Increasing Data Breaches and Their Legal Implications in India
- Express Law

- Jun 1, 2021
Updated: Jul 19, 2021
Since the K.S. Puttaswamy judgment of 2017, in which the courts finally accepted the right to privacy as a fundamental right entrenched in Article 21 of the Constitution, there have been many discussions on data protection and digital privacy. One topic that we hear about often in the news, yet remain largely unaware of, is the breach of one's personal data.
Recently, two major data breaches dominated the news. In the first, Dominos India suffered a breach in which the personal data of more than 18 crore people was stolen and has recently been put up for sale on the dark web. The second was the breach of the Air India servers, in which important data such as the financial details and passport details of 45 lakh customers was stolen by hackers.
In the UK, since the coming of the General Data Protection Regulation (GDPR), companies or organisations that hold and process personal data are liable for the protection of that data. If the data they process is stolen, they are liable to pay hefty penalties. In India, however, the situation is different because of the lack of legislation in this regard. A bill has been proposed in Parliament but is still under discussion. Therefore, as of now, there is no specific legislation governing such breaches; however, some rules under the Information Technology Act, 2000 (IT Act) and the Indian Penal Code are relevant.
Information Technology Act 2000
Under the IT Act, the companies or organisations holding the data are not held liable for a breach of the data. Section 43 provides for a penalty for damage to a computer. It states that any person who “downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium” and “steal, conceal, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage” shall be liable to pay the person affected by such an offence. Nowhere under this section is the person holding the data made liable.
Further, under section 79 of the IT Act, the companies holding the data are referred to as intermediaries and are exempted from liability in certain scenarios, such as where the function of the intermediary is to host or store information provided by third parties, or where the intermediary observes due diligence in discharging its duties. In essence, if they prove that their function was to store the data and that they exercised due diligence before the data breach, they will not be held liable.
However, section 43A of the IT Act provides that a body corporate that possesses or deals with sensitive personal data can be held liable for the wrongful loss or gain that may result only if it is negligent in handling the data or in maintaining security procedures and practices. Although this puts some liability on companies, the security procedures and practices provided for are very lenient for the current times, in which so much technological development has taken place. This allows companies to avoid the liabilities of a data breach.
Punishment for the offences described above is as provided under sections 65 and 66. For a breach of data, a punishment of imprisonment of 3 years and a maximum fine of 2 lakhs can be imposed.
Indian Penal Code
The IPC does not treat violation of the right to privacy as a criminal offence. However, a breach of privacy can be inferred using the provisions of the Act.
Section 120B of the IPC provides for punishment for criminal conspiracy. If two or more people agreed to and committed the act of stealing data from the servers of different companies, they can be held liable under this section.
Section 403 of the IPC makes dishonest misappropriation of movable property a crime. Similarly, it can be argued under this section that a person's personal data is their movable property.
Conclusion
Taking the above laws into consideration, we see that a negligible amount of liability is imposed on the organisations that have access to their customers' data. Moreover, we as consumers give our personal data, such as our name, address, number and financial information, to big organisations without knowing the implications it may have for us.
Furthermore, technology changes on a daily basis, and the rules under Indian law are not apt for regulating big organisations in the privacy sector. With the increasing number of data breaches and the increased use of internet services due to the Covid-19 pandemic, it is important for Parliament to legislate quickly and pass the Personal Data Protection Bill, 2019, under which the government can protect citizens by governing the data processing done by companies and organisations.
References
1. Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors, 2017 10 SCC 1
2. Information and Technology Act, 2000
3. Indian Penal Code, 1860
About Author
Nishant Goyal
A final year law student at OP Jindal Global University.


