Understanding the legal meaning of “originator” under Information Technology Act, 2000(amended in 2008) by Dr.Debarati Halder

Image owned by Debarati Halder

While scrolling my Instagram on a lazy Sunday morning in late August 2025, I came across the sad news of a new father carrying his dead newborn child to the office of the District Magistrate in a remote place in northern India because he wanted justice for the medical negligence shown to his pregnant wife, due to which their newborn baby died. Someone had taken a video of his meeting with the official, which had become “viral”. The man was able to convince the administration and the audience (of online content) about his ordeal, and the administration had taken swift action against the concerned hospital.

Who is an originator?

Who created this content? Who uploaded this content? Can he be rewarded for public service for making us all understand how access to medical services is still a distant dream for many women in India? While this may make us think about ‘whistle blowing’ and genuine reporting, I wanted to emphasize this to explain who is an originator in the present context.

S.2(za) of the Information Technology Act, 2000(amended in 2008) defines the term originator as a person who

(i) sends, generates, stores or transmits any electronic message, or

(ii) causes any electronic message to be sent, generated, stored or transmitted to any other person,

This clause very categorically excludes intermediary from the concept of originator.

As may be seen above, originator may necessarily include a ‘person’, whether a biological person or a juridical person (which includes any organization, nation, government etc., represented by an authorized human being). If we now look at the above incident of capturing the sad moment on camera, uploading it to the social media platform and sharing it worldwide through his/her authorized and lawfully possessed account, we may understand that the first person who recorded it may be the first originator of the content. Let us again see S.2(za) of the Information Technology Act, 2000 (amended in 2008): it says that if anyone generates any content or stores the content (electronic message) or causes the same to be done, he may be considered an originator as well.

Are ‘originator’ and ‘sender’ the same?

But here one issue may raise doubts about the literal meaning of “originator”: whether the term applies to one who generates or stores an electronic message (which may be perceived as content), or whether an originator is also one who generates, stores or even transmits, or causes all of these to be done.

I have seen in many instances that practitioners, students and common people who want to understand their rights get extremely confused in this regard. If we go by the literal rule of interpretation, does one who originates and stores the message or content (which may be offensive) have to take the responsibility and liability of the ‘sender’ who transmits the messages to the addressee or the recipient? In some understandings, such as shifting liability to the ‘senders’ of WhatsApp messages whereby the recipients/addressees may get victimized due to such ‘sending’, the former may be termed originators because they may originate/curate/store the message and then send it with the knowledge that such content may affect the addressee. But what about the person who originates and stores the content, but does not send it? Here, we may apply both the Literal Rule of interpretation and the Doctrine of harmonious construction, which may provide a holistic interpretation to resolve the conflict. A person who generates any content and stores it may do so illegally as well if he generates the content without proper permission, like generating child sexual abuse content by capturing real-life child sexual abuse incidents and storing it with an intention of self-gratification. But not to forget, the content is stored in an electronic device which may be accessed without authorization: hence, he may have to take the responsibility not only of originating illegal content, but also of ‘sending’/‘transmitting’ the illegal content, which may have a more harmful effect than merely generating and storing the content.

The draftsmen therefore created the concept of ‘originator’ under S.2(za) of the Information Technology Act, 2000 (amended in 2008) from a predictive perspective, which will attract the liability of a sender to the originator as well. This is evident from S.11 of the Information Technology Act, 2000 (amended in 2008), which explains the attribution of electronic records by stating:

An electronic record shall be attributed to the originator if

  • It was sent by the originator himself
  • The said electronic record was sent by any authorized person on behalf of the originator
  • The electronic record was sent by an information system that was programmed by or on behalf of the originator to operate automatically.

It is for this reason that every user of digital communication technology must be extremely careful about what is being generated and stored by him and what is being sent by him.

Stay safe, stay aware!

Please note: If you want to share /use the write-up for your work, please cite it as Halder Debarati (2025), Understanding the legal meaning of originator under Information Technology Act, 2000(amended in 2008). Published in https://internetlegalstudies.com/2025/08/24/understanding-the-legal-meaning-of-originator-under-information-technology-act-2000amended-in-2008-by-dr-debarati-halder/ on 24-08-2025

Parties to digital communication: Know who is the addressee and whether she is a victim too. By Dr.Debarati Halder

Image owned by Debarati Halder

Introduction

Often we get to hear about digital arrest, stalking, workplace sexual harassment related communication, online bomb hoax and so on. If we analyse the nature of the above mentioned offences, we may see some are targeted to specific individuals (like threatening or hurling intimidating comments, bullying), some are targeted towards the State (consider bomb hoax cases where the sender generally shares information about places where bomb is kept or place which may fall within the vicinity of the bomb blast). If we look at the communications thus received, we may see that the recipient is the victim and the sender is the accused. But this does not mean that it is only the sender who may be considered as the sole accused or the recipient is the only victim. Criminal cases on offensive digital communication may often fail due to huge lack of understanding about the concepts of recipients and senders and the other concerned stakeholders in this regard.

Let us now analyse two case studies:

  1. In April, 2025 Thiruvananthapuram airport received bomb threat via email. Reportedly several hotels in Kerala, a popular tourist destination for its natural scenic beauty in the south western coastal region in India, received emails containing bomb threats.
  2. In a news report published in August, 2025, Mumbai police rescued a 61-year-old woman who was reportedly subjected to digital arrest and transferred large sums of money to fraudsters.

The recipient in the first case was the airport. In the second case, the woman is the recipient of communications that made her believe that if she did not transfer the amount, she would be in legal trouble. While in the latter case the victim is a single female recipient, in the former the mail would have been received by an individual who may have been handling the official mail id of the airport, which is a government entity. But in this case, the individual who opened and read the mail is not the actual recipient. As the mail was received by the airport authorities in their official email id, legally, the recipient would be the Thiruvananthapuram airport authority.

Addressee as explained by Information Technology Act, 2000 (amended in 2008)

Who now becomes the addressee-‘victim’? A clear reading of S.2(b) of the Information Technology Act, 2000 (amended in 2008) would clear doubts in this regard.

This provision defines the term addressee in the following words:

“Addressee means a person who is intended by the originator to receive the electronic record but does not include any intermediary.”

Essentially the origin of the concept of addressee here can be attributed to Indian Contract Act, 1872 which throws light on completion of communication of a proposal under S.4 : it says

The communication of a proposal is complete when it comes to the knowledge of the person to whom it is made. The communication of an acceptance is complete, — as against the proposer, when it is put in a course of transmission to him, so as to be out of the power of the acceptor; as against the acceptor, when it comes to the knowledge of the proposer. The communication of a revocation is complete, — as against the person who makes it, when it is put into a course of transmission to the person to whom it is made, so as to be out of the power of the person who makes it; as against the person to whom it is made, when it comes to his knowledge.

The acceptor is the one who receives the communication and has authority to act upon the acceptance or rejection of the proposal made through the communication. This “acceptor” is the recipient and the addressee of the communication.

