Effects of TRIPS Plus Provisions in International Trade Agreements upon Access to Medicines in Developing Countries

JIPR Vol.22(6) [November 2017]

Sandeep Mittal
Former Director, LNJN NICFS (MHA)
New Delhi, India
sandeep.mittal@nic.in

Journal of Intellectual Property Rights (JIPR) : [776]
ISSN: 0975-1076 (Online); 0971-7544 (Print)
JIPR Vol.22(6) [November 2017] Page(s): 295-302

 

Abstract: Though the UN has envisaged that accessibility to essential medicines is a basic human right, a large number of people in developing countries are denied access to essential medicines. MNCs having the branded medicines have a tendency to choke the supply chain of cheaper generic medicines using the weapon of intellectual property rights. The TRIPS Agreement has set the minimum standard of protection of Intellectual Property but it has provisions of flexibilities such as compulsory licenses, parallel imports, limitations to patent rights, etc., which can be used by member states to provide access to these essential medicines to their people. However, countries like the US are using provisions which are over and above the flexibilities incorporated in TRIPS to deny access to essential medicines to people in developing countries. The accessibility of essential medicines to the population in developing countries as affected by these FTAs, ACTA, TPP and TTIP agreements has been examined in this paper and a case has been made out for the unity of the developing and least developed countries to deter the US from choking the supply lines of the essential medicines to the poor and needy.

Keywords: Doha Declaration, TRIPS, Free Trade Agreements, ACTA, TPP, TTIP, intellectual property rights

Both the Universal Declaration of Human Rights, 1948, (the Declaration),1 and the International Covenant on Economic, Social and Cultural Rights (the Covenant) require that “medicines are available, accessible, acceptable and of good quality”.2 All the states that are a party to the Covenant have the “legal obligation not to interfere with the rights conferred under the Declaration and the Covenant”.3 However, horizontal and vertical spatial inequalities in healthcare, including in terms of access to medicines, persist throughout the world.4 The mortality rate due to tuberculosis in the WHO African Region during the year 2013 was 42 per a population of 100,000, which is more than twice the global mortality rate (of 16 per a population of 100,000) and 42 times the mortality rate of the WHO American Region (of 1 per a population of 100,000).5 In 2013, in sub-Saharan Africa, out of 25 million people living with HIV, about 64 per cent did not have access to any ART.6 The lack of access to essential medicines in a country is the result of many factors, but the primary reason is the prevalence of high prices of the medicines, stemming from strong intellectual property protection.7 A “secondary analysis of medicine prices, availability, [and] affordability, in 36 developing and middle income countries”8 indicates that the median price difference for originator medicines is substantially higher, reaching up to a whopping figure of 380 per cent as compared to the generic equivalents of these medicines. This reinforces the demand for “switching from originator brand medicines to generic equivalents in the developing countries”, which could facilitate savings of up to 80 per cent on expenditures incurred on essential medicines, as illustrated in Fig. 1.9

Although the TRIPS Agreement10 lays down minimum standards for the protection of intellectual property, and offers safeguards and flexibilities to prevent patent abuse, the developed countries like the US and the European Union (EU) nations are signing bilateral trade agreements to usurp the flexibilities ingrained in TRIPS. However, the US is consistently and aggressively using such FTAs to deny access to essential medicines to populations in developing countries. Therefore, the scope of this paper is limited to an analysis of the FTAs initiated by the US. The flexibilities available in TRIPS are listed out in the paper with the objective of examining how the US is using bilateral FTAs11 and plurilateral (ACTA12, TPP13, TTIP14) agreements to coerce developing countries into accepting stringent ‘TRIPS plus’ provisions for satiating the ever-growing greed of the pharmaceutical industry and denying the poor and needy access to essential medicines. The paper also assesses other factors that constrain the availability of essential medicines for those in desperate need of the latter.

Figure 1 — Average percentage savings obtained by switching from originator brands to lowest priced generic equivalents for three individual medicines in the developing countries15

TRIPS Flexibilities, the Doha Declaration and Public Health

The TRIPS Agreement delineates the minimum global standards for the protection of intellectual property, and offers sufficient liberty (‘flexibilities’) to the Member States to adapt the ‘IP Regimes’ in consonance with their own socio-economic needs. It is legally binding and enforceable through the Dispute Settlement Understanding and is backed by sanctions. A consolidated overview16 of these ‘TRIPS-flexibilities’ aiding the availability of essential medicines is presented in Table 1. The ‘Doha Declaration’17 was adopted after a compromise was reached between the developing countries (mainly India and Brazil) and the developed countries (mainly the US), which read as follows:

“We agree that the TRIPS Agreement does not and should not prevent Members from taking measures to protect public health. Accordingly, while reiterating our commitments to the TRIPS Agreement, we affirm that the Agreement can and should be interpreted and implemented in a manner supportive of WTO Members’ right to protect public health and, in particular, to promote access to medicines to all. In this connection, we reaffirm the right of WTO members to use, to the full, the provisions in the TRIPS Agreement, which provide flexibility for this purpose.”18

The Doha Declaration further recognises various flexibilities, “according to and in the light of Paragraph 4 of Declaration, while maintaining commitments in the TRIPS Agreement”.19 Going a step further, it reiterated, and even more explicitly, that public health rights prevail over individual IP rights. This move was possible as the developing countries were well prepared and operated as one block, while also enjoying the active support of international NGOs.7

Recently, the UNHRC passed the following resolution,20 despite objections from the UK, Switzerland and the European Union, which is a big leap for the poor populations in accessing essential medicines:

1. Recognizes that access to medicines is one of the fundamental elements in achieving progressively the full realization of the right of everyone to the enjoyment of the highest attainable standard of physical and mental health; [OP1, HRC resolution 12/24 and OP 2, HRC resolution 23/14]

2. Stresses the responsibility of States to ensure access for all, without discrimination, to medicines, in particular essential medicines, that are affordable, safe, efficacious and of quality; [based on OP2, HRC resolution 12/24]

3. Calls upon States to promote access to medicines for all, including through the use, to the full, of the provisions of the Agreement on Trade-Related Aspects of Intellectual Property Rights which provide flexibility for that purpose, recognizing that the protection of intellectual property is important for the development of new medicines, as well as the concerns about its effects on prices; [OP7, “g”, HRC resolution 17/14 and OP 5, “h”, HRC resolution 23/14]

However, in order to benefit from such flexibilities, a country needs to not only frame or amend its national IP laws but also ensure the availability of and access to technology, financial resources, and trained interdisciplinary human resources. The experiences of developing countries like South Africa,21 Thailand,22, 23 and India24, 25 are indicative of the difficulties being faced by the other developing and the Least Developed Countries (LDCs) in implementing ‘TRIPS flexibilities’ for making essential medicines available to their populations at affordable rates. Significantly, the failure to push through its own public health draft at Doha did not deter the US from using its domestic laws to ‘arm-twist’ countries like Argentina, South Africa and Guatemala by putting them on the ‘USTR 301 Watch List’. This action compelled them to toe the US line in bypassing the “TRIPS flexibilities and accepting ‘TRIPS Plus’ laws to institute more stringent pharmaceutical intellectual property protection”, thereby preventing access to essential medicines in these countries.26 There is no clear definition of ‘TRIPS plus’ but in principle, it refers to commitments that go beyond the TRIPS Agreement.27

The US-FTAs: ‘TRIPS Plus’…or ‘US Plus’…or ‘TRIPS Multiple’…

The consistent differential perspective on the standard of protection in TRIPS as the ‘floor’ (minimum standard) of the US and as the ‘ceiling’ (maximum standard) of the developing countries continues to be a driving force behind the aggressive efforts being made by the US to raise the ‘ceiling’, eliminate TRIPS flexibilities and plug loopholes in TRIPS.36 While playing the multi-level, multi-forum global governance card, countries like the US are able to extract TRIPS plus commitments from the economically vulnerable parties through Bilateral Investment Treaties, Bilateral Free Trade Agreements and Regional Free Trade Agreements37 by exerting pressure through the use of the Special 301 clause under the Trade Act, 1974, and the imposition of unilateral sanctions and negotiation of investment treaties.38 The US has signed a slew of such agreements and is currently negotiating a few more as listed in Table 2.
Most of these stringent provisions, crafted in close nexus with the branded originator drugs pharmaceutical industry,36 aim at promoting originator drugs and eliminating or delaying the entry of generic medicines, thus preventing access to essential medicines at an affordable cost.39 The US–Morocco FTA is considered as the most stringent of all the US FTAs. A summary of the general ‘TRIPS plus’ provisions affecting the availability of essential medicines in the US FTAs is presented in Table 3.

*V = Vietnam, J = Jordan, S = Singapore, C = Chile, M = Morocco, A = Australia, D = DR-CAFTA, B = Bahrain

Consider the views of the pharmaceutical industry on TRIPS plus provisions, as put forward by Mickey Kantor,44 a former USTR turned lobbyist for the pharmaceutical industry, while trying to explain that the provisions of free trade agreements are not violative of the TRIPS Agreement, which read as follows:

“Characterizing these provisions as TRIPS-plus is misleading,…. While it is true that these provisions often are more specific and provide greater intellectual property protection than that provided by the TRIPS Agreement, that does not mean they violate the TRIPS Agreement.”45

However, subsequently in the same document, he made his dubious intention clear, which read:

“Article 31, the Doha Declaration and the Paragraph 6 Compromise are fundamentally ‘exceptions’ to the intellectual property protections embodied in the TRIPS Agreement…..But these exceptions can not swallow the rule: strong intellectual property protections remain essential to foster innovation and creativity.”46

An analysis of the TRIPS plus provisions listed above leaves no doubt that these FTAs undermine the TRIPS flexibilities with their intention to block the supply chain of generic medicines and are thus fatal in terms of ensuring accessibility to essential drugs.31, 47

The Free Trade Agreements, from Bilateral to Plurilateral Mechanisms

The success in coercing many countries to sign FTAs encouraged the US to take bilateral negotiations to the next higher level of plurilateral negotiations. The US had been unsuccessful in imposing its own intellectual property standards on the developing countries since the advent of the TRIPS and Doha negotiations. Consequently, it began negotiating bilateral trade agreements, with each successive agreement building more ‘pluses’ on the predecessors, to achieve a cumulative effect,49 and creating more regional trade blocks like ACTA, TPP and TTIP. The negotiations for these regional agreements were shrouded in secrecy, away from the gaze of the public and NGOs, to avoid pre-emption of their next moves by these democratic stakeholders. When some of these draft agreements were leaked into the public domain, there was a hue and cry because of their ominous implications for civil liberties and access to essential medicines. The European Parliament rejected ACTA, despite the fact that the EU and its 22 members had signed the agreement. The TPP was signed in 2016, but is still not in force, while the TTIP is still under negotiation. The TPP and TTIP together would be the largest critical mass of support for ‘US-forced’ TRIPS plus laws (Fig. 2).

When the Senate passed the Trade Promotion Authority, the US President termed it as “……an important step toward ensuring [that] the United States can negotiate and enforce strong, high-standards trade agreements…..”.49

A summary of the TRIPS plus provisions in the ACTA and TPP and their effects on the availability of affordable medicines is presented in Table 4, clearly pointing to a systematic attempt to create more stringent standards, thus increasing the “barriers to access generic medicines either by intensifying such IP protections as existence and duration of exclusivity or by reducing the use of flexibilities such as compulsory licenses or parallel import”.50 The introduction of third-party liabilities, exemplary deterrent penalties and criminal offences illustrates how the US is determined to choke the global supply lines of essential medicines.

Figure 2: Schematic map showing the emergence of a Mega Free Trade Area

The US Government explicitly leveraged bilateral FTAs to influence regional and multilateral negotiations on ‘TRIPS plus’, thus triggering the onset of plurilateralism through six distinct mechanisms, viz., “chain reaction, pressure for inclusion, coalition building, emulation, legal interpretation and adherence”. This has fostered instability and fragmentation among the WTO members.55 The ‘TRIPS plus’ bilateral, regional and plurilateral agreements have also made it difficult for the affected populations to access essential medicines not only due to the lack of capacity and resources but more so because of strikes by the developed countries. This prompted the developing countries to strike back at the WTO, WIPO, and international regimes, giving rise to fears of a potential TRIPS-war.56, 57 If a sufficient number of countries sign these agreements, leading to the adoption of TRIPS plus standards, the US would be able to use Article 4 of TRIPS to legitimately exert pressure upon multilateral forums like the WTO and WIPO,50 for laying down new international standards in line with the TRIPS plus provisions.48 The intellectual property protection regime is hence seen to be monopolistically shifting from the ‘TRIPS plus’ to a ‘TRIPS multiple’ regime in congruence with the US Government’s ‘military–political’ goals.58

However, access to essential medicines is also dependent on the political will and policies of individual countries. Public interest groups and NGOs play a crucial role in improving accessibility to medicines. Ensuring stringent checks on corrupt practices by pharmaceutical companies and procurement officials would also help improve the situation. The capacity building of countries in terms of technology and human resources for generic manufacturing would be an important factor in making countries self-reliant in the manufacture of generic medicines. However, the apprehension persists that geo-political considerations may influence governments to succumb to pressures from their military allies, compelling them to fall in line with the efforts of the US to block access to generic medicines throughout the world.

