defines terms like ‘personal data’, ‘processing’, ‘data subject’, ‘controller’, ‘consent’, ‘processor’ and ‘personal data breach’.[3] It also enumerates the basic principles on which GDPR is based. These include “lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability[4].

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

One of the grounds mentioned under the Regulation which makes the processing of personal data by the controller or the processor lawful is when the data subject has consented to such processing[5]. The declaration seeking such consent should be made in an intelligible and easily accessible form, using clear and plain language[6]. Further, the data subject has the right to withdraw his consent at any time, and such withdrawal will not affect the lawfulness of the processing prior to the withdrawal.[7] When the data subject is a child below the age of 16 years, consent for the processing of personal data can only be given or authorized by the parents.[8] However, the Regulation gives the discretion to the individual member states of the EU to decide the minimum age for which parental consent will be required, however, such age cannot be lower than 13 years.[9]

The GDPR prohibits the processing of personal data relating to a specific category (sensitive personal data)[10]. However, such data can be processed in certain conditions like when the data subject gives explicit consent or when processing is necessary to protect the vital interests of the data subject or when processing is necessary for substantial public interest etc.[11]

Chapter 4 of GDPR enumerates the rights provided to the data subject with respect to the processing of their personal data. These include the right to access the data by the data subject (to know the purpose of processing, the categories of data being processed, recipients of such data, the period for which data will be stored, right to be informed of additional safeguards if data is transferred to a third country or an international organization etc.)[12], right to rectification (of inaccurate data concerning the data subject), right to erasure (when data is no longer necessary, when consent is withdrawn when data is unlawfully processed etc.), right to restriction of processing (for a particular time period) , right to data portability (receive the data in a machine-readable format and transmit the same to another controller) and right to object.

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

The member states of the Union have the right to restrict the scope of rights and obligations[13] of the data subject and the controllers/processors, under the Regulation on the ground of national security, defence, public security, and criminal offences[14], general public interest etc.[15] by means of legislative measures.

The controller is obligated to take necessary technical and organizational measures which are designed to implement the principle of GDPR while processing the personal data of the subject (data protection by design).[16] Furthermore, the technical measures should be implemented to ensure that, by default, only the personal data which is required for specific purposes, is processed[17] (data protection by default).

In case of a data breach which is likely to risk the rights of natural persons, the controller should notify the supervisory authority within 72 hours of becoming aware of such breach. The controller should also inform the data subject about such data breaches in certain specific situations[18].

Further, if the processing of data involves new technology which might result in “high risk to the rights and freedoms of natural persons, the controller should carry out an impact assessment, before processing any data[19].

The Regulation also mandates the appointment of a Data Protection Officer by the controller and processor in certain situations.[20] The Officer has the duty to inform and advise the employees of their obligations while processing the data of data subjects, to monitor the compliance of provisions of GDPR, to cooperate with supervisory authority etc.[21]

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

In case of infringement of any right of the data subject or any obligation mentioned under GDPR, the data subject has the right to lodge a complaint with the supervisory authority of a particular member state[22]. For severe violations, the fine framework can be “up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher[23]. In case of less severe violations, the Regulation sets forth fines of “up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher[24].

Therefore, the privacy and data protection regime in the European Union is very stringent. Although it has only been two years since the GDPR came into effect, however, the recent cases of imposition of huge sums of fines on Twitter[25] and Google[26] in Europe for violating the provisions of GDPR, highlight the seriousness of privacy and data protection in Europe.

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

 

[1] General Data Protection Regulation, Regulation (EU) (2016/679).

[2] Id, art. .

[3] Supra note 1, art. 4.

[4] Supra note 1, art. 5.

[5] Supra note 1, art. 6(1)(a).

[6] Supra note 1, art. 7(2).

[7] Supra note 1, art. 7(3).

[8] Supra note 1, art. 8(1).

[9] Id.

[10] Supra note 1, art. 9(1).

[11] Supra note 1, art. 9(2).

[12] Supra note 1, art. 15.

[13] Supra note 1, under art. 12-22, art. 34 and art 5.

[14] Prevention, Investigation, Detection or Prosecution.

[15] Supra note 1, art. 23.

[16] Supra note 1, art. 25(1).

[17] Supra note 1, art. 25(2).

[18] Supra note 1, art. 34(3).

[19] Supra note 1, art. 35.

[20] Supra note 1, art. 37.

[21] Supra note 1, art. 39.

[22] Supra note 1, art. 77.

[23] Supra note 1, art. 83(5).

[24] Supra note 1, art. 83(4).

[25] BGR, https://www.bgr.in/news/twitter-fined-547000-dollars-for-not-disclosing-data-breach-927683/ (last visited Feb. 1, 2021).

[26] REUTERS, https://www.reuters.com/article/us-google-privacy-france/french-watchdog-fines-google-amazon-for-breaching-cookies-rules-idUSKBN28K0NA (last visited Feb. 1, 2021).