The term “Addressee” under S.2(b) of the Information Communication Act (Amended in 2008) shall therefore include the direct recipient who can take action on the communication him/herself, or the recipient who may act on the communication on behalf of the organization as he may have been authorized to take any decision. Addressee also necessarily includes the organization that has received the communication through its email address or any other communication handle that is operated by an authorized stakeholder.

Noticeably, an intermediary would not be considered an addressee even though it provides services to receive, store and send messages on electronic platforms.

When does the addressee become a victim?

The addressee can therefore become a victim of offensive communication if the said communication carries threat, hatred or intimidation, is misleading or fraudulent in nature, or is part of a defamatory statement. The addressee him/her/itself can also have locus standi in the courts for seeking justice if the communication falls within the parameters of offensive communication. In cases where the addressee is a minor or has a juridical personality, the parents, guardians and authorized stakeholders/officers can have locus standi. But there remains an exception: if the addressee is a minor and is subjected to online sexual offences or offensive communication that creates threat, hatred etc., he/she can also directly lodge complaints with the criminal justice machineries. The courts in such cases may allow the parents and guardians to assist and represent her in specific cases.

In all the above cases, addressee however also retains the right to be rescued/rehabilitated/compensated directly for the offensive communications received by him/her/it.

Concluding remarks

Please note: if you are an addressee who may have received any offensive communication, or you know an addressee who wants to communicate with the reporting authorities of the criminal justice machinery or grievance redressal cells, please contact the nearest police station or lodge your complaints through www.cybercrimes.gov.nic and do not communicate directly with the sender of the offensive communication.

Please note: If you want to use this content, please cite it as Halder Debarati (August, 2025). Parties to digital communication: know who is the addressee and whether she is a victim too. Published in https://internetlegalstudies.com/2025/08/17/parties-to-digital-communication-know-who-is-the-addressee-and-whether-she-is-a-victim-too-by-dr-debarati-halder/ on 17-08-2025

Can we have TRUST on “trusted” partners? 2025 Women’s day speaks a different story by Dr.Debarati Halder

Image courtesy : Dr.Debarati Halder

DOI: 10.13140/RG.2.2.19930.04802

Internet is indeed a vast ocean of knowledge now which brings authentic news, bad news, sad news and fake news all at once from trusted, not so trusted and not trusted sources. After artificial intelligence and machine intelligence have taken over the responsibility of mapping and bridging minds for fostering human relationships for networking, to dating to commercial partnership purposes, we got to see heavy volume of breach of TRUST from trusted partners. Indeed, this has given rise to numbers of cybercrimes and women and children are worst affected.

My case study this month therefore includes the unfortunate “breach of trust” case of a European woman in India by her Instagram male friend in the early weeks of March, 2025. News reports suggested that while the whole world was busy discussing “For ALL Women and Girls: Rights. Equality. Empowerment” for UN women’s day and women’s rights month, a British woman complained to a local Delhi police station about alleged rape by a man who asked her to come to Delhi for a meet. While the case would have been primarily focusing on physical rape that is addressed by S.63 (rape) and 64 (punishment for rape), Indian laws, especially the Information Technology Act, 2000 (amended in 2008), still do not have a specific law to address communication for the purpose of committing sexual offences in physical space.

What kind of online offence is created in this case?

A brief overview of the newspaper reports may suggest that the communication between the accused and the victim did not rise to the scale of offensive speech. The victim met the man over a social media platform, traveled to India as a tourist and wanted to meet the ‘friend’. The latter rejected the offer to meet her in the place where she was staying and asked her to come to the place where he was staying. The communication between them could have been a normal one between two consenting adults, and this may not attract the attention of the investigating officers unless the communication suggests that the man was impersonating someone, or that it was sexually explicit or obscene as restricted per Indian legal understanding under S.67A and 67 of the Information Technology Act, 2000 (amended in 2008). But as it is said, “beauty lies in the eyes of the beholder”: whether the language is considered offensive, and when it turned so for the victim, who was probably consensually reciprocating, needs to be established by the prosecution to give the entire case an additional profile of online crime too.

Consensual communication and victim blame game:

Interestingly, on 17th October, 2025, the Information Technology Act, 2000 will be celebrating its 25th year of existence. And in these 25 years we have come to understand that the concept of content-based cybercrimes basically emphasizes one major tool: the language of the communication. It can be deceptive, threatening, insulting, harassing. It can be expressed in any number of ways, including pictograms, digital graffiti and any legible textual communication mode. Given this understanding, legal debates are also shifting towards consensual acceptance of the offer ‘to accept’ the relationship by the recipient. Indeed, the burden of proof now falls on the victim to establish that the communicator was impersonating, playing fraudulent cards or was in a relationship with the victim in order to pass on threatening, harassing communication to her. It is majorly for this reason that most of the victims start feeling guilty and avoid going to the police, fearing the victim blame game.

But not to forget, the State plays the role of victim too, and hence the ‘victim blame game’ may definitely backfire on the investigators and the prosecutors if proper access to justice and assistance for the direct victim is denied in the name of the blame game.

A key player in this is indeed the intermediary. For long, the intermediaries have adopted the practice of due diligence for escaping the liability of knowingly hosting such faulty communicator and the communication that may be falling outside the scope of protected speech. Indian laws have also provided protection for the intermediaries under S.79 of the Information Technology Act, 2000 (amended in 2008), which addresses exemption from liability of intermediary in certain cases. The exemption clauses were further clarified by the Information Technology (Intermediaries guidelines) Rules, 2011.

The trust:

Now comes the question of the “trusted” friend. Again, the accused may be wrapped up in criminal liabilities if he was posing as an internet Romeo. But if he had used genuine information for building up a trusted relationship with an adult, ‘aware’ and empowered woman, he may not be considered an offender under provisions like S.66C (addressing identity theft and punishment for the same) and 66D (cheating by personation and punishment for the same) of the Information Technology Act, 2000 (amended in 2008). Neither may he be apprehended under S.319 of the Bharatiya Nyaya Sanhita (cheating by impersonation). The victim therefore will be left with laws addressing physical rape only, subject to the consequences of investigations on the records of communication. Trust therefore will be considered a mere emotional factor here, which is broken because of lack of anticipation of the behavior of the ‘Instagram friend’.

But then if the victim can prove that she had a ‘consensual’ communication and the trust (and consent) was built up on misconception of fact (as S.28 of the Bharatiya Nyaya Sanhita explains for clarifying what is NOT a GENUINE consent), the accused can further be wrapped with charges under Sections 66C and D of the Information Technology Act and 319 of the Bharatiya Nyaya Sanhita.

Indeed, this becomes a tedious work for the investigating officer and the prosecutor as they need to establish the behavior of the accused, past criminal and institutional records and intention for networking with women through cyber space.

What can be the best forum?

The reports suggested that the victim lodged the complaint with a local police station in Delhi. Interestingly, this could have included a triangle of ‘forum shopping’ if this was limited only to online crime: the victim is from the UK, the defendant is from India, and their profiles and communication were facilitated by an intermediary which follows US rules. One arm of this triangle will automatically vanish, since the intermediary may be taking the protective shield of due diligence laws.