Conclusion

The right to public health, including access to essential medicines, is a basic human right and has precedence over the individual right of intellectual property. Ample flexibilities in this regard have been incorporated in the TRIPS Agreement and have been reiterated in the Doha Declaration. However, countries like the US are using the mechanism of bilateral and plurilateral FTAs having ‘TRIPS plus’ provisions to usurp these ‘TRIPS flexibilities’ for denying access to essential medicines to populations in developing and least developed countries. The emerging mega-regionals like ACTA, TPP and TTIP would worsen the situation by putting the affected populations to more hardships. The developing and least developed countries need to unite to prevent the US from altering the international law in world trade in the near future. In addition, international NGOs, all citizens, legislators and the judiciary in these countries need to become decisively proactive to ensure the uninterrupted supply of essential medicines for the public. This can be achieved only by curtailing the hegemony of the West and allowing the less developed nations to exercise their prudence and freedom to make essential medicines easily available for their populations while keeping the complicated issue of patents at bay.

VII. REFERENCES

  • 1 Universal Declaration of Human Rights, ed. United Nations (United Nations, 1948), Article 30.
  • 2 International Covenant on Economic, Social and Cultural Rights, in Treaty Series, 993, p.3, ed. United Nations (UN General Assembly, 1966), Article 12.
  • 3 International Covenant on Economic, Social and Cultural Rights, in Treaty Series, 993, p.3, ed. United Nations (UN General Assembly, 1966), Article 5.
  • 4 The World Health Report 2008: Primary Health Care Now More Than Ever, World Health Organization, 2008.
  • 5 World Health Statistics 2015, in Geneva: WHO, ed. World Health Organization (Geneva: World Health Organization, 2015), fig. 7, 3rd graph.
  • 6 World Health Statistics 2015, in Geneva: WHO, ed. World Health Organization (Geneva: World Health Organization, 2015), fig. 5.
  • 7 Ellen F M ’t Hoen, TRIPS, pharmaceutical patents and access to essential medicines: A long way from Seattle to Doha, Chicago Journal of International Law, 3 (1) 2002.
  • 8 Alexandra Cameron et al., Medicine prices, availability, and affordability in 36 developing and middle-income countries: A secondary analysis, The Lancet, 373 (9659) 2009.
  • 9 Alexandra Cameron et al., Switching from originator brand medicines to generic equivalents in selected developing countries: How much could be saved?, Value in Health, 15 (5) 2012.
  • 10 Agreement on Trade-Related Aspects of Intellectual Property Rights, ed. World Trade Organization, 1869 UNTS 299; 33 ILM 1197 (1994), World Trade Organization, 1994.
  • 11 Free Trade Agreements signed by US with several countries under Trade Promotion Authority Act, 2002, which mandates IP protection in bilateral and multilateral agreements similar to US Domestic Law.
  • 12 Anti-Counterfeiting Trade Agreement, 2010, 10 of the 11 negotiating parties [Australia, Canada, EU (+22 members), Japan, Mexico, Morocco, New Zealand, Singapore, South Korea, Switzerland, United States] signed by 2012, except Switzerland. The 22 EU Member countries also signed. So far only Japan has ratified. European Parliament rejected ACTA on 4 July 2012 on grounds of potential threat to civil liberties.
  • 13 Trans-Pacific Partnership Agreement, 2016 (signed but not in force). An attempt by US to unite 12 countries in Pacific Rim.
  • 14 Transatlantic Trade and Investment Partnership, ed. US and EU (Under Negotiation).
  • 15 Cameron et al., Switching from Originator Brand Medicines to Generic Equivalents in Selected Developing Countries: How Much Could Be Saved?, Table 5, Value in Health, 15(5) (2012) 664-73. The graph in this paper is drawn by using this secondary data.
  • 16 Cameron et al., Switching from Originator Brand Medicines to Generic Equivalents in Selected Developing Countries: How Much Could Be Saved?, Table 5, Value in Health, 15(5) (2012) 664-73. Consolidated Table is original to this paper.
  • 17 Declaration on the TRIPS Agreement and Public Health adopted on 14 November 2001, Doha WTO Ministerial 2001: TRIPS, ed. DOHA WTO MINISTERIAL 2001: TRIPS, WT/MIN(01)/DEC/2, and 20 November 2001 (Doha 2001).
  • 18 Declaration on the TRIPS Agreement and Public Health adopted on 14 November 2001, Doha WTO Ministerial 2001: TRIPS, ed. DOHA WTO MINISTERIAL 2001: TRIPS, WT/MIN(01)/DEC/2, and 20 November 2001 (Doha 2001), para 4.
  • 19 Declaration on the TRIPS Agreement and Public Health adopted on 14 November 2001, Doha WTO Ministerial 2001: TRIPS, ed. DOHA WTO MINISTERIAL 2001: TRIPS, WT/MIN(01)/DEC/2, and 20 November 2001 (Doha 2001), para 5.
  • 20 UNHRC, Draft Resolution on Access to medicines in the context of the right of everyone to the enjoyment of the highest attainable standard of physical and mental health, 32nd Session, Agenda No. 3 (2016).
  • 21 Patrick B, Globalization, Pharmaceutical pricing, and South African health policy: Managing confrontation with US firms and politicians, International Journal of Health Services, 29 (4) 1999.
  • 22 Mohara A et al., Impact of the introduction of Government use licenses on the drug expenditure on seven medicines in Thailand, Value in Health, 15 (1) 2012.
  • 23 Akaleephan C et al., Extension of market exclusivity and its impact on the accessibility to essential medicines, and drug expense in Thailand: Analysis of the effect of TRIPS-Plus proposal, Health Policy, 91 (2) 2009.
  • 24 Kapczynski A, Harmonization and its discontents: A case study of TRIPS implementation in India’s pharmaceutical sector, California Law Review, 97 (6) 2009.
  • 25 Lee Linda L, Trials and TRIPS-ulations: Indian Patent Law and Novartis Ag v Union of India, Berkeley Technology Law Journal, 23 (1) 2008.
  • 26 Ghanotakis E, How the US interpretation of flexibilities inherent in TRIPS affects access to medicines for developing countries, The Journal of World Intellectual Property, 7 (4) 2004.
  • 27 David Vivas-Eugui, Regional and Bilateral Agreements and a TRIPS-Plus World: The Free Trade Area of the Americas (FTAA), Quaker United Nations Office (QUNO), 2003.
  • 28 Grover A, Report of the Special Rapporteur on the Right of Everyone to the Enjoyment of the Highest Attainable Standard of Physical and Mental Health, UN General Assembly, Human Rights Council, 2009.
  • 29 Deere C, The implementation game: The TRIPS Agreement and the global politics of intellectual property reform in developing countries, OUP Oxford, 2008.
  • 30 Indian Patents Act, 1970, Section 3(d).
  • 31 Abbott Frederick M & Reichman Jerome H, The Doha Round’s public health legacy: Strategies for the production and diffusion of patented medicines under the amended TRIPS provisions, Journal of International Economic Law, 10 (4) 2007.
  • 32 Cecilia Oh, Compulsory licences: Recent experiences in developing countries, International Journal of Intellectual Property Management, 1 (1-2) 2006.
  • 33 Musungu Sisule F & Cecilia Oh, The Use of Flexibilities in TRIPS by Developing Countries: Can They Promote Access to Medicines? World Health Organization, South Centre Geneva, 2006.
  • 34 Nathan Ford et al., The role of civil society in protecting public health over commercial interests: Lessons from Thailand, The Lancet, 363 (9408) 2004.
  • 35 Developing countries can take lesson from European Union in detailing anti-competitive practices in pharmaceutical sector, Domanico Fabio & Kamilarova Elena, Final results of the commission pharmaceutical sector inquiry: Competition and regulatory concerns to address, Antitrust, 2009.
  • 36 Susan K Sell, TRIPS-Plus free trade agreements and access to medicines, Liverpool Law Review, 28 (1) 2007.
  • 37 Abbott Frederick M, Intellectual property provisions of bilateral and regional trade agreements in light of US Federal Law, UNCTAD-ICTSD Project on IPRs and Sustainable Development, Issue Paper, no. 12, 2006.
  • 38 Jorge María Fabiana, TRIPS-Plus provisions in trade agreements and their potential adverse effects on public health, Journal of Generic Medicines: The Business Journal for the Generic Medicines Sector, 1 (3) 2004.
  • 39 Correa Carlos María, Implications of bilateral free trade agreements on access to medicines, Bulletin of the World Health Organization, 84 (5) 2006.
  • 40 Fink C & Reichenmiller P, Tightening TRIPS: Intellectual property provisions of US Free Trade Agreements, Trade, The World Bank Group Trade Note, 7 February 2005.
  • 41 Fink C, Entering the jungle of intellectual property rights exhaustion and parallel importation, Intellectual Property and Development: Lessons from Recent Economic Research, Oxford, UK: Oxford University Press/Washington, DC: World Bank, 2005.
  • 42 Krikorian Gaëlle P & Szymkowiak Dorota M, Intellectual property rights in the making: The evolution of intellectual property provisions in US Free Trade Agreements and access to medicine, The Journal of World Intellectual Property, 10 (5) (2007).
  • 43 Jorge M F, TRIPS-plus provisions in trade agreements and their potential adverse effects on public health, Journal of Generic Medicines, 1 (2004) 199–211.
  • 44 Kantor M, US Free Trade Agreements and the Public Health, Submission to the WHO’s Commission on Intellectual Property Rights, Innovation, and Public Health, http://www.who.int/intellectualproperty/submissions/US%20FTAs%20and%20the%20Public%20Health.pdf, 2005.
  • 45 Kantor M, US Free Trade Agreements and the Public Health, Submission to the WHO’s Commission on Intellectual Property Rights, Innovation, and Public Health, http://www.who.int/intellectualproperty/submissions/US%20FTAs%20and%20the%20Public%20Health.pdf, 2005, p. 3.
  • 46 Kantor M, US Free Trade Agreements and the Public Health, Submission to the WHO’s Commission on Intellectual Property Rights, Innovation, and Public Health, http://www.who.int/intellectualproperty/submissions/US%20FTAs%20and%20the%20Public%20Health.pdf, 2005, p. 9.
  • 47 Fink C, Entering the jungle of intellectual property rights exhaustion and parallel importation, Intellectual Property and Development: Lessons from Recent Economic Research, Oxford, UK: Oxford University Press/Washington, DC: World Bank, 2005; Fink C & Reichenmiller P, Tightening TRIPS: Intellectual property provisions of US Free Trade Agreements, Trade, The World Bank Group Trade Note, 7 February 2005.
  • 48 Drahos P, Bits and Bips, The Journal of World Intellectual Property, 4 (6) 2001.
  • 49 Statement by the President on Senate Passage of Trade Promotion Authority and Trade Adjustment Assistance, News Release, 2015, https://www.whitehouse.gov/the-press-office/2015/05/22/statement-president-senate-passage-trade-promotion-authority-and-trade-a.
  • 50 Krikorian G P & Szymkowiak D M, Intellectual property rights in the making: The evolution of intellectual property provisions in US Free Trade Agreements and access to medicine, Journal of World Intellectual Property, 10 (5) (2007) 388–418, at 393.
  • 51 Flynn Sean M & Madhani B, Acta and access to medicines, The Greens, European Free Alliance, 2011.
  • 52 Weatherall K, Politics, compromise, text and the failures of the Anti-Counterfeiting Trade Agreement, Sydney Law Review, 33, 2011.
  • 53 Baker B K, Acta-Risks of third-party enforcement for access to medicines, American University International Law Review, 26 2010.
  • 54 Jaeger T, Merging Acta into TRIPS: Does TRIPS-Based IP Enforcement Need Reform?, in TRIPS Plus 20, From Trade Rules to Market Principles, ed. Hanns Ullrich, Reto M Hilty, Matthias Lamping & Josef Drexl, Heidelberg: Springer, 2016.
  • 55 Morin Jean‐Frédéric, Multilateralizing Trips‐Plus Agreements: Is the US strategy a failure?, The Journal of World Intellectual Property, 12 (3) 2009.
  • 56 Peter K Yu, The rise and decline of the intellectual property powers, Campbell Law Review, 34 2012.
  • 57 TRIPS Wars: Developing Countries Strike Back, 2016, http://goo.gl/irhKcQ.
  • 58 Pérez-Rocha, The Transatlantic Trade and Investment Partnership (TTIP): Why Should the World Beware, Brussels, Rosa-Luxemburg-Stiftung, 2015.

A Study of the Privacy Attitudes of the Users of the Social Network(ing) Sites and Their Expectations from the Law in India

International Conference on Intelligent Systems Design and Applications
ISDA 2017: Intelligent Systems Design and Applications pp 1038-1051

Abstract

In an era of information revolution and Web 2.0 technologies, the Social Network(ing) Sites (SNSs) have become a popular medium for the freedom of expression, the networking and maintaining the networks with the strangers and known others. A large amount of personal data is disclosed by the users intentionally or unknowingly on these social networking sites. The protection of this data at residence and in motion and its further processing by SNSs and their third parties is a cause of concern. In the present study, the attitude of Indian users of SNSs towards data privacy and their expectations from law in India have been explored and analyzed to validate the need for creation of a data privacy law in India. This study would provide timely guidance for policy makers who are currently engaged in framing a data protection framework on the directions of Supreme Court of India by following due process of law.

