May 8th, 2020, Kathmandu
Cyberattacks or threats have proved to be a pandemic in the technology sector. There have been reports of several incidents of a data breach, phishing, spamming, etc. since the COVID-19 pandemic. Obviously, these cyber crimes are not new but they have increased since people have started maintaining social distance and working remotely.
The constitution of 2015 contains an article declaring the right to privacy and protection of information as a fundamental right. But, do service providers and other companies that deal with data have proper privacy policies? Are they liable to provide any compensation to their customers or employees in case of a data breach?
We talked about data privacy and protection and the importance of proper policies with a Cybersecurity expert.
Mr. Babu Ram Aryal is a lawyer who has over 15 years of experience in Telecommunication (Including Internet and Cyber Law) and Media Technology, Intellectual Property, International Business, Foreign Investment, and other commercial laws.
Here’s a piece from an interview with Mr. Aryal regarding data privacy and protection in the context of Nepal.
Interview with Babu Ram Aryal, CEO at Delta Law Pvt. Ltd.
Q. Why are Cyber Law and Data Privacy important when it comes to digitizing several sectors?
A: Cybersecurity is important when it comes to both online and offline use of electronic devices. The difference is that data or information can be easily manipulated and archived online.
For instance, the two of us are talking on a phone and you record our call with the intention of editing it and misusing the information against my consent. This is where data protection and privacy come into action.
Talking about the current scenario, institutes are conducting courses online using video conferencing. Information like personal data and behavioral patterns is easily noticeable on the internet these days. As a result, this may lead to identity theft or data manipulation in many ways.
Similarly, people can store and share the documents or files in the cloud easily with lower space requirements. This can also put your property at risk. In the past, it was a hassle to make a soft-copy of the teacher’s notes. But now, it is being digitized and made available online. With the comprehensive use of such resources online, it puts the intellectual property at risk as well.
Data protection deals with the protection of individual or organizational data while data privacy deals with the sharing and access of data. Since these concepts also deal with stalking online, cyberlaw can protect individuals from unwanted online experiences.
Q. To maintain data privacy and prevent data breaches, do Nepalese companies invest in security?
A: Firstly, we have to understand that there are multiple layers of security. The companies have to guide their employees and customers through its policy-level security. And, in the context of Nepal, it is very rare.
When there is no proper policy or guidelines, then they are not liable for implementing the physical level of security like firewalls. And, they won’t be liable for providing remedies to the customers in case of a data breach.
Thus, without a proper policy, the infrastructure becomes weak and the protection layer becomes vulnerable.
A: As I mentioned earlier, companies should make strong policies regarding the different layers of security. Similarly, service providers who have a huge database of customer information must raise awareness. In fact, they should be aware of the preventive measures of data breach themselves.
Basically, there are policies concerned with the national level and institution level. If the companies can maintain an institutional level policy for data protection, the policy will guide the behavior of the employees as well.
Furthermore, law enforcement agencies should also be equally active. It is because no matter how careful you are at times, you can never be sure of potential cyber threats surrounding you. In such cases, law enforcement can protect our rights and privacy.
You May Also Like: What To Do If Your Data Was Breached? Have You Become a Victim?
Q. Are the current cyber laws and policies enough for data protection and data privacy?
A: We have cyber laws and policies that address unauthorized access and misuse of information. However, there is no sufficient policy and cyber law that address data protection guidelines and measures. Similarly, there are no proper guidelines regarding data control by the concerning service provider or organization.
Also, what to do if a customer’s data is leaked? Without proper policies, the data breached company won’t be liable for any compensation to the customers. As long as data protection policies that comply with the law are not implemented, there is always a risk of a data breach.
Therefore, we need policies that guide data access, data exchange, and data share. Moreover, to mitigate the risks of a data breach, policy-makers can coordinate and prepare a response team. With proper coordination and timely response, data breaches may reduce in the future.
Q. Any suggestion for the general public?
A: What I would like to suggest is to be careful of the data that you share and exchange online. People should try to monitor their online activities as well. They shouldn’t provide personal detail online if they are not sure about the security of the application or website.
People need to apply behavioral caution online and limit their online activities whenever possible. And, another important thing is to discuss their data privacy matters first-hand with the service providers before buying the service.