Cookies and Privacy Rights

An employee’s right to privacy in the workplace is an increasingly controversial legal topic, especially in an age of increased reliance on computers. An employee’s private life often intersects with the workplace through personal phone calls, personal emails. Technology has enabled employers to monitor virtually all workplace communication made by employees using computers. The state of inequality in power in a contractual relationship like employee and employer makes it possible for employer to extract more information from an employee without his or her full hearted consent. The information may be pertaining to the personal life, specific choices, family issues, background etc. such steps may lead to violation of the privacy rights. [i]

Further, the article provides the basic definition of cookies, its types and the importance and rules to follow to disable cookies or duration of the same.

Introduction

Privacy basically means freedom from unauthorized restrictions. Perhaps the challenges occurred by cookies on the data privacy is under construction. Cookies may be used for variety of purposes including the ability to continue with the information of the last page on the website, to remember the login information. But the main type of cookies that create privacy concerns for users are third party cookies where the external organ may interrupt the data. The sole aim of the article is to under the Privacy Rights of Employees, the provisions of Information Technology Act and other aspects. 

Meaning of Privacy

  Privacy is-

  1. The quality or state of being apart from company or observation
  2. Freedom from unauthorized instruction

Provision under Indian Constitution

The constitution of India clearly safeguards the right to privacy as a part of life under Article 21. Despite the fact that privacy is a fundamental right, it is  well established that it is not an absolute right and may be lawfully restricted for the prevention of crime, disorder or protection of health or the protection of other’s right and freedom.[ii]

Employee’s Privacy rights at workplace are;

  • Internet Usage and Email.
  •  Phone Calls and Voicemail Messages- But Electronics Communications Privacy Act (ECPA) places certain restrictions on employer’s right to monitor its employee telephone usage at work.

Provisions under Information Technology (IT) Act, 2000

The main enactment that deals with protection of data is the IT Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal information) Rules, 2011 (the “IT Rules”). Under the IT Act and the IT Rules, what is primarily sought to be protected is ‘personal information’ and ‘sensitive personal data or information’, i.e. the information related to

(i) password;

(ii) financial information such as bank account or credit card or debit card or other payment instrument details;

(iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; and

(vi) biometric information. However, the information which is freely available in public domain is not considered within the ambit of ‘sensitive personal data or information’.[iii]

The Government has provided a legal framework for data protection and privacy through the IT Act and the IT Rules in following manner:

The IT Act, after its amendments in 2008, is now equipped with multiple provisions catering to data protection, mandatory privacy policies, and penalties to be imposed on breach of such privacy policies.[iv] Below are the relevant provisions of the IT Act:

i) Section 43 (a), (b) and (i) – This section provides that any person, who without the permission of the owner or, any other person who may be in charge of a computer, computer system or computer network-

a) accesses or secures access to such computer, computer system or computer network;

b) downloads, copies, or extracts any data, computer data base or information from such computer, computer system or computer network which includes information or data held or stored in any removal storage medium;

c) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage shall be liable to pay damages by way of compensation not exceeding the sum of INR 1,00,00,000 (Rupees One Crore) to the person so affected.[v]

ii) Section 43A – This section is bedrock of data protection and provides that where a body corporate possessing, dealing or handling any sensitive personal data or information25 in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, which shall not exceed a sum of INR 5,00,00,000 (Rupees Five Crores).

iii) Section 66 C – This section deals with identity theft and provides that whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment for a term which may extend up to three years and shall also be liable to pay a fine of up to INR 1,00,000 (Rupees One Lakh)

iv) Section 66 E – This section provides that whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person shall be punished with imprisonment which may extend up to three years or with fine not exceeding INR 200,000/- (Indian Rupees Two Lakh) or with both.[vi]

v) Section 72 – This section provides that any person who has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned and thereafter, discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to INR 1,00,000 (Rupees One Lakh) , or with both.[vii]

vi) Section 72A – This section provides that, any person, including an intermediary who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend up to three years, or with a fine which may extend up to INR 5,00,000 (Rupees Five Lakh), or with both. [viii]

Exception:

 Grounds on which Government can interfere with Data[ix]

Under Section 69 of the IT Act, any person authorized by the Government or by special authority, if satisfied that it is appropriated to monitor or intercept the information in relation to following grounds;

  1. The sovereignty or integrity of India,
  2. Defense of India,
  3. Security of the state,
  4. Friendly relation with Foreign states or
  5. Public order or
  6. For preventing incitement to the commission of any cognizable offence relating to above or
  7. For investigation of any offence

Sensitive Personal Data or Information (SPDI) [under Section 43A]

Employers collect SPDI of their employees for various reasons such as for selection process, record retention purpose, employee evaluations or other legitimate business purposes. In case if employer is negligent in implementing and maintaining the SPDI of employee, it may cause employer to be held liable to pay compensation to relevant employee.