Source: https://link.springer.com/chapter/10.1007%2F978-3-319-76348-4_100

THE ROLE OF CONSENT IN LEGITIMISING THE PROCESSING OF PERSONAL DATA UNDER THE CURRENT EU DATA PROTECTION FRAMEWORK

Asian Journal of Computer Science And Information Technology 7: 4 August (2017)

Sandeep Mittal
Cyber Security & Privacy Researcher
Former Director, LNJN NICFS (MHA)
New Delhi, India
sandeep.mittal@nic.in
Priyanka Sharma
Professor & Head,
Information Technology & Telecommunication,
Raksha Shakti University,
Ahmedabad, India

 

Abstract: A large amount of personal data is being collected in the form of metadata or personal identification data having the potential of invading the privacy of the data subject, even when collected anonymously. Consent is an instrument in the hands of data subjects to control their personal data in the context of the EU data privacy framework. Consent plays an important role in legitimising the processing of personal data and the EU has placed high stakes on this concept at the cost of other legitimising factors like contract, which probably would be a more attractive proposition for market forces. There is a real possibility that by the time GDPR is adopted by member states, the enforcement of the violations of the provisions related to consent becomes impossible and redundant in view of rapidly evolving information society services.

Keywords: Processing of Personal Data, Personal Data Protection, General Data Protection Regulation (GDPR), Right to Privacy, EU Data Protection Framework, Models of Consent

INTRODUCTION

A large amount of personal data is being collected in the form of metadata or personal identification data having the potential of invading the privacy of the data subject, even when collected anonymously. In the EU, most of the member states recognise privacy as a fundamental right, and the right to data protection is generally derived as an extension of this right [1], [2]. However, EU Primary Law, viz., the Charter of Fundamental Rights (CFR) of the European Union of 2000 [3], [4], [5], [6], the Treaty on European Union [7] and the jurisprudence of the CJEU [8], now recognise data protection as a fundamental right. But this right is not absolute and “must be considered in relation to its function in society” [9] and is subject to the principle of proportionality and limitations of Article 52(1) CFR. The European Court of Human Rights (ECtHR) recognises processing of personal data and its protection as encompassing the right to privacy.[10] Article 16 of the TFEU formally turned the right to data protection into a separate fundamental right.[11] The legitimate processing of personal data needs a considered justification, the consent of the data subject being one of these. In this essay, the legitimising role of consent under the current EU Data Protection Framework and the new GDPR would be critically analysed.

EU Framework on Personal Data Protection

The Data Protection Directive (The Directive) [12] aims to harmonise the national laws with the somewhat mutually incompatible dual aim of protecting the fundamental right to privacy regarding data processing and the free flow of data among member states. Article 2(h) of the Directive defines ‘the data subject’s consent’ as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” [13]. Article 7 of the Directive lists the legal grounds which make data processing legitimate, the unambiguous consent [14] of the data subject being one of them. However, it does not define how the unambiguity and the consent would be validated, as both are affected by cognitive factors attributable to the data subject’s behaviour, becoming even more complex in the online environment.

Sensitive data can only be processed with the “explicit consent” of the data subject [15], who can always withdraw the consent, in which case the data processing must stop [16]. The member states can decide not to process sensitive data based on consent.[17] The data subject is not allowed to consent to waive the other data protections of the Directive.[18] For the consent to be legally valid, it has to be freely given, specific, informed and unambiguous; mere silence or inactivity does not signify consent.[19],[20]

The E-Privacy Directive provides for privacy of electronic communications. The validity of consent under it is interpreted with reference to the Directive [21]; consent of all parties involved is required under Article 5(1); consent is to be obtained prior to data processing under Articles 6(3), 9, 13 and 5(3); and consent cannot be withdrawn retrospectively under Articles 6 and 9. [22]

Thus, in the context of EU data privacy framework, the consent is an instrument in the hands of data subjects to control their personal data. However, the harmonisation of provisions of the Data Protection Directive is not uniform and smooth across the member states.

The Consent under General Data Protection Regulation (GDPR) [23]

Table 1 is a highly condensed summary of the improved provisions relating to ‘consent’ in GDPR [24].

| S. N. | Article [25] | Remarks |
|---|---|---|
| 1. | 4(11) | ‘Consent’ means freely given, specific, informed and unambiguous indication of the data subject’s wishes by a statement or a clear affirmative action, signifying agreement. |
| 2. | 6(1)(a) | ‘Consent’ to be lawful only when consent is for one or more specific purposes; |
| 3. | 6(4) | When processing “for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent,” the controller should ascertain compatibility between intended and proposed purpose of data processing by accounting the link, context, nature, possible consequences and appropriate safeguards between the two. |
| 4. | 7 | 1. Data Controller to demonstrate that ‘consent’ was given. 2. The ‘consent’ which is part of a written declaration which also concerns other matters, the request for consent shall be presented as clearly distinguishable from the other matters, in an ‘intelligible and easily accessible form, using clear and plain language’. ‘Any part of such a declaration infringing this Regulation shall not be binding.’ 3. The ‘consent’ can be withdrawn any time but would not affect the data processing retrospectively. The withdrawal of ‘consent’ to be as easy as giving it. 4. If ‘consent’ to processing of personal data is conditional to performance of contract, it would not be considered ‘given freely’. |
| 5. | 8 | 1. The personal data processing of child of 16 years of age to be unlawful in absence of consent of person having parental responsibility of such child. 2. The data controller to make reasonable effort to verify that lawful consent was given in case of child below 16 years. |
| 6. | 9 | Special categories of personal data defined and its processing prohibited except on listed grounds, the ‘explicit consent’ being one of them and in accordance with applicable law. |
| 7. | 13(2)(c) | Duty of the controller to provide information regarding the existence of the right to withdraw the ‘consent’ at any time, without affecting the lawfulness of processing retrospectively. |

Discussion

The role of consent in legitimising the processing of personal data has been the consistent hallmark of the EU data protection framework. The framework and ‘models of consent’ [26] have evolved over time, strengthening the legitimising role of consent and thus giving informational self-determination a place in the EU approach to privacy. Many scholars have argued that in practice consent correlates poorly with the autonomy of the data subject [27], which is a prerequisite and consequence of ‘consent’ [28]. The cognitive and psychological limitations, coupled with the demographic, cultural and racial profile of data subjects, affect and influence the complex process of giving or withholding consent. The GDPR, being a Regulation, would act as the single EU law with uniformity in application across member states. However, the entire process of legitimising consent has become very complex and, with the passage of time, there is a real danger that it becomes irrelevant in future. The advent of the internet of things, virtual reality and augmented reality would make this concept less practicable to apply to big data.

Conclusion

Consent plays an important role in legitimising the processing of personal data, and the EU has placed high stakes on this concept at the cost of other legitimising factors like contract, which probably would be a more attractive proposition for market forces. There is a real possibility that by the time GDPR is adopted by member states, the enforcement of the violations of the provisions related to consent becomes impossible and redundant in view of rapidly evolving information society services.

REFERENCES

[1] EU Agency for Fundamental Rights (FRA), Data Protection in the European Union: the role of National Data Protection Authorities (Strengthening the fundamental rights architecture in the EU II) (2010) p. 14
[2] R Leenes and BJ Koops, Constitutional Rights and New Technologies. A Comparative Study Covering Belgium, Canada, France, Germany, the Netherlands, Sweden, and the United States (IT & Law Series) (The Hague: TMC Asser Press 2007)
[3] Article 8
[4] Sionaidh Douglas-Scott, ‘The European Union and human rights after the Treaty of Lisbon’ (2011) 11 Human rights law review 645
[5] Klara Kanska, ‘Towards administrative human rights in the EU. Impact of the charter of fundamental rights’ (2004)
[6] R Alonso Garcia, ‘The general provisions of the charter of fundamental rights of the European Union’ (2002) 8 European Law Journal 492
[7] Article 6(1)
[8] Promusicae v Telefonica C-275/06 p 70
[9] Michal Bobek, ‘Joined Cases C-92 & 93/09, Volker und Markus Schecke GbR and Hartmut Eifert, Judgment of the Court of Justice (Grand Chamber) of 9 November 2010’ (2011) 48 Common Market Law Review 2005
[10] Paul De Hert and Serge Gutwirth, ‘Data protection in the case law of Strasbourg and Luxemburg: Constitutionalisation in action’, Reinventing data protection? (Springer 2009)
[11] Paul De Hert and Vagelis Papakonstantinou, ‘The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals’ (2012) 28 Computer Law & Security Review 130
[12] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Official Journal L 281 , 23/11/1995 P. 0031 – 0050 (Accessed at: http://www.refworld.org/docid/3ddcc1c74.html on 14 November 2016) (1995)
[13] Ibid Art. 2(h)
[14] Ibid Art. 7(a)
[15] Ibid Art. 8
[16] W Kotschy, ‘Directive 95/46/EC—Data protection directive’ (2010) Concise European IT law Kluwer Law International, Alphen aan den Rijn
[17] Directive 95/46/EC n.12
[18] Paul De Hert and Serge Gutwirth, ‘Privacy, data protection and law enforcement. Opacity of the individual and transparency of power’ (2006) Privacy and the criminal law 61
[19] Article 29 Data Protection Working Party, Opinion 15/2011 on the definition of consent (2011)
[20] Volker und Markus Schecke [2010] EUECJ C-93/09 (Court of Justice of the European Communities (including Court of First Instance Decisions))
[21] Directive 95/46/EC Arts. 2(g), 7(a) and Recital 17.
[22] Article 29 Data Protection Working Party, Opinion 15/2011 on the definition of consent
[23] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) OJ L 119, 4.5.2016, p. 1–88 (2016)
[24] Ibid
[25] Ibid
[26] Eoin Carolan, ‘The continuing problems with online consent under the EU’s emerging data protection principles’ (2016) 32 Computer Law & Security Review 462
[27] Ibid
[28] Article 29 Data Protection Working Party, Opinion 15/2011 on the definition of consent


Old Wine With a New Label : Rights of Data Subjects under GDPR


International Journal of Advanced Research in Computer Science, ISSN No. 0976-5697, Volume 8, No. 7, July – August 2017

Sandeep Mittal
Cyber Security & Privacy Researcher
Former Director, LNJN NICFS (MHA)
New Delhi, India
sandeep.mittal@nic.in

 

Abstract: Recent reforms in the data privacy protection framework in the European Union have led to the enactment of the General Data Protection Regulation (GDPR). However, it remains debatable whether GDPR would lead to significant improvement in the protection of the privacy rights of individuals, which is always considered a fundamental right. The advent of technology, the movement of data across geographical barriers and the outsourcing of data processing jobs to countries outside the EU necessitated the enactment of GDPR. An analysis is done to demonstrate that though some of the provisions of GDPR generically remain similar to the Data Protection Directive, GDPR has incorporated some new provisions by choosing the ‘regulation’ as an instrument of law for better harmonisation, expanding the ‘right to be forgotten’, legitimising the role of consent, providing data protection by design and default, increasing accountability of data controllers and expanding the scope of the provisions of the directive to extra-territorial jurisdiction. It remains to be seen whether GDPR is an old wine with the new label or something else in a wine bottle.

Keywords: Rights of Data; Data Protection Regulation; Accessing of Personal data; Internet of Things; Control of Users over Their Personal Data; Data Protection Framework; General Data Protection Regulation

I. INTRODUCTION

With about 46 per cent of the world’s population having access to it, the Internet has emerged as the most popular medium of free expression, and as a tool for conducting free trade and using smart devices. This propensity to use the Internet for various applications has resulted in the generation of a large volume of personal data online including (but not limited to) the name, address, mobile number, date of birth, email address, geographical location and health record of the user, among other things. This data has a high potential for secondary use, which necessitates the protection of the privacy and confidentiality of this personal data both at rest and in motion across borders.[1] [2] [3] European Union Directive 95/46/EC (The Directive) [4] remained the basic instrument for protection of data privacy for over 20 years in the European Union (EU), recognizing privacy as a fundamental human right.[5] However, the practical implementation of the Directive across the EU states and the seminal decisions of the Court of Justice of the European Union (CJEU) raised several issues regarding the understanding of, and need for, individual rights to protection on the Internet in the EU.[6] This, in turn, triggered the process of reform in the Data Privacy Protection Framework, leading to the enactment of the General Data Protection Regulation (GDPR)[7], which is slated to usher in reforms and changes in the EU Data Protection Framework. The scope of this essay is to discuss whether the GDPR signifies any improvement over the current Directive in terms of the rights of individual data subjects.

II. THE TRIGGER

The Directive had almost become antiquated in view of the evolution of new technology such as the Internet of Things (IoT) and Cloud, among others, giving rise to new types of risk that were unknown when the Data Protection Directive was enacted. With the advent of advanced technology and the outsourcing of online services across borders, the divergent approaches to privacy prevalent both within and outside Europe have given rise to concern for the protection of data privacy in the EU.[8] [9] [10] [11] [12] However, the more immediate trigger for reform of this policy was a set of seminal decisions by the CJEU, which led to a lot of important changes in the understanding of the data protection legal framework. In Google Spain,[13] [14] [15] it was ruled that Google would be classified as the controller, as the search, indexing, and storage of information implied the processing of personal data as defined by the Directive. Therefore, search engines are obliged to remove the links to web pages from their results if so requested by the data subject. This gave rise to serious consequences for the search engine and its credibility, as also for the role of intermediaries, as this judgement empowered individuals to ascertain their ‘right to be forgotten’, affecting the free flow of information on the Internet in the process. Another case in which the decision changed the legal situation relating to the data protection law was the Schrems Judgement,[16] wherein the CJEU ruled that a third country ensuring an adequate level of protection cannot eliminate or reduce the power of the national supervisory authority to assess the adequacy of data protection under the Directive. Further, the court declared that the Safe Harbor Agreement [17] with the USA was invalid (Burri and Schär 2016).[18] This judgement highlighted the various challenges that the existing data protection framework was facing in an overwhelming environment of use of advanced technology over two decades since the enactment of the Directive. The following section presents a discussion on the selected key provisions of the GDPR, which could prove to be in terms of their implications for the protection of the rights of individual data subjects.

