Breach of Privacy and Confidentiality under the Information Technology Act, 2000
Privacy as a concept involves what privacy entails and how it is to be valued. Privacy as a right involves the extent to which privacy is (and should be) legally protected. “The law does not determine what privacy is, but only what situations of privacy will be afforded legal protection.” It is interesting to note that the common law does not know a general right of privacy and the Indian Parliament has so far been reluctant to enact one.
The meanings of the words “confidentiality” and “privacy” are somewhat synonymous. Confidentiality involves a sense of ‘expressed’ or ‘implied’ basis of an independent equitable principle of confidence. Privacy is the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others. Right to privacy is more of an implied obligation. It is the ‘right to be let alone.’¹
In legal parlance, the issue of confidentiality comes up where an obligation of confidence arises between a ‘data collector’ and a ‘data subject.’ This may flow from a variety of circumstances or in relation to different types of information, which could be employment, medical or financial information. An obligation of confidence gives the data subject the right not to have his information used for other purposes or disclosed without his permission unless there are other overriding reasons in the public interest for this to happen. That is, where information is used for a purpose other than that for which it was provided.
Hence a ‘right’ is an interest recognized and protected by moral or legal rules. It is an interest, the violation of which would be a legal wrong. Respect for such interest would be a legal duty. It is the basic principle of jurisprudence that every right has a correlative duty and every duty has a correlative right. But the rule is not absolute. It is subject to certain exceptions in the sense that a person may have a right but there may not be a correlative duty. Nevertheless, it would be prudent if the issues related to privacy (and confidentiality) are viewed as ‘rights along with duties’.
The Information Technology Act, 2000
The Indian Parliament enacted an Act called the Information Technology Act, 2000. It received the assent of the President on the 9th June, 2000 and is effective from 17th October, 2000. This Act is based on the Resolution A/RES/51/162 adopted by the General Assembly of the United Nations on 30th January, 1997 regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL) in its twenty-ninth session.
The aforesaid resolution of the U.N. General Assembly recommends that all States give favourable consideration to the Model Law on Electronic Commerce when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information.
It showed foresight on the part of the Government of India to initiate the entire process of enacting India’s first ever information technology legislation in the year 1997 itself.
There were three reasons:
(a) to facilitate the development of a secure regulatory environment for electronic commerce by providing a legal infrastructure governing electronic contracting, security and integrity of electronic transactions;
(b) to enable the use of digital signatures in authentication of electronic records; and
(c) to showcase India’s growing IT prowess and the role of Government in safeguarding and promoting IT sector and attracting FDI in the said sector.
It is important to understand that while enacting the Information Technology Act, 2000, the legislative intent has been not to ignore the national or municipal (local) perspectives of information technology and also to ensure that it should have an international perspective as advocated by the UNCITRAL Model Law on Electronic Commerce.
Enumeration of the main principles of the Information Technology Act, 2000
It is significant to note that by enactment of the Information Technology Act, 2000, the Indian Parliament provided a new legal idiom to data protection and privacy. The main principles on data protection and privacy enumerated under the Information Technology Act, 2000 are:
(i) defining ‘data’, ‘computer database’, ‘information’, ‘electronic form’, ‘originator’, ‘addressee’ etc.
(ii) creating civil liability if any person accesses or secures access to computer, computer system or computer network
(iii) creating criminal liability if any person accesses or secures access to computer, computer system or computer network
(iv) declaring any computer, computer system or computer network as a protected system
(v) imposing penalty for breach of confidentiality and privacy
(vi) setting up of hierarchy of regulatory authorities, namely adjudicating officers, the Cyber Regulations Appellate Tribunal etc.
Section 72. Penalty for breach of confidentiality and privacy
Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
The aforesaid section has a limited application only. It confines itself to the acts and omissions of those persons who have been conferred powers under this Act, or the rules or regulations made thereunder.
Section 72 of the Act relates to any person who, in pursuance of any of the powers conferred by the Act or its allied rules and regulations, has secured access to any: (i) electronic record, (ii) book, (iii) register, (iv) correspondence, (v) information, (vi) document, or (vii) other material.
If such person discloses such electronic record, book, register, correspondence, information, document or other material to any other person, he will be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
This section applies only to a person who has gained access to the abovementioned information in pursuance of a power granted under the Information Technology Act or its allied rules, e.g. a police officer, the Controller etc. It would not apply to disclosure of personal information of a person by a website, by his email service provider etc.
