This article is written by Jagriti Sanghi, an advocate practising in the Courts of Telangana. This article details the penalties and liabilities in cases of data privacy breaches.

Introduction 

​​The Right to Privacy is a fundamental right protected under Article 21 of the Constitution that enables an individual to control the use and disclosure of their personal information. This right can be exercised by an individual to prevent the collection, use, and disclosure of their personal information.

There are numerous types of personal information that could be collected and used by an individual. This includes, but is not limited to, medical records, financial records, and habits and activities.

There is a danger that the existence of computerised data about an individual could be used to create inaccurate or misleading information about him or her. This could be exploited by unauthorised third parties.

The Supreme Court stated in the State of Maharashtra v. Bharat Shanti Lai Shah (2008) that though interception of conversation constitutes an invasion of privacy, it can still be curtailed by following legal procedures. In order for the court to make the appropriate ruling, the procedure itself must be fair, just, and reasonable, and should not be arbitrary, frivolous, or oppressive. A person’s right to privacy cannot be infringed by an unrestrained authority. [Directorate of Revenue v. Mohd. NisarHolia (2008)].

What is a data privacy breach

A data breach can be defined as an incident in which one’s information is accessed without their consent. Therefore, a data breach can be said as the release of sensitive, confidential, or protected data. A report indicates that India ranked third in the whole world in terms of a number of breaches of data till November 2021 with total data breaches of 86.63 million Indian users. It is of serious concern in light of the financial and security damage the data breach can cause. Criminals can use the leaked information for numerous illegal activities such as fake ID cards, fraud bank calls, and so on.  

Smartphones, laptops, tabs, etc. have become indispensable products in the 21st century. It is very easy for anyone to gather details after a consumer downloads an app. The details often submitted are age, qualification, gender, location, interests, and Aadhar number. This is quite often sold for hefty amounts. Therefore, it is very crucial that there are stringent laws and their implementation to prevent such data breaches and transmission without consent. 

A data breach can result in the leak of several types of information such as:

• Financial Data—such as credit card numbers, bank details, tax forms, invoices, financial statements
• Medical or Personal Health Information (PHI)—as defined in the US HIPAA standard, “information that is created by a health care provider [and] relates to the past, present, or future physical or mental health or condition of any individual”
• Personally Identifiable Information (PII)—information that can be used to identify, contact or locate a person
• Intellectual property—such as patents, trade secrets, blueprints, customer lists, contracts
• Vulnerable and sensitive information (usually of military or political nature)—such as meeting recordings or protocols, agreements, classified documents

Data privacy and protection 

A person’s personal information should not be readily available to other individuals and organisations automatically for purposes of privacy and data protection. Those data must be subject to a substantial degree of control by each individual. Information about individuals is protected by law to prevent misuse on any medium, including computers. To protect personal data, administrative, technical, or physical measures are taken. Data protection and privacy are closely related. Information like a person’s name, address, telephone number, profession, family, choices, etc. is usually accessible in a multitude of places like schools, colleges, banks, directories, surveys, and various websites. It can lead to privacy intrusions such as incessant marketing calls when such information is passed to interested parties. The Information Technology (Amendment) Act, 2008 enumerates the main principles on privacy and data protection, and it defines liability for civil and criminal offences resulting from violations of the law. 