III. THE DIRECTIVE VERSUS THE REGULATION

The legal instruments that are used by the EU are in the form of Communication, Directive and Regulation. A directive has to be transposed into national law by enacting an amendment or new laws that would be applicable within the national territory of the member state, whereas a regulation can be directly applied as law. Therefore, the problem of harmonisation of the Directive across the EU member-states has been overcome through the choice of regulation during enactment of the GDPR [19]. The Commission has promised a “strong, clear and uniform legislative framework at [the] EU level” that will “do away with the patchwork of the legal regime across the 27 member-states and remove the barrier to market entry” [20]. However, the coordination of the member countries, their respective data protection authorities, national laws and courts would not be an easy task to achieve by 2018, when the Regulation comes into force.

IV. EXPANSION OF SCOPE OF PERSONAL DATA

The 1995 Directive specifies that “personal data shall mean any data relating to identified or identifiable natural person data subjects”.[21] While the identified individual is more or less clear, identifiability is not explained in the Directive. This has been explained in the GDPR and expanded in Article 29 of the Working Party Document [22] and Article 41 of the GDPR has adopted the same approach. However, the Recital 23 has introduced a proportionality test (positing that identifiability is related to “mean reasonably and likely to be used” taking account of “all objective factors such as technology, effort and cost”) in order to assess each time the nature of the data that may help protect the identifiable individual. If the proportionality test is not passed, then such data will not be considered as personal data, and the GDPR does not apply to anonymous data.[23] The regulation has also introduced a new class of data, that is, “pseudonymous data”, which alludes to “the processing of personal data in such a way that data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and is subject to technology and organisational measures for ensuring its non-attribution to an identified and identifiable person”.[24] However, the questions that arise are: What is the relationship between pseudonymous data and personal data? Is pseudonymous data a sub-category of personal data, and does it fall under the scope of the GDPR? According to the Recital 23, “data which has undergone pseudonymization, which could be attributed to [a] natural person by use of additional information should be considered as information on an identifiable natural person”.[25] If this is so, then the proportionality test would have to be applicable to the information pertaining to an identifiable person and only then should it be considered as personal data for the purpose of data protection legislation. The GDPR would also not apply to information concerning a deceased person.[26] As regards the issue of sensitive data, the regulation has adopted and applied the same approach as the Directive. It propounds that sensitive data are data which reveal “racial or ethnical origin, political opinion, religious, philosophical believes, trade union membership, processing of genetic data, biometric data in order to uniquely identify a person or data concerning health or sex life or sexual orientation”.[27] Thus, genetic data, biometric data, and sexual orientation data are new categories included under sensitive data. The processing of data relating to criminal conviction and offences or relating to security measures is allowed only under the control of an official authority or after adequate safeguards have been provided under the law.[28] However, Articles 4 and 9 of the GDPR, while remaining similar to the Directive at the generic level, provide some improvement in terms of privacy protection.

V. STRONGER RIGHTS

The “right to be forgotten” is currently one of the most hotly debated issues because of the Google Spain judgement and has been incorporated in Article 17 of the GDPR. A data subject can now get his personal data erased and put an end to further processing if the data in question is no longer necessary for the purpose for which it was collected irrespective of whether a data subject as an individual is the subject or whether his personal data is being processed.[29] However, this right is not absolute.[30] The right to be forgotten includes an obligation on the part of the data controller who has made the personal data public to inform other controllers who process such personal data to erase any links, copies, or replications pointing to that personal data. Also, while doing so, the data controller concerned would have to take reasonable steps in accordance with the technology and resources available to him for use, including technology measures.[31] However, Article 17 may lead to certain problems, some of which are delineated below:

i) The controller may not even know or be able to contact all the third parties.

ii) The third party may have different legal grounds for not agreeing to the erasure request of the original controller.

iii) The issue of who the third party controller would be in the case of ‘Internet-bounces’ is ambiguous, as the modern Internet has blurred the distinction between the controller and the data subject, leading to a grey area in the data protection law.

However, it is claimed that actually the right to be forgotten would become an absolute right only when the data is removed by every controller but ironically, modern technology developments do not allow data subjects to know the identity of the controller(s) processing their data. [32] Therefore, theoretically, it may be claimed as a ‘right to be forgotten’, but with practical implementation in the future, it may become ‘a right forgotten’.

VI. IMPROVED CONTROL OF USERS OVER THEIR PERSONAL DATA

A host of other rights are included in the GDPR, including the right to transfer information,[33] the right of access to personal data,[34] the right to data portability,[35] and the right to object.[36] A data subject cannot be subjected to a decision based on automatic processing, including profiling, which has legal or other considerable effects on the data subject. However, this right is limited if the processing is necessary for a contractual obligation between the data subject and the data controller, or is authorised by law as applicable in the EU or in any of its member-states to which the data controller is subject, or if it is based on the data subject’s explicit consent.[37] The right to data portability is a considerable and significant protection for users, who now have the potential right to receive their personal data in a structured, commonly used and machine-readable format. This can be transferred to another controller without hindrance from the controller who is controlling the original personal data.[38] However, it has been argued by a few that data portability may hamper innovation by making it freely available, and thereby hurting the self-correcting power of the market.[39]

The GDPR, however, limits the access right of the subject in a situation wherein the data controller is not in a position to identify the subject. The right to confirmation and the right to access to data represent greater risk of harm if the information is disclosed to someone who is not a data subject.[40] If the person requesting for this data provides additional information that facilitates his identification for restoring the right to full access to the subject, the right itself becomes a risk.[41] For example, if the data subject is asked to prove his identity by providing a copy of his passport, this proves that the person requesting for the data could be someone with the same name as data subject, but does not prove that he himself is the data subject.[42] Therefore, this right entails an undue risk to the privacy of the individual concerned and is a necessary limitation of the data protection right.



VII. THE ROLE OF CONSENT

Article 2H of the Directive defines the data subject’s consent as “any freely given specific information and indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.[43] Article 7 (2) of the Directive also lists the legal grounds that make data processing legitimate, with the unambiguous consent of the data subject being one of them.[44] However, the Directive does not define how the unambiguity and the consent would be validated as both are affected by cognitive factors attributable to the data subject’s behaviour, becoming even more complex in the online environment. In the context of the EU’s data privacy framework, the consent is an important instrument in the hands of the data subjects for controlling their personal data. The GDPR has placed a responsibility on the data controller to demonstrate that the consent was given by the data subject.[45] It stipulates that if the consent to process personal data is conditional to the performance of a contract, it would not be considered ‘given freely’.[46] The GDPR also provides that the personal data processing of a child of or below 15 years of age is unlawful in the absence of the consent of the person having the parental responsibility of such a child.[47] The data controller also has the responsibility of making a reasonable effort to verify that such a consent is lawful.[48]

However, it remains to be seen if in practice, the consent of the data subject correlates autonomy [49] with its legitimacy. Several cognitive and psychological limitations, coupled with the demographic, cultural and racial profile of the data subject, affect and influence the complex process of giving or withholding of consent. The data subject has the right to withdraw his consent at any time, as the regulation explains that “it shall be as easy to withdraw as [to] give any consent”[50].

VIII. THE MISSING RIGHT TO EXPLANATION

It has been widely claimed that the right to explanation of a decision made by an automatic or artificial intelligence algorithm system will be legally mandated by the GDPR (Wachter, Mittelstadt, and Floridi 2016),[51] which is viewed as a mechanism for ensuring better accountability and transparency.

The right to explanation can possibly be derived from:[52]

i) Safeguard against automated decision making;[53]
ii) Notification duties; [54] and
iii) Right to access [55]

Scholars have argued that Article 22 of the GDPR has the potential of dual interpretation as a ‘prohibition’ or the ‘right to object’, and would need to be clarified before the GDPR is implemented by 2018. Without any such clarification, prior to enforcement, Article 23 will allow for a conflicting interpretation of the right of the data subject to control any automated decision-making across the EU member-states. This conflict would become inevitable especially because different interpretations protect very different interests. Article 22, while being interpreted as ensuring prohibition, offers greatest protection of the data subject. On the other hand, if interpreted as a right, Article 22 creates a loophole that allows the data controller to prevent the person requesting for information access to Article 22 to requester under the automated decision-making rule unless an objection against that is raised by the data subject [56]. Thus, the GDPR does not guarantee transparent and accurate automated decision-making and there is no legally binding right to an explanation in this context.

IX. DATA PROTECTION BY DESIGN VERSUS DEFAULT

Article 25 of the GDPR provides new obligations under the title of “Data Protection by Design[57] and by Default”.[58] This obligation requires the data controller to build data protection functionality into his system. It has been suggested that the issue of “Data Protection by Design and by Default” may become a real game-changer if implemented by the data controller, processor, producer, and the supervising authority. However, it would not be an easy task for all stakeholders to benefit from this right as it would require in-depth knowledge and resources, and access to state-of-the-art technology, unless researchers, practitioners and supervisory authorities collaborate with each other for a meaningful implementation of the said right.[59]

X. DATA CONTROLLER AND PROCESSOR HAVE BEEN MADE MORE ACCOUNTABLE

The GDPR has also introduced the novel concept of Data Protection Impact Assessment (DPIA).[60] When the data processing based on the use of new technology is likely to result in a high risk to the right and freedom of a natural person, the data controller is obligated to carry out an impact assessment.[61] The Regulation prescribes the minimum elements that should be considered for the DPIA, that is, a description of the processing operation, an assessment of the necessity and proportionality of processing with reference to the purpose of assessment of risk to the right of the data subjects, the remedial measures taken, and freedoms and safeguards.[62] The data controller must consult the supervising authority before processing the data wherever the DPIA points to a high risk to the processing of data. The supervisory authority has been given the power to impose limitations including banning the processing of data.[63] The data protection authority can also impose a fine up to a maximum of 2 crore Euros, or in the case of business, 4 per cent of the total business turnover, whichever is higher.[64]

XI. THE EXTRA-TERRITORIAL SCOPE OF APPLICATION

Article 31 of the GDPR mentions that the scope of territorial application of the Directive covers the process of accessing of personal data in the context of activities leading to the establishment of a controller or a processor in the EU, regardless of whether the processing of data has taken place or not. Thus, independent obligations have been implemented on the person responsible for processing the data. The GDPR may also apply to a controller or processor of data who is not established in the EU under certain conditions having wide ramifications.[65] This would potentially mean that many companies incorporated outside the EU but targeting the EU market would be brought to book.[66]

XII. CONCLUSION

The issue of protection of the privacy of an individual is always considered as a fundamental right in the EU, and is the hallmark of the data protection framework. The advent of technology and movement of data to a cloud across geographical barriers, and outsourcing of data processing jobs to countries outside the EU have made the data protection directive of 1995 a little redundant in terms of its ability to overcome practical difficulties and judicial enactments. The GDPR has, therefore, been enacted to provide better privacy protection to individuals. It has also been demonstrated that though the basic principle and guidelines of the Data Protection Directive and GDPR are generically similar, the inclusion of some new provisions in the GDPR regulations provides for a better protection of the privacy rights of individual data subjects. Some of the provisions of the new Directive that signify better protection of the right of individual subjects include the choice of ‘regulation’ as an instrument of law for better harmonisation, expansion of scope of the ‘right to be forgotten’ in the case of personal data, improved control of users over their personal data, better legitimisation of the role of consent in data processing, data protection by design and default, increased accountability of data controllers for their actions, and the extra-territorial scope of application of the provisions of the Directive. However, some provisions like Article 22 of GDPR need to be clarified before GDPR is implemented the next year in order to avoid their conflicting dual interpretation. It remains to be seen how the GDPR is actually implemented and what its impact would be when it comes into force in 2018.