Persons conferred with power under the Act
The Act has conferred powers on:
The Controller of Certifying Authorities (Ss. 17-18)
The Deputy and Assistant Controllers of Certifying Authorities (Ss. 17 and 27)
Licensed Certifying Authorities (S. 31) and Auditors (Rule 31²)
The Adjudicating Officer (S. 46)
The Presiding Officer of the Cyber Appellate Tribunal (Ss. 48-49)
The Registrar of the Cyber Appellate Tribunal (S. 56 and Rule 26³)
Network Service Provider (S. 79)
Police Officer (Deputy Superintendent of Police) (S. 80)
The idea behind Section 72 is that the person who has secured access to any such information shall not take unfair advantage of it by disclosing it to a third party without obtaining the consent of the disclosing party. An obligation of confidence arises between the ‘data collector’ and the ‘data subject’.
Instances of cyber contraventions
The Act provides a complete Chapter (Chapter IX) on cyber contraventions, i.e., section 43 (a) – (h) which cover a wide range of cyber contraventions related to unauthorised access to computer, computer system, computer network or resources.
Section 43 of the Act covers instances such as: (a) computer trespass, violation of privacy etc.; (b) unauthorised digital copying, downloading and extraction of data, computer database or information; theft of data held or stored in any media; (c) unauthorised transmission of data or programme residing within a computer, computer system or computer network (cookies, spyware, GUID or digital profiling are not legally permissible); (d) data loss, data corruption etc.; (e) computer data/database disruption, spamming etc.; (f) denial of service attacks, data theft, fraud, forgery etc.; (g) unauthorised access to computer data/computer databases; and (h) instances of data theft (passwords, login IDs) etc.
The Information Technology Act, 2000 provides for civil liability in case of data, computer database theft, privacy violation etc.
The Act also provides a complete Chapter (Chapter XI) on cyber offences, i.e., sections 65-74, which cover a wide range of cyber offences, including offences related to unauthorised alteration, deletion, addition, modification, destruction, duplication or transmission of data and computer databases.
For example, section 65 [Tampering with computer source documents] of the Act is not limited to protecting computer source code only, but it also safeguards data and computer databases; and similarly section 66 [Hacking with Computer System] covers cyber offences related to (a) Illegal access, (b) Illegal interception, (c) Data interference, (d) System interference, (e) Misuse of devices, etc.
The Information Technology Act, 2000 provides for criminal liability in case of data, computer database theft, privacy violation etc.
Proposed amendments to the Information Technology Act, 2000 vis-à-vis data protection and privacy
The Expert Panel constituted by the Department of Information Technology, Ministry of Information Technology, Government of India, in its recommendations⁴ proposed the following amendments to the Act to strengthen data protection and privacy:
Section 43, Explanation (v) “Reasonable security practices and procedures” means, in the absence of a contract between the parties or any special law for this purpose, such security practices and procedures as appropriate to the nature of the information to protect that information from unauthorized access, damage, use, modification, disclosure or impairment, as may be prescribed by the Central Government in consultation with the self-regulatory bodies of the industry, if any.
Section 43, Explanation (vi) “Sensitive personal data or information” means such personal information, which is prescribed as “sensitive” by the Central Government in consultation with the self-regulatory bodies of the industry, if any.
It must be noted that the aforementioned proposed amendments would not only pave the way for self-regulation in terms of defining what constitutes “reasonable security practices and procedures” and “sensitive personal data or information”, but also grant statutory protection to sensitive personal data.
Further, the proposed amendments have enlarged the scope of section 66 by making it consistent with the provisions of the Indian Penal Code, 1860, and also by providing for the extent of criminal liability in case of data or computer database theft, privacy violation etc. Moreover, the newly proposed sub-section (2) of section 72 makes the intermediaries (network service providers) liable for data and privacy violations. Such intermediaries would now have to pay damages by way of compensation to the subscriber so affected.
The Information Technology Act, 2000 and Privacy Protection: A Critique
The Information Technology Act, 2000 is not data or privacy protection legislation per se. It does not lay down any specific data protection or privacy principles. The Information Technology Act, 2000 is a generic piece of legislation, which addresses a range of themes, like digital signatures, public key infrastructure, e-governance, cyber contraventions, cyber offences, and confidentiality and privacy. It suffers from a ‘one Act’ syndrome.
In fact, the Information Technology Act, 2000 deals with the issue of data protection and privacy in a piecemeal fashion. There is no actual legal framework in the form of a Data Protection Authority, data quality and proportionality, data transparency etc. which properly addresses and covers data protection issues. Even if the newly proposed amendments to the Information Technology Act, 2000 were adopted, India would still lack a real legal framework for data protection and privacy.
1 Warren and Brandeis, ‘The Right to Privacy’ (1890) Harvard Law Review, IV (5)
2 The Information Technology (Certifying Authorities) Rules, 2000.
3 The Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000
4 Expert Panel submitted its report in August, 2005