CYBER LAW: REGIONAL PERSPECTIVE:
Countries throughout the world are dealing with cyber crime in order to support the growth of Information & Communication Technology (ICT) and computer networks.
India has enacted many cyber-related laws, rules and regulations to protect the development of ICT. The Indian IT Act (ITA) 2000 was the first step toward legislation on information technology.
The government of Pakistan promulgated the Electronic Transactions Ordinance (ETO) in 2002. This law recognizes and facilitates documents, records, information, communications and transactions in electronic form, and provides for the accreditation of certification service providers. The Qanun-E-Shahadat Order, 1984 has been amended to allow electronic documents to be admitted as evidence.
The Electronic Transaction and Digital Signature Act 2004 came into effect in Nepal. The IT Policy 2000 was promulgated to promote e-commerce, e-business, business, telemedicine, tele-processing, distance learning etc. The Telecommunications Act 1997 and the Telecommunications Regulation 1997 regulate Nepal's telecommunication sector.
Bhutan & Maldives have developed legislative cyber law provisions relating to e-commerce. The Telecommunication Act 1991 was enacted to prevent unauthorized access to, and misuse of, telecommunication systems and networks.
The Sri Lankan parliament enacted the Information & Communication Technology Act 2003 and the Electronic Transactions Act; together with the Intellectual Property Act 1979 and other legislation, these give exclusive economic rights over computer software.
Developed countries, especially those in Europe and North America, have cyber-related laws and cyber crime laws to protect privacy, computers, computer networks and the Internet. This concern with privacy prompted constitutional amendments in Brazil, The Netherlands, Portugal & Spain.
INTERNATIONAL CONVENTIONS ON CYBER LAW:
Bilateral & multilateral international laws & conventions have come into force in respect of cyber crime and cyber law:
- The European Convention on Cybercrime came into force in 2001. It is the first international treaty on criminal offenses related to cyber crime. In 2002 the Organization for Economic Cooperation and Development (OECD) published guidelines for the security of information systems & networks, but the OECD guidelines are not regarded as adequate.
- The United Nations approved a "Model Law" on e-commerce and electronic signatures, prepared by the United Nations Commission on International Trade Law (UNCITRAL), for the protection of digital information technologies.
- The World Intellectual Property Organization (WIPO), the World Performances and Phonograms Treaty (WPPT) and the World Copyright Treaty (WCT) provide substantive protection for audiovisual performers and broadcasting organizations.
PRINCIPLES OF DATA PROTECTION:
There are eight principles of data protection:
1. Fair and lawful: Your organization must have legitimate grounds for collecting the data, and the collection must not have a negative effect on the person or be used in a way they wouldn't expect. Organizations are required to be fully transparent about how they wish to use the data, and to ensure the data is only used in ways customers would expect. Detailing precisely what a consumer's information is being used for allows them to make an informed decision as to whether to share particular pieces of personal information.
Changes under GDPR
Under GDPR, conducting criminal record checks on employees must be justified by law. For example, a school is far more likely to be permitted to carry out such checks on its teachers than a restaurant hiring kitchen staff.
2. Specific for its purpose: Organizations must be open about their reasons for obtaining personal data and what they plan to use it for. They should only use the personal data for the purpose they originally said it would be used for. This means that a company should not use the data to market other companies to its customers unless the individual has agreed to it. For example, if a local toy store starts selling children's bikes, it is probably fine for it to market the bikes to existing customers. However, unless they have agreed, the toy store cannot use its customers' details to promote other companies. It also shouldn't pass customers' details on to third parties unless they have already consented.
Changes under GDPR
Genetic and biometric information is now considered sensitive data, meaning that organizations may only request such information if it is required for a relevant purpose. A health clinic, for example, would require such information in order to provide the best possible care for its patients.
3. Be adequate and only for what is needed: The data you hold on your customers should be adequate for the purpose for which you are holding the information. You should avoid holding more information on your customers than necessary. The best practice is to work out the information you need in order to achieve your goals and collect only that, a practice known as "minimization". An example of this would be when an individual unsubscribes from a service. In this case, the company should only keep hold of the minimum information needed in order to hold records on former customers.
Changes under GDPR
Privacy notices or "how we use your information" guides now need to be clearer than before. This means that mere consent is not enough; the individual must be informed of exactly what their data is being used for. Further, organizations must inform the person of their right to withdraw consent at any time.
4. Accurate and up to date: Reasonable steps must be taken to keep the information up to date and to correct it if it is inaccurate. When a customer updates the information a company holds on them, the organization must stop contacting the individual using the previously provided details. Moreover, organizations should not simply wait for individuals to contact them to update their information; rather, they should be active in ensuring they hold the correct information on an individual.
For example, a company that sells books to individuals online doesn't need to regularly check that it has the correct information about them. However, if a company awards a pay increase to a staff member, their details and salary should be checked and updated where necessary.
5. Not kept longer than needed: Organizations must regularly review the length of time they retain data on individuals. Only holding on to data for the amount of time required will make it easier to manage your data and to provide personal information to customers who request it. Data that is out of date or no longer necessary must be properly destroyed or deleted. For example, a customer contacts a music store to say they no longer wish to receive any marketing information and asks for their details to be removed from its records. The company should retain just enough information on the individual to ensure they can be kept off its marketing lists.
6. Take into account people's rights: People have the right to access their personal data, stop it from being used if it is causing distress, prevent it from being used for direct marketing, have inaccurate data corrected, and claim compensation for damaging data breaches. In certain cases, customers have the right to request that specific data be deleted or destroyed. Customers should only request information relevant to themselves, and the organization has a responsibility to establish whether the information requested is in fact about the person requesting it.
Customers can also request to see the information held on them by submitting a subject access request. This is a request typically sent by email, fax, or post. While organizations can provide an online form for individuals to request that they stop holding information on them, they shouldn't require this as the only way to do so.
Changes under GDPR
A new "right to be forgotten" in the GDPR means that someone can request that online content about them be removed from an organization's database. The Data Portability Act means that a person can request that all their personal data be transferred to another system for free. For example, they may wish to have all their photos transferred from one social network to another.
7. Kept safe and secure: Proper physical and technical security measures must be used to keep personal information safe and secure and not exposed to undue security risks. It is advisable to provide training for staff in your organization on data protection and cyber security. Further, your information security measures should be proportionate to the nature of your business and the data you hold on your customers. For example, a bank should have stronger information security than a local book store, because the potential repercussions of a data breach at the bank are much greater than for the book store.
Changes under GDPR
Companies that process over 5,000 personal records per year and employ over 250 employees are now required to appoint a Data Protection Officer (DPO). The DPO is responsible for everything related to keeping personal data secure and cannot be easily replaced. Appointing someone to this position means personal data can be kept safe and secure more easily, with customer and employee rights being respected according to GDPR.
8. Not transferred outside the EEA: Data should not be transferred to other countries that do not have the same level of data protection. For example, in the case of the US, the EU has a 'Privacy Shield' that American companies can sign up to in order to enable data to be legally sent across the Atlantic. Transfers within the EEA, and to a few other specified countries, are allowed.
GENERAL DATA PROTECTION REGULATION (GDPR)
What Is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Since the Regulation applies regardless of where websites are based, it must be heeded by all sites that attract European visitors, even if they don't specifically market goods or services to EU residents.
The GDPR mandates that EU visitors be given a number of data disclosures. The site must also take steps to facilitate EU consumer rights such as timely notification in the event of a breach of personal data. Adopted in April 2016, the Regulation came into full effect in May 2018, after a two-year transition period.
Customer-Service Requirements of the GDPR
Under the rules, visitors must be notified of the data the site collects from them and must explicitly consent to that information-gathering, by clicking on an Agree button or taking some other action. (This requirement largely explains the ubiquitous disclosures that sites collect "cookies", small files that hold personal information such as site settings and preferences.)
Sites must also notify visitors in a timely way if any of their personal data held by the site is breached. These EU requirements may be more stringent than those of the jurisdiction in which the site is located.
Also mandated is an assessment of the site's data security, and a decision on whether a dedicated data protection officer (DPO) needs to be hired or whether an existing staffer can carry out this function.
Information on how to contact the DPO and other relevant staff must be accessible so that visitors may exercise their EU data rights, which also include the ability to have their presence on the site erased, among other measures. (Naturally, the site must also add staff and other resources to be capable of carrying out such requests.)
Other Rules and Mandates of the General Data Protection Regulation (GDPR)
As further protection for consumers, the GDPR also calls for any personally identifiable information (PII) that sites collect to be either anonymized (rendered anonymous, as the term implies) or pseudonymized (with the consumer's identity replaced by a pseudonym). Pseudonymizing data allows firms to do some more extensive data analysis, such as assessing the average debt ratio of their customers in a particular region, a calculation that might otherwise fall outside the original purposes for which the data was collected when assessing creditworthiness for a loan.
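The following is an added example, not part of the original article and not taken from any regulator's or company's code, that puts three of the points above into working form: the pseudonymization and aggregate analysis just described (a keyed pseudonym replaces the identity, and a per-region average is computed without any individual record in the output), and, from principles 5 and 6 earlier, erasure on request while keeping only a pseudonymous suppression entry so the person is never re-added to marketing lists. The customer records and the pseudonymization key are constructed for the example; the key would in practice be held by the controller separately from the analytics data. Python's standard library `hmac` and `statistics` modules are used, so nothing else needs to be installed.

```python
import hmac
import hashlib
from collections import defaultdict
from statistics import mean

# Constructed sample records; these are not real customers.
CUSTOMERS = [
    {"customer_id": "C-1001", "email": "ana@example.com", "region": "north", "debt_ratio": 0.42},
    {"customer_id": "C-1002", "email": "ben@example.com", "region": "north", "debt_ratio": 0.30},
    {"customer_id": "C-1003", "email": "cara@example.com", "region": "south", "debt_ratio": 0.55},
]

# Hypothetical pseudonymization key (assumption for this example). In a real
# deployment it is held by the controller, separately from the analytics data
# set, so that re-identification is possible only for whoever holds the key.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 of an identifier: deterministic, so the same person
    always maps to the same pseudonym, but not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records):
    """Strip direct identifiers (id, email) and keep only the fields the
    analysis needs, linked by a pseudonym rather than by identity."""
    return [
        {
            "pseudonym": pseudonymize(r["customer_id"]),
            "region": r["region"],
            "debt_ratio": r["debt_ratio"],
        }
        for r in records
    ]


def average_debt_ratio_by_region(records):
    """Aggregate so that no individual record survives in the output
    (anonymized statistics); works on raw or pseudonymized records."""
    buckets = defaultdict(list)
    for r in records:
        buckets[r["region"]].append(r["debt_ratio"])
    return {region: round(mean(values), 3) for region, values in buckets.items()}


class CustomerStore:
    """Minimal record store showing subject access, erasure, and the
    marketing suppression entry that survives erasure."""

    def __init__(self, records):
        self._records = {r["customer_id"]: dict(r) for r in records}
        # Pseudonyms of people who asked to be removed: enough to honour the
        # opt-out later, without keeping their full record.
        self._suppressed = set()

    def subject_access(self, customer_id):
        """Return a copy of everything held on this customer (empty if none)."""
        return dict(self._records.get(customer_id, {}))

    def erase(self, customer_id):
        """Delete the record but remember a pseudonym of the email address so
        the person is never re-added to marketing lists. False if unknown."""
        record = self._records.pop(customer_id, None)
        if record is None:
            return False
        self._suppressed.add(pseudonymize(record["email"].lower()))
        return True

    def may_market_to(self, email):
        """Marketing check against the suppression list (case-insensitive)."""
        return pseudonymize(email.lower()) not in self._suppressed


if __name__ == "__main__":
    store = CustomerStore(CUSTOMERS)
    store.erase("C-1002")
    print(average_debt_ratio_by_region(pseudonymize_records(CUSTOMERS)))
    print(store.may_market_to("ben@example.com"))
```

Note the design choice in `erase`: the full record is gone, but a keyed pseudonym of the email remains so that a later marketing import containing the same address is still blocked. That is the minimum data the retention principle allows an organization to keep for a former customer, and because it is an HMAC rather than a plain hash, someone who obtains the suppression list cannot enumerate addresses against it without the key.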
The GDPR affects data beyond that collected from customers. Most notably, perhaps, the regulation also applies to the human resources records of employees.
DATA PROTECTION LAW IN THE UNITED STATES:
Information privacy laws, or data protection laws, prohibit the disclosure or misuse of information about private individuals. Over 80 countries and independent territories, including nearly every country in Europe and many in Latin America and the Caribbean, Asia, and Africa, have now adopted comprehensive data protection laws. The European Union has the General Data Protection Regulation (GDPR), in force since May 25, 2018. The United States is notable for not having adopted a comprehensive information privacy law, but rather having adopted limited sectoral laws in some areas.
These laws are based on the Fair Information Practice guidelines developed by the U.S. Department of Health, Education, and Welfare (HEW), through a Special Advisory Committee on Automated Personal Data Systems, under the chairmanship of computer pioneer and privacy pioneer Willis H. Ware. The report submitted by the Chair to the HHS Secretary, titled "Records, Computers, and the Rights of Citizens" (07/01/1973), proposes universal principles for the privacy and protection of consumer and citizen data:
- For all data collected there should be a stated purpose.
- Information collected from an individual cannot be disclosed to other organizations or individuals unless specifically authorized by law or by consent of the individual.
- Records kept on an individual should be accurate and up to date.
- There should be mechanisms for individuals to review data about them, to ensure accuracy. This may include periodic reporting.
- Data should be deleted when it is no longer needed for the stated purpose.
- Transmission of personal information to locations where "equivalent" personal data protection cannot be assured is prohibited.
- Some data is too sensitive to be collected unless there are extreme circumstances (e.g., sexual orientation, religion).