XIII. REFERENCES
[1] M. M. Group. (2015, 24.11.2015). World Internet Users Statistics and 2015 World Population Stats. Available: http://www.internetworldstats.com/stats.htm
[2] S. R. Salbu, “European Union Data Privacy Directive and International Relations, The,” Vand. J. Transnat’l L., vol. 35, p. 655, 2002.
[3] J. Kang, “Information privacy in cyberspace transactions,” Stanford Law Review, pp. 1193-1294, 1998.
[4] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Official Journal L 281 , 23/11/1995 P. 0031 – 0050 (Accessed at: http://www.refworld.org/docid/3ddcc1c74.html on 14 November 2016), 1995.
[5] ibid.
[6] M. Burri and R. Schär, “The Reform of the EU Data Protection Framework,” Journal of Information, vol. 6, 2016.
[7] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) OJ L 119, 4.5.2016, p. 1–88 2016.
[8] D. R. Nijhawan, “Emperor Has No Clothes: A Critique of Applying the European Union Approach to Privacy Regulation in the United States, The,” Vand. L. Rev., vol. 56, p. 939, 2003.
[9] J. R. Reidenberg, “E-commerce and trans-atlantic privacy,” Hous. L. Rev., vol. 38, p. 717, 2001.
[10] D. Zwick and N. Dholakia, “Contrasting European and American approaches to privacy in electronic markets: property right versus civil right,” Electronic Markets, vol. 11, pp. 116-120, 2001.
[11] M. Boban, “DIGITAL SINGLE MARKET AND EU DATA PROTECTION REFORM WITH REGARD TO THE PROCESSING OF PERSONAL DATA AS THE CHALLENGE OF THE MODERN WORLD,” in Economic and Social Development (Book of Proceedings), 16th International Scientific Conference on Economic and Social, 2016, p. 191.
[12] G. Shaffer, “Globalization and social protection: the impact of EU and international rules in the ratcheting up of US data privacy standards,” Yale Journal of International Law, vol. 25, pp. 1-88, 2000.
[13] S. Singleton, “Balancing a Right to be Forgotten with a Right to Freedom of Expression in the Wake of Google Spain v. AEPD,” Ga. J. Int’l & Comp. L., vol. 44, pp. 165-195, 2015.
[14] A. Bunn, “The curious case of the right to be forgotten,” Computer Law & Security Review, vol. 31, pp. 336-350, Jun. 2015.
[15] C. Rees and D. Heywood, “The ‘right to be forgotten’ or the ‘principle that has been remembered’,” ibid., vol. 30, pp. 574-578, Oct. 2014.
[16] “Maximillian Schrems v Data Protection Commissioner, C-362/14, Court of Justice of the European Union,” ed: Court of Justice of the European Union 2015.
[17] M. A. Weiss and K. Archick, “US-EU Data Privacy: From Safe Harbor to Privacy Shield,” Congressional Research Service, 2016.
[18] M. Burri and R. Schär, “The Reform of the EU Data Protection Framework,” Journal of Information, vol. 6, 2016.
[19] P. de Hert and V. Papakonstantinou, “The new General Data Protection Regulation: Still a sound system for the protection of individuals?,” Computer Law & Security Review, vol. 32, pp. 179-194, 2016.
[20] V. Reding, “The European data protection framework for the twenty-first century,” International Data Privacy Law, p. ips015, 2012.
[21] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Official Journal L 281 , 23/11/1995 P. 0031 – 0050 (Accessed at: http://www.refworld.org/docid/3ddcc1c74.html on 14 November 2016), 1995.
[22] Article 29 Working Party Opinion 4/2007
[23] Regulation (EU) 2016/679, 2016. Recital 23
[24] ibid. Article 43 (b)
[25] ibid. Article 23
[26] ibid. Article 23a
[27] ibid. Article 9
[28] ibid. Article 23
[29] ibid. Article 17 (1)
[30] ibid. Article 17 (3) Recital 65
[31] ibid. Article 17 (2) Recital 66 & 67
[32] A. Mantelero, “The EU Proposal for a General Data Protection Regulation and the roots of the ‘right to be forgotten’,” Computer Law & Security Review, vol. 29, pp. 229-235, Jun. 2013.
[33] Regulation (EU) 2016/679, 2016. Article 12
[34] ibid. Article 13, 14, 15, 19
[35] ibid. Article 20
[36] ibid. Article 21, 22
[37] ibid. Article 22 (2)
[38] ibid. Article 21
[39] M. Burri and R. Schär, “The Reform of the EU Data Protection Framework,” Journal of Information, vol. 6, 2016.
[40] Regulation (EU) 2016/679, 2016.
[41] A. Cormack, “Is the Subject Access Right Now Too Great a Threat to Privacy,” Eur. Data Prot. L. Rev., vol. 2, p. 15, 2016.
[42] ibid.
[43] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Official Journal L 281 , 23/11/1995 P. 0031 – 0050 (Accessed at: http://www.refworld.org/docid/3ddcc1c74.html on 14 November 2016), 1995.Article 2H
[44] ibid. Article 7 (a)
[45] Regulation (EU) 2016/679, 2016. Article 7 (1)
[46] ibid. Article 4 (4)
[47] ibid. Article 8 (1)
[48] ibid. Article 8 (2)
[49] E. Carolan, “The continuing problems with online consent under the EU’s emerging data protection principles,” Computer Law & Security Review, vol. 32, pp. 462-473, 2016.
[50] Regulation (EU) 2016/679, 2016. Article 7(3)
[51] S. Wachter, B. Mittelstadt, and L. Floridi, “Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation,” 2016.
[52] ibid.
[53] Regulation (EU) 2016/679, 2016. Article 20 (3) read with Recital 71
[54] ibid. Article 13, 14 read with Recital 60, 61, 62
[55] ibid. Article 15 read with Recital 63
[56] S. Wachter, B. Mittelstadt, and L. Floridi, “Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation,” 2016.
[57] Regulation (EU) 2016/679, 2016. Article 25(1)
[58] ibid. Article 25(2)
[59] E. Hanson, “The History of Digital Desire, vol. 1: An introduction,” South Atlantic Quarterly, vol. 110, pp. 583-599, 2011.
[60] Regulation (EU) 2016/679, 2016. Article 33
[61] ibid. Article 35
[62] ibid. Article 35(7)
[63] ibid. Article 58
[64] ibid. Article 83, 85, 86
[65] ibid. Article 3(2)
[66] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) OJ L 119, 4.5.2016, p. 1–88 2016. Recital 23

Critical Analysis of Divergent Approaches to Protection of Personal Data

International Journal of Advanced Research in Computer Science, ISSN No. 0976-5697, Volume 8, No. 7, July – August 2017

Sandeep Mittal
Cyber Security & Privacy Researcher
Former Director, LNJN NICFS (MHA)
New Delhi, India
sandeep.mittal@nic.in

 

Abstract: The protection of privacy and confidentiality of personal data generated on the Internet, at residence and in motion within and across borders, is a cause of concern. The European Union and the United States have adopted divergent approaches to this issue, mainly due to varying socio-cultural backgrounds. With the globalisation of businesses facilitated by the Internet revolution, economic considerations outweighed rights considerations, and the rights-based approach started buckling under the pressure of the economics-based approach but was checked by the Schrems case. The negotiations under the TPP and TTIP have a tendency to forgo the privacy rights of individuals over business considerations, in tune with the US tactics of weakening privacy laws through Free Trade Agreements. It has been demonstrated that a balanced approach would be desirable, one in which individual control over data is desirable but not absolute and control rights are reinforced by structural safeguards or architectural controls.

Keywords: Personal Data; Internet Governance; Right to Privacy; Data Privacy Protection; Trans-Pacific Partnership (TPP); Transatlantic Trade and Investment Partnership (TTIP); Protection of Privacy

I. INTRODUCTION

The number of Internet users in the world has increased by 826 per cent, from 16 million in 1995 to 3,270 million in the last 15 years, accounting for about 46 per cent of the world population. [1] The Internet has emerged as a preferred medium of expression of free speech, conducting trade and business, and running daily errands like controlling multipurpose home devices, thereby generating large volumes of personal data. This data includes names, addresses, mobile numbers, dates of birth, emails, geographical locations, and health records like the BMI and can aid in advertising for marketing purposes. Internet users access the Internet through an ‘Internet Service Provider’ (ISP), who provides infrastructure, allowing users to access the Internet and user-generated content. This big data, which has been disclosed voluntarily or incidentally through interactive means (for example, online surveys) or technological means (for example, cookies), has a high potential for secondary uses. The right of privacy in general is “the right of the individual to be left alone; to live quietly, to be free from unwarranted intrusion to protect his name and personality from commercialisation.” [2] [3] The protection of privacy and confidentiality of this personal data at the residence and in motion within and across the borders is a cause for concern, [4] [5] [6] [7] more particularly in the developed economies like the European Union (EU) and the US. The EU and US have adopted divergent approaches [8] [9] [10] [11] to this issue. The scope of this essay is to critically analyse these comparative but divergent approaches for protecting privacy.

II. THE EUROPEAN UNION APPROACH

The basic premise of the EU privacy protection approach is embodied in the EU Directive 95/46, [12] recognising privacy as a fundamental human right as demonstrated by the repetition of the term ‘fundamental right and freedom’ 16 times in the Directive. Para 10 of the adoption statement of the Directive states,

“Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community;” [13]

The Directive 1995/46 [14] gives far-reaching powers and complete control over personal data to individuals, thus creating severe legal issues not only for domestic and international businesses but also for sovereign nations in dealing with personal data. [15] The basic framework of this Directive is summarized [16] as follows:

a) Companies to inform users regarding their policy in handling the personal data collected from them.
b) Affirmative consent of users to be obtained to collect, use, and disseminate the data.
c) Documentation and registration of the above consent with ‘data authorities’, who would retain the data in their own databases.
d) Accessibility of the database to individuals for amendments and/or rectifications in their data.
e) Identity of the companies collecting the data to be disclosed to the consumers.
f) Explicit bar on trans-border data transfer if the laws of the destination country lack adequate data protection.

The spirit of fundamental rights has been further reiterated and refined in the EU Directive 2002/58/EC [17]. This Directive prohibits any type of interception or surveillance, and provides for erasure and anonymisation of processed data and location-related data, and an opt-out regime for itemised billing and calling-line identification. Most importantly, it includes an opt-in regime for cookies [18] that need to be stored in the browser, with all these conditions being subject to consent, with certain exceptions like security or criminal acts.
The ‘consent’ in the 2002 Directive has been replaced with ‘informed consent’ in the Directive 2009/136/EC.[19] Recently, the EU passed Regulation (EU) 2016/679, which would replace the existing privacy law in the EU by 25 May 2018. It is a comprehensive regulation covering businesses outside the EU, with the data too residing outside the EU. It has also incorporated provisions regarding the custodian’s explicit informed and verifiable consent for children below 13 years of age, and penalty up to 4 per cent of the global business annual turnover of the preceding financial year, in case of violation of privacy. Thus, the approach of the EU to protect the privacy of an individual essentially remains ‘regulatory, State-controlled and penal’ and devoid of self-management. [20] [21] [22] [23]

III. THE US APPROACH

The US approach to the protection of online privacy is ‘self-regulatory’, favouring voluntary market-based approaches over central regulation depending mainly on industry norms, and codes of conduct, among other things. The laws are in piecemeal form, sporadic, inadequate or non-existent, demonstrating that the protection of privacy is not an issue for the political and democratic systems in the US. [24] Most of the privacy provisions in various US Acts like The Driver’s Privacy Protection Act of 1984, the Video Privacy Protection Act of 1988, The Electronic Communications Privacy Act of 1986, and The Cable Communications Policy Act of 1984 are akin to knee-jerk reactions to public scandals and outcries. [25] [26] There is neither a comprehensive law nor any comprehensive mechanism to enforce the protection of privacy in the US, leaving everything to ‘industry self-regulation’. [27] However, due to the interdependence of EU-US businesses on each other and the presence of a well-crafted law in the EU, there is a tendency among US companies to draft some kind of a voluntary code for data protection, which would act as a ‘privacy-protection face-mask’ to purport as having respect for privacy protection, on the one hand, and as a smoke-screen to keep the government regulation at bay, on the other. Even the US negotiated ‘Safe Harbour Privacy Principles’ as an alternative to the adequacy clause in Article 25 of Directive 95/46/EC, wherein US businesses qualifying as ‘safe harbours’ would be deemed to have provided adequate privacy protection. [28] This ‘safe-harbour’ concept is a self-certifying framework mechanism based on seven principles, [29] as enumerated below: [30]

a) Notice to individuals regarding the likely uses of their data and the mechanism available to them for complaint and grievance redressal.
b) ‘Opt-out’ choice to individuals with regard to the collection of data and its dissemination to third parties.
c) Transfer of data only to third parties having adequate privacy protection.
d) Reasonable security assurance measures to prevent the loss of collected information.
e) Measures to ensure the integrity of data.
f) Accessibility of data to individuals for correction or deletion of incorrect data.
g) Enforcement mechanism for these guidelines.

However, there is little or no regulation by the Government except the ‘safe harbour’ registration on payment of a nominal fee, and the implementation of the guidelines is self-certified through either trained employees or through private industry-funded bodies. For example, TRUSTe investigates the companies that provide funding to it, thus inviting criticism. [31] The ‘safe harbour’ provision was struck down as invalid [32] by the Court of Justice of the European Union in 2015 as below,

“1. Article 25(6) of Directive 95/46/……. as amended by Regulation (EC) No 1882/2003….., read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
2. Decision 2000/520 is invalid.” [33]

Subsequently, in view of the invalidation of the ‘safe-harbour framework’ and Regulation (EU) 2016/679 [34] likely to be in place by mid May 2018, with provisions of heavy penalties of up to 4 per cent of the international annual turnover during the preceding financial year, the US Government has negotiated an “EU-U.S. Privacy Shield” with the European Commission, which is purportedly more stringent and robust than the ‘safe harbour framework’.[35] In future, the US would bring pressure upon the EU to include the privacy protection framework while negotiating the TTIP, but the EU would have to limit itself within the framework prescribed by the CJEU.[36] [37] [38]

IV. THE EU APPROACH VERSUS THE US APPROACH

While the EU approach recognises the protection of privacy as a fundamental human right, the US approach is to adopt an iota of interference in the privacy rights of individuals, treating these rights as a commodity, thus leaving the issue to market forces as stated by scholars.[39] [40]

“The US approach contrasts the EU approach to data privacy. [41] Whereas in the EU, it is the responsibility of the government to protect citizens’ right to privacy, in the U.S., markets and self-regulation, and not law, shape information privacy. In the EU, privacy is seen as a fundamental human right; in the U.S., privacy is seen as a commodity subject to the market and is cast in economic terms. David Aaron, who negotiated the Safe Harbor, noted that in Europe: Privacy protection is an obligation of the state towards its citizens. In America, we believe that privacy is a right that inheres in the individual. We can trade our private information for some benefit. In many instances Europeans cannot. This can have important implications when it comes to e-commerce.” [42]

Does this statement give an impression that the US has closed its eyes to the stringent data privacy laws in the EU? Superficially, it may appear so but that is only an illusion. The US is vigorously using its negotiating skills in drafting Free Trade Agreements (FTAs) with trading partners across the globe, incorporating crippling provisions, putting fetters on the data privacy concerns, in the name of facilitating free trade. Disguised in this is the message that if a partner wants free trade with the US, its data privacy laws should not act as impediments to the free flow of data to the US. Two such FTAs of interest are the Trans-Pacific Partnership (TPP), which has already been signed but is not in force, and the Transatlantic Trade and Investment Partnership (TTIP) being negotiated between the EU and the U.S. in secrecy, wherein the U.S. has well-intentioned moves to soften the relatively stringent privacy law, thus giving a protection shield to US businesses from prosecution under the ‘post-Schrems EU Law’ [43]. The TTIP is under negotiation, but the intentions of the US with regard to the protection of privacy are obvious in the TPP agreement.