But not to forget, the offence of physical sexual violence on the victim from another jurisdiction has happened in Delhi, India. The defendant is apparently a resident of Delhi and the place of occurrence is also Delhi. Therefore, trial courts in Delhi can take the matter for consideration for punishing the accused if proven guilty. The victim however needs to be satisfied with the offer of legal and medical aid and either apology and compensation (if decided by the court, which may be extracted from the fine), or a judicial assurance of prevention of repetition of the crime as long as the accused (if convicted) is under lawful detention.

But we did see revenge-gratification in such cases. The court can extend the preventive order against the accused (even if he somehow manages to get bail while bail is generally not a rule for rape cases).

Let March be the month for renewal of our faith to equality, equal right to access to justice and respect for women as human beings.

Please note: Please do not violate the copyright of this post. Please cite it as Halder Debarati (March 16, 2025). Can we have TRUST on “trusted” partners? 2025 Women’s day speaks a different story. Published in https://internetlegalstudies.com/2025/03/16/can-we-have-trust-on-trusted-partners-2025-womens-day-speaks-a-different-story-by-dr-debarati-halder/

Privacy thy name is… child: understanding the responsibilities of parents to protect the privacy of children in the digital platforms by Dr.Debarati Halder

DOI: 10.13140/RG.2.2.19360.70406

In the first week of February, 2025, a short audio-visual content showcasing an embarrassed, extremely traumatized child with his face under blankets became viral on Instagram. It essentially found its way to other social media platforms too. The audible contents and the accompanying texts suggested that the child apparently spent a little fortune on accessing online games. No parent of a middle-class family would be happy with such behavior of children. The parents of this child were not either! They expressed their frustration and anger by publicly shaming the child by capturing the ‘scoldings’, the child’s crying face, attempts to hide under the blanket and (not to forget) images of other children who were visibly perplexed as to whom to support. The issue became viral and attracted netizens’ attention. Many schooled the parents for such unethical exposure of the child. But can the parents really be made liable for exposing an embarrassed child in such a manner if we see this from various existing laws in India?

How a child becomes victim of over exposure by parents /lawful guardians?

Let me take you, my readers, back to 2012, when Aishwarya Rai, former Miss World and a Bollywood celebrity, was famously photographed trying to cover her infant daughter’s face by every means. As a parent she had tirelessly tried to protect her daughter from paparazzi and social media entrepreneurs who attempt to make a fortune by showcasing the images of celebrities from different angles. Aishwarya’s daughter grew up to attract limelight and became the subject matter of content creators who started sharing fake news and even health updates about her. The child was not exposed by her parents. But she continued to get exposed on different internet platforms without her or her parents’ consent.
In this case, clearly, the parents (who are her legal guardians) are not liable for her over exposure and potential harms of impersonation, privacy infringement, doxing, defamation, cyber stalking, subjecting her images for the purpose of online child sexual abuse materials etc.

But now consider the case of the young boy (mentioned above) who was shamed by his parents on social media handles for spending the family fortune on online gaming. The facial image of the boy is identifiable and the exposure has been made by the parents/adult family members. The boy was visibly NOT CONSENTING to photographs.

In a number of social media profiles, parents continue to upload the images and audio-visual contents of their children, and India is no exception. But the majority of parents may not be aware that this very act may expose and over expose their children to different patterns of victimization. Interestingly, parents of Gen Z, Gen Alpha and Gen Beta are aware of different kinds of online victimisation, including patterns of online child sexual abuse materials. But they may not be able to accept the truth that they themselves can become tools for online victimization of their children.

Bossing over the “consent” and privacy of the children

In general, parents are given the profile of “In-Charge” data principal under S.2(j) of the Digital Personal Data Protection Act, 2023. The clause defines the data principal as the individual to whom the personal data relates and, where such individual is a child, includes the parents or lawful guardian of such a child, and where the individual is a person with disability (whether adult or child), includes her lawful guardian, acting on her behalf.

But not to forget, the Digital Personal Data Protection Act, 2023 and the Draft Digital Personal Data Protection Rule, 2025 are not the only legal documents that give such “supremacy” to parents to decide about the ‘consent’ of the children to share their data, including images (which carry vital personally identifiable data). Laws and statutes like the Constitution of India, Indian Contract Act, Indian Penal Code, Indian Criminal Procedure Code, Indian Evidence Act (and now the Bharatiya Nyaya Sanhita, Bharatiya Nagarik Suraksha Sanhita, Bharatiya Nagarik Suraksha Adhiniyam), Transfer of Property Act, Juvenile Justice Care and Protection Act and many others like these give the parents of minor children key responsibilities to handle their ‘consent’. Until the child turns 18, it is mandatory to accept the consent of the parents as that of the child. But there is only one exception to this rule: in case the child is abused or the child feels threatened or uncomfortable due to the act of her/his parents/legal guardians, the court is bound to take note of the consent of the child to relocate her/him with a different ‘guardian’. We get to see this in some child custody cases and in cases of child sexual abuse. This is because, through the Juvenile Justice Care and Protection Act and the Protection of Children from Sexual Offences Act, the philosophy of child welfare glaringly dominates over the demand for supremacy of parents over the opinions of children regarding their sense of comfort and security in matrimonial dispute cases, cases of corporal punishment of children, cases of willful negligence and traumatizing of children by abandoning them and/or by suppressing their basic needs of food, shelter and physical security, and cases of child sexual abuse.

Apparently we get to see execution of such a ‘bossing over’ mentality of the parents in cases of choice of dresses and accessories, choice of schools, forcing the child to participate in family functions where he/she is not feeling comfortable and so on. But this bossy decision-making nature of the parents (which in India and in many other jurisdictions is accepted as a social norm) may not always play well for the safety and security of the children.

Why privacy of child matters

Imagine when the little child photographed adorned in dresses and accessories chosen by the parents gets bullied on Instagram by her/his peers, shaming the appearance and the dresses that may not suit their taste! Imagine when the child is targeted in real life as the child of parents who are YouTube controversy creators! Imagine if the child is constantly targeted by unknown people because his/her parents are social media influencers and use him/her as an example for best parenting tips…

One day the parents will leave the internet because of their age, fragile cognitive power or because of their wish to withdraw from the internet. But the contents created with their children (without even considering their consent) will remain afloat on the internet. Research, experience and experiments have proved that contents which may have attracted a high rate of views and discussions do not ‘evaporate’ even if the original content creator pulls down the content from their database. There are many ways to download, re-share, forward and recreate the old contents. Minor children, their images and audio-visual recordings along with their parents may therefore remain on the internet not only during the lifetime of the ‘children’, but also during the lifetime of the next generation of such ‘children’. The child in question will never be able to enjoy the right to be left alone. His/her medical conditions, mental health conditions, school life, exam records, likes and dislikes will be matters of public affair, and no third party, but his/her own parents, will be solely responsible for such privacy infringement of the child.

Can the child sue the parents for privacy infringement in digital platform?