Compliances in relation to SDPI

  1. Nexus– SPDI only be collected where there is need to collect such information.
  2. Opt in and opt out– Specific written consent should be taken from employees prior to collection of SPDI.
  3. Privacy policy- Employees shall have well documented privacy policy as required by IT Act and it shall be available on employer’s website also.
  4. Access- The employees should be allowed to revise or correct the deficiencies in the information.
  5. Transfer- SPDI can only be transferred where specific consent gas been taken by employees by adhering to the standards of the IT act.
  6. Reasonable security practices and procedure- The employers should maintain reasonable procedures to protect SPDI.[x]

Privacy in Tort law

The Right to Privacy is further discussed in the field of Torts which include the principles of nuisance, trespass, harassment, defamation, malicious falsehood and breach of confidence. The tort of Defamation involves the right of every person to have his reputation preserved inviolate by any third person and providing privilege to protect the right of freedom of speech. Also the employers have personal liability to ensure the physical safety of their employees. They are duty bound to take reasonable care, ensure safe workplace, safe system of work and well managed equipments and assets.

Privacy in Contract law

In India the governing legislation for contractual terms and agreements is provided under the Indian Contract Act 1872. There exist certain other means by which parties may agree to regulate or use of personal information gathered viz. by means of a ‘privacy clause’ or through a ‘confidentiality clause’ conformed under the deed. Accordingly, parties to a contract may agree to the use or may disclose an individual’s personal information, with the due permission and consent of the individual, in an agreed and lawful manner and/or for agreed purposes, but, any unauthorized disclosure of information, against the express terms of the agreement would amount to a breach of contract inviting an action for damages as a consequence of any default in observance of the terms of the contract. Also According to section 23 of the Act 1872, objects and consideration shall be lawful and must not be forbidden by law.

Privacy obligations under Specific relationships

There are few cases of specific inter-personal relationships wherein one party might be obligated or duty bond to maintain a certain measure of confidentiality. Unlike, doctor-patient, husband-wife, customer-insurance company or an attorney-client relationship, principle and agent; are instances where there exists a strong ethical obligation on the part of one party to protect the privacy of information relating to an individual which may expose him to social humiliation and/or ridicule. The above principle also receives legal standing in Ss. 123-126 of the Indian Evidence Act, 1871.

Provision under Intellectual Property Laws

The Indian Copyright Act prescribes mandatory punishment for piracy of copyrighted matter commensurate with the gravity of the offense. Section 63B of the Indian Copyright Act provides that any person who knowingly makes use on a computer of an infringing copy of computer program shall be punishable for a minimum period of six months and a maximum of three years in prison.[xi]

Provision under Credit Information Companies Regulation Act, 2005 (“CICRA”)

As per the CICRA, the credit information pertaining to individuals in India have to be collected as per privacy norms enunciated in the CICRA regulation. Entities collecting the data and maintaining the same have been made liable for any possible leak or alteration of this data. CICRA has created a strict framework for information pertaining to credit and finances of the individuals and companies in India.[xii]

The Personal Data Protection Bill, 2019

A Bill to provide for the right to privacy to the citizens of India and regulate the collection, regulation, maintenance, use and dissemination of their personal information and provide for penalization for violation of such rights and for matters connected therewith or incidental/hereto. The Bill governs the processing of personal data by (a) government, (b) companied incorporated in India and (c) foreign companies dealing with personal data of individuals in India

The Bill classifies certain personal data as sensitive personal data. That includes financial data, biometric data, caste, religion or political beliefs, or any other category recognized by the government.

 The Bill amends the IT Act, 2000 to delete the provision related to compensation payable by companies for failure to protect personal data. [xiii]

Anti- Discrimination Laws

The Constitution of India provides for equality of opportunity for all citizens relating to employment or appointment to any office under the State. Further, there shall be no discrimination on the basis of caste, race sex, descent, place of birth, religion or residence.

Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 (‘SHW ACT’)- The Act provides for detailed complaint and inquiry mechanism in case of sexual harassment complaints at workplace. Under the Act, the employers are required to constitute an Internal Complaints Committee (ICC) that will inquire into sexual harassment complaints.[xiv]

Immune Deficiency Syndrome (Prevention and Control) Act, 2017 (‘HIV ACT’)-provides the strict internal policies with reference to discrimination issues relating to person with HIV, or belonging to social backward class etc.

The Equal Remuneration Act, 1976- Prohibits discrimination between workers on grounds of gender. The Act applies to both public and private sector employees. The Act extends to situation where relationship of employer and employees exist.[xv]

What are Cookies?

Cookies are small text files sent from the websites to the person’s terminal (usually the browser), where they are stored before being transmitted again on the same website visited by the same user. They are designed to hold small amount of data specific o particular client and website, and can be accessed either by the web server or client computer. A cookie cannot recover any other data from the user’s hard drive or pass on computer viruses or capture email addresses. Each single cookie is unique to the user’s web browser.[xvi] The advantage of having the cookies installed in one’s computer is that one no longer needs to fill out the same information each time if the user wants to access a site that has already been visited.

Types of Cookies[xvii]

Based on the features and essential fragments the cookies are distinguished among several categories:

Technical Cookies- Theses cookies are essential for the appropriate running of the site and are use to manage the login and the access to reserved functions of the site. The main purpose is to carry out the transmission of communication over an electronic communication network. The duration of this cookie is limited to the working session. They are not used for any other purpose and are generally installed by the owner or operator of the website. They are necessary for the correct working of the site as well as enable the user to browse the data based on the series of criteria such as language, selected products to purchase to improve the service or handle the data in precise manner. For installation of these cookies prior user’s consent is not required.

Profiling Cookies- These are aimed at creating profiles related to the user and are used to send advertising messages on the line with the preferences shown by the same part.

 Third party Cookies- These cookies are used to collect and analyze traffic and utilization of the site anonymously. These are related to the external domains and can be installed by any person. They allow the external users to monitor the system and improve stability. The deactivation of these cookies can be executed without any loss of functionality.[xviii]

Duration of the Cookies

Some cookies remain active only until the user closes the browser or logout known as Session/Temporary cookies. While other cookies survive to the closure of the browser and are available also for future visits known as Persistent cookies. In some cases deadline is defined, in other cases the duration is unlimited.

List of Technical Cookies on the site

System Cookies- The user can disable these cookies from the browser by following the instruction in the dedicated paragraph on the site.

Google Analytics- These is tracking cookies used for the generation of site usage statistics. Google analytics uses cookies that do not store personal data and that are placed on your computer to allow the operator of the website to analyze how users use the site.

Facebook- It uses cookies to offer the user sharing functionality and ‘like’ on your profile.

Twitter- It uses cookies to offer sharing functionality on their wall.

How can we delete the Cookies?

We can disable cookies on our computer at any time, by changing  the Security and privacy setting on the browser.

Security issue with Cookies

Cookies are very important for ecommerce companies and advertising agencies that uses information through cookies to create a profile of a user. But the fact of Privacy is the most important concern, even though cookies cannot harm the computer like viruses. There exist several security implications with cookies, some website use cookies to provide free platform for free and easy access. However, if the login credentials or session details not entered carefully this type of system may be venerable to exploitation by unscrupulous third parties. Compromise with login details greatest privacy violation and may give serious threat to user.

 

Conclusion

Cookies are developed to provide easy and fair access to users. The purpose is to avoid unnecessary conflicts arising from websites delivering essential contents. Te question of privacy rights is the major concern as the information are stored for some duration. The threat from third party access may put client’s personal information at concern position. The Privacy rights encompassed with cookies are vital and also involve the information of employees working in organization. The liability cast upon the employers to ensure privacy of personal information of employees is adhered under various provision of IT Act, 2000. The article is to provide the details of privacy rights of users, employees and the overall purpose of Cookies.

Frequently Asked Questions (FAQs) 

a) Who can collect the personal data?