The TPP is the first legally binding international agreement affecting data privacy, with provisions for the enforcement of violations. “The TPP only imposes the most limited positive requirements for privacy protection, but imposes stronger and more precise limits on the extent of privacy protection that TPP parties can legally provide.”[44] Let us take a peep into the TPP’s provisions affecting data security, as enumerated in Table 1. [45] [46] [47]

A perusal of the TPP’s provisions, as delineated in Table 1, would send a ‘chill wave’ down the spines of proponents of data privacy protection. The entire exercise seems to be an attempt by the US to by-pass the local data privacy laws to protect businesses operating from its soil and to pre-empt litigation against its own business interests. The vigour with which the US is pursuing these FTAs is evident from the passage of the Trade Promotion Authority Bill by the Senate, which was termed as “……an important step toward ensuring [that] the United States can negotiate and enforce strong, high-standards trade agreements…..” by the US President. [48]

Table 1: Effects of TPP on Data Privacy Protection [49] [50] [51]

Columns: S. N.; TPP Article; Brief Title; How it affects Data Privacy

S. N. 1
TPP Article: 14.2.2, 14.2.4
Brief Title: Scope includes any measures affecting trade by electronic means
How it affects Data Privacy:
a) Scope is much wider as it applies to measures affecting trade (not limited only to measures governing or applicable to trade) by electronic means (not limited only to electronic commerce). Thus the scope is much wider than it looks.
b) Measures affecting the supply of service performed or delivered electronically are subject to obligations contained in relevant articles of Chapters 9 (Investment), 10 (Cross-Border Trade in Services) and 11 (Financial Services).

S. N. 2
TPP Article: 14.8
Brief Title: Vague & unenforceable requirements for protection of personal information
How it affects Data Privacy:
a) Obligation on parties to provide a legal framework for the protection of personal information of the users of electronic commerce only. Not applicable if electronic commerce is not involved.
b) No mention of protecting information as protecting human rights.
c) ‘Measure’ is defined to include a ‘practice’ or ‘law’, thereby implying that even the legal framework is given a go-by to include the ‘self-regulation’ practice in the U.S. (Article 1.3)
d) Parties are free to adopt different legal approaches but should encourage cross-border compatibility, which is left vague with no standards or mechanism of enforcement included.
e) That a Party shall endeavour to adopt non-discriminatory practices to provide data privacy protection would mean that this would not be limited only to citizens but would apply equally to non-residents also.

S. N. 3
TPP Article: 14.11
Brief Title: Restrictions on data export limitations
How it affects Data Privacy:
a) Each party may have its own regulatory requirements regarding transfer of information by electronic means and may allow cross-border transfer of data if it pertains to the business of a service supplier from one of the TPP Parties. Any exceptions to this would have to be justified by applying the four requirements of Article 14.11.3 as follows,
(i) Legitimate public policy objective.
(ii) Not an arbitrary or unjustifiable discrimination.
(iii) Not a disguised restriction on trade.
(iv) Restrictions imposed on transfer of data not greater than that required to achieve the objective.
The onus to prove Clauses (ii) and (iii) above would lie on the party imposing the restrictions.

S. N. 4
TPP Article: 14.13
Brief Title: Ban on data localisation
How it affects Data Privacy:
a) A TPP Party service supplier is not required to use computing facilities or data localisation facilities in the territory of a TPP Party where he wants to conduct business.
b) In case of any exception, the four-step test of data export limitations applies.

S. N. 5
TPP Article: 28
Brief Title: Complex Dispute Settlement Procedures
How it affects Data Privacy: The dispute settlement procedures are lengthy and complex and could even lead to revocation of the benefits under free trade.

S. N. 6
TPP Article: 9
Brief Title: Investor-State Dispute Settlement (ISDS)
How it affects Data Privacy: An investor from one party in the territory of the other party must be accorded, for dispute settlement purposes,
a) ‘National Treatment’
b) ‘Most-Favoured-Nation Status’
c) Fair and equitable treatment
d) Full protection and security
e) Prohibition of direct or indirect expropriation of investment except for public purpose or fair compensation.

A study of the TTIP Text, [52] which was being negotiated in secrecy, reveals that privacy concerns are being sacrificed over so-called free trade. The salient features of the privacy provisions are as follows: [53]
a) Article 33(2) provides for only ‘adequate safeguards’ and ‘not legislation’ for protection of privacy, and is thus very mild.
b) Article 33(1) provides unrestricted cross-border transfer of personal data for providing financial services.
c) Article 7(1) provides general exceptions exempting measures for protecting the privacy of personal data subject to three qualifications, [54] that the measures:
(i) must be necessary,
(ii) must not constitute ‘arbitrary or unjustifiable discrimination between countries where like conditions prevail’, and
(iii) must not be ‘a disguised restriction on establishment of enterprises, the operation of investments or cross-border supply of services’.
It remains to be seen how the two contrasting approaches to the protection of privacy culminate into each other in the name of free trade. The rights-based approach is getting crushed under the growing weight of the economics-based approach being adopted by the combined might of the EU-US nexus.

V. CONCLUSION

The varying cultural backgrounds of the societies of the EU and US were initially reflected in their contrasting approaches to the protection of privacy. With the globalisation of businesses facilitated by the Internet revolution, the economic considerations outweighed the rights considerations, and the rights-based approach started buckling under the pressure of the economics-based approach. However, the Schrems case put a brake on this tendency. The EU may be reminded that it cannot negotiate the privacy rights of individuals. However, the TTIP text discloses the position of the EU on privacy protection. This stance of the EU is not very conducive to the protection of privacy. They seem to be eager to forego the privacy rights of individuals over business considerations in tune with the tactics adopted by the US to weaken the privacy laws through FTAs. Recent developments like BREXIT, the trade expansionist policy followed by the US and the probable future dependence of the EU on the US for its economic survival and stability would decide if these two comparative and contrasting approaches to the protection of privacy would remain so or would evolve into a ‘willingly-accepted-forced’ compromise by sacrificing the privacy rights of individuals. What is desirable is a balanced approach in which individual control over data is desirable but not absolute, control rights are reinforced by structural safeguards or architectural controls, and self-management is possible [55] for protecting privacy in an age of voluntary disclosure and secondary uses of personal data.

VII. REFERENCES

[1] M. M. Group. (2015, 24.11.2015). World Internet Users Statistics and 2015 World Population Stats. Available: http://www.internetworldstats.com/stats.htm
[2] A. Lindey, Lindey on Entertainment, Publishing, and the Arts: Agreements and the Law vol. 2: C. Boardman Company, 2005.
[3] S. Sorensen, “Protecting Children’s Right to Privacy in the Digital Age: Parents as Trustees of Children’s Rights,” Child. Legal Rts. J., vol. 36, p. 156, 2016.
[4] S. R. Salbu, “European Union Data Privacy Directive and International Relations, The,” Vand. J. Transnat’l L., vol. 35, p. 655, 2002.
[5] J. Kang, “Information privacy in cyberspace transactions,” Stanford Law Review, pp. 1193-1294, 1998.
[6] J. P. Graham, “Privacy, computers, and the commercial dissemination of personal information,” Tex. L. Rev., vol. 65, p. 1395, 1986.
[7] D. H. Flaherty, “On the utility of constitutional rights to privacy and data protection,” Case W. Res. L. Rev., vol. 41, p. 831, 1990.
[8] J. M. Assey Jr and D. A. Eleftheriou, “EU-US Privacy Safe Harbor: Smooth Sailing or Troubled Waters, The,” CommLaw Conspectus, vol. 9, p. 145, 2001.
[9] D. R. Nijhawan, “Emperor Has No Clothes: A Critique of Applying the European Union Approach to Privacy Regulation in the United States, The,” Vand. L. Rev., vol. 56, p. 939, 2003.
[10] J. R. Reidenberg, “E-commerce and trans-atlantic privacy,” Hous. L. Rev., vol. 38, p. 717, 2001.
[11] D. Zwick and N. Dholakia, “Contrasting European and American approaches to privacy in electronic markets: property right versus civil right,” Electronic Markets, vol. 11, pp. 116-120, 2001.
[12] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Official Journal L 281 , 23/11/1995 P. 0031 – 0050 (Accessed at: http://www.refworld.org/docid/3ddcc1c74.html on 14 November 2016), 1995.
[13] ibid. paras 1, 2, 10 and art 1, para1.
[14] ibid.
[15] J. S. Bauchner, “State sovereignty and the globalizing effects of the Internet: A case study of the privacy debate,” Brook. J. Int’l L., vol. 26, p. 689, 2000.
[16] D. R. Nijhawan, “Emperor Has No Clothes: A Critique of Applying the European Union Approach to Privacy Regulation in the United States, The,” Vand. L. Rev., vol. 56, p. 939, 2003.
[17] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) Official Journal of the European Union, Vol. L 201 (2002), pp. 0037-0047 by European Parliament and the Council of the European Union (Accessed at: http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32002L0058 on 14 November 2016), 2002. Recital 1, 2, 3 and 11.
[18] ibid. Recitals 24, 25, art 5(3)
[19] Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (Text with EEA relevance) OJ L 337, 18.12.2009, p. 11–36, 2009. Art 3 (5).
[20] F. Giampaolo, “Overview of the main topics of EU Regulation 2016/679-General Data Protection Regulation.”
[21] F. Mauro and D. Stella, “Brief Overview of the Legal Instruments and Restrictions for Sharing Data While Complying with the EU Data Protection Law,” in International Conference on Web Engineering, 2016, pp. 57-68.
[22] M. Boban, “DIGITAL SINGLE MARKET AND EU DATA PROTECTION REFORM WITH REGARD TO THE PROCESSING OF PERSONAL DATA AS THE CHALLENGE OF THE MODERN WORLD,” in Economic and Social Development (Book of Proceedings), 16th International Scientific Conference on Economic and Social, 2016, p. 191.
[23] H. Kranenborg, “O. Lynskey, The Foundations of EU Data Protection Law,” ed: Oxford University Press, 2016.
[24] F. H. Cate, “Principles of Internet Privacy,” Conn. L. Rev., vol. 32, p. 877, 1999.
[25] G. Shaffer, “Globalization and social protection: the impact of EU and international rules in the ratcheting up of US data privacy standards,” Yale Journal of International Law, vol. 25, pp. 1-88, 2000.
[26] J. R. Reidenberg, “E-commerce and trans-atlantic privacy,” Hous. L. Rev., vol. 38, p. 717, 2001.
[27] S. Listokin, “Industry Self-Regulation of Consumer Data Privacy and Security,” J. Marshall J. Info. Tech. & Privacy L., vol. 32, p. 15, 2015.
[28] J. M. Assey Jr and D. A. Eleftheriou, “EU-US Privacy Safe Harbor: Smooth Sailing or Troubled Waters, The,” CommLaw Conspectus, vol. 9, p. 145, 2001.
[29] Safe Harbor Framework Overview available at, https://build.export.gov/main/safeharbor/eu/eg_main_018476 (Accessed 15 November 2016)
[30] Original documents can be retrieved at, http://webarchive.loc.gov/all/20150405033356/http%3A//export.gov/safeharbor/eu/eg_main_018493.asp (Accessed on 15 November 2016)
[31] G. Shaffer, “Globalization and social protection: the impact of EU and international rules in the ratcheting up of US data privacy standards,” Yale Journal of International Law, vol. 25, pp. 1-88, 2000.
[32] “Maximillian Schrems v Data Protection Commissioner, C-362/14, Court of Justice of the European Union,” ed: Court of Justice of the European Union 2015. Accessed at, http://curia.europa.eu/juris/document/document.jsf?docid=169195&doclang=en (Accessed on 15 November 2016)
[33] ibid.
[34] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) OJ L 119, 4.5.2016, p. 1–88 2016.
[35] EU-U.S. Privacy Shield Framework Principles Issued by the U.S. Department of Commerce. (2016) Accessed at, http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision-annex-2_en.pdf (Accessed on 15 November 2016).
[36] D. Bender, “Having mishandled Safe Harbor, will the CJEU do better with Privacy Shield? A US perspective,” International Data Privacy Law, p. ipw005, 2016.
[37] L. J. Sotto and C. D. Hydak, “The EU-US Privacy Shield: A How-To Guide,” Law360, pp. 1-4, 2016.
[38] M. A. Weiss and K. Archick, “US-EU Data Privacy: From Safe Harbor to Privacy Shield,” Congressional Research Service, 2016.
[39] S. J. Kobrin, “Safe harbours are hard to find: the trans-Atlantic data privacy dispute, territorial jurisdiction and global governance,” Review of International Studies, vol. 30, pp. 111-131, 2004.
[40] L. B. Movius and N. Krup, “US and EU privacy policy: comparison of regulatory approaches,” International Journal of Communication, vol. 3, p. 19, 2009.
[41] S. J. Kobrin, “Safe harbours are hard to find: the trans-Atlantic data privacy dispute, territorial jurisdiction and global governance,” Review of International Studies, vol. 30, pp. 111-131, 2004.
[42] L. B. Movius and N. Krup, “US and EU privacy policy: comparison of regulatory approaches,” International Journal of Communication, vol. 3, p. 19, 2009.
[43] “Maximillian Schrems v Data Protection Commissioner, C-362/14, Court of Justice of the European Union,” ed: Court of Justice of the European Union 2015.
[44] G. Greenleaf, “The TPP & Other Free Trade Agreements: Faustian Bargains for Privacy?,” Available at SSRN 2732386, 2016. Accessed on 20/11/2016 at, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2732386&download=yes
[45] ibid.
[46] B. K. T. Israel. (2015, The Highlights of the Trans-Pacific Partnership E-commerce Chapter. Accessed at http://www.citizen.org/documents/tpp-ecommerce-chapter-analysis.pdf on 20/11/2016.
[47] G. Greenleaf, “International Data Privacy Agreements after the GDPR and Schrems,” 2016.
[48] “Statement by the President on Senate Passage of Trade Promotion Authority and Trade Adjustment Assistance,” ed. Washington DC: The White House, 2015.
[49] B. K. T. Israel. (2015, The Highlights of the Trans-Pacific Partnership E-commerce Chapter. Accessed at http://www.citizen.org/documents/tpp-ecommerce-chapter-analysis.pdf on 20/11/2016.
[50] G. Greenleaf, “The TPP & Other Free Trade Agreements: Faustian Bargains for Privacy?,” Available at SSRN 2732386, 2016.
[51] G. Greenleaf, “International Data Privacy Agreements after the GDPR and Schrems,” 2016.
[52] TTIP Text available at http://trade.ec.europa.eu/doclib/docs/2015/july/tradoc_153669.pdf (Accessed on 20/11/2016)
[53] G. Greenleaf, “The TPP & Other Free Trade Agreements: Faustian Bargains for Privacy?,” Available at SSRN 2732386, 2016.
[54] TTIP Text available at http://trade.ec.europa.eu/doclib/docs/2015/july/tradoc_153669.pdf (Accessed on 01/12/2016)
[55] H. Kranenborg, “O. Lynskey, The Foundations of EU Data Protection Law,” ed: Oxford University Press, 2016.