The answer is YES. Even if the parents are in-charge data principals of the children, if the acts of the parents infringe the privacy of the children or expose the children to grave threat, children can take legal action against their own parents. Not to forget, the Protection of children from sexual offences Act, 2013 makes the scope of the Act wide enough to include “whoever” as the perpetrator if the same has violated the laws, including creating/distributing etc. of child porn materials. S.67B of the Information Technology Act, 2000 (amended in 2008) also sings the same song. This will be possible if the child takes the complaint to the police, judicial magistrate or the Child Welfare Committee. Not to forget, the Constitution and child welfare centric laws make the State a ‘guardian’ when the natural/legal guardian of the child exposes him/her to a dangerous situation which may cause physical and mental trauma. A careful reading of the Juvenile Justice Care and Protection Act along with the Bharatiya Nyaya Sanhita may also suggest that children can access justice against their own parents if the latter play a crucial role in violating the child’s basic rights, including privacy.

The denouement

While parents can have the right to decide for the best interest of the child, the decision may not always fetch the best results. Awareness is growing for a safer internet for children and adults. But adults must be responsible enough to create safe and healthy examples for children.

  • Put yourself in the place of the child and think how he/she would be treated for his/her digital presence.
  • Acknowledge the future risks of online harms even if you are a cyber-security guru.
  • Take timely action to protect the privacy of the child.
  • Prepare the child for the BIG BAD world like a pro to have sigma energy.

Creation of Porn content (including child porn): who holds the liability ? by Dr.Debarati Halder

In a recent incident, a minor girl discovered a mobile phone in a washroom in a local restaurant in Diu, a popular tourist destination in western India. When she alerted her family members, who were having a short halt there for refreshment, they found out that an employee of the restaurant had installed the device for recording washroom activities of women and children. The man apparently opened the video setting while installing the device and hence his images were also captured: this helped the family to identify the perpetrator and immediately take action. The report suggests that the person was handed over to the police, who charged him under S.77 of the Bharatiya Nyaya Sanhita, which penalizes voyeurism, and Ss.13, 14 and 15 of the Protection of children from sexual offences Act, 2012, which prescribe punishment for using children for pornographic purposes and for storage of porn contents involving children.

There are two aspects in this case that I would be discussing here:

  • The punishment and the purpose of the same, and
  • The questions of legal liabilities in such cases

At the outset, let me share that the Bharatiya Nyaya Sanhita was brought in to Indianise the criminal acts and the punishments for the same: the colonial concepts of criminal acts were changed to adjust the entire criminal justice system to contemporary Indian understanding. While many research papers, articles and informative write-ups are created on pornography and its effect on society, surprisingly, the terminology of “pornography” is not properly defined in the laws in India. It is rather defined from the perspective of sexually explicit content, which we get to see in different laws including the Information Technology Act, 2000 (amended in 2008). Largely, pornography is explained by private and government stakeholders as some visible representations that arouse and give sexual pleasure. Given this understanding, pornography can have two sides: legal pornography that is created only for medical purposes with contents, images or consensual human activities of adults like sexual acting/performing for sexual arousing of adults; and illegal pornography, which is created by different methods including voyeurism, rape videos, using children and disabled people coercively etc. Many stakeholders have huge disagreements regarding the legal nature of pornography. But unfortunately the reality needs to be accepted. Diving deep into legal philosophy, we may see that once we can differentiate legal and illegal pornography, the legal liabilities for illegal pornography may become more acceptable and prominent for prohibiting such illegal acts and designing thoughtful restorative justice oriented punishment for the same. In the contemporary criminal justice system, voyeurism and the creation, production and circulation of illegal pornography and sexually explicit contents are seen as bailable offences under the Nyaya Sanhita for the first conviction, as the maximum time for imprisonment has been set to three years.

The Protection of children from sexual offences Act, however, categorizes such offences as non-bailable in most cases. Indian courts have produced some landmark cases in this regard too. But unfortunately that did not deter people like this restaurant employee from going ahead with installing a device for recording washroom activities of women and children, recordings that can not only be viewed for personal sexual gratification, but can also be used for generating illegal profit by selling them in the porn market. Apparently the penal system may have failed to create a feeling of deterrence and awareness of the illegality of such activities. We however cannot blame the criminal justice system entirely. We need to see the digital technological advances too, which provide anonymity and a second life for anyone who may need to create multiple avatars to survive in cyber space.

Now, let us concentrate on the legal liabilities of stakeholders for creating porn contents. In the Diu restaurant case, the perpetrator had apparently used a device that was under his control and had installed it in the washroom of the restaurant where he was working. The legal liability for production of the content may be divided between the owner/chief operator of the premises, the owner of the device and the person who installs the device, if the owner/operator/chief manager of the premises knew beforehand about the purpose of installing the video capturing device in the washroom, which may not ordinarily be subject to surveillance. The same understanding of liability will also apply to the owner of the device if it was being handled by any other person for creation of the porn content. Given the understanding that the device owner and the installer of the device in the washroom in this case may be the same, we now have to turn our attention to the liability of the android service provider and the internet service provider (in case the content was being live streamed). Apparently, the last two stakeholders may apply an immunity veil through the liability exemption clause described under S.79 of the Information Technology Act, 2000 (amended in 2008). The provision reads as follows:

S.79(1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him.

(2) The provisions of sub-section (1) shall apply if–

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or

(b) the intermediary does not–

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission;

(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.

(3) The provisions of sub-section (1) shall not apply if–

(a) the intermediary has conspired or abetted or aided or induced, whether by threats or promise or otherwise in the commission of the unlawful act;

(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.

Explanation. — For the purposes of this section, the expression “third party information” means any information dealt with by an intermediary in his capacity as an intermediary

While the statute, as shown above, saves the intermediary from being a stakeholder in cases such as these, Clause (3) of S.79 highlights the liabilities of the intermediary in case it knowingly took part in the production, creation or circulation of content that falls in the category of illegal porn content and sexually explicit content, the creation, production and circulation of which is criminalized.

Now, let us see if the perpetrator can be charged and tried under S.15 of the Protection of Children from Sexual Offences Act, 2012. This provision speaks about storing of child porn contents. S.15(1) of the POCSO Act prescribes punishment with a fine of Rs 5000/- in the first conviction and Rs.10,000/- in the second conviction for a “person, who stores or possesses pornographic material in any form involving a child, but fails to delete or destroy or report the same to the designated authority, as may be prescribed, with an intention to share or transmit child pornography”. This sub-clause therefore penalizes one who stores child porn content with an intention to share and transmit it and does not report the matter to the designated authority. Clause (2) of S.15 goes further, prescribing a jail term of a maximum period of 3 years for storing or possessing “…….pornographic material in any form involving a child for transmitting or propagating or displaying or distributing in any manner at any time except for the purpose of reporting, as may be prescribed, or for use as evidence in court.”

Clause (3) further prescribes punishment for one who stores or possesses pornographic material in any form involving a child for commercial purposes. The maximum punishment is a five-year jail term, with a minimum jail term of three years. It may become a bailable offence if this very provision is applied to the perpetrators.

Interestingly, in the recent case of JUST RIGHTS FOR CHILDREN ALLIANCE Vs. S. HARISH Diary No.- 8562 – 2024, the Supreme Court has held that mere watching of child pornography is also considered an offence, as this may be considered as inclusive of a chain of behavior like opening the link containing porn content, storing the same with possible control over the possession, reporting of the content and deleting the content without opening the content.

