The Right To Privacy

Published Date: 02 Nov 2017

Although the right to privacy is not explicitly protected, the Supreme Court has interpreted it to fall within the ambit of right to " protection of life and personal liberty" as provided under Article 21 of the Constitution of India. [1] Also, in People’s Union for Civil Liberties (PUCL) v Union of India, the Supreme Court held a person's invasion of privacy as ultra vires Article 21 of the Constitution of India and that the right to privacy is implicit in the right to life and personal liberty.

Statutory Safeguards:

In India, there is no specific legislation, which expressly deals with privacy and data protection. However, there are other statutes pertaining to information technology, intellectual property, crimes and contractual relations that provide for some safeguards in this field. The relevant laws that deal with data protection in India are:

The Information Technology Act, 2000 (hereinafter referred to as the "IT Act") is an act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternative to paper-based methods of communication and storage of information to facilitate electronic filing of documents with the Government agencies.

The Information Technology Act (hereinafter referred to as the IT Act) provides for protection against certain breaches with respect to data from computer systems to prevent unauthorized use of computers, computer systems and data stored therein.

The IT Act defines data as "a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored in the memory of the computer".

The IT Act does not expressly define "personal data". However, there are certain provisions which can be implied to be dealing with personal data protection within the IT Act. They are:

Section 43:

According to this Section,

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network, —

(a) accesses or secures access to such computer, computer system or computer network;

(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;

(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

This section imposes civil liability in case of theft of data, computer database and unauthorized digital copying and access to computer data and databases. The section also takes unauthorized transmission of data into account.

Penalty for Damage to Computer, Computer Systems, etc. under the IT Act

Section 43 of the IT Act, imposes a penalty of INR 10 million inter alia, for downloading data without consent. The same penalty would be imposed upon a person who, inter alia, introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network.

43 A:

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected.

According to this section, any body corporate possessing, dealing or handling any sensitive personal data or information in a computer resource, shall be held liable, by way of damages, where such body corporate is negligent in implementing and maintaining reasonable security practices and procedures which result in wrongful loss or wrongful gain to any person.

The term ‘reasonable security practices’ accordingly imply the steps which are desired to protect tampering of confidential data. The level of security can be specified in an agreement between the party holding the data and the owner of the data.

Although the amendment act does not specify the meaning of ‘sensitive personal data’ and states that it means some personal information definition may be included by the union government after consulting the professional and business associations.

Content - Personal information that ‘by content’ can be considered sensitive should be included in the purview of ‘sensitive personal information’. Example – Biometric data, Digital copies of personal photographs, Digital copies of ID Cards (license, passport, etc.)

Purpose - Personal Information that is used for authorization and authentication of any individual in any transaction / process. Example – User registration information, Internet banking user id and password, etc.

Impact - Personally identifiable information that could cause adverse impact in the form of embarrassment and / or harm to an individual. Example – Sexual Preferences, Health Information, etc.

The purpose of section 43 (a) is not bounded to unauthorized access gained remotely through a network. It applies also to unauthorized access made physically

Consequently, some issues have surfaced. First, 43 A of ITAA, 2008 is mostly about punishment. Although it stipulates norms for access, processing, and use of the sensitive personal data, the clarification goes a step further to change the very spirit of privacy rules. Given the differences, the legal status of the clarification and the original can be questioned at anytime.

As there is no legal clarity, the interpretation of the rules, the meanings of terms like "reasonable security," and so on are left to an industry body, Data Security Council of India (DSCI) which is a self-regulating body.

Even with a perfect clarification, India still lacks data breach notification laws or privacy provisions that adhere to any international framework. The DSCI has been very active publishing best-practices and frameworks for security, data protection, and privacy, but even with those, it would be difficult for the Indian BPO sector to adhere to multiple regulations of multiple countries whose companies they service. US clients alone would demand compliance with a slew of regulations like Sarbanes-Oxley, HIPAA (Healthcare Insurance Portability and Accountability Act), GLBA (Gramm Leach Bliley Act), the UK Data Protection Act, FDCPA (Fair Debt Collection Practices Act) and the US-EU Safe Harbor Agreement.

Hence this section ignores the need to check the liability caused due to loss of computer data, database theft, unauthorised digital copying, downloading, and extracting and transmitting the data, using the cookies etc.

The purpose of section 43 (a) is not bounded to unauthorized access gained remotely through a network. It applies also to unauthorized access made physically. Let’s look an example. A banker while talking about loan proposal with their prospective client. The Client leaves that place to receive an Emergency call on his cell. In the meantime, the client starts up the application programmes in the manager’s systems, say, and saw a different details of others clients. Then after, he becomes it is against the law he get charge of an offence of securing unauthorized access under this sub-section.

A different appealing point is that section 43(a) penalizes a person for "hacking", as it is known in general parlance, i.e., gaining unauthorized access into somebody else’s systems. Although, "hacking" as described under section 66 of the Information Technology Act, has a much wider implication.