Enough Law of Horses and Elephants Debated…, …Let’s Discuss the Cyber Law Seriously


International Journal of Advanced Research in Computer Science, ISSN No. 0976-5697, Volume 8, No. 5, May-June 2017

Sandeep Mittal, IPS
Director
LNJN National Institute of Criminology & Forensic Science
Ministry of Home Affairs, New Delhi, India
sandeep.mittal@nic.in
Prof. Priyanka Sharma
Professor & Head
Information Technology & Telecommunication,
Raksha Shakti University, Ahmedabad, India
ps.it@rsu.ac.in

 

Abstract: The unique characteristics of cyberspace, such as anonymity in space and time, absence of geographical borders, the capability to throw surprises with rapidity and the potential to compromise assets in the virtual and real worlds, have attracted the attention of criminal minds to commit crimes in cyberspace. The law of crimes in the physical world faces challenges in its application to crimes in cyberspace due to issues of sovereignty, jurisdiction, trans-national investigation and extra-territorial evidence. In this paper an attempt has been made to apply the routine activity theory (RAT) of crime in the physical world to cyberspace as a crime scene. A model for crime in cyberspace has been developed and it has been argued that the criminal law of crime in the physical world is inadequate in its application to crimes in the virtual world. To handle crime in cyberspace there is a need to address the issues of ‘applicable laws’ and ‘conflicting jurisdiction’ by regulating the architecture of the internet through special laws of cyberspace. A case has been put forward for having an International Convention of Cybercrime with the Council of Europe Convention on Cybercrime as the yardstick.

Keywords: Cybercrime; Cyber Law; Cyberspace; Routine Activity Theory (RAT); Cyber-criminology; EU Convention on Cybercrime; Law of Horse

I. INTRODUCTION

The ‘Internet’ has today become an essential part of our lives and revolutionised the way communication and trade take place far beyond the ambit of national and international borders. It has, however, also allowed unscrupulous criminals to misuse the Internet and exploit it for committing numerous cybercrimes pertaining to pornography, gambling, lottery, financial frauds, identity thefts, drug trafficking, and data theft, among others [1]. Cyberspace is under both perceived and real threat from various state and non-state actors [2] [3] [4]. The incidence of cyber-attacks on information technology assets symbolises a thin line between cybercrime and cyber war, both of which have devastating outcomes in the physical world [5] [6]. The scenario is further complicated by the very nature of cyber space, manifested in its anonymity in both space and time, and asymmetric results that are disproportionate to the resources deployed, and the fact that the absence of international borders in cyber space makes it impossible to attribute the crime to a tangible source [7]. In the context of these characteristics of cyberspace, ‘the transnational dimension of cybercrime offence arises where an element or substantial effect of the offence or where part of the modus operandi of the offence is in another territory’, bringing forth the issues of ‘sovereignty, jurisdiction, transnational investigations and extraterritorial evidence’; thus necessitating international cooperation [8]. The evolution of cybercrimes from being simple acts perpetrated by immature youngsters to complex cyber-attack vectors through the deployment of advanced technology in cyberspace has necessitated the development of a distinct branch of Law, The Law of Cyberspace. 
However, the question of whether ‘the law of cyberspace’ can evolve into an independent field of study or would remain just an extension of the criminal laws of the physical world in the virtual world has become the subject of an interesting debate among legal and social science scholars. The scope of this essay is to critically analyse and compare traditional crimes with cybercrimes to assess if a new set of laws is required for tackling crimes in cyberspace or otherwise.

II. THE CYBER-ZOO: THE ELEPHANT VERSUS THE HORSE AS SYMBOLS OF CYBERSPACE REALITIES

In his poem, ‘The Blind Men and the Elephant’, John Godfrey Saxe describes the dilemma of six blind men while trying to describe the elephant (which) “in (this) sense represents reality, and each of the worthy blind sages represents a different approach to understanding this reality. In all objectivity, and in line with the poem of John Godfrey Saxe, all the sages (blind men) have correctly described their piece of reality, but fail by arguing that their reality is the only truth.” [9] To quote,

“And so these men of Indostan,
Disputed loud and long,
Each in his own opinion,
Exceeding stiff and strong,
Though each was partly in the right,
And all were in the wrong!”[10]

In the context of this article, cyberspace can be compared with the elephant, which is understood and described differently by different stakeholders in the realms of sociology, criminology, law, technology, and commerce, among other disciplines. However, each of the stakeholders largely ignores the perspective of the others while also understating or overstating the complexity inherent in the physical and virtual processes manifested through the interplay of ‘technology with technology’ and ‘technology with humans’ in virtual space, which, in turn, is not constrained by the barriers of geography, culture, ethnicity and sovereignty of state, but still has manifestations in the physical world. A few legal scholars have also explored the concept of the cyber elephant for determining the principles needed to regulate cyberspace [11].

In 1996, Judge Frank Easterbrook delivered a lecture [12] at the University of Chicago where he discussed his ideas on ‘property in cyberspace’. He explained that coalescing two fields, without knowing much about either, in the name of ‘cross-sterilisation of ideas’ is putting [lawyers] at the ‘risk of multi-disciplinary dilettantism’. He argued that there are a large number of cases relating to various aspects of dealing with horses such as the sales of horses, people being kicked by horses, theft of horses, racing of horses or medical care of horses, but this alone cannot be the reason for designing a course on “The Law of Horses”, as that would signify shallow efforts towards understanding the unifying principles of such a law [13]. This led to the current debate on the need for a separate law of cyberspace [14]. However, scholars have strongly challenged the position taken by Judge Easterbrook [15] [16] [17].

III. TRADITIONAL CRIMES IN THE REAL WORLD VERSUS CYBERCRIMES

Acquiring a deep understanding of the theories of traditional crime in the physical world and their application to crimes in cyberspace would help us in identifying the factors that might govern the regulation of cyberspace. The basic components of acts of crime in the real world and how they intrinsically differ from crimes in cyberspace have been discussed and summarised in Table 1 [18]. Brenner concludes that “cybercrime differs in several fundamental respects from real-world crime and the traditional model is not an effective means of dealing with cybercrimes” [19] and that the “matrices for the real world crime do not apply to cybercrime, as it differs in the methods that are used in its commission and in the nature and extent of the harms it produces” [20]. Interestingly, Brenner had earlier adopted a more conservative stand on the law applying to cybercrime [21].
Theories of criminology have been applied to cyberspace to explore its interaction with the human dimension, as perceived by criminologists (potential dilettante) [23] [24]. The Routine Activity Theory (RAT) relating to crime in the real world has been studied by scholars to analyse if it can be transposed to cybercrime or otherwise [25]. RAT assumes that the minimum three factors required for a crime are an ‘opportunity’ in the form of a suitable target (victim), a ‘motivated offender’ with criminal inclination, and the ‘absence of a capable guardian’ (a law enforcement agency, the neighborhood, etc.). Lack of any one of these factors would prevent the occurrence of the crime [26] [27]. The different controls in traditional crimes and cybercrimes seen in the context of RAT have been depicted in Figure 1 [28] [29] [30].

The three constituents of RAT, viz. the Victim, Offender and Guardian, have been represented by the three vertices of the largest triangle. Each of these three controls is further dependent on sub-factors, which, in turn, are represented as three triangles (for each of these sub-factors, a low value is assigned to the Centre and a high value to the vertex) placed respectively, at each of the vertices of the main triangle. The distinction between traditional crime (Red) and cybercrime (Blue) due to the complex interplay of multiple factors is obvious. Last but not the least, the blue triangle in the Centre characterises cybercrime. The basic tenets of RAT thus fit in well with the paradigm of cybercrimes.

Table 1: Traditional Crimes versus Cybercrimes [22]

1. Traditional crime: Proximity: the perpetrator and the victim are physically proximate at the time of committing of the crime.
   Cybercrime: No physical proximity is required between the offender and the victim.

2. Traditional crime: The crime is a ‘one-to-one’ event involving the perpetrator(s) and victim(s).
   Cybercrime: A perpetrator can automate the process of victimisation and commit thousands of cybercrimes with high speed at the same time.

3. Traditional crime: The committing of the crime is subject to ‘physical constraints’ governing all activities in the physical world.
   Cybercrime: Real-world constraints do not affect perpetrators of cybercrimes, as they can be committed with anonymity, at lightning speed, and traverse beyond transnational borders.

4. Traditional crime: The demographic contours and geographical patterns of the incidence of crime are identifiable.
   Cybercrime: It is difficult to identify the patterns and contours of cybercrime due to the lack of uniformity in the definition of cybercrimes, absence of laws, technologies evolving at a faster pace, the anonymity that the perpetrator of the cybercrime enjoys in space and time, and the under-reporting of cybercrimes due to the fact that it poses a risk to many reputations.

It has been argued that the routine activity approach has both significant continuities and discontinuities in the configuration of terrestrial and virtual crimes. “While motivated offenders are likely to be almost homogeneous in both environments, the construction of suitable targets is complex, with similarity on value scale but significantly different in respect of inertia, visibility and accessibility.” [31] The concept of the ‘capable guardian’ fits in well in both settings but the degree of fitness varies. However, the spatio-temporal environment of routine activities is organised in the real world but organically disorganised in the virtual world [32]. Thus, these features of cyberspace make it a domain distinct from the real world [33], resulting in a noticeably low level of reporting of cybercrimes as compared to that of traditional crimes, as depicted in Figure 2 [34].

Figure 1: RAT and Interplay of Different Controls in Traditional Versus Cyber Crimes

 

Figure 2: A Comparison of Traditional Property Crimes versus Cybercrimes over a Period of Five Years in India
(Source of Statistics: Crime in India Statistics, NCRB)

 

Thus, the various factors that incite an individual to commit a cybercrime include the lack of deterrents, increased anonymity, and repressed desires to offend in the real world [35]. While the issue of repressed desires can be handled in traditional ways, the other two issues need to be handled through regulation of both the law and technology, or one of the two facilitating regulation of the other. The absence of any perimeter in cyberspace also makes it easily permeable, thereby making it difficult to assign an appropriate capable guardian for overseeing activities in cyberspace [36].

Thus, an individual commits cybercrime due to the lack of deterrents. Some economists have averred that people are actively involved in “transforming their relationships into social capital and their experiences into human capital (conventional or criminal)” and that these economic considerations are more compelling than the criminologist’s simple theory that a crime occurs in response to ‘associations’ and ‘events’ [37]. In fact, altering the criminal’s economic choice pattern may also help alter his behavior [38] [39]. The model of cybercrime portrayed in Figure 1 does not contradict this contention.