The above discussion may now lead us to understand the following about the legal responsibilities of stakeholders who may be involved in producing, creating and circulating porn contents, including child pornography contents:

  1. Production of porn contents may not only mean financially facilitating the creator of the porn content, but also may mean any one who may provide facilities like permitting to use premises under his/her own possession for creation of porn contents mainly with purpose of gaining /sharing illegal profit from illegal distribution of such contents.
  2. Installation of camera devices secretly in washrooms, rest rooms, bed rooms etc, may be considered as an act for the purpose of recording, creating and disseminating voyeur images, child porn and nonconsensual adult porn images.
  3. The mobile phone company, software company that may facilitate operation in the mobile phone or electronic devices and the service provider that may be used to record, store, disseminate the illegal images, may not be held liable for aiding the actual perpetrator unless they are knowingly aiding in such work.
  4. Storing of such images (including illegally captured images of sexual organs of adults and children, people engaged in sexual acts, etc.) is considered an offence under the POCSO Act as well as under the Information Technology Act, 2000 (amended in 2008).
  5. Non-reporting of receiving /knowledge of such illegal porn contents can also be considered as an offence especially under POCSO Act.

May every child be safe. May every adult be safe.

Please don’t violate the copyright of this writeup. Please cite as Halder Debarati (2024).. Published in https://internetlegalstudies.com/2024/11/14/Creation of Porn content (including child porn): who holds the liability ?by-dr-debarati-halder/ on 14/11/2024

Dance of death on the cyber space: Legal trouble for the content creators and viewers for “death” videos. by Dr.Debarati Halder

Image credit: Internet

In a recent Instagram post shared by some Instagram handles in early July, 2024, a boy of 16 is seen collapsing in a school corridor in India due to a heart attack, and consequently he passes away. Previously, another video clipping of a young girl jumping to her death in Kota, Rajasthan, apparently due to study pressure, shook the net-world. Apparently the clippings seemed to have been taken from CCTV cameras and later they became viral. This is not the first time that sudden deaths due to heart attacks, or deaths due to accidents or violent attacks, of minors and adults were shown on internet platforms, especially in India. Noticeably, images of such mishaps were accessed from surveillance cameras affixed in buildings, on public roads and at traffic signals. These unfortunate images (in most cases, a clear facial image of the victim may not be available) are generally shared by one user and then the clipping lands in the hands of content makers and influencers who may share it for the purpose of profit making, whereby they may get revenue from internet platforms like YouTube on the basis of ‘views’. The most disturbing fact in this context is that the intermediaries or the websites through which such contents are shared may not suspend the content from public viewing even though it may continue to re-victimize the family members of the victim.

There are three issues that everyone must understand before watching such “dying” videos:

  1. The clipping of “death” carries crucial information about reasons for death, nature of death and place and time of death. This may also provide crucial health information, traffic violation information or even any sort of information about criminal activities. It can also provide information about the accountability of the stakeholders who were responsible for providing first aid, preventing adults and children from committing suicides or for preventing any sort of criminal activities in the premises where death has occurred.
  2. No one other than the authorized agent can cull out any specific clipping from the chain of images that are being recorded in any CCTV camera. Such accessing and taking out of specific images must be done with proper authorization which may permit not only accessing and taking out specific images from the chain of the images, but also downloading and archiving the same for specific legal purposes.
  3. Every accidental death and abnormal death needs to be documented by the police and analyzed by the courts for understanding the cause of the death, compensating the victims and punishing the offenders who may have caused the death. In doing this, the courts need to analyze the forensic report for the death as well as the forensic report of the images that have been captured and the virtual footprints on the images, for understanding the broader cause and effects of the death.

Now let us understand how the above-mentioned issues are connected with statutes including the Information Technology Act, 2000 (amended in 2008), which may land the unauthorized interceptor in legal trouble. S.69(1) of the Information Technology Act, 2000 (amended in 2008) says as follows:

Power to issue directions for interception or monitoring or decryption of any information through any computer resource.–(1) Where the Central Government or a State Government or any of its officers specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient so to do, in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.

Now, concentrate on the words “Central Government or a State Government or any of its officers specially authorised by the Central Government or the State Government”: these very clearly suggest that any data captured by a computer or digital information communicator can be intercepted and decrypted only by the authorized agencies. Again, let us look at the words … “it is necessary or expedient so to do, in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.” This may mean that accessing the specific image and downloading and sharing the same may not be considered a private act for profit gain or name gain.

Let us now understand how such sharing of “dying” videos may disturb the court proceedings and the victim’s right to justice: courts may need to analyze the entire content (this will now be considered an electronic record) for understanding the reasons for death and the responsibilities of the concerned stakeholders. The electronic record may need to be admissible as good evidence as per S.63 of the Bharatiya Sakshya Adhiniyam Act, 2023. Once the content/electronic record becomes eligible as admitted evidence, it may help the court to reach a conclusion on the causation of death. The chain of digital footprint may also help the court to understand whether the electronic record has been decrypted and modified illegally to add or delete any valuable information. This electronic record may include text messages or voice or any other graphic added to the content or electronic record. The court may also need to analyze the associated comments of the creator, conveyer and the bystanders.

Generally, the comments of the bystanders (who are popularly known as “viewers”) may also lead the court to understand how the victim may have survived, how the victim died, the situation/environment which may have killed the victim. The comments of the viewers may also lead the court to predict probable prohibitions and punishments.

As we may understand from the above, accessing and decrypting any CCTV camera image of deaths or death-like real life incidents can therefore be considered a punishable offence, and bystanders can also be considered answerable. Contents depicting real life death should not be commercialised. It becomes the responsibility of us, the civil society members, to respect the laws and legal norms on the internet and help the intermediaries to take note of such misuse of the platforms by reporting such contents, rather than sharing them for profit and name gain.

Please don’t violate the copyright of this writeup. Please cite as Halder Debarati (2024).Published in https://internetlegalstudies.com/2024/07/08/dance-of-death-on-the-cyber-space-legal-trouble-for-the-content-creators-and-viewers-for-death-videos-by-dr-debarati-halder/ on 08-07-2024

The Princess and her photos: a modern day fairy tale of internet kingdom by Dr.Debarati Halder

Photo credit: internet

We the common civilians are mostly obsessed with the tales of princes and princesses, their kingdoms, their lifestyles and obviously, their richness, the wealth they display and the wealth of wisdom that is displayed by the media. Today the majority of countries have a democratic setup with an elected president as the head of the State. Some countries in Europe, Asia and Africa however have monarchical systems with Kings and Queens as the head of the State. These monarchs ascend the throne as a hereditary right. Post second world war, some monarchs have been ousted either to accommodate the best in the line or to bring in a democratically elected head of the state. In either case, the lifestyle of the royal families always attracts a lot of public attention. It is alleged that this public inquisitiveness is monetized by professional photographers: the more images of royal women are captured, the more these photographers gain monetarily. The tragic death of Diana, Princess of Wales is a glaring example. Images of her last moments in the car crash are still floating on the internet and these are heavily searched, giving more profits to those creators who keep on sharing such images with an extra touch of editing.