Concept of data protection 

Data protection is covered in the Information Technology Act, which came into force in the year 2000, although not in every aspect. As a matter of fact, the Information Technology (Amendment) Act, 2008 enacted by the Indian Parliament contains provisions for the protection of personal data. In Section 2(1) of the Act, “Data” refers to a representation of information, knowledge, facts, concepts, or instructions that is prepared or has been prepared in a formalised manner, is intended to be processed by a computer system or computer network, and may be stored within the computer’s memory, or maybe on magnetic or optical storage media, punched cards, or punched cassettes. Further, the IT Act defines certain key terms with respect to data protection such as access to personal data. However, no definition is provided for personal data in this Act, and the concept of “data” is more relevant in the context of cybercrime than in the field of IT, “Computer, Computer network, Computer resource, Computer system, Computer database, Data, Electronic form, Electronic record, Information, Intermediary, Secure system, and Security procedure”. In essence, this Section is intended to protect the individual’s right not to unfairly take advantage of any information by disclosing it to a third party without their prior consent. The definition of ‘third party information’ includes ‘any information that intermediary deals with in his capacity as an intermediary’. A provision in Section 79 entails that an intermediary will not be liable to third parties for information, data, or communication links accessed or communicated by him without regard to subsection (2) or (3). As a result of data protection, a technical framework of security measures is employed to ensure that data is protected from unforeseen, unintended, unwanted, or malicious uses.

Penalties and liabilities in case of breach of data privacy

India does not have a separate and composite personal data protection law to safeguard materials of personal information and data transmitted, stored, and shared. The Personal Data Protection Bill, 2019 is still in the passage and has not been passed as a law. For now, the penalties and liabilities under the InformationTechnology Act are discussed as follows:

Section 43A of the IT Act

According to the Section 43A of the IT Act where a body corporate, possessing, dealing, or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in maintaining reasonable security measures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

The concept of ‘sensitive personal information under Section 43A provides for civil action in case of security breaches. Other than that, sensitive personal information is not protected by Indian law. According to Section 43A of the Act, the aggrieved person may be entitled to compensation if the company failed to keep his or her personal data protected while they were being processed by the company, whether as a result of negligently implementing or maintaining reasonable security measures.

Therefore, by granting a right of compensation to anyone other than the person who manages the computer facility, a person will have the right to prevent their personal information from being disclosed to third parties or damaged or changed by those third parties. In addition to being able to be used by data controllers, it may also be used by individuals with personal data against third parties. Compensation is justified only because they are ‘affected’ differently. Additionally, it states that accessing data unauthorised is a civil offence.

Section 43A of the IT Act would not apply to the employee/individual since he/she does not come within the ambit of a body corporate. Section 43A mainly deals with the failure of a body corporate to protect data. 

Section 72A of the IT Act

In Section 72A, it is given that any person, including an intermediary when providing services under the terms of a lawful contract, discloses information in breach of that contract except as otherwise provided in this Act or any other law for the time being in force breaches privacy. It is unlawful for anyone who has secured access to material containing personal information about another person to disclose, without their consent, or in violation of a lawful contract, any personal information relating to another person. The punishment is upto 3 years imprisonment or a fine of up to 5 lakhs rupees or both. 

Section 72A of the IT Act would apply to an individual/company. It will apply to an employee as well since all the ingredients are met. An employee has a lawful contract i.e. employment contract with the Employer. Employees get access to sensitive personal data or material containing personal information while providing services to the clients of the employer under the contract of employment. 

Section 45 of the IT Act

Section 45 of the IT Act is a residuary clause that states that whoever contravenes any rules made under the IT Act, for the breach of which no penalty has been separately provided, shall be liable to pay compensation or penalty of up to 25,000 rupees. Section 45 applies to an individual, company, employer, employee. 

Section 43 of the IT Act

Civil liability in case of a computer database theft occurs when a computer trespass is committed, unauthorised digital copying is made, data is downloaded or extracted, privacy is violated, etc., under the Information Technology (Amendment) Act 2008. Additionally, Section 43 states that a person shall be liable to pay damages in compensation for a wide range of cybercrimes, including:

1. unauthorised access to computer systems, computer networks, or resources; 
2. illegal digital copying, downloading, or extraction of data or information stored on a computer; and thefts of data held or stored on any media.; 
3. inserted a computer virus or contaminant into any computer system or computer network; 
4. transmitted undisclosed data or software from a computer, computer system, or computer network; 
5. disrupted computer data/ database, spamming, etc.; 
6. breaches of security, data thefts, frauds, forgeries, etc.;
7. unauthorised access to computer databases/data; 
8. instances of theft of passwords, login IDs, etc.; 
9. destroys, deletes, or alters any information in a computer resource, etc., and 
10. steals, conceals, destroys, or alters any computer source code used for a computer resource with the intention of causing it harm. 

