Legal Service India - Breach of privacy and Confidentiality under information Technology Act, 2000
law  in India

Breach of privacy and Confidentiality under information Technology Act, 2000

Written by: Nimitha Salim, Semester VIII (4th Year), NUALS, Cochin, Kerala
click here for LIVE help-desk
Chat with us  (2 PM - 9 PM IST)
Legal Advice | Find a lawyer | Constitutional law | Judgments | forms | PIL | family law | Cyber Law | Law Forum | Income-Tax | Consumer laws | Company laws
Search On:laws in IndiaLawyers Search

Copyright Online in India
Right from your Desktop - Ph no: 9891244487

Home \ Cyber Law

Articles | Articles 2014 | Articles 2013 | Articles 2012 | Articles 2011 | Articles 2010 | Articles 2009 | Articles 2008 | Articles 2007 | Articles 2006 | 2000-05

Privacy as a concept involves what privacy entails and how it is to be valued. Privacy as a right involves the extent to which privacy is (and should be legally protected). “The law does not determine what privacy is, but only what situations of privacy will be afforded legal protection.” It is interesting to note that the common law does not know a general right of privacy and the Indian Parliament has so far been reluctant to enact one.

The meaning of the word “confidentiality” and “privacy” are somewhat synonymous. Confidentiality involves a sense of ‘expressed’ or ‘implied’ basis of an independent equitable principle of confidence. Privacy is the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others. Right to privacy is more of an implied obligation. It is the ‘right to let alone.’1

In the legal parlance the issue of confidentiality comes up where an obligation of confidence arises between a ‘data collector’ and a ‘data subject.’ This may flow from a variety of circumstances or in relation to different types of information, which could be employment, medical or financial information. An obligation of confidence gives the data subject the right not to have his information used for other purposes or disclosed without his permission unless there are other overriding reasons in the public interest for this to happen.

That is, where an information for a purpose other than that for which it was provided.

Hence “right’ is an interest recognized and protected by moral or legal rules. It is an interest, the violation of which would be a legal wrong. Respect for such interest would be a legal duty. It is the basic principle of jurisprudence that every right has a correlative duty and every duty has a correlative right. But the rule is not absolute. It is subject to certain exceptions in the sense that a person may have a right but there may not be a correlative duty. Nevertheless, it would be prudent if the issues related to privacy (and confidentiality) are viewed as ‘rights along with duties’.

The Information Technology Act, 2000

The Indian Parliament enacted an Act called the Information Technology Act, 2000. It received the assent of the President on the 9th June, 2000 and is effective from 17th October, 2000. This Act is based on the Resolution A/RES/51/162 adopted by the General Assembly of the United Nations on 30th January, 1997 regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL) in its twenty-ninth session.

The aforesaid resolution of the U.N. General Assembly recommends that all States give favourable consideration to the Model Law on Electronic Commerce when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information.

It was a foresight on the part of the Government of India to initiate the entire process of enacting India’s first ever information technology legislation in the year 1997 itself.

There were three reasons:
(a) to facilitate the development of a secure regulatory environment for electronic commerce by providing a legal infrastructure governing electronic contracting, security and integrity of electronic transactions;

(b) to enable the use of digital signatures in authentication of electronic records; and

(c) to showcase India’s growing IT prowess and the role of Government in safeguarding and promoting IT sector and attracting FDI in the said sector.

It is important to understand that while enacting the Information Technology Act, 2000, the legislative intent has been not to ignore the national or municipal (local) perspectives of information technology and also to ensure that it should have an international perspective as advocated by the UNCITRAL Model Law on Electronic Commerce.

Enumeration of the main principles of the Information Technology Act, 2000

It is significant to note that by enactment of the Information Technology Act, 2000, the Indian Parliament provided a new legal idiom to data protection and privacy.

The main principles on data protection and privacy enumerated under the Information Technology Act, 2000 are:
(i) defining ‘data’, ‘computer database’, ‘information’, ‘electronic form’, ‘originator’, ‘addressee’ etc.
(ii) creating civil liability if any person accesses or secures access to computer, computer system or computer network
(iii) creating criminal liability if any person accesses or secures access to computer, computer system or computer network
(iv) declaring any computer, computer system or computer network as a protected system
(v) imposing penalty for breach of confidentiality and privacy
(vi) setting up of hierarchy of regulatory authorities, namely adjudicating officers, the Cyber Regulations Appellate Tribunal etc.