Categories
Blog Intellectual Property Law

The Himalaya Drug Company vs Sumit 2006

Delhi High Court

Judges: Justice Badar Durrez Ahmed

Applicable law: Copyright Act, 1957

Did you know: ‘Meta-Data’ is like a digital footprint, which allows a person to assess what tools and code have been used to develop a particular website

Where it all began:

  1. Drug Company is engaged in the manufacture and sale of Ayurvedic Medicinal preparations and was established in the trade in the year 1930. Realizing the potential of the Internet as a medium of information, the plaintiff registered its own domain name www.thehimalayadrugco.com’ on 10.6.1998 and developed a website under the said name.
  2. The most important feature of the website is the section titled “HIMALAYAS HERBS”. This section essentially consists of a database of a wide variety of medicinal herbs, arranged in alphabetical order.
  3. Such information is not only comprehensive but is also arranged in a manner that is visually appealing and easy to grasp. It was clear that Himalaya has expended considerable time, labour, skill and money in preparing this database of Ayurvedic Herbs that find mentioned on its website. Himalaya has claimed that the preparation of the database began sometime in June 1998 and took more than a year to complete.

Legal issue: Whether Sumit has infringed the copyright of Himalaya and if so what damages is Himalaya entitled to?

Learn more about IPR with Enhelion’s Online Law firm certified Master Course! 

Himalaya’s arguments: Himalaya noticed that Sumit was operating a website “http://ayurveda.virtualave.net” which reproduced Himalaya’s entire herbal data verbatim. The copying was to such an extent that even the grammatical or syntactical errors that appear on Himalaya’s website have been copied onto Sumit’s website. Moreover, the meta tag of the source code of Sumit’s website includes Himalaya’s trademark “Himalaya Drug Co.”

Sumit’s arguments: Sumit did not appear despite service and the case proceeded ex-parte

Judgment in the case:

  1. The Court held that Sumit had misappropriated the effort, skill and expense that had gone into the creation of Himalaya’s website. Therefore, Sumit had copied the entire herbal database of the plaintiff and had infringed the copyright of Himalaya.
  2. The plaintiff has also been able to demonstrate that the defendants have attempted to pass off its herbal database as and for that of the plaintiff’s and have also violated the “trade dress” rights that exist in respect of the plaintiff’s herbal database. The reason being that the plaintiff’s herbal database is unique and, therefore, any similar herbal database that appears on a different website is bound to create confusion by causing a consumer to associate the website with that of the plaintiff’s.
  3. Because Sumit did not appear in this case it was impossible to assess what kind of profits he had earned from the website and accordingly difficult to calculate damages. Thus the court calculated the costs involved in preparing and putting up the website. Those costs were 7.9 Lakhs and the court granted 7.9 Lakhs as compensatory damages and an additional 7.9 Lakhs as punitive/Exemplary damages.

Significance: The judgment is noteworthy because it has used a novel way of calculating damages and has awarded both compensatory as well as punitive damages.

 

Learn more about IPR with Enhelion’s Online Law firm certified Master Course! 

Categories
Blog Intellectual Property Law

B.N. Firos vs. State of Kerala and Ors.

Supreme Court of India

Judges: Justice Ranjan Gogoi and Justice Mohan Shantanagoudar

Applicable law: Sections 2(k) and 17 of the Copyright Act, 1957 and Section 70 of the I.T. Act

Did you know: The government is empowered to declare any computer system as a protected system under the IT Act. Such declaration prohibits any person except the government to access such a computer system. This is to enable the government to protect critical IT infrastructure.

Effect of provisions: Section 2(k) defined a ‘Government Work’ and Section 17(d) vests the copyright of the government work in the government. Section 70 of the I.T. Act allows the government to declare any computer system as a ‘Protected System’ and access to such protected systems is barred to any other person except the government

Where it all began:

  1. The State of Kerala entered into an agreement to develop software for one-stop bill payment systems with the software giant Microsoft. Microsoft agreed to do so for free on a pilot basis and engaged a 3rd party M/s B.N. Firos for the development of the same
  2. After successful implementation State of Kerala sought to expand the project to all districts and an MOU was concluded between B.N. Firos and the state of Kerala.
  3. N. Firos alleged that the State of Kerala was transferring essential rights in the software to third parties and it was not allowed to do so.
  4. Both B.N.Firos and State of Kerala sought to be declared as exclusive owners of the copyright of the software.
  5. During the pendency of the dispute, State of Kerala issued a notification under Section 70 of the Information Technology Act declaring the software as a ‘Protected System’.
  6. N. Firos challenged the notification and held that the same was a violation of its rights as  the author of the software under Section 17 of the Copyright Act, 1957

B.N. Firos’s arguments: B.N. Firos argued that the copyright of the software vested exclusively with it and the notification was taking away its said rights

Kerala’s argument: The State of Kerala argued that the copyright of the software vested with the State government and in any case, it had the right to declare any computer system as a protected system

Issue: Whether any computer system could be declared as a ‘protected system’ under Section 70 of the I.T. Act, even in violation of the Copyright Act?

Judgment: The Hon’ble Supreme court held that:

  1. Only government works as defined in Section 2(k) of the Copyright Act could be declared as protected systems and only those systems can be protected which are very important for the functioning of the state.
  2. The power of the government to declare a computer system as a protected system was not unlimited and the provisions of IT Act and Copyright Act have to interpret harmoniously.
  3. As per the MOU signed between the State of Kerala and B.N. Firos the copyright of the software belonged to the State of Kerala.

