1. INFORMATION RETRIEVAL, INFORMATION ACCESS & BIG DATA- LEGAL PERSPECTIVES

2. A PRESENTATION BY PAVAN DUGGAL ADVOCATE, SUPREME COURT OF INDIA PRESIDENT, CYBERLAWS.NET PRESIDENT, CYBERLAW ASIA HEAD, PAVAN DUGGAL ASSOCIATES

3.  Volume, Velocity and Variety are the three Vs impacting big data today. The Economist reports in its 2012 Outlook that the quantity of global digital data expanded from 130 exabytes in 2005 to 1,227 in 2010, and is predicted to rise to 7,910 exabytes in 2015 http://www.economist.com/node/2 1537922http://www.economist.com/node/2 1537922.

4.  Big data and information access has brought forward various legal, policy and regulatory issues.

5.  There are legal issues related to securing the Big data infrastructure in terms of having an appropriate legal framework for protecting secure computations in distributed programming frameworks.

6.  There is a need for coming up with and adopting appropriate best practices for enforcing and maintain security for non-relational data stores.

7.  Big data, information retrieval and information access together have an intrinsic connection with privacy, a predominant legal issue, in the context of preserving data mining and analytics. Further the use of cryptographically enforced data centric security brings forward its own legal issues.

8.  The granular access control brings forward various complicated legal and policy issues pertaining to privacy.

9.  Another major legal issue is related to data management.

10.  There is a need for having in place appropriate enabling legal frameworks for ensuring secure data storage and transactional logs and also granular audits.

11.  Of prime concern is maintaining the authenticity, integrity and veracity of big data that is sought to be accessed and retrieved.

12.  There is a need to safeguard privacy while dissemination of information.

13.  Another important issue pertains to protection of sensitive data including sensitive personal information using cryptography and granular access control.

14.  Need for ensuring the authenticity as well as integrity of streaming data emerging from diverse end points which is often used for forming real time analytics for security incidents.

15.  Big data provides immense challenges in the context of data protection, both for processors and regulators. The high volume of of data obtained from diverse sources distinctly demand need for a safe and secure legal framework that can help to protect users of data as also suppliers of data.

16.  Different national jurisdictions have different regulatory requirements for data protection. European Union has got its data protection directives. Other countries have incorporated various data protection provisions in their existing national legislations.

17.  However, data protection in the context of big data requires a distinct re-visit inasmuch as data protection legislations have always been framed keeping in mind individuals’ chunks of small islands of data. as contra- distinguished from huge volumes of data encapsulated by big data.

18.  Another legal issue pertains to legalities concerning anonymity of data in context of the person who places the information on the internet and data masking.

19.  What are the basic principles that should be applicable in the context of big data collection, processing, retention and dissemination?  Big data has had and continues to have huge ramifications on privacy.

20.  Data minimization also brings forward issues concerning privacy and data protection. Of particular relevance is the need for coming up with appropriate international best practices dealing with collection, retention and destruction of data including personally identifiable data.

21.  Different national legislations differ on the issue of consent or individual control on data.

22.  As on date, there is no one international legal arrangement that deals with big data on a universal basis.

23.  Intellectual property rights and big data together constitute another major legal issue.  Who has the intellectual property rights to big data? What are the intellectual property rights related to collection, storage, processing or sharing of big data?

24.  Often there are concerns that the new big data search and analysis tools could result in infringement of Copyright of the said data.

25.  Big data and data privacy thus assume importance in the legal world. In the context of big data, there are often going to be disputes as to who owns the output data, more so when third parties are involved in developing systems that are put to use for generating the said output.

26.  Another legal issue pertains to contractual liability for the relevant contracting parties for inaccurate or incomplete information or when expected co-relations do not emerge.

27.  It is also possible that technology opens up the possibility for abuse of information obtained in relation to competitors in the market and that itself gives rise to various competition law issues.

28.  Further given the fact that today large number of big data censors in big data are predominantly in the hands of powerful intermediaries, the potentiality of them being misused and abused to violate rights and liberties of individuals cannot be ruled out.

29.  There is a need for coming up with appropriate enabling legal framework to ensure that big data does not in any case prejudicially impact the enjoyment of rights and duties of citizens.

30.  We now look at legal issues pertaining to information retrieval, access and big data in the context of India:

31. THE INFORMATION TECHNOLOGY ACT, 2000 – INDIAN CYBERLAW  In India, the Information Technology Act, 2000 is the Mother Legislation that deals with issues related to use of computers, computer systems, computer networks and the Internet.

32. THE IT ACT, 2000 – INDIA’S FIRST CYBERLAW  Aims to provide the legal infrastructure for e-commerce in india.

33. THE IT ACT, 2000 – OBJECTIVES (contd)  Aims to provide for the legal framework so that legal sanctity is accorded to all electronic records and other activities carried out by electronic means.