IV. MOVING FROM THE ‘DILETTANTISM’ OF CYBER-CRIMINOLOGY TO THE LAW OF CYBERSPACE

After analysing and understanding the various factors that contribute to the commission of a crime in cyberspace, it may be suggested that any law enacted to regulate cyberspace would have to address the following three unique features of cyberspace [40]:

(a) As ‘computer-assisted’ low-cost efforts produce asymmetric results disproportionate to the resources deployed, the law should develop mechanisms for increasing the cost entailed in the crime and decreasing the probability of its success. For example, there should be a thorough investigation of the crimes wherein victims implemented security measures to make their systems foolproof and exercised due diligence, whereas an enhanced-sentencing regime should be employed where dual-use technology like encryption techniques or anonymity has been used to commit the crime.

(b) There is a need to add third parties (such as Internet Service Providers or ISPs) to the traditional ‘offender-victim’ scenario of the crime. The law could consider imposing responsibilities on these third parties though it may be difficult to implement in view of the costs and liabilities implied in such actions. For example, in the United States, the Digital Millennium Copyright Act (DMCA) specifies the liability of ‘online-intermediaries’ in case of intellectual property right violations but no liability of ‘online-intermediaries’ is provided for defamation under The Communications Decency Act (CDA).

(c) The invisibility of the action in cyberspace and anonymity of the offender limit the capability of the guardian to regulate. It is possible for the law to address this issue. For example, the law may make implementation of IPv6 mandatory for the more specific attribution of acts in cyberspace or the law may mandate a change in the Internet architecture to include controls that would help in the identification of the perpetrators. As most of the Internet architecture is designed, maintained, controlled and governed by private bodies, the law would have to factor in the responsibilities and liabilities of these private stakeholders through either state regulation or self-regulation. Another example would be to make the use of digital signatures (using PKI) mandatory for communication in cyberspace, which in itself would not only prevent the occurrence of many crimes but also assist in the detection of crimes that still manage to be perpetrated despite the imposition of stringent checks.

Therefore, technology-intensive cybercrimes compel us to revisit the role and limitations of criminal law, just as criminal law forces us to reinvent the role and limitations of technology [41]. However, there is a symbiotic relationship between the two.

The adage, “On the Internet, nobody knows that you’re a dog” [42] is as true today as it has been throughout the history of the Internet, but the problem plaguing law enforcement agencies today is that, “on the Internet, nobody knows where the dog is” [43]. This is because the functionality of the Internet and its architecture are technologically indifferent to geographical location [44], leaving no scope for coherence in real space and cyberspace, wherein the latter is characterised by ‘geographical indeterminacy’ [45]. This gives rise to the legal issue of ‘appropriate jurisdiction’ or even ‘conflicting jurisdiction’ for cybercrimes. Criminal law is territorial in its applicability, and as territory itself is indeterminate in cyberspace, the applicable law and the appropriate jurisdiction would need to be determined in accordance with the principles of private international law, as is being done in the resolution of e-commerce disputes. But, do the principles of the civil liability transpose well into the realm of criminal liability? Although this is procedurally possible, the answer would still be substantively ‘no’, particularly when the definition of cybercrime itself may not be known in many jurisdictions. These legal issues need to be addressed for detection, investigation, prosecution and conviction of the criminals in cyberspace. And international cooperation is imperative in order to find where the ‘dog’ is, as it involves issues of sovereignty, jurisdiction, transnational investigations and examination of extraterritorial evidence.

V. THE CODE: THE INTERNET DOG, TECHNOLOGY, THE LAW, AND THE INTERNET GOD

Lawrence Lessig, in his theoretical model of cyberspace regulation [46], argued that behaviour is regulated by four constraints, viz., laws, social norms, markets, and nature [47]. The law, however, indirectly regulates behaviour while directly influencing the other three constraints, namely, social norms, markets, and nature. Applying this concept to cyberspace, Lessig postulated that in cyberspace, the equivalent of ‘nature’ is ‘code’ [48], with the latter being a more pervasive and effective constraint in cyberspace. The code is also more susceptible to being changed by law than the nature. Therefore, both the ‘code’ and ‘law’ have the potential of regulating the behaviour in cyberspace [49]. It has been argued that regulation in cyberspace would be more efficient and effective if the law regulates code rather than individual behavior [50].

The ‘code’ being expounded by Lessig was meant to include merely the software. With the advent of advanced technology in cyberspace, however, it is obvious that code would have to include not only the software, but also the concomitant hardware, Internet protocols, standards, biometrics, and privately controlled governance structures. All these components collectively contribute to the character and peculiarities of the Internet, making it the way it is. The code could then be safely given a new name, viz., ‘cyberspace architecture’ [51], with every component of this architecture having the potential of being regulated by law.

However, as pointed out earlier, even if various national Governments have enacted some type of law pertaining to cybercrimes, inconsistencies and disharmony remain in their application in transnational environments as criminal law is territorial. This necessitates international cooperation in either an informal or formal manner. Further, evidence gathered through the former is not admissible in courts, while evidence gathered through the latter is delayed due to the prevalence of long-drawn procedures, resulting in the escape of the ‘dog’. The solution could thus lie in the creation of an ‘International Framework on Cybercrime’ for addressing various legal issues relating to cyberspace.

The Council of Europe Convention on Cybercrime (the Convention) [52] is the first comprehensive framework on cybercrime which puts forth ‘instruments to improve international cooperation’ [53] and ‘duly takes into account the specific requirements of the fight against cybercrime’ [54]. The Convention has the potential of becoming an International Cyber Law like the Private International Law that has evolved over a period of time, but would have to be used in harmony with the substantive criminal law of the territory. The complex interaction between the two underscores the necessity for the enactment of a separate set of laws to handle cybercrime.

VI. CONCLUSION

Cyberspace is increasingly becoming a favourite domain for criminals for not only committing crimes but also for maintaining secret global criminal networks. This is because the organic nature of cyberspace is manifested in anonymity in space and time, immediacy of effects, non-attribution of action, and the absence of any international borders. Due to the unique nature of cyberspace, it is difficult to apply the laws of criminal liability for traditional crimes to cybercrimes. An examination of the traditional theories reveals that cybercrime is fundamentally different from crimes in the real world, and the traditional models are not effective in dealing with cybercrime. However, the dynamics of cybercrime were explained by transposing the factors operating in Routine Activity Theory (RAT) to cyberspace. It was demonstrated that the higher levels of anonymity, confidence and technological skills enjoyed by the offender motivate him to choose and target a victim who has been rendered vulnerable by the prevalent low level of security, trust and crime-reporting emanating from poorly defined laws, poor technical skills, and deficit of trust in the law enforcement machinery. The detection, investigation, prosecution, and successful conviction of the perpetrator of a cybercrime require the law to address the specific features of crime in virtual space. Anonymity and invisibility of action in cyberspace and its ‘geographic indeterminacy’ give rise to the legal issues of ‘applicable laws’ and ‘conflicting jurisdiction’. The architecture of the Internet needs to be governed by law, which has the potential to improve the behaviour of criminals in cyberspace. This would also entail international cooperation to address the issues of sovereignty, jurisdiction, transnational investigations, and extraterritorial evidence. It is suggested that the Council of Europe Convention on Cybercrime could be a yardstick for initiating measures in this direction.
However, all this does not preclude the need for a separate set of laws for handling cybercrimes and providing legal remedies against them.

VII. REFERENCES

[1] Sandeep Mittal, ‘A Strategic Road-map for Prevention of Drug Trafficking through Internet’ (2012) 33 Indian Journal of Criminology and Criminalistics 86
[2] Marco Gercke, Europe’s legal approaches to cybercrime (Springer 2009)
[3] Marco Gercke, ‘Understanding cybercrime: a guide for developing countries’ (2011) 89 International Telecommunication Union (Draft) 93
[4] David L Speer, ‘Redefining borders: The challenges of cybercrime’ (2000) 34 Crime, law and social change 259
[5] Sandeep Mittal, ‘Perspectives in Cyber Security, the future of cyber malware’ (2013) 41 The Indian Journal of Criminology 18
[6] Sandeep Mittal, ‘The Issues in Cyber- Defense and Cyber Forensics of the SCADA Systems’ (2015) 62 Indian Police Journal 29
[7] Sandeep Mittal, ‘A Strategic Road-map for Prevention of Drug Trafficking through Internet’
[8] Open-ended Intergovernmental Expert Group on Cybercrime, Comprehensive Study on Cyber Crime (2013)
[9] https://wildequus.org/2014/05/07/sufi-story-blind-men-elephant/ (Accessed on 13/04/2017)
[10] http://www.constitution.org/col/blind_men.htm (Accessed on 13/04/2017)
[11] Martina Gillen, ‘Lawyers and cyberspace: Seeing the elephant’ (2012) 9 ScriptED 130
[12] Frank H Easterbrook, ‘Cyberspace and the Law of the Horse’ (1996) U Chi Legal F 207
[13] Ibid at 207, para 3
[14] Joseph H Sommer, ‘Against cyberlaw’ (2000) Berkeley Technology Law Journal 1145
[15] Lawrence Lessig, ‘The law of the horse: What cyberlaw might teach’ (1999) 113 Harvard law review 501
[16] Andrew Murray, ‘Looking back at the law of the horse: Why cyberlaw and the rule of law are important’ (2013) 10 SCRIPTed 310
[17] James Baxendale, ‘FORTIETH ANNIVERSARY ISSUE: EQUINE CONSIDERATIONS AND COMPUTER LAW-REFLECTIONS FORTY YEARS ON’ (2010) 36 Rutgers Computer & Tech LJ 161
[18] Susan W Brenner, ‘Toward a criminal law for cyberspace: A new model of law enforcement’ (2004) 30 Rutgers Computer & Tech LJ 1
[19] Ibid at page 104
[20] Susan W Brenner, ‘Cybercrime Metrics: Old Wine, New Bottles?’ (2004) 9 Va JL & Tech 13
[21] Susan W Brenner, ‘Is There Such a Thing as “Virtual Crime”?’ (2001)
[22] Brenner, ‘Toward a criminal law for cyberspace: A new model of law enforcement’
[23] Miltiadis Kandias and others, An insider threat prediction model (Springer 2010)
[24] Sandeep Mittal, ‘Understanding the Human Dimension of Cyber Security’ (2015) 34 Indian Journal of Criminology and Criminalistics 141
[25] Majid Yar, ‘The Novelty of ‘Cybercrime’ An Assessment in Light of Routine Activity Theory’ (2005) 2 European Journal of Criminology 407
[26] Ibid
[27] Lawrence E Cohen and Marcus Felson, ‘Social change and crime rate trends: A routine activity approach’ (1979) American sociological review 588
[28] Nir Kshetri, ‘The simple economics of cybercrimes’ (2006) 4 IEEE Security & Privacy 33
[29] Yar, ‘The Novelty of ‘Cybercrime’ An Assessment in Light of Routine Activity Theory’
[30] Majid Yar, Cybercrime and society (Sage 2013)
[31] Yar, ‘The Novelty of ‘Cybercrime’ An Assessment in Light of Routine Activity Theory’ at page 424
[32] Ibid
[33] Mittal, ‘A Strategic Road-map for Prevention of Drug Trafficking through Internet’
[34] Statistics Source: Crime in India Statistics, NCRB, Ministry of Home Affairs, Government of India, New Delhi.
[35] Karuppannan Jaishankar, ‘Establishing a theory of cyber crimes’ (2007) 1 International Journal of Cyber Criminology 7
[36] Susan W Brenner, ‘Toward a criminal law for cyberspace: Product liability and other issues’ (2004) 5 Pitt J Tech L & Pol’y i
[37] Bill McCarthy, ‘New economics of sociological criminology’ (2002) 28 Annual Review of Sociology 417
[38] JR Probasco and William L Davis, ‘A human capital perspective on criminal careers’ (1995) 11 Journal of Applied Business Research 58
[39] Kshetri, ‘The simple economics of cybercrimes’
[40] Neal Kumar Katyal, ‘Criminal law in cyberspace’ (2001) 149 University of Pennsylvania Law Review 1003
[41] Ibid
[42] https://www.washingtonpost.com/blogs/comic-riffs/post/nobody-knows-youre-a-dog-as-iconic-internet-cartoon-turns-20-creator-peter-steiner-knows-the-joke-rings-as-relevant-as-ever/2013/07/31/73372600-f98d-11e2-8e84-c56731a202fb_blog.html?utm_term=.8cc4b79354f7
[43] Alexandre López Borrull and Charles Oppenheim, ‘Legal aspects of the Web’ (2004) 38 Annual review of information science and technology 483
[44] Though every computer or smart device has a machine address which can be easily spoofed, we are talking here specifically about geographical location. Remote access, incognito logins, encrypted platforms for communication, anonymous remailers and the availability of ‘cached’ copies of frequently accessed internet resources further complicate matters and make it impossible to attribute actions in cyberspace.
[45] Dan L Burk, ‘Jurisdiction in a World without Borders’ (1997) 1 Va JL & Tech 1
[46] Lessig, ‘The law of the horse: What cyberlaw might teach’
[47] In real space nature is represented by architecture.
[48] That includes the software that makes the internet behave as it does.
[49] Graham Greenleaf, ‘An endnote on regulating cyberspace: architecture vs law?’ (1998)
[50] Lessig, ‘The law of the horse: What cyberlaw might teach’
[51] Greenleaf, ‘An endnote on regulating cyberspace: architecture vs law?’
[52] Council of Europe, Convention on Cybercrime, 23 November 2001, available at: http://www.refworld.org/docid/47fdfb202.html [accessed 26 February 2017]
[53] Ibid. Articles 23-35
[54] Ibid. Preamble