Significance:  The Hon’ble Supreme Court has resolved the possible conflict between the rights of the owner of a computer system and the power of the government to declare such a system as a ‘protected system’ in the IT Act. It has in this way balanced the interests of the government in protecting critical computer infrastructure and those of individuals who design unique computer systems in collaboration with the government.

 

 

Categories
Blog

Role of Precedent in the Development of Law and Society

Before analysing the role of precedent in the development of law and society, it is important to understand what constitutes a precedent. According to Gray, it “covers everything said or done which furnished a rule for subsequent practice[1]. According to Keeton, it is a “judicial decision to which authority has in some measure been attached”.[2] In general words, precedent means a set pattern guiding future conduct. Judicial precedent, on the other hand, means the judgment of a Court of law which can be used as an authority for deciding a similar set of facts, by the lower courts, or the same court itself.

Where a court pronounces its decision, it contains in itself a principle. This principle creates a judicial precedent. The opinion in which the judge formulates his reasons for the decision is not the precedent, although such opinion plays an indispensable role in ascertaining the precedent, since only from the opinion can one discover what facts are regarded by the court as material. The application of the judicial precedent is governed by the different principles in different legal systems. These principles are called the ‘Doctrine of Precedent’.

Learn more about Constitutional Law with Enhelion’s Online Law firm certified course by Scriboard Advocates and Legal Consultants!

The concept of precedent originated from the doctrine of stare decisis which means to “abide by the decisions[3]. This doctrine aims to bring certainty and conformity to the decisions of the court and to the law.

The judicial precedents are binding on the lower courts and the same court, unless-

  1. The same has been overruled by the higher court
  2. The same has been reversed by the higher court
  • The facts of the case seem to be different

Precedent plays an instrumental role in the development of law and society. It ensures equality and fairness by means of treating similar cases in a similar manner. This brings the certainty of law and upholds the confidence of the citizens in the justice delivery system. With respect to the judiciary, it acts as a guideline to decide future cases based on similar facts. It ensures that the lower courts adhere to the interpretation of the law by the superior court in line with the changing needs of the society (the Vishaka guidelines in India[4]).

Furthermore, it provides a binding nature to the principles evolved seldom by the judiciary, while discharging their functions as an interpreter of law (the binding nature of the doctrine of basic structure with respect to amending the Constitution[5]). Lastly, it saves time and increases the convenience of the court, as a question of law, once decided, is settled and the judges and the lawyers need not spend time and labour on reestablishing the same principle.

With respect to India, the Indian Constitution empowers the Apex Court to interpret the law. Such interpretation is binding on the lower courts. The judgement of the Supreme Court is a decision, for the litigants, however, for the nation, it is a declaratory law[6]. However, a judgement acts as a precedent only when it decides a question of law and not otherwise[7].

Learn more about Constitutional Law with Enhelion’s Online Law firm certified course by Scriboard Advocates and Legal Consultants!

The expression ‘all courts’ used under Article 141 infers that the Supreme Court is not bound by its own decisions, except that a smaller Bench of the Apex Court is bound by the decisions of a larger Bench and that of a Co-equal Bench.[8]

With respect to the significance of precedent, the court in Union of India v. Raghubir Singh,[9] held that-

“The doctrine of binding precedent has the merit of promoting a certainty and consistency in judicial decisions, and enables an organic development of the law, besides providing assurance to the individual as to the consequence of transactions forming part of daily affairs. And, therefore, the need for a clear and consistent enunciation of legal principle in the decisions of a Court.”[10]

 

 

[1] https://www.srdlawnotes.com/2015/11/precedent-meaning-definition.html

[2] Id.

[3]http://mja.gov.in/Site/Upload/GR/Title%20NO.149(As%20Per%20Workshop%20List%20title%20no149%20pdf).pdf (last visited Feb. 1, 2021).

[4] As provided in the case of Vishaka v. State of Rajasthan, (1997) 6 SCC 241.

[5] Kesavananda Bharati Sripadagalvaru & Ors. v. State of Kerala & Anr., AIR 1973 SC 1461.

[6] Ganga Sugar Co.. Ltd., Etc vs State Of U.P. & Others, AIR 1980 SC 286.

[7] State of Punjab v. Surinder Kumar, 1992 (1) SLR 335(SC).

[8] Indian Oil Corporation v. Municipal Corporation, AIR 1995 S.C. 1490.

[9] Union Of India & Anr v. Raghubir Singh, AIR 1989 SC 1933.

[10] Id.

Categories
Blog

Right to be forgotten under General Data Protection Regulations

‘Right to be forgotten’ is the claim of an individual to have any data pertaining to him deleted, with no trace. The foundation of this right was laid by the European Court of Justice in its 2014 judgement in Google Spain SL v/s Agencia Española de Protección de Datos & Mario Costeja Gonzalez[1], wherein it held that European citizens have a right to request commercial search firms like Google to remove links to private information when asked, provided the information is no longer relevant[2]. This case set the precedent for the principle of the right to be forgotten under the General Data Protection Regulation (GDPR)[3] in the European Union.