The ITAA, 2008 inserted Section 43A10, a vital beginning to the string of data protection laws in the country. Section 43A provided for the payment of compensation, by a person in possession, etc. of sensitive personal data, who is negligent in maintaining and implementing reasonable security practices and procedures and thus resulted in any wrongful loss or wrongful gain. The Central Government was empowered to prescribe, by promulgation of Rules, the definition and content of "sensitive personal data or information". It is in the background of Section 43A that the Rules of 2011 were promulgated, seeking to define the content of sensitive personal data or information and "reasonable security practices and procedures" apart from enlisting collection, disclosure and protective measures.

65:

SECTION 65: TAMPERING WITH THE COMPUTER SOURCE DOCUMENTS:

"This Section states that:

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer program, computer system or computer network, when the computer source code is 32 required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both."[3]

The above section deals with the protection of Computer Source Code. Computer Source code includes listing of programs, design and layout of the program, commands and analysis of computer resources.

SECTION 66: HACKING THE COMPUTER SYSTEM

"This Section states that:

(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both."[4]

This section species the law relating to hacking and is quoted as data protection provision in India. If there is important data stored on the computer which has a value/utility and is to be treated as confidential and such data is been accessed by the unauthorised party then the section is applied. For example if a sensitive email is there on a computer and an unauthorised person accesses the document then the confidentiality of the email is lost then in such case the party liable for the loss comes under this provision.

According to this section, if the confidential data stored on a computer possesses a value or utility, such data ought to be protected. If the confidentiality of the data is lost thereby diminishing its value, the person causing it shall be held liable.

S 72:

Penalty for Breach of Confidentiality and Privacy

Section 72 of the IT Act provides for penalty for breach of confidentiality and privacy. The Section provides that any person who, in pursuance of any of the powers conferred under the IT Act Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, discloses such material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to INR 100,000, or with both.

This provision deals with the information collected by a person who secures the information in pursuance of powers that he or she exercises under the Act. This section imposes a criminal liability on the disclosure of such information to third parties without the consent of the owner of the information. This provision is, however, extremely narrow in its application, being relevant only to offences by authorities such as Adjudicating Officers, the members of the CRAT or Certifying Authorities under the Act.

Section 72A, on the other hand, has a wider scope as it extends to disclosure of personal information to third parties while providing services under a lawful contract and therefore not limiting itself to information disclosed by virtue of "powers granted under the IT Act". According to this section, any person providing services under lawful contract can be held liable if the concerned person accessing personal information discloses such information without the consent of the owner of the information or in breach of a lawful contract.

The Section further widens its scope as it uses the term ‘intermediary’, which include telecom service providers, ISPs, web-hosting service providers, online payment sites, search engines, online shopping portals etc., who can also be held liable when acting on behalf of the principal data holder.

s 79

Section 79 of the Indian Cyberlaw makes network service providers liable for all third party data or information made available by them in all cases barring two. This Section is primarily in the form of a clarificatory provision, as it uses the words "for the removal of doubts, it is hereby declared…" Considering the fact that Indian Cyberlaw is indeed a special law, it is clear from the cumulative reading of the law that this provision, relating to the liability of network service providers for third party data or information, is indeed a special provision and would prevail over anything inconsistent in any other law in force in India. It is not that the law does not provide any exit mechanism for network service providers from the ambit of liability for third party data or information. In fact, the Indian Cyberlaw gives a fair chance to network service providers to come out of the liability rim if they are able to prove that they had no knowledge of any contravention of the provisions of law. Alternatively, the law provides that if a network service provider proves that despite due diligence, he could not prevent the commission of any offence or contravention under the law, he is free from any kinds of liability for third party data or information made available by him. It is extremely difficult to prove non-knowledge in a court of law or in the event of a dispute. Normally, proof of non-knowledge is a very hard option to exercise. As a result, the only way forward for any network service provider, including a BPO unit, to disclaim any liability for third party data or information made available by him, is to prove that he had exercised all due diligence. Due diligence, as a concept, has not been defined in the Indian Cyberlaw. However, it goes without saying that complying with the Indian Cyberlaw would indeed come within the ambit of due diligence. BPO operations in India are already complying with various relevant laws in different target foreign jurisdictions. However, there is urgent need for added compliances under the Indian Cyberlaw. The Indian Cyberlaw has normally been perceived to be applicable for the cyber medium and companies concerning internet. However, the generic definitions and drafting of its various provisions leave no doubt that the provisions of the IT Act, 2000 are fully applicable to any entity which uses computers, computer systems or computer networks for the purposes of dealing with third party electronic information or data, whether for processing, transmitting or any other purpose. With the passage of time, foreign clients shall increasingly insist upon Indian BPO units to provide proof of the fact that they had exercised adequate due diligence within the meaning of the Indian Information Technology Act, 2000, to prevent their liability for third party data or information made available by them. This is all the more so, as under some US laws, CEOs and CFOs in that country have to certify various information security and accounting practices adopted by them when they outsource data. It is, therefore, in the best interests of the BPO sector to have documentary evidence to show that they have indeed exercised all due diligence within the meaning of the Information Technology Act, 2000.