Section 72. Penalty for breach of confidentiality and privacy

Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

The aforesaid section has a limited application only. It confines itself to the acts and omissions of those persons, who have been conferred powers under this Act, Rules or Regulation made there under.

Section 72 of the Act relates to any person who, in pursuance of any of the powers conferred by the Act or its allied rules and regulations has secured access to any:
i) Electronic record, ii)
book,
iii) Register,
iv) Correspondence,
v) Information,
vi) Document, or
vii) Other material.

If such person discloses such electronic record, book, register, correspondence, information, document or other material to any other person, he will be punished with imprisonment for a term, which may extend to two years, or with fine, which may extend to two years, or with fine, which may extend to one lakh rupees, or with both.

This section applies only to person who has gained access to the abovementioned information in pursuance to a power granted under Information Technology Act, its allied rules e.g. a police officer, the Controller etc. it would not apply to disclosure of personal information of a person by a website, by his email service provider etc.

Persons conferred with power under the Act
The Act has conferred powers to :
The Controller of Certifying Authorities (Ss. 17-18)
The Deputy and Assistant Controllers of Certifying Authorities (Ss. 17 and 27)
Licensed Certifying Authorities (S. 31) and Auditors (Rule 312)
The Adjudicating Officer (S 46)
The Presiding Officer of the Cyber Appellate Tribunal (Ss. 48-49)
The Registrar of the cyber Appellate tribunal (S. 56 and rule 263)
Network Service provider (S. 79)

Police Officer (Deputy Superintendent of Police) (S. 80)

The idea behind the Section 72 is that the person who has secured access to any such information shall not take unfair advantage of it by disclosing it to the third party without obtaining the consent of the disclosing party. An obligation of confidence arises between the ‘data collectors’ and a ‘data subject’.
Instances of cyber contraventions.

The Act provides a complete Chapter (Chapter IX) on cyber contraventions, i.e., section 43 (a) – (h) which cover a wide range of cyber contraventions related to unauthorised access to computer, computer system, computer network or resources.

Section 43 of the Act covers instances such as:

(a) computer trespass, violation of privacy etc.
(b) unauthorised digital copying, downloading and extraction of data, computer database or information;. theft of data held or stored in any media,
(c) unauthorised transmission of data or programme residing within a computer, computer system or computer network (cookies, spyware, GUID or digital profiling are not legally permissible),
(d) data loss, data corruption etc.,
(e) computer data/database disruption, spamming etc.,
(f) denial of service attacks, data theft, fraud, forgery etc.,
(g) unauthorised access to computer data/computer databases and
(h) instances of data theft (passwords, login IDs) etc.

The Information Technology Act, 2000 provides for civil liability in case of data, computer database theft, privacy violation etc.
The Act also provides a complete Chapter (Chapter XI) on cyber offences, i.e., sections 65-74 which cover a wide range of cyber offences, including offences related to unauthorised alteration, deletion, addition, modification, alteration, destruction, duplication or transmission of data, and computer database.

For example, section 65 [Tampering with computer source documents] of the Act is not limited to protecting computer source code only, but it also safeguards data and computer databases; and similarly section 66 [Hacking with Computer System] covers cyber offences related to (a) Illegal access, (b) Illegal interception, (c) Data interference, (d) System interference, (e) Misuse of devices, etc.

The Information Technology Act, 2000 provides for criminal liability in case of data, computer database theft, privacy violation etc.

Proposed amendments to the Information Technology Act, 2000 vis-à-vis data protection and privacy

The Expert Panel constituted by the Department of Information Technology, Ministry of Information Technology, Government of India in its recommendations4 proposed following amendments in the Act to strengthen data protection and privacy:

Section 43, Explanation

(v) “Reasonable security practices and procedures” means, in the absence of a contract between the parties or any special law for this purpose, such security practices and procedures as appropriate to the nature of the information to protect that information from unauthorized access, damage, use, modification, disclosure or impairment, as may be prescribed by the Central Government in consultation with the self-regulatory bodies of the industry, if any.

