Legal Landscape of IoT and Mobile Devices: Navigating Regulations and Compliance
This content delves into the legal landscape surrounding IoT and mobile devices, exploring regulations, compliance requirements, and key legal provisions in India. It covers topics such as the Internet of Things, real-time applications in smart homes and cities, data protection laws like the DPDP Act, and the importance of privacy rights. The discussion also touches upon landmark cases and reports that have shaped the current legal framework for IoT technologies.
Presentation Transcript
"Legal Landscape of IoT and Mobile Devices: Navigating Regulations and Compliance"
Satyendra Gupta, Cyber Law Expert, I4C, MHA
Ministry of Home Affairs, Government of India: IoT Threat Landscape
Agenda
- What is IoT?
- Introduction to IoT and Legal Frameworks
- Key Legal Provisions in India
- IT Act, 2000
- DPDP Act
- BNS, 2023
What is IoT? The term IoT, or Internet of Things, refers to the collective network of connected devices and the technology that facilitates communication between devices and the cloud, as well as between the devices themselves. The Internet of Things integrates everyday things with the internet.
IoT Real Time Applications: Smart Homes: IoT enables automation of lighting, heating, security systems, and appliances, creating energy-efficient and convenient living environments.
IoT Real Time Applications Smart Cities: IoT solutions manage traffic, monitor air quality, and enhance public safety through connected infrastructure.
BACKGROUND
1. Justice K. S. Puttaswamy (Retd) vs Union of India in 2017 (Aadhaar Card): Right to privacy is a fundamental right under Article 21 of the Constitution.
2. Srikrishna Committee (report on privacy; gave recommendations regarding the Personal Data Protection Bill)
3. Personal Data Protection Bill (2018, 2019, 2021)
4. Digital Personal Data Protection Bill, 2022
5. Digital Personal Data Protection Act, 2023
6. The DPDP Act was assented to by the President on 11 Aug, 2023
Key Legal Provisions in India
Comparative overview of Indian laws addressing IoT-related issues:
Law/Policy | Focus Area | IoT Relevance
Information Technology Act, 2000 | Electronic transactions, security | Unauthorised Access
Digital Personal Data Protection Act, 2023 | Data privacy, localization | Data handling by IoT devices
National Cybersecurity Policy, 2013 | Network security | Broad guidelines; limited IoT focus
Smart Cities Mission | Urban development | Encourages IoT integration
THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023
DATA PRINCIPAL, Section 2(j): The individual to whom the personal data relates. In case where the individual is a child or person with disability, parents or lawful guardian. Eg. Client X
DATA FIDUCIARY, Section 2(i): Any person (state) who alone or in conjunction with other persons determines the purpose and means of processing of personal data. Eg. CA Y
DATA PROCESSOR, Section 2(k): Any person who processes personal data on behalf of a Data Fiduciary. Eg: Compu TAX, Genius
DATA, Section 2(h): A representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
Personal Data, Section 2(t): Any data about an INDIVIDUAL who is identifiable by or in relation to such data.
[Diagram: DATA (Section 2(h)) divides into Personal Data (belonging to individuals, Section 2(t)) and Non-personal Data (other than individual). Personal Data for personal/domestic purpose, or publicly available or under any law: Not Applicable. Other than these: Applicable.]
Digital Personal Data, Section 2(n): Personal Data in digital form, or in non-digital form and which is subsequently digitized (e.g. scanned documents).
PERSONAL DATA
Any data about an INDIVIDUAL who is identifiable by or in relation to such data.
A few examples of Personal Data are: Email Address, Home Address, Phone number, Date of Birth, Photo, Vehicle Registration No., Bank Credit Card No., Aadhaar No., Passport No., Account No., Mobile Device ID, IP Address, Cookie ID, Password, Location ID.