The Explanation (ii) of Section 43 refers to a computer database as “an organised collection of information, knowledge, facts, concepts, or instructions in text, image, audio, or video prepared or prepared under formal circumstances, or ones produced by computers, computers, or computer networks intended to be used by computers, computers, or computer networks.” 

This provision applies to individuals, companies, employers, and employees. 

Breach of data privacy and confidentiality violation

Under the IT Act, terms such as violation of confidentiality and privacy are defined.

1. A violation of privacy is defined in Section 66-E as disregarding the privacy of a person by intentionally or knowingly taking, publishing, or broadcasting an image of his or her private areas without his/her consent. The punishment is up to 3 years of imprisonment or fine up to rupees two lakhs or both. 
2. According to Section 72, any person gaining access to any electronic record, book, register, correspondence, information, document, or other materials without the consent of the person concerned discloses such materials to any other person without the consent of the person concerned, is subject to the punishment up to 2 years of imprisonment, or fine up to 1 lakh rupees or both. 
3. In Section 72A, it is given that any person, including an intermediary when providing services under the terms of a lawful contract, discloses information in breach of that contract except as otherwise provided in this Act or any other law for the time being in force breaches privacy. It is unlawful for anyone who has secured access to material containing personal information about another person to disclose, without their consent, or in violation of a lawful contract, any personal information relating to another person. The punishment is up to 3 years imprisonment or a fine of up to 5 lakhs rupees or both. 

The IT Act punishes the breach of privacy. As it would be difficult to consider that Sections 66E, 72, and 72A would provide a sufficient level of protection, Section 66E requires consent from the concerned persons. However, Section 72A only requires consent within a limited scope. Essentially, this section applies only to those who are conferred with powers under the Act. 

A Supreme Court ruling in District Registrar and Collector v. Canara Bank (2005) held that a bank’s disclosure of content or copies of private documents of its customers would amount to a breach of confidentiality, thereby violating the privacy rights of those individuals.

Conclusion

Information contained in computer systems may be sensitive, and privacy is a basic human right. Under the Information Technology Act, Chapters IX, and XI describe liability for violations of data confidentiality and privacy arising out of unauthorised access to computers, computer systems, computer networks or resources, unauthorised additions, deletions, modifications, destructions, duplications or transmissions of data, computer databases, etc. Financial information, health information, business proposals, intellectual property, and sensitive information may be protected. The Constitution recognizes privacy rights, but their growth and development are entirely at the mercy of the judiciary. Using extremely repressive methods is no longer an option in today’s connected world where it is so difficult to prevent information from entering the public domain. The Information Technology (Amendment) Act, 2008 addresses data protection, but not exhaustively. Assimilation of the right to privacy and personal data requires specific standards to be established under the IT Act. In conclusion, it is enough to say that the IT Act poses problems in terms of protecting data and that a separate statute is much needed for data protection striking a reasonable balance between personal liberty and privacy.

References

1. ​​https://link.springer.com/article/10.1140/epjb/e2015-60754-4 
2. http://www.jstor.org/stable/45148583
3. http://www.ehcca.com/presentations/privacysymposium1/steinhoff_2b_h1.pdf 
4. http://elplaw.in/wp-
5. https://www.mondaq.com/india/data-protection/861424/personal-data-protection-bill-2018–offences-and-penalties 
6. https://www.google.com/url?q=https://www.mondaq.com/india/data-protection/929512/malicious-personal-data-breach-by-an-employee–consequences&sa=D&source=docs&ust=16419673189319

---

Students of Lawsikho courses regularly produce writing assignments, and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

https://t.me/lawyerscommunity

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.