SHARING OF PETITIONERS INTERNET ACTIVITY WITH THIRD PARTY IS ILLEGAL AND
VIOLATION OF RIGHT TO PRIVACY
Sharing of Manu Sharmas Internet activity by WindTel with a third party, especially one like Wind Entertainment is illegal and it has violated his right of privacy. The respondent in there capacity of being an intermediary has failed to preserve and retain the data of its subscriber and were negligent in implementing and maintaining reasonable security practices and procedures. They are also liable for the disclosure of the personal information of the petitioner without his consent and responsible for unauthorized interception of petitioners data. VIOLATION OF RIGHT TO PRIVACY The right to privacy has not been expressly guaranteed in the Constitution of India, nevertheless the Supreme Court has recognized this right by construing right to privacy as part of the right to protection of life and personal liberty. 1
In the absence of a general law governing privacy, the law of privacy in India has been developed through precedents. The right to privacy was reintroduced in the Indian legal system by this Court in Gobind v. State of Madhya Pradesh 2 . The constitutional holding that frequent domiciliary visit by police without a reasonable cause infringed upon the petitioners right to privacy firmly established the right for citizens of the country. 3 There are various other incidents where this Court has recognized the right to privacy as the right to be let alone
1 Article 21 of the Constitution of India 2 (1975) 2 SCC 148, see also Ms X v. Mr Z, AIR 2002 Delhi 217; Sharda v. Dharampal, (2003) 4 SCC 493 3 See, e.g., Khushwant Singh v. Maneka Gandhi, A.I.R. 2002 Del. 58 (India) (Per Devinder Gupta & Sanjay Kishan Kaul, JJ.); Elkapalli Latchaiah v. Govt. of Andhra Pradesh, 2001 (5) A.L.D. 679 (India) (Per S. B. Sinha, C.J. & V. V. S. Rao, J.); Tamil Nadu Tamil & English Schools Association v. State of Tamil Nadu, 2000 (2) C.T.C. 344 (Per A. S. Venkatachalamoorthy, J. et al.). and that a citizen has a right to safeguard his privacy. 4 It has also been held that the right to privacy is not an absolute right and restriction can be imposed on it for the prevention of crime, disorder or protection of health or morals or protection of rights and freedom of others. 5
In the historic judgment of Peoples Union for Civil Liberties v. Union of India 6 , where section 5 of the Indian Telegraph Act, 1885 was challenged which authorizes the Central and the State Government to resort to phone tapping. This Court held that telephone tapping is a serious invasion of an individuals right to privacy and it should not be resorted to by the State unless there is a public emergency or interest of public safety requires. And this Court laid down procedural safeguard for the exercise of power of phone tapping. Privacy in the technology driven world is a difficult proposition. Technology has become a kind of double-edged weapon, on one hand it equips the person to safeguard his privacy and on the other it helps in blowing the privacy cover, one may have. 7 A person accessing the internet often does so within the privacy of his own home and expects a reasonable level of privacy. 8 The communications when not with a human party are for the satisfaction of his or her own desires and curiosities. A person may divulge more information to a computer than to another person. Hence internet communications are inherently intimate and concern the core of the privacy of the person. 9