GROUNDS OF PROCESSING, Section 4
Personal Data can only be processed for lawful purposes:
- Consent from Data Principals
- For certain legitimate uses (deemed consent)
CONSENT
Consideration for consent, and what each implies:
- Clear, Affirmative and Unambiguous: Individual gives consent by clear and affirmative action. Silence, pre-ticked boxes, or inactivity does not amount to consent.
- Informed: Individual must be aware of, at least: (1) Controller's identity (2) Purpose of processing (3) Possibility to withdraw consent.
- Specific: Consent cannot be hidden in the privacy policy or the T&C. Covers all processing activities for the same purpose. If there are more purposes, consent must be given for each purpose. Prohibition of bundled consent.
- Freely Given: Consent must be a genuine and free choice and individuals must be able to refuse or withdraw it at any time without detriment. Consent is not valid when there is a clear imbalance between the individual and the controller. Presumptions that consent is not freely given when: the individual is not allowed to give separate consent to different processing activities; the provision of service depends on consent while it is not necessary for the performance
WITHDRAWAL OF CONSENT
1. Data Principal has the right to withdraw their consent at any time.
2. Ease of such withdrawal shall be similar to the ease with which such consent was given.
3. Upon withdrawal, the Data Processor needs to cease processing of data within reasonable time.
Non-compliance by the processor will be considered non-compliance by the data fiduciary, as the Act does not place a direct obligation on the Data Processor.
PROCESSING DATA FOR CERTAIN LEGITIMATE USES, Section 7
1. Voluntarily provided personal data by data principal
2. For the purpose of employment or those related to safeguarding the employer from loss or liability
3. For matters concerning public interest. Eg. Medical emergency, judicial use.
4. By the state and any of its instrumentalities for any function under any law for the time being in force in India
PROCESSING OF DATA OF CHILDREN & PERSON WITH DISABILITY, Section 9
- No processing that is likely to cause detrimental effect on well-being of child.
- Obtain verifiable parental consent for child & person with disability.
- Exempted from processing restrictions: (a) for purpose to be prescribed (b) where processing is verifiably safe. Government may specify age.
- No tracking or behavioral monitoring of children or targeted advertising directed at children.
RIGHTS OF DATA PRINCIPAL, Section 11-14
1. Right to access information regarding processing of personal data
2. Right to correction, completion, updating and erasure of her personal data for the processing.
3. Right of Grievance Redressal
4. Right to Nominate, in the event of death/incapacity of Data Principal
OBLIGATION OF DATA FIDUCIARY
1. Implement technical and organizational measures to ensure effective adherence with the Act.
2. Report personal data breaches to Data Protection Board and Data Principals
3. Abstain from processing personal data that may cause harm to children or undertake behavioral monitoring of children or targeted advertising directed at children.
4. Provide a clear, concise and comprehensible notice to Data Principals
5. Protect personal data in its possession or with and on behalf of data processor also. Delete and cause its data processor to erase data as soon as the purpose is accomplished
6. Engage with a Data Processor to process personal data on its behalf through a valid contract only.
7. Obtain verifiable parental consent before processing children's personal data
DUTIES OF DATA PRINCIPAL, Section 15
1. Comply with provisions of all applicable laws.
2. To ensure not to impersonate another person while providing her personal data.
3. To ensure not to suppress any material information while providing her personal data for any proof of address issued by the state or any of its instrumentalities.
4. To ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary.
5. To furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of this Act.
In case of any non-compliance with duties by the Data Principal: fine may extend to INR 10,000.
PERSONAL DATA BREACH
Any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
- Even accidental disclosure that leads to a personal data breach is covered.
- Huge responsibility on implementing systems to prevent accidental disclosure.
- No exceptions where a person is a victim of cyber attack or hack.
RETENTION OF PERSONAL DATA
Data Fiduciary must erase, and cause its Data Processor to erase, the personal data:
- upon receipt of a withdrawal request, or
- as soon as it is reasonable to assume that the specified purpose is no longer being served,
whichever is earlier, unless retention is necessary for compliance with any law in force.
