This article is written by Shubhang Gupta, pursuing a Diploma in Cyber Law, Fintech Regulations and Technology Contracts from Lawsikho.com. Here he discusses “How to take legal actions against websites like Facebook, Twitter, Google etc. for breach of your privacy”.

Table of Contents

Toggle

Introduction

These days “Privacy” of our data has become a topic for discussion all over the globe. Have you ever wondered which “Privacy” has been discussed here? Is it your bedroom or home privacy? No, it’s your digital privacy which relates to your data available over the internet. With the advent of social media in our life, which provides easy accessibility to all our personal information like- name, location, contact number etc. are always prone to unauthorized access by a third party. We will look in detail about the whole concept of privacy and other related topics. With this discussion, it is also important for us to understand the term “Intermediary”. The term “Intermediary” has been defined under section 2(w) of the Information Technology Act, 2000.

What is privacy?

As such the term “Privacy” hasn’t directly mentioned under the Indian law. However, the Supreme Court backed the “Right to Privacy” in the case of Justice K.S. Puttaswamy v. Union of India, where the Hon’ble Supreme court holds that the right to privacy is protected as a fundamental constitutional right under Articles 14, 19 and 21 of the Constitution of India.

The whole concept of privacy under Indian law has two aspects which are a.) Personal Information and b.) Sensitive Personal Information. As per the provisions of the Information Technology (Reasonable Security and Procedures and Sensitive Personal Data) Rules, 2011 it defines both term which are as, “Personal Information” which means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person whereas, Sensitive personal data or information— Sensitive personal data or information of a person means such personal information which consists of information relating to—

• password;
• financial information such as Bank account or credit card or debit card or other payment instrument details;
• physical, physiological and mental health condition;
• sexual orientation;
• medical records and history;
• biometric information;
• any detail relating to the above clauses as provided to body corporate for providing service; and
• any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

To cope up with the modern aspect of privacy of a person, the proposed Personal Data Protection  Bill, 2019 increases the scope of the definition of personal data. it defines the personal data as, “personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.

Which provisions under the Indian law relate to the privacy?

In India, following provisions of the Indian law relates to the privacy of a person, which is as follows:

Information Technology Act, 2000

The Act was passed way back in 2000 till date only a few amendments were made in the act related to the protection of privacy of the citizens. Section 43A of the act, which deals with compensation for failure to protect data, had provided a limited scope of protection of privacy of the citizen’s data. The act has no other provision for the protection of privacy.

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011  

These rules were made by the Government of India by exercising the powers conferred upon it by clause (ob) of subsection (2) of section 87 read with section 43A of the Information Technology, 2000. In this regulation provisions such as clause (i) of subsection 1 of section 2 and section 3 talks about the privacy of a person. This is the only regulation which sets out the definition of privacy under the Indian law. As this is only a piece of law which deals with the citizen’s privacy, but it’s not exhaustive in nature. The regulation has failed to punish the offenders, committing the breach of privacy, where privacy has increased its ambit.

How privacy can be breached on platforms such as Facebook, Google etc.?

Breaching your privacy means Intrusion into a person’s private space, own affairs, or wish for solitude. In the current scenario, where a great number of people all over the globe, have a parallel virtual identity with their own physical identity, makes the discussion on privacy more necessary. Hacking is the most common way of breaching the privacy of a person. For an example- a Facebook active user’s profile can be a source for many private data, which may range from a person’s political opinions, location etc to his contact number, private picture or videos etc.  If, in any case, a third party has access over such data or a hacker hacks someone’s ID and further uses it, then it becomes a matter of concern to protect such information from the third party.

Recently In 2018, the attackers exploited a feature in Facebook’s code to gain access to 50 Million user accounts and potentially take control of them. This kind of incident has increased the concern of many countries regarding their citizen’s data.  

What are the remedies available against these websites?

In India, if a person’s privacy is breached by another party on the websites like: Facebook, Google etc. then, possibly the aggrieved person has 2 options, a.) take legal actions available under the Indian law b.) Report to the concerned intermediary.

