The Vulnerability of Data: A Look at Data Breaches and the Statutory Framework in India

This article has been written by Himanshu Batar of IMS Unison University, Dehradun and has been curated by Yashasvi Kanodia from NMIMS’ Kirit P. Mehta School of Law, Mumbai.

Smartphones, tablets and computers have become the sine qua non of existence in the 21st century and are needed for everything, from ordering groceries to hailing a cab. As much as they have helped us, they have also made us more vulnerable to crime. We are no longer vulnerable only in the real or physical world; we are vulnerable in the digital world too, where we blindly trust software, people or organizations with even our most private information.

Data protection refers to the set of privacy laws, policies and procedures that aim to minimise intrusion into one’s privacy caused by the collection, storage and dissemination of private data. Personal data generally refers to information or data relating to an individual who can be identified from that information or data, whether it is collected by a Government, a private organization or an agency.

The world has suffered various data breaches over the years. Closer home, the cybersecurity firm Cyble Inc found on May 23, 2020 that the information of various Indian job seekers had been leaked on the dark web free of cost. This leak involved sensitive personal data like home addresses, qualifications, work experience and more. The firm also said that the Aadhaar card details of Indians were found to have been leaked while the source of the leak was being investigated. This data leak is claimed to have originated from a knowledge aggregator or resume aggregator, which compiles data collected from various sources. Another report states that the Bhim wallet app website was compromised, along with sensitive personal data like Aadhaar card numbers, PAN numbers, residence proof, bank records etc. The National Payments Corporation of India (NPCI) has, however, denied this report completely.

The Constitution of India does not patently grant a Fundamental Right to Privacy. However, the Courts had included it within the scope and purview of other fundamental rights, i.e., Freedom of Speech and Expression under Art. 19(1)(a) and Right to Life and Personal Liberty under Art. 21 of the Constitution of India. These Fundamental Rights are subject to reasonable restrictions given under Art. 19(2) of the Constitution, which may be imposed by the State. Recently, in the landmark case of Justice K S Puttaswamy (Retd.) & Anr. vs. Union of India and Ors., the constitution bench of the Hon’ble Supreme Court held the Right to Privacy to be a fundamental right, subject to certain reasonable restrictions. Certain provisions exist to ensure that this right is not violated. The current legislation regarding data breaches in India is the Information Security Act, 2000.

Under Section 43A of the (Indian) Information Technology Act, 2000, a body corporate that possesses, deals with or handles any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices, thereby causing wrongful loss or wrongful gain to a person, may be held liable to pay damages to the person so affected. It is important to note that there is no upper limit specified for the compensation which may be claimed by the affected party in such circumstances. The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These provisions deal only with the protection of “Sensitive personal data or information of a person”, which covers personal information consisting of data relating to: Passwords; Financial information like bank account details or mastercard or open-end credit or other payment instrument details; Physical, physiological and mental health conditions; Sexual orientation; Medical records and history; or Biometric information.

Section 43 deals with compensation in data threat cases; Section 66 deals with the punishments in these cases; and Section 69 deals with some of the exceptions. As per Section 69 of the Information Technology Act, 2000, the Government of India can be exempt from the general rule of Section 43A if the Government is satisfied that it is necessary and in the interest of:

  • the sovereignty or integrity of India,
  • defence of India,
  • security of the State,
  • friendly relations with foreign States,
  • public order,
  • preventing incitement to the commission of any cognizable offence relating to the above, or
  • investigation of any offence.

A Division Bench of the Allahabad High Court, while dealing with the statutory framework regarding data breaches in a proceeding for quashing of an FIR in Amit Kumar Jaduan v State of UP and others, examined Sections 43, 47 and 66 of the Act. The important observations made by the court in that case are summarised hereunder:

  • The owner or person in charge of the computer, computer system or computer network against whom the act of default has been committed should not have consented to the act of default.
  • There must be some damage or loss to the person so affected arising out of the act of the defendant.
  • The difference between Sections 43 and 66 is that the prerequisite of the latter is the existence of mens rea, while under Section 43 of the Act the question is whether or not the act was committed with the consent of the owner or person in charge of the computer, computer network or computer system.
  • Simultaneous actions can be maintained under Sections 43 and 66 because there is no provision which bars the same.
  • While the jurisdiction of civil courts is barred for offences related to Section 43 and there is a special court in the form of an adjudicating authority under the Act to try offences under Chapter IX of the Act, there is no special court created for offences prescribed under Chapter XI, which consists of Sections 65 to 74 related to offences. Regular criminal courts will have jurisdiction, with their power to adjudicate depending upon the quantum of punishment prescribed in the Code of Criminal Procedure.

The point to note is that the problem in availing of these remedies in law is that in most cases of data breaches, the main culprit, i.e. the hacker, is not known or is a professional hacker operating remotely out of international territories. Thus, instituting proceedings in these cases may not result in any actual gain to the victim of the crime. In many such cases, however, there will be an entity which failed to protect user data, and the company that failed to do so becomes the party in question. This is why the reporting of these data breaches is of vital importance. There is no provision in the Act that mandates reporting data breaches. This drawback has been sought to be fixed in the Personal Data Protection Bill of 2019, but that is yet to be finalised and brought into law. It is, therefore, desirable that India finalises and enacts the data protection law at the earliest to patch these lacunae in the current statutory framework.