DATA PROTECTION BOARD
Set up to enforce the law and award penalties by central government.
PENALTIES
Board determines monetary penalties, dependent on:
- Nature, gravity, duration of the breach & repetitive nature.
- Sensitivity and type of data.
- Gain or loss incurred.
Penalty amounts: May extend to INR 50 Cr.; may extend to INR 200 Cr.; may extend to INR 150 Cr.; may extend to INR 250 Cr.
Contraventions:
- Failure of data fiduciary to take reasonable security safeguards to prevent personal data breach
- Breach of any other provision of this Act or rules made thereunder
- Failure to notify Data Protection Board of India and affected data principal in case of personal data breach
- Non-fulfilment of additional obligation in relation to personal data of children
- Non-fulfilment of additional obligation by significant data fiduciaries
The Information Technology Act, 2000
- Section 43 deals with penalties for unauthorized access and damage to computer systems, allowing affected individuals or entities to seek compensation for their losses.
- Section 65: Tampering with computer source documents is punishable with imprisonment for up to three years, a fine of up to two lakh rupees, or both.
- Section 66 deals with unauthorized access (hacking), identity theft, and misuse of electronic records, prescribing penalties of up to three years imprisonment, a fine, or both.
- Section 66C targets identity theft, prescribing penalties of up to three years imprisonment, a fine, or both.
- Section 66D addresses cheating by personation using computer resources, imposing penalties of up to three years imprisonment, a fine, or both.
Contd.
- Section 66E deals with the punishment for violation of privacy through digital means, including penalties of up to three years imprisonment, a fine, or both.
- Section 66B addresses the punishment for dishonestly receiving stolen computer resources or communication devices. Offenders may face imprisonment for up to three years, a fine, or both.
- Section 66F targets cyber terrorism with stringent penalties, including imprisonment for life.
- Section 67A addresses the punishment for publishing or transmitting obscene material in electronic form, imposing penalties of up to five years imprisonment and a fine.
- Section 67B addresses the punishment for publishing or transmitting material depicting children in sexually explicit acts, imposing penalties of up to seven years imprisonment and a fine.
BHARATIYA NYAYA SANHITA 2023
Section 303: Theft
Section 303(2): "Theft is punishable by up to three years imprisonment or a fine. Subsequent convictions carry at least one year imprisonment and a fine."
Section 111: Organized crime is any ongoing illegal activity to gain direct or indirect material benefits, including financial gain.
i) "Organised crime syndicate" refers to a group of two or more individuals engaged in ongoing illegal activities, either individually or collectively, as a syndicate or gang.
ii) "Continuing unlawful activity" is any legally prohibited act that is a cognizable offence punishable by at least three years of imprisonment, committed by an individual or as part of an organised crime syndicate. It requires multiple charge-sheets filed within the last ten years, with a court taking cognizance of these offences, and includes economic offences.
iii) "Economic offence" includes criminal breach of trust, forgery, counterfeiting currency, hawala transactions, mass-marketing fraud, or schemes to defraud banks, financial institutions, or other organizations for monetary gain.
Contd.
Section 318(4): Cheating and Dishonestly Inducing Delivery of Property: "Cheating to induce delivery or alteration of property or valuable security is punishable by up to seven years' imprisonment and a fine."
Section 319: Cheating by personation. Section 319(2): shall be punished with imprisonment of either description for a term which may extend to five years, or with fine, or with both.
Section 336: Forgery: Forgery is a serious offence with different consequences, including imprisonment for up to seven years and fines, depending on the intention behind it.
Section 344: Falsification of Accounts: If a clerk, officer, or employee intentionally alters or falsifies any work-related records, they may face up to seven years in prison or a fine, or both.
Section 351: Criminal Intimidation
Section 316: Criminal Breach of Trust
Section 336(3): Forgery for Purpose of Cheating: Forgery with the intent to cheat can lead to imprisonment for up to seven years and a fine.