Legal actions are available under Indian law

Under the Indian law, an aggrieved person has the right to bring an action against the third party.

1. As per the Section 72A of the Information Technology Act, 2000 it deals with punishment for disclosure of information in breach of lawful contract. This section provides that:

“any person including an intermediary who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.”

This section is applicable only in the situation where any person or an intermediary himself has access to the data of their clients without the consent of the concerned person.

2. As per section 3(2)(a) of the Information Technology (Intermediary Guidelines) Rules, 2011, it states that:

“(2) Such rules and regulations, terms and conditions or user agreement shall inform the users of computer resource not to host, display, upload, modify, publish, transmit, update or share any information that — (a) belongs to another person and to which the user does not have any right to.”

By incorporating this provision of law, the act puts a duty on an intermediary to inform the users of computer resource not to share any information which belongs to another person and to which the user of computer resource doesn’t have any right to such information. If in any case, an intermediary has failed to inform users of computer resource about such restriction, then the onus of liability may be shifted on such an intermediary. An aggrieved person may also make an intermediary as a party to the legal action for breaching his privacy.

3. An aggrieved person may also bring legal action against an intermediary under section 405 of the Indian Penal Code, 1860 which deals with the Criminal breach of trust. It states that:

“Whoever, being in any manner entrusted with property, or with any dominion over property, dishonestly misappropriates or converts to his use that property, or dishonestly uses or disposes of that property in violation of any direction of law prescribing the mode in which such trust is to be discharged, or of any legal contract, express or implied, which he has made touching the discharge of such trust, or willfully suffers any other person so to do, commits “criminal breach of trust”.

An intermediary is always bounded by the trust of their user to protect their privacy. Whenever a user shares his personal information or sensitive information with an intermediary, impliedly, it puts a responsibility upon such intermediary to protect their data from unauthorized access. Clearly, a user and an intermediary shares a fiduciary relationship between them, any willful violation committed by an intermediary may lead to criminal breach of trust. Hence, an aggrieved person can bring an action against such intermediary.  

Report to the concerned intermediary

With the huge increase in the number of cases related to breaching of privacy, the websites like Facebook, Google etc. now, provide their own mechanism to report such incidents to the intermediary directly.  

• Google

Google has its own mechanism to report a vulnerability in its product and service. By opening Google select about, and then select application security. After a window opens then select reporting security issues, Then select “I have a privacy doubt or a privacy-related question about Google products and services” from the list.

• Facebook

Facebook also offers a mechanism to report a privacy violation. Select the help centre from Facebook’s home page. Then select a contact from the available options. A new window will open then select report a privacy violation. Here you can report about the kind of violation like, image, video and other etc.

Under which regulation, the intermediaries are obliged to safeguard your privacy

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 enumerates the provisions related to the privacy of data that should be maintained by an intermediary under the act. The act also set out the definition of some important terms like personal information and sensitive personal information under Indian law. This regulation puts responsibility on body corporate to provide a policy for privacy and disclosure of information. This regulation also provides a mechanism for the collection of information from the users. It puts the burden upon an intermediary to implement reasonable practices and procedures to protect the privacy of the users. It also contains the mechanism for disclosing of information to any third party.

Conclusion

It is apparent that with the development of new complex technologies and resources for committing an offence over the internet, the Information Technology Act, 2000 has proved its incapacity to prosecute and put the criminals behind the bar. The act didn’t contain any provision which is directly or expressly related to the privacy of a user but also failed to provide rigorous punishment to the criminals.

References

• Section 2 (1) (i) of the Information Technology (Reasonable Security and Procedures and Sensitive Personal Data) Rules, 2011.
• Section 3 of the Information Technology (Reasonable Security and Procedures and Sensitive Personal Data) Rules, 2011.
• Section 3(28) of the personal data protection bill, 2019.
• Section 72A of the Information Technology Act, 2000.
• section 3(2)(a) of the Information Technology (Intermediary Guidelines) Rules, 2011.
• Section 405 of the Indian Penal Code, 1860.

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.