34. OFFENCES & PENALTIES  Penalties and adjudication for various offences involving computers, computer systems and computer networks.  Imprisonment and fine for various cybercrimes defined

35. CYBER OFFENCES  Various cyber offences defined  Cyber offences to be investigated only by a Police Officer not below the rank of the Inspector (now), Deputy Superintendent of Police( earlier).

36. OFFENCES & PENALTIES (contd)  PENALTIES FOR DAMAGE TO COMPUTER, COMPUTER SYSTEM ETC. HAVE BEEN FIXED AS DAMAGES BY WAY OF COMPENSATION NOT EXCEEDING RS. 5,00,00,000/- TO AFFECTED PERSONS.

37. BREACH OF SECURITY  Breach of security attracts consequences of civil liability.  If a person without the permission of owner or any other person in charge of a computer, computer system or computer network, accesses or secures access to such computer, computer system or computer network, he is liable to pay statutory damages by way of compensation, not exceeding five crore rupees to the person so affected.

38. CIVIL LIABILITY  Downloading, copying or extracting any data, computer database or information from such system or introducing any computer virus into the same or damaging, destructing or causing to be damaged or disruption of the same or denying the access to any authorized person of the same.

39. CIVIL LIABILITY (cont CIVIL LIABILITY (contd.)  and providing any assistance to any person for doing any of the acts mentioned above, would also attract the civil liability of damages by way of compensation not exceeding rupees five crore.

40. CYBER OFFENCES UNDER THE IT ACT  Tampering with computer source documents – Section 65  Computer related offences - Section 66  Publishing of information which is obscene in electronic form - Section 67

41. INFORMATION TECHNOLOGY RULES, 2011  These Rules consists of the following: Information Technology (Electronic Service Delivery) Rules, 2011 Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 Information Technology (Intermediaries Guidelines) Rules, 2011 Information Technology (Guidelines for Cyber Cafe) Rules, 2011

42. INFORMATION TECHNOLOGY RULES, 2011  Intermediaries have been straddled with the obligation to observe due diligence mandated by the Information Technology Act, 2000 and also by the Information Technology Rules, 2011.

43. INFORMATION TECHNOLOGY RULES, 2011  Further, the Rules have defined what is sensitive personal data or information. The Rule 3 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 states as follows: …contd.

44. INFORMATION TECHNOLOGY RULES, 2011 “3. Sensitive personal data or information.— Sensitive personal data or information of a person means such personal information which consists of information relating to;― …contd.

45. INFORMATION TECHNOLOGY RULES, 2011 (i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; …contd.

46. INFORMATION TECHNOLOGY RULES, 2011 (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise: …contd.

47. INFORMATION TECHNOLOGY RULES, 2011  Further various obligations have been put upon body corporate to provide for policy for privacy and disclosure of sensitive personal information. The way and the manner in which information has to be collected and disclose is vary vast.

48. INFORMATION TECHNOLOGY RULES, 2011  Further relevance is that every entity is obligated to maintain reasonable security practices and procedures under Rule 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. …contd.

49. INTERMEDIARY  Every person or institution doing work in information retrieval today is an intermediary under Section 2(1)(w) of the Information Technology Act, 2000.

50. LIABILITIES OF INTERMEDIARIES AND THE INDIAN CYBERLAW  There could have exposure to legal consequences, both civil and criminal, for the company and its top management.  Civil Damages - for damages by way of compensation upto 5 crore rupees per contravention under Section 43 of the Information Technology Act, 2000.

51. LIABILITIES OF INTERMEDIARIES AND THE INDIAN CYBERLAW  Criminal Consequences - The top management could also be exposed to criminal consequences ranging from imprisonment of 3 years to life imprisonment and fine from 1 Lakh INR to 10 Lakhs INR.

52. PAVAN DUGGAL ASSOCIATES COMPLIANCE FRAMEWORK – FOR COMPLIANCE, EVALUATION AND CERTIFICATION  Asia Pacific Legal 500 says about Pavan Duggal Associates “Cyberlaw specialist Pavan Duggal Associates Advocates is the first port of call for many in terms of cases involving data theft, usually companies that have experienced theft of confidential or commercially sensitive information by former employees.” “Pavan Duggal Associates Advocates provides niche expertise in cyber law.”

53.  Only in compliance, compliance and compliance lies the way for Nirvana for any intermediary.

54. A PRESENTATION BY PAVAN DUGGAL ADVOCATE, SUPREME COURT OF INDIA PRESIDENT, CYBERLAWS.NET PRESIDENT, CYBERLAW ASIA HEAD, PAVAN DUGGAL ASSOCIATES Email pduggal@vsnl.com pavanduggal@yahoo.com