Under the GDPR, the right to be forgotten has its basis in Recitals 65 and 66 as well as Article 15 and Article 17. Recital 65 iterates the right of a data subject to have his personal data erased when it is no longer necessary for the purpose for which it was collected. Therefore, the right to be forgotten is also known as the right to erasure in the EU[4].  On the other hand, Recital 66 talks about the obligation of the data controller who made the personal data public to take reasonable steps and technical measures to inform the data controllers processing such data about the request for erasure[5].

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

Furthermore, Article 15 provides for the right to rectification or erasure of personal data or restriction of its processing[6]. This right to erasure is not absolute and can only be exercised in certain conditions. Article 17 obligates the data controller to fulfil the request of erasure without undue delay[7], if one of the following grounds is met[8]

  1. The personal data is no longer necessary for the purpose for which it was collected or processed;
  2. Processing is based on consent and the data subject withdraws the same;
  • The data subject objects to the processing, and there is no overriding legitimate interest to continue the processing of data;
  1. Personal data has been processed unlawfully;
  2. Erasure is required to comply with a legal obligation; or
  3. Personal data has been collected to offer information society services to a child.

It is pertinent to note that the data controller can deny the exercise of the right to erasure if the processing of personal data is necessary for[9]

  1. Exercising the right of freedom of expression and information;
  2. Complying with a legal obligation;
  • Public interest in the area of public health;
  1. Archiving purposes in the public interest, scientific research historical research or statistical purposes; or
  2. Establishment, exercise or defence of legal claims.

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

Furthermore, the data controller can request a reasonable fee from the data subject for fulfilling his request of erasure[10].

[1] Google Spain SL v. Agencia Española de Protección de Datos & Mario Costeja Gonzalez, C‑131/12.

[2] EPIC.ORG, https://epic.org/privacy/right-to-be-forgotten/ (last visited Apr. 26, 2021).

[3] Regulation (EU) 2016/679.

[4] Id., recital 65.

[5] Supra note 46, recital 66.

[6] Supra note 46, art. 15(1)(e).

[7] Supra note 46, recital 59- A time period of one month.

[8] Supra note 46, art. 17(1).

[9] Supra note 46, art. 17(3).

[10] Supra note 46, art. 12(5)(a).

Categories
Blog

Role of Social Media in a Democracy

Social Media has for long been considered the fourth pillar of democracy owing to its potential to not just report what is happening around the world but to build a public opinion about the ongoing issues. The term ‘democracy’ implies the participation of people. Media facilitates this participation.

The emergence of social media, however, has changed the way in which people now participate in democracy. Compared to traditional media, social media has a larger reach, is easily accessible, enables mass participation and provides instant updates. These factors have led to a situation where people rely more on social media than their traditional counterparts, to become aware of their surroundings and participate in discussions- political, economic, or otherwise, which in turn strengthens democracy. However, social media does not have only positive implications on democracy. On the flip side of the coin, it has been misused a number of times, often becoming the antithesis of democracy. The following headings discuss the role played by social media in a democratic setup, both positive and negative.

Learn more about Social Media with Enhelion’s Law firm certified Online Course! 

Election Campaigning

Free and fair elections are undoubtedly one of the most important elements of modern democracy, and election campaigning forms very much a part of it. Political campaigning is not limited to physical rallies and posters. Social media has entered the realm of campaigning and is extensively being used by various political leaders as well as political parties to communicate their agendas to the general public. The ubiquitous nature of the Internet allows the leaders and political parties to simultaneously communicate with the voters across regions.

Social media is used for political campaigning through commercials, blogs, tweets etc. using social networking sites like WhatsApp, Facebook, Twitter, to announce a candidate running for the election, organize physical campaigning, recruit supporters and volunteers, seek funds, mobilize voters, share the party’s election manifesto and the candidate’s message to the general public, among other things.

The ex-President of the United States of America, Barack Obama, is famous for effectively harnessing the potential of social media as his campaign strategy in the 2008 Presidential Campaign. Since young voters rely more on social media compared to conventional media, social media was used to establish a contemporary voter-politician relationship between Barack Obama and the voters. Regular voting reminders were sent on Twitter, and Facebook was used as a platform to interact with people. As a result, President Obama maintained a significant lead in both Facebook likes and Twitter followers over his rival Governor Romney during his election campaign. The significant difference in the response on social media was translated into the historic win of Barack Obama as the first Africa-American President of the United States of America.[1]

Learn more about Social Media with Enhelion’s Law firm certified Online Course! 

The field of social media campaigning has not been left unexplored by Indian politicians and political parties. Launched in 2012, the Aam Aadmi Party (AAP) ran its political agenda through social media and emerged victorious in Delhi Assembly polls. AAP used social media platforms like Twitter, Facebook and YouTube to interact with voters, share their election manifesto and raise funds, thus, keeping the election expense within the limit. Indian media reported that Arvind Kejriwal, the founder of AAP had admitted to adopting the strategies used by Barack Obama in 2008.[2]

Furthermore, in the 2019 general elections in India, there were around 15 million voters who were aged between 18 to 19 years. In light of these statistics and the interest of youngsters in social media platforms, various political parties adopted full-fledged social media campaigns to communicate with the large audience of voters, which in turn helped the parties to save their money, time and resources. Social media political campaigning has benefits other than saving the time and resources of the political party. Politicians are able to gauge their communication by viewing direct responses to their social media campaigning on Facebook, Twitter or Instagram.