Rules 5 of the IT Rules prescribes that nobody corporate or any person on its behalf shall collect sensitive personal data or information unless (a) the information is collected for a lawful purpose connected with a function or activity of the body corporate; and (b) the collection of such information is considered necessary for that purpose.

b) For what duration can the personal data be stored?

Anybody corporate or persons holding sensitive personal data or information on its behalf cannot retain it for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any law for the time being in force and such information can be used only for the purpose for which it is collected.

c) To what extend can the personal data be shared with third parties?

The body corporate receiving the information can disclose sensitive personal data or information to any third party, provided prior permission from the provider of such information has been received, or such disclosure has been agreed to in the contract between the recipient and the provider of information, or where the disclosure is necessary for compliance of a legal obligation.

However, no such consent from the information provider is required where the information is shared with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.

d) What are the obligations of the employers in relation to the personal data collected of its employees?

The employers routinely collect ‘sensitive personal information’ of its employees such as health records, financial information etc. If the employer stores such personal information on a computer resource, such employer, if a body corporate, is required to have in place a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected.

e) Can cookies be used to violate my privacy?

Cookies cannot be used to obtain personal information from your computer. The only data in cookies is the data put into by a website server. The only site that has access to it is the site that put is there.

f) Who invented cookies?

Cookies were invented by Netscape in 1995 as a way to solve the persistence problem in HTTP sessions.

g) What’s the problem with third party types of cookies?

These type of cookies raise privacy concerns because they are largely hidden from view, difficult to locate, and hard to delete.

h) Are cookies only way to track me?

No, your browsing history can also be traced without using cookies.


References

[i] Halcrow, L.P., Technology and Ethics: privacy in the workplace,  Business and Society review, Sept 2001, 106(1):2-27.

[ii] V N Shukla, Constitution of India (10th ed, Eastern Book Company, 2018).

[iii]    Privacy Policy, Genzee (Oct 11, 2019, 3PM) https://genzee.in/pages/privacy-policy

[iv] Information Technology (Reasonable Security Practices and Protection and Sensitive Personal Information) Rules, 2011, (India).

[v] Section 43, Information Technology Ac t, 2000,  Acts of Parliament, 2000 (India). https://indiankanoon.org/doc/39800/

[vi]  Umair Ahmed, Emergence of Data Protection, SCRIBD (Nov 23, 2019, 3 Pm) https://www.scribd.com/document/436457765/Data-Protection

[vii] IT Act Regulations, MedRecordz (Nov 23, 2019, 4PM) http://medrecordz.com/MainPage.aspx

[viii] Information Technology Ac t, 2000,  Acts of Parliament, 2000 (India).

[ix] Aadhar Scheme and the Right to Privacy in Cyberspace, LawLex Org. (Mar 30, 2014, 4PM) 

https://lawlex.org/lex-bulletin/aadhar-scheme-and-the-right-to-privacy-in-cyberspace/9535

[x] The Indian Legal Position on Employee data protection and employee privacy, Rakhi Jindal, Sensitive data and information.

[xi] Data Protection Laws in India (Sept 11, 2019, 5PM)  https://studylib.net/doc/8035601/data-protection-laws-in-india

[xii] Devansh Saxena, Position and Perspective of Privacy Laws in India, Academike (Sept 8, 2014, 6PM)  http://www.lawctopus.com/academike/position-perspective-privacy-laws-india/html.

[xiii]  Draft Privacy Bill, The Centre for Internet & Society (Sept 11, 2011, 5PM) http://cis-india.org/internet-governance/draft-bill-on-right-to-privacy.

[xiv] IndusLaw, L& E Global, Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, Employment Law Overview  India,  Oct  2013, at 15.

[xv] LexMundi World Ready, Labour and Employment Desk Book, Amarchand & Mangaldas & Suresh A. Shroff & Co. (The Equal Remuneration Act, 1976).

[xvi] Information Cookie policy website, Mitigid (Jan 20, 2018, 10.15 PM), http://www.mitigid.com/pdf/Whatarecookies/html.

[xvii] Privacy and Cookies, Mezzaluna (Feb 15, 2017, 9.00 PM) http://www.mezzalinabio.it/PDF/PrivacyandCokkies/html.

[xviii] EGV1 – Cookie Policy (Oct 11, 2019, PM)  https://www.egv1.com/en/cookie-policy/

Leave a Reply

Your email address will not be published. Required fields are marked *