Recently another royal woman, the present Princess of Wales, has attracted unwanted attention for an image featuring herself with her three children, including the future heir to the throne. Apparently Catherine (popularly known as Kate) had undergone abdominal surgery which many speculated to be connected with cancer. Post-surgery, Kate and her family had to break this speculation so that neither her family nor the country may be targeted for an unwanted bash on the health and lifestyle of the Royals, which may lead to many diplomatic and political speculations. All these were finally triggered by a single photograph.

What was the issue: the photograph, shared by the official handles of the Prince and Princess of Wales, showed a happy mother holding two children with her hands and her three children happily laughing with her. Photo scrutinizers figured out that the photo had been edited and the presentation suggests that the mother’s hand and the daughter’s waist do not match in an ideal way. There was some more editing which raised questions as to whether the children were really sitting with the mother outdoors for the happy photograph. Kate later apparently shared an apology accepting that the photograph was (badly) edited. This further raised speculation about the health update of the Princess and the authenticity of the information shared by the social media handles of the couple (Prince and Princess of Wales).

What is the legal issue: After the tragic death of Diana, Princess of Wales, her son the Prince of Wales had emphasised privacy for the family like any other common civilian family. The introduction of the UK Data Protection Act, 2018 made the right to privacy a significant right for all, including members of the royal family. While this may prevent third-party infringement of the right to privacy for the members of the royal family, a question arises about legal protection against public expression through comments on the specific photograph shared by the social media handles. Here two main issues may be identified: what was shown by the image creator/distributor, and what expressions/actions are being generated by various stakeholders about the data owner (in this case, the Princess of Wales). Courts in England have highlighted the need for protecting the privacy of medical records which may be ‘presumed’ and shared for ‘public interest’ on the basis of photographs: Naomi Campbell’s case is the best example in this regard. In Kate’s case, the issue may be connected to a certain extent because she and her children are not ‘photographed’ like Naomi. Rather, she had consensually been photographed and had apparently taken the right to edit the photograph. Here the emphasis is shifted to expressed comments/speech that may affect her reputation, her health records and obviously the privacy of her children. But can an individual or a family (even if it is a Royal Family) silence the speech which expresses speculations and may build up theories of non-reliance on information shared by individuals who are followed and watched by many? Judicial precedents to a large extent have removed that protection from public figures unless such speech is passing through the clear and present danger test.

The risk-factor for all: But in this case the apprehended harm is more intense. The photo scrutinizers have not only checked the blurred parts, additions and deletions, they have revealed information about the possible stay of the family, including the children, in specific locations, vulnerable mental health factors and obviously the ‘body search’ of the mother and children. This throws up a challenge for all women across the globe who would wish to share their selfies, images of their children and locations. Anyone can now scrutinise the dress, sitting positions and the facial images to understand the body size (which may fall within the category of sensitive personal data), specific identifiable marks on the face and geo-locations. This may make it easy for predators to carry out image cloning for criminal purposes, virtual striptease and online sexual assault of women and children by using Artificial Intelligence supported by human imagination.

Is there any suggestion for protection? Yes, of course! While the application of copyright laws is being prescribed worldwide to prevent unwanted usage of the images and to get relief, data protection laws and penal codes are offering solutions for preventing the wrongdoer from causing more harm and for punishing the wrongdoer. But the originators/creators may still need to take the responsibility for controlling who may access the images and when they may access such images. We may not control the public interest in the lives of celebrities. But definitely a growing awareness about privacy and respect for privacy may go a long way to let the princes and princesses, actors, players and influencers, who have become highly ‘consumable’ in the era of the internet, live safely forever.

Please don’t violate the copyright of this writeup. Please cite as Halder Debarati (2024).The Princess and her photos: a modern day fairy tale of internet kingdom. Published in https://internetlegalstudies.com/2024/03/22/the-princess-and-her-photos-a-modern-day-fairy-tale-of-internet-kingdom-by-dr-debarati-halder/ on 22-03-2024

Looking for 5 star restaurants or amenities or service providers? Here is the reality by Dr.Debarati Halder

Image courtesy: author

Recently there was a news report of a woman losing a little fortune in a pencil marketing scam in India. In the contemporary world, digital marketing has become a lucrative job for all. This promises a good income from the home comfort zone and just needs two tools: an internet connection and a digital technology enabled device (it can be either a smart phone or a laptop or desktop computer). But this is a myth-busting report for everyone who may read this article. I was contacted by a recruiter agency recently and I got to see a practical example of how such agencies dupe people, especially women.

  1. How do these agencies get the phone numbers of the target victims?

Apparently they have a super research team who may go for data mining from every possible source: this can be the database of the shops which we may have recently visited and where we shared our phone numbers, our phone data recharging agencies where our phone numbers are supposedly saved for processing the data, third party service providers who may be working with our phone numbers, Aadhar data etc. for our professional workspaces, etc. The one who contacted me (un)smartly shared that they collect ‘verified numbers’ by partnering with telecom companies for the purpose of market survey for their clients. Now the question is: who are these telecom companies? Apparently they are the digital communication service providers like Airtel, Jio, Vodafone etc. But not really: there are many telecom agencies who are middlemen. They are the agents of the main data fiduciary. They are data collectors and recharge service providers, and they are all bound in the same legal chain, namely the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000 (amended in 2008).

  • Modus operandi: These ‘agency’ people filter the data profiles on the basis of certain criteria. This may include age, gender and geo-location. They may contact the target through SMS or through WhatsApp. In the latter case, they may start the conversation by stating the daily estimated income and after that they may share the trial task. It is but obvious that they do not stick to a static number. Hence if one completes the trial task and shares the bank details, the scammer may ‘vanish’ with account details and some essential confidential information that may enable them to access the account without much hard work.
  • Now comes the question of what type of task would be given and what the ‘job’ is. This surprised me because I am a foodie and I really trust the ‘stars’. But it’s time to come out of the myth. No restaurant may have a neat 5 stars from customers and diners. It’s the manipulative work of digital marketing companies that may outsource the job to people like you and me, and in between some scammers may join to mint money from both parties. I was asked to rate restaurants on Google Maps and the ‘task’ restaurant was some 260 kilometers away from where I stay. I have never visited the restaurant or the place where it is situated. I have never seen their menu card, nor have I tasted their food (nope, not even through Zomato or Swiggy, because they won’t deliver any food item so far).

Now probably you may know how some restaurants, shops, hotels or even health care service providers may get 5 stars and stay at the top of search list!

But that’s not all. These agencies may necessarily provide links to upload positive comments and stars. A click on them may invite much more digital trouble.

  • Would they be worried if you tell them you have lifted the ‘innocent veil’ and found out who they are? The answer is ‘no’. That’s because they would take seconds to change their phone numbers and delete all texts shared with the victims, so that the latter cannot take any evidence to the police.

Why are they targeting women? A possible answer is that women, especially undergraduate students and home makers, may need to make money from the comfort of home. It’s moonlighting while the home makers are involved in full-time household chores. And yes, most of the targets may not be able to suspect the scammers because they may use women’s photographs in their WhatsApp profiles. As such, we may never know who accesses our WhatsApp or Instagram profile pictures and how they may be misused.