Learn more about Social Media with Enhelion’s Law firm certified Online Course! 

Taking into account the potential of social media campaigning in the 2019 elections, the Internet and Mobile Association of India (IAMAI), in consultation with the Election Commission of India (ECI) had developed a set of ‘Voluntary Code of Ethics’[3] to be adopted by various social media platforms to ensure free, fair and ethical use of social media in order to maintain the integrity of the electoral process. By virtue of this Code, the social media platforms were required to develop a notification mechanism for violations of section 126[4] of the Representation of Peoples Act, 1951.[5]

Although the potential of social media has been used to a great extent by various political parties for election campaigning, however, it is imperative to understand that social media platforms sometimes go overboard for political purposes. In the 2020 Presidential election in the United States, there were numerous reports of Facebook posting ads of Donald Trump, violating its own pre-election policies wherein it had announced that it would stop accepting new political ads after 27th October and would indefinitely ban all political ads after the polls close. However, on the first day of the moratorium, several ads appeared on the platform which was later taken down after being flagged.[6] Furthermore, social media political campaigning also has another drawback. After social media has been used for campaigning to the maximum extent possible, politicians use it as a one-way communication tool, rarely engaging in discussions with the citizens. This continues after they have been elected; they use social media to inform the people of their constituencies about different policies, rather than engaging in discussions with them.

Political Discussions

A healthy democratic setup gives utmost importance to public participation as the government is “of the people, for the people and by the people[7]. Public participation can best be achieved by expressing one’s political views and discussing them with others. Efficient democratic deliberation assumes citizens as equal participants where opposing points of view are not only accepted but encouraged, and the main goal is to achieve a rationally motivated consensus.

From the point of view of political involvement, social media has taken the power of political messaging from the mass media model and firmly placed it into the peer-to-peer, public dialogue. It provides an environment where the ‘aam aadmi’ of a country is able to freely express his political opinions and expectations, with the use of his phone/device. Earlier, only those individuals could be a part of political discussions who read newspapers, watched news channels or discussed politics at the nukkad of the village. However, the tech-savvy nature of social media campaigning effectively makes the youth a part of political discussion as well. They take time to analyse and discuss political issues. Such discussions also influence administrative decision making.

Learn more about Social Media with Enhelion’s Law firm certified Online Course! 

One of the examples of healthy political discussion is the 2015 #SOTU,[8] which enabled Twitter users to react to the topics covered by Barack Obama in the State of the Union address. There were around 2.6 million tweets in this context.

However, social media has the potential to be misused to manipulate individuals. It should always be kept in mind that “computer technologies should be used to serve the interests of the people and not corporate elites, to inform and enlighten individuals rather than to manipulate them, to articulate their own experiences and interests, and to promote democratic debate and diversity, allowing a full range of voices and ideas to become part of the cyberdemocracy of the future.”[9]

Cyber Governance

Social media also plays a vital role in cyber governance i.e. the use of information and communication technologies to support governance. Taking the example of India, various Ministries and the Ministers of the respective Ministries have their official social media handles which they use to perform their functions. These social media handles, on one hand, help the citizen to easily let the concerned Minister/Ministry know about the grievances faced by him, and on the other hand, help the concerned Minister/Ministry to respond and resolve the grievance raised.

The peculiar feature of cyber governance is the element of time and resources used to raise concerns. Earlier, citizens had to write formal letters to the concerned Minister/Ministry and wait for days for a response. This traditional system becomes futile if the situation requires urgent intervention. Therefore, social media has become a boon for cyber governance.

Learn more about Social Media with Enhelion’s Law firm certified Online Course! 

The micro-blogging site Twitter was extensively used by late Sushma Swaraj, ex-Minister of External Affairs, to resolve the issues faced by Indian citizens trapped abroad. She rescued 168 Indians trapped in Iraq by acting on a video that was tweeted to her, and helped a number of other individuals, Indians as well as foreigners, to return to their homeland.[10]

Facilitator of political change in Arab nations

Social media platforms have also been used to accelerate revolutions in many Arab countries.

During 2010-11, a number of campaigns of civil resistance and street demonstrations took place in Tunisia. These efforts led to the ousting of President Zine El Abidine Ben Ali. During this process, social media played a positive role by spreading awareness among people, helping people to organize themselves using Facebook and clearing the clouds of misinformation by sharing photos and videos.[11]

Social media also played a key role in ending the 30 years long misrule by President Hosni Mubarak of the National Democratic Party in Egypt. It all started with a photograph being posted on Facebook. The photograph depicted a young man named Khaled Mohamed Saeed who was brutally beaten to death by the Egyptian police. This prompted an agitated Ghomin to start a Facebook page named ‘Saeed’ to highlight the scenario in Egypt. The number of followers of this Facebook page increased from 300 to 25,000 in just three months. The online expression of distress of the regime of President Mubarak spread to the streets of Egypt wherein the historic Tahrir Square in Cairo was filled with protestors shouting ‘We are all Khaled Saeed’. As a result, President Mubarak was forced to resign and dissolve his party.[12]

2.6. As a tool of manipulation  

Social media has also been used to manipulate the political choices of voters. This has a detrimental effect on the democratic setup of a country, where manipulation does not find a place.