Section 43, Explanation (vi) “Sensitive personal data or information” means such personal information, which is prescribed as “sensitive” by the Central Government in consultation with the self-regulatory bodies of the industry, if any.

It is obligatory to note that not only the aforementioned proposed amendments would pave the way of self-regulation in terms of defining what constitute: “reasonable security practices and procedures” and “sensitive personal data or information” but also grant statutory protection to sensitive personal data.
Further, the proposed amendments have enlarged the scope of section 66 by making it consistent with the provisions of the Indian Penal Code, 1860, and also providing extent of criminal liabilities in case of data, computer database theft, privacy violation etc. Moreover, newly proposed sub-section (2) of section 72 makes the intermediaries (network service providers) liable for data and privacy violations. Now, such intermediaries to pay damages by way of compensation to the subscriber so affected.

The Information Technology Act, 2000 and Privacy Protection: A Critique

The Information Technology Act, 2000 is not data or privacy protection legislation per se. It does not lay down any specific data protection or privacy principles. The Information Technology Act, 2000 is a generic legislation, which articulates on range of themes, like digital signatures, public key infrastructure, e-governance, cyber contraventions, cyber offences and confidentiality and privacy. It suffers from a one Act syndrome.

In fact the Information Technology Act, 2000 deals with the issue of data protection and privacy in a piecemeal fashion. There is no an actual legal framework in the form of Data Protection Authority, data quality and proportionality, data transparency etc. which properly addresses and covers data protection issues. Even if the new proposed amendments to the Information Technology Act, 2000 were adopted, India would still lack a real legal framework for data protection and privacy.

1 Warren and Brandeis, ‘The Right to Privacy’ (1890) Harvard Law Review, IV (5)
2 The Information Technology (Certifying Authorities )Rules, 2000.
3 The Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000
4 Expert Panel submitted its report in August, 2005

The author can be reached at: nimitha@legalserviceindia.com / Print This Article

Lawyers

Lawyers Search

• Find a lawyer
• Know your legal options
• Information about your legal issues

File Mutual Consent Divorce

Right Away
Call us at Ph no: 9650499965
Copyright Registration Online Right from your Desktop...
*Call us at Ph no: 9891244487

Legal Advice

Get legal advice from Highly qualified lawyers within 48hrs.
with complete solution.

    Your Name                Your E-mail
          

Legal Service India

lawyers in Delhi
lawyers in Chandigarh
lawyers in Allahabad
lawyers in Lucknow
lawyers in Jodhpur
lawyers in Jaipur
lawyers in New Delhi
lawyers in Nashik
Contract laws
Protect your website
Army law
lawyers in Mumbai
lawyers in Pune
lawyers in Nagpur
lawyers in Ahmedabad
lawyers in Surat
Faridabad lawyers
Noida lawyers
lawyers in Dimapur
Trademark Registration in India
Woman issues
Famous Trials
lawyers in Kolkata
lawyers in Janjgir
lawyers in Rajkot
lawyers in Indore
Gurgaon lawyers
Ghaziabad lawyers
lawyers in Guwahati
Protect your website
Law Colleges
Legal Profession
Transfer of Petition
Lawyers in India - Search by City legal Service India
lawyers in Chennai
lawyers in Bangalore
lawyers in Hyderabad
lawyers in Cochin
lawyers in Agra
lawyers in Siliguri
Lawyers in Auckland
Cause Lists
Immigration Law
Medico Legal
lawyers in Dhaka
lawyers in Dubai
lawyers in London
lawyers in New York
lawyers in Toronto
lawyers in Sydney
lawyers in Los Angeles
Wills
Cheque bounce laws
Lok Adalat, legal Aid and PIL

About Us | Privacy | Terms of use | Juvenile Laws | Divorce by mutual consent | Lawyers | Submit article | Lawyers Registration | Sitemap | Contact Us

legal Service India.com is Copyrighted under the Registrar of Copyright Act ( Govt of India) © 2000-2015
ISBN No: 978-81-928510-0-6