The laws that may help: First of all, understand why they are called scammers and what sort of crime they are committing. The Digital Personal Data Protection Act, 2023 has mandated that all data collectors must explain the reason behind collecting the personal data (including the phone numbers) of data principals. All data fiduciaries are also mandated to explain why and how the collected data will be processed. Have you ever heard your shopping mall or any other service provider stating clearly why they are collecting your number? It’s not for future connection. But it’s for sharing our phone numbers (whether consciously or unconsciously) with scammers who may continue to feed other business establishments by providing unauthorized information. S.43A of the Information Technology Act, 2000 (amended in 2008) makes the body corporate liable to pay damages to data owners for negligence in protecting the integrity of the data. But this is a live example of how all stakeholders in this regard dupe the actual data principal.

Often victims who understand that they are trapped may try to counter these scammers by calling them, sharing photos and numbers of the scammers on social media portals, or even trying to reach them by searching for their physical office addresses. Each of these may invite different kinds of trouble. The best way to address this is to be aware of the patterns of fraudulent activities carried out by such scammers, block and report the phone numbers to the intermediary and report the matter on the portal https://cybervolunteer.mha.gov.in/webform/Volunteer_AuthoLogin.aspx . Remember, we women are the chosen target for cyber crooks because they feel women are less empowered. It is our right to be safe and our duty to prove them wrong!

Stay safe.

Please don’t infringe the copyright of this write-up. Please cite this as Halder.D(2023). Looking for 5 star restaurants or amenities or service providers? Here is the reality. Published on 11-11-2023 @https://wordpress.com/post/internetlegalstudies.com/1472

Intermediary liability: Are Universities countable? By Dr.Debarati Halder

Image Courtesy: Internet

Behind every data storage mechanism, there is a human intelligence that works to decide how the data storehouse will be managed and protected, and which data may be exposed and how. For long I have been arguing that behind every breach of data security there is a human brain. He/she can be a data collector, data fiduciary, data manager, data protection engineer or a designated data protection officer of any website and tech company. My argument becomes stronger with every daily update on data breaching methods: this time it is a two-member group of university officials in western India who have been accused of leaking a cloud storage password to another university located in central India. While the accused persons have the right to a defense against such an allegation, such information may suggest that no organization, including the banks, hospitals, universities and government departments dealing with civilians’ data, is safe.

Let us first understand what is an intermediary:

Often, we tend to confuse the term intermediary with website, internet service provider and internet. All three of them have different meanings, but the concepts overlap with each other. The Indian Information Technology Act, 2000 (amended in 2008) defines intermediary, especially in respect of electronic records and data, in S.2(w) as

any person who on behalf of another person (i) receives, stores or transmits that record or

(ii) provides any service with respect to that record and

(iii) includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.

Interestingly, the words “any person” have different meanings in this section: when it says “any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record”, it may mean a natural person, i.e. human beings (especially adult human beings, who may be capable of taking rational decisions, entering into contracts, etc.). Again, when it says “telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes” etc., it may mean a juristic person who has legal personality and who may be represented by its human representatives like the CEOs or the nodal officers, etc.

In its preamble (para 4) in Recommendation CM/Rec(2018)2 of the Committee of Ministers to member States on the roles and responsibilities of internet intermediaries, the Committee of Ministers, Council of Europe has shared some functions of such intermediaries, which are as follows: … “internet intermediaries”, facilitate interactions on the internet between natural and legal persons by offering and performing a variety of functions and services.

Some connect users to the internet, enable the processing of information and data, or host web-based services, including for user-generated content.

 Others aggregate information and enable searches; they give access to, host and index content and services designed and/or operated by third parties.

Some facilitate the sale of goods and services, including audio-visual services, and enable other commercial transactions, including payments.

Individual responsibility of the natural person intermediary for failure to protect the confidentiality of the data

As the above discussion may lead us to understand the meaning of intermediary as both a natural person and a juristic person (who may be represented by a natural person), let me now explain how an intermediary (natural person), including the data manager and/or the data protection officer as appointed by the data fiduciary, may be responsible for leaking of the data saved in the data storehouse under the body corporate. He/she may

  1. Intentionally violate the obligation of confidentiality and share the security password for the data with a third party without the consent of the body corporate or the data fiduciary who may have collected the personal data for a specific purpose.
  2. Negligently pass the security information to a third party, allowing the confidentiality of the data to be breached.

In both these cases the primary responsibility for the data breach may fall upon the body corporate, who may need to pay compensation under S.43A of the Information Technology Act, 2000 (amended in 2008) to the data principals whose data has been breached while the same was under its custody. But then such individuals (natural persons) may also be held responsible under a number of legal provisions. These may necessarily include S.72A of the Information Technology Act, which prescribes punishment for disclosure of information in breach of lawful contract. This bag of penal provisions against such an intermediary (including the data manager or the data protection officer) may also include S.43 read with S.66 of the Information Technology Act, which prescribes punishment for computer related offences.

What do we understand from the above, especially about universities as intermediaries as well as body corporates?

Universities are also intermediaries and body corporates who collect personal data including sensitive personal data of the teaching and non-teaching staff and of the students.

The personal data of the above-mentioned stakeholders are connected with their family members. Hence it may be easy for the possible perpetrators to fish out sensitive personal data of university employees and students as well as their family members.

Universities as body corporates also hold information about their own examinations, public examinations and data related to foreign university collaborations (which may also include domestic-foreign trade collaborations).

As a matter of fact, if data is leaked from the university database or the university is hit by a ransomware attack, all stakeholders connected with the university may be affected, and women will be particularly vulnerable targets. It is necessary, therefore, that all universities set up proper cyber security infrastructure and employ trained data protection officers and data managers who may provide safe services for all as university intermediaries.

Please don’t violate the copyright of this writeup. Please cite as Halder Debarati (2023) Intermediary liability: Are universities countable? Published on 31-10-2023 @https://wordpress.com/post/internetlegalstudies.com/1463

THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023: can women expect any meaningful protection for Data privacy now? by Dr.Debarati Halder

Women for women

On 11th August, 2023 the much awaited Digital Personal Data Protection Act (DPDA), 2023 finally came into existence. Drafted majorly in the shadow of the EU General Data Protection Regulation, DPDA offers certain rights to the data principals and certain duties to the data fiduciaries. But first, let me break a myth: DPDA is not an exclusive statute for providing privacy to our data. The words ‘protection’ and ‘privacy’ may not always be synonymous.

 If we look into the preamble of DPDA we would see that the preamble offers four reasons for enacting this law:

  1. To provide for the processing of digital personal data in a legalised manner
  2. To recognise the right of individuals to protect their personal data and
  3. To recognise the need to process such personal data
  4. To recognise the lawful purposes for processing the data

Every individual is a data principal according to S.2(J) of the DPDA. Irrespective of gender and age, a data principal is a person to whom the concerned data is related. However, this provision clarifies the status of children and the disabled by stating that for the former the parents or the lawful guardians will become the data principal, and for the latter the lawful guardian will be the data principal. As we know from the Information Technology Act, 2000 (amended in 2008), data means nothing but information that may represent many profiles of individuals: these may include financial status, health status, educational status, maturity status, marital status, and what not. Data itself may be extremely costly, especially when it is processed and formally associated with specific organizations or institutions. According to S.2(x), “processing” in relation to personal data means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

Interestingly, DPDA therefore not only advocates for the protection of the integrity of the data while it is being processed, it also bats for the right to be forgotten.