The 2016 United States Presidential election was at the central stage of the allegations of the use of social media to manipulate elections. Facebook admitted that Russian Groups Company bought $100,000 worth of ads with the purpose of spreading disinformation and propaganda.[13] Furthermore, Cambridge Analytica, a political consulting firm, found itself in deep trouble over the United States 2016 Presential Elections involving Presidential candidate Donald Trump. It was found that it used deceptive means to gain access to data of about 87 million Facebook users, without their consent or knowledge. It was alleged that the firm got hold of such data through researcher Aleksandr Kogan, a Russian American who worked at the University of Cambridge. He built a Facebook app, which was actually a personality quiz. Around 2,70,000 people were paid to take this quiz, under the shadow of research. However, the catch was that the quiz was designed to access the Facebook data of the people taking the quiz, as well as the data of the people who they are friends with. The data included personal information on where users lived and what pages they liked, which in turn helped Cambridge Analytica to build psychological profiles of the quiz takers that analysed characteristics and personality traits. This kind of information was later used to tailor political messaging for Donald Trump’s presidential campaign.[14]

The attempts of manipulation directly go against individual autonomy as well as privacy enjoyed by the individuals.

As a Tool of Repression

Social media has been used to propagate one’s ideas and opinions. However, this platform has also been used by different organizations to propagate communal, racist and sociological tensions. Taking into account the possibility of exploitation of social media by such organizations, the Information Technology Act, 2000 contains a provision[15] which allows the Central Government to block public access to information on social media, on certain grounds namely in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above. These grounds are identical to the grounds mentioned under Article 19(2), based on which freedom of speech and expression can be curtailed by the government.

Learn more about Social Media with Enhelion’s Law firm certified Online Course! 

Since the power to block public access to information on the Internet and social media sites violate the freedom of speech and expression enjoyed by the citizens of India, such power should be used cautiously by the government. However, in recent times, the Central Government has overused this power to suppress genuine political discussion on social media. Some examples include the government’s order to Twitter to block certain tweets and accounts pertaining to farmer’s protests, anti-CAA protests as well as those criticizing the handling of the COVID-19 pandemic by the government[16]. These blocking orders highlight the misuse of power by the Government to curb political criticism, which is detrimental for the largest democracy in the world.

Conclusion 

The advent of social media has taken democracy a step further by firstly, facilitating public discussions on important issues, whether political, religious, social or economic, secondly, providing a greater reach to election campaigning with minimal time and resources, thirdly, ensuring that the grievances of individuals reach the concerned authorities in time, and lastly, facilitating and accelerating political revolutions in countries. However, the use of social media in democracy has a flip side as well, which is highlighted by its use in manipulating the opinions of individuals and suppressing the voices of people raising genuine concerns on the social media platforms.

Therefore, though social media has vast potential to uphold and propagate democratic principles, however, it should only be used in a bona fide manner to further lawful political interests. Furthermore, social media, in absence of a privacy and data protection regime in a country, is highly susceptible to exploitation by organizations who manipulate the psychology of individuals by using the data of social media users, without their consent, or even knowledge.

Learn more about Social Media with Enhelion’s Law firm certified Online Course! 

[1] Jennifer Aaker & Victoria Chang, Obama and the Power of Social Media and Technology, STANFORD BUSINESS (Feb. 28, 2021, 9:20 PM), https://www.gsb.stanford.edu/faculty-research/case-studies/obama-power-social-media-technology.

[2] Sevathi Ninan, Learning media strategy from AAP, LIVE MINT (Apr. 28, 2021, 9:30 PM), https://www.livemint.com/Opinion/HwHIPVrpDJC2Ax0TcTv03N/Learning-media-strategy-from-AAP.html.

[3]PIB,https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1586297#:~:text=Internet%20%26%20Mobile%20Association%20of%20India,bye%20elections%20being%20held%20simultaneously (last visited Apr. 26, 2021).

[4] Prohibition of public meetings during period of forty-eight hours ending with hour fixed for conclusion of poll.

[5] Jinala Sanghvi, Role of social media in Indian politics, LEGAL DESIRE (Apr. 28, 2021, 9:36 PM),  https://legaldesire.com/role-of-social-media-in-indian-politics/.

[6] Abhishek Singh, Democracy in times of social media, THE INDIAN EXPRESS (Apr. 25, 2021, 3:43 PM), https://indianexpress.com/article/opinion/democracy-in-times-of-social-media-6910382/

[7] Richard A. Epstein, Direct Democracy: Government of the people, by the people, and for the people, 34 HARVARD LAW JOURNAL AND PUBLIC POLICY 819, (2011), https://chicagounbound.uchicago.edu/cgi/viewcontent.cgi?article=2260&context=journal_articles.

[8] TWITTER, http://twitter.github.io/interactive/sotu2015/#p1, (last visited Apr. 26, 2021).

[9] Fenton & Barassi, Alternative media and social networking sites: The politics of individuation and political participation, 14(3) THE COMMUNICATION REVIEW 179-196, (2011).

[10] Ten times when Sushma Swaraj won the internet with her Twitter outreach as Foreign Minister, LIVE MINT (Apr. 29, 2021, 2:20 PM), https://www.livemint.com/news/india/ten-times-when-sushma-swaraj-won-the-internet-with-her-twitter-outreach-as-eam-1565121014539.html.

[11] How Social Media Accelerated Tunisia’s Revolution: An Inside View, HUFFPOST (Apr. 28, 2021, 2:10 PM), https://www.huffpost.com/entry/how-social-media-accelera_b_821497.

[12] Serajul I. Bhuiyan, Social media and its effectiveness in the political reform movement in Egypt, 1(1) MIDDLE EAST MEDIA EDUCATOR 14, (2011), https://ro.uow.edu.au/cgi/viewcontent.cgi?article=1002&context=meme.

[13] Scott Shane & Vindu Goel, Fake Russian Facebook accounts bought $100,000 in Political ads’ THE NY TIMES (Apr. 27, 2021, 9:30 PM), https://www.nytimes.com/2017/09/06/technology/facebook-russian-political-ads.html.

[14] Nicolas Confessore, Cambridge Analytica and Facebook: The scandal and the fallout so far, THE NY TIMES (Apr. 27, 2021, 9:36 PM), https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html.

[15] The Information Technology Act, 2000, s. 69A.

[16] Pranav dixit, Twitter is blocking tweets that criticize how the Indian government has handled the pandemic, BUZZFEED NEWS (May 5, 2021, 11:13 AM), https://www.buzzfeednews.com/article/pranavdixit/twitter-blocking-tweets-india.

Categories
Blog

The interplay between cyber forensics and threat to cyber security in digital spaces like Clouds

More and more businesses organizations are becoming dependent on technology, and most of the data and information is being stored online. The development of storage technologies and computing resources, which are reasonably priced, provide more storage on demand, and are ubiquitously located, became inevitable. Cloud computing is the product of such technological development. In simple terms, cloud computing services provide resources (like a computer, storage, network, etc.) to organizations on a lease and on-demand basis. It helps various organizations to increase affordability and availability. Owing to the potential cloud computing services hold, various enterprises- large, medium and small, as well as individuals, have stepped up and made use of these services to the maximum extent possible. [1] However, increased reliance on the Internet also has a dark side, i.e. cyber security concerns.

Cloud computing services are peculiar in the following ways-

  1. It provides on-demand self-service, i.e. users can avail and manage the resources automatically;
  2. It provides ubiquitous network access, which helps in delivering the resources to heterogeneous users located in different parts of the world;
  3. It provides the option to scale up and down the resources based on the user’s needs. This feature had proved to be very helpful in times of COVID-19 when on the one hand, few users scaled up the resources owing to the increased dependence on technology and work from home measures, and on the other hand, few others (primarily small entities) scaled down the resources because of lack of financial capability to afford the same;
  4. It provides a pay-as-you-go service, i.e. the users spend based on consumption. 

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

There is no doubt that cloud computing will enable further technological changes in the future. However, increased reliance on the Internet also has a dark side, i.e. cyber security concerns. Cloud computing has various issues, like privacy and security concerns. Since most of the data is stored in the cloud, any breach into the network implies firstly, breach of cyber security measures and secondly, jeopardizing the privacy of the individuals whose data is stored. Data breaches resulting from cloud misconfiguration led to a loss of nearly $3.18 trillion to businesses in 2019. [2] Furthermore, increased reliance on technology and cloud services during the COVID-19 pandemic also increased reliance on technology and cloud services has privacy and security implications attached to it. 

Cloud computing services are also often victims of malware infections. Distributed Denial of Service (DDoS) attack is the most common threat wherein a large volume of traffic is sent to a web-based application, leading to the crashing of servers. Botnets are also emerging as one of the most severe threats to cloud security as they provide a distributed platform for major illegal activities in the cloud.

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

Insecure Application user interfaces (APIs) also pose a cybersecurity challenge. APIs are the primary tools that enable interaction with cloud storage systems. Generally, they are used by the staff of an entity that uses cloud services and the staff of the cloud service provider. It is pertinent to note that many APIs are still vulnerable, which gives the cloud service provider an undue level of access to the data. For example, in March 2021, we found that Facebook stored the passwords of its users in plain text instead of encrypted text, which could be read by any staff within the organization. [3]

Cyber forensic tools can be used to address the challenge of cyber security posed by the use of cloud computing services. Cyber forensics help identify the offender, procure the required evidence and prosecute him. However, the use of cyber forensics in cloud computing services per se poses several challenges[4] owing to the nature of these services. 

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

Firstly, traditional cyber forensics methodology requires turning off the device and making an image of the hard drives. However, this methodology is not a viable option in the present time as entities are entirely dependent on cloud computing services, which act as their servers. Since cloud computing is not something that can be turned off by switching off the device, the traditional cyber forensics methodology becomes futile in the case of cloud computing. 

Secondly, cyber forensics uses the provenance technique to trace life changes and data transformation. However, such technology becomes futile in cloud computing, where the infrastructure is very complex to trace the originator of the data, the person who modified it and when it was modified. 

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

Thirdly, since the ‘cloud’ in ‘cloud computing’ signifies cyberspace, it is believed that the data in the cloud is stored in cyberspace. However, the providers of cloud computing services locate their services in various physical locations. Therefore, to procure electronic evidence, it becomes challenging to access such data due to its geographic distribution and the subsequent necessity of complying with the legal requirement of such jurisdictions. 

Fourthly, specific file systems used in the cloud could be redesigned, customized or specifically created to cater to the users’ needs. Traditional cyber forensics methodologies fail to retrieve data from such files as their structure is unknown to anyone other than the cloud computing providers. 

Learn about Information Security, Privacy and Data Protection with Enhelion’s Online Law firm certified Course! 

Lastly, since cloud computing services hold an enormous amount of data, it becomes difficult to retrieve a particular data without carrying out a mass data analysis using data mining technology. Such technology is not a part of the traditional cyber forensics methodologies. 

Therefore, the architecture and model of cloud computing makes it more complex to retrieve evidence using traditional cyber forensic tools. In such a situation, the development of newer devices to cater to the specific challenges posed by cloud computing becomes a necessity. 

  [1] Julian Jang, Surya Nepal & Y Jay Guo, Cybersecurity threats in cloud computing, 1(1) Australian Journal of Telecommunications and the Digital Economy 4.2., (2013). 

[2] Hashedout, https://www.thesslstore.com/blog/cloud-security-5-serious-emerging-cloud-computing-threats-to-avoid/ (last visited May 8, 2021). 

[3] the Tech Republic, https://www.techrepublic.com/article/facebook-data-privacy-scandal-a-cheat-sheet/ (last visited May 8, 2021).

[4] Pedro Ramos Brandao, Computer forensics in Cloud Computing Systems, 1(1) BirEx 71, (2019). 

Categories
Blog

Laws governing the Telecommunications sector in the United Kingdom

The current legal regime governing the telecommunications sector in the United Kingdom (UK) comprises primarily of two laws:

  1. The Communication Act of 2003[1], and
  2. The Wireless Telegraphy Act of 2006[2]

Before the 2003 Act was enacted, the Director-General of Telecommunication (DGT) was established as the independent regulatory authority under the Telecommunication Act, 1984. However, the 2003 Act replaced the 1984 Act to give effect to the Framework Directive (2002/21/EC)[3], which resulted in the setting up of the Office of Communications (Ofcom) as a new regulator of communications under the 2003 Act. The Digital Economy Act, 2017 prescribes that Ofcom is to be entirely funded through industry fees.

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

Ofcom is responsible for the regulation of all electronic communication networks and services and for licensing of broadcasting services as well as promoting fair competition across the industry, in collaboration with the Competition and Markets Authority (CMA), by enforcing the competition laws.

The main idea behind the new regime of the 2003 Act was to reduce the regulatory burden on the communications providers (referred to as providers hereafter)[4]. This approach was implemented employing general conditions and certain special conditions (if applicable), which the providers must comply with. General requirements apply to all providers, while special conditions apply to certain providers in certain situations. It is pertinent to note that there is no need for general authorization or licensing to provide electronic communications networks and services in the UK. Providers are merely required to comply with the General Conditions of Entitlement[5]. The general conditions were recently revised in 2018. Furthermore, Ofcom has the power to set specific requirements relating to universal service, access (network access and service interoperability), privileged operators (public communications providers) and significant market power (SMP- having dominance either alone or collectively with others in relevant markets). [6] Ofcom can impose financial and other penalties on failure to comply with specific conditions[7].

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

Concerning radio and mobile communications in the UK, service and network providers must receive a license from Ofcom under the Wireless Telegraphy Act, 2006 (WTA). The permit contains details relating to the specific frequency, use, fees and duration of the license. Ofcom is also empowered under the WTA to prescribe ‘Administered Incentive Pricing’, which allows setting fees above the administrative costs to encourage efficient spectrum use.

After UK’s exit from the EU, certain amendments were required to be made to the existing laws. These changes were incorporated through various Regulations in 2019[8], and now, the UK is no longer necessary to comply with any EU Directive or Regulation of the telecommunications sector.

Learn more about Technology Law with Enhelion’s Online Law firm certified Master Course! 

[1] Communication Act, 2003.

[2] Wireless Telegraphy Act, 2006.

[3] To give effect to Directive 2002/21/EC, Directive 2002/20/EC, Directive 2002/ 19/EC and Directive 2002/22/EC.

[4] The general authorization regime under the Act does not distinguish between fixed, mobile and satellite networks and services.

[5] OFCOM, Original Notification setting general conditions under section 45 of the Communications Act

2003, Jul. 22, 2003, http://stakeholders.ofcom.org.uk/telecoms/ga-scheme/general-conditions/archive/.

[6] Supra note 57, § 45.

[7] Supra note 57, § 96A-104.

[8] Electronic Communications and Wireless Telegraphy (Amendment etc.) (EU Exit) Regulations 2019 and the Broadcasting (Amendment) (EU Exit) Regulations 2019.