For years I have been observing that women are targeted in cyberspace for many illegal acts. I have witnessed the amendment of the Indian Penal Code whereby a dedicated series of S.354 was introduced for penalizing several patterns of criminalities in cyberspace. These included cyber stalking, voyeurism, disrobing women in the physical space and photographing the assault, sexual harassment and using sexually explicit language, gestures etc. Several other laws, such as The Sexual Harassment at Workplace (Prevention, Prohibition and Redressal) Act, the Indecent Representation of Women (Prohibition) Act etc., were introduced or amended to provide further protection to women and support the Information Technology Act, 2000 (amended in 2008). None could actually completely prevent online crimes against women. On the contrary, perpetrators have found new ways to commit cyber-crimes against women. At present we get to see that women are targeted more by fraudsters who are tricking them for financial loss.

DPDA creates a layer of protection against the data processing stakeholders. Processed data may contribute to creating the identity of the data principal, educational degrees, health records, financial records etc. Most of these are vulnerable sensitive personal data. DPDA has therefore enhanced the responsibility of the data fiduciaries to protect the consensual data that is shared with them.

But now let us see how DPDA may not protect the interest of women:

  1. Who manages the Artificial intelligence that will be applied for processing of the data under S.2(X) of the DPDA?

The Act indicates that the data fiduciaries and the data processors may be responsible for controlling the AI for processing the data. But where is the data pool for the AI which will be working with the data? We must not forget that most data fiduciaries may use foreign based AI for processing data. In that case, is there any specific rule to control the foreign entity who may be controlling the AI? The answer may be found in S.3(b) of the DPDA, which sets out the scope of the Act. It says as follows:

        Subject to the provisions of this Act, it shall (b) … also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India;

The answer may also be found in S.11 which speaks about rights of the data principal. But again, this needs a clear explanation.

It is not very clear if the AI system (that will be applied for data processing) falls within the meaning of “services to data principals within the territory of India”. If it falls within this category, then we need to see whether the contractual obligations between the data fiduciary and the AI creator company/entity can be made transparent to the data principal.

2. How would the non-digitized data be digitized without manipulating the original data?

Let us go back to S.3 of the DPDA again. While explaining the scope of the DPDA, S.3(a) mentions that this Act shall apply to the processing of digital personal data within the territory of India where the personal data is collected … in non-digital form and digitised subsequently. In such a case, and also in the case of processing digital data, DPDA does not mention what security procedure may be applied to restrict the leaking of sensitive personal data of data principals, especially women. Such a question may be answered through the DPDA Rules that we are looking forward to. But honestly, there may be many occasions where data would be exposed without authorisation by the data protectors themselves. We need to see how far the statute would be implemented to heal the harm and compensate the data principal directly, especially when the data principal is a senior citizen or a minor or educationally challenged or a disabled woman.

3. Now comes the question of the grievance redressal mechanism that must be set up by the data fiduciary, as has been mentioned in S.8(10) of the DPDA.

The Act remains silent about the infrastructure of the said mechanism. If we look into the Information Technology Act, 2000 (amended in 2008), we get to see the court system, where the qualifications of the forum members (for example, Administrator for civil offences etc.) are clearly mentioned. But even the Information Technology Act, 2000 (amended in 2008) does not mention anything about the qualification of the grievance redressal officers. The IT (Intermediary Guidelines and Digital Media Ethics) Code, 2021 discusses in detail the engagement of a grievance redressal mechanism by the intermediaries in Rule 3 (focusing on due diligence by intermediaries) and Rule 10 (furnishing and processing of grievance), and in Chapters 2, 3 and 4 (which discuss levels 1, 2 and 3 of the self regulating mechanism and the oversight related mechanism). We have to see if DPDA applies parts of the IT (Intermediary Guidelines and Digital Media Ethics) Code, 2021 for mandating the data fiduciaries to set up grievance redressal mechanisms. In my opinion, data fiduciaries must consider engaging women officers to look after the grievances from women data principals. This may make the female data principals (especially those coming from orthodox societies and those who may be educationally and/or socio-economically challenged to access the male dominated grievance redressal mechanisms) feel comfortable to share their grievances. This may also encourage better reporting of criminal activities in cyberspace.

  • DPDA under S.3(c) very clearly withdraws its scope from the data principals in the following situations:

(i) personal data processed by an individual for any personal or domestic purpose; and

(ii) personal data that is made or caused to be made publicly available by— (A) the Data Principal to whom such personal data relates; or (B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.

The explanation to S.3 of the DPDA explicitly shows that if a data principal voluntarily shares her personal data publicly, DPDA provisions (regarding the responsibilities of data fiduciaries) will not be applicable. In my capacity as cybercrime victim counsellor, I have seen the unfortunate rise of cybercrime cases and more unfortunate cases of victim blaming in cases such as those mentioned in the exception of S.3(c) of the DPDA: bloggers, digital creators and social media influencers intentionally share their personal data for profit. In case of infringement of their data integrity or a data breach, they will now become ‘guardian-less victims’ who should brace themselves to face challenges in the system of criminal justice. But here lies the legal twist: such women may claim the protection of DPDA if their sensitive personal data integrity is violated due to the negligence of the data fiduciary, i.e., the intermediary/website/web domain etc., who are providing them platforms to publish their blogs, write-ups, opinions, videos, business related information etc. As such, women bloggers, digital creators and social media influencers must go ahead with their data sharing and data processing contracts with the primary data fiduciary (the web domains, websites etc.) with extreme care. Such women (and men too) must now consult lawyers to prepare an agreement for entering into a contract with such intermediaries etc., who have always tried to dominate the contractual relationships with their custom made agreements, which may enable them to escape liabilities by using immunity veils.

4. Last, but not the least, is the question of “lawful purposes” that makes the data fiduciaries liable to share the personal sensitive data with the government stakeholders.

The issue of surveillance is worth mentioning here. While there may be surveillance in the name of safety of the nation, peace and security of the community, friendly relationship with neighbouring countries and even for protecting the rights of the fellow citizens, as has been stated under Article 19(2) of the Constitution, misuse of power by government officials including police officers to breach the integrity of personal data of women may be a serious blow to the right to protection and privacy of digital data.

DPDA, 2023 offers many positive aspects for data protection. But this is the beginning of a new understanding of the data protection regime in India. We need a lot more research on the practical applicability of the law to provide safety to women. Let this ‘new beginning’ bring a more positive attitude and awareness for holistic safety in cyberspace.

Please note: please do not violate the copyright of this writeup. If you want to use it for your article, assignment, project etc., please cite it as Halder Debarati (August, 2023) THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023: can women expect any meaningful protection for data privacy now? Published in https://wordpress.com/post/internetlegalstudies.com/1433 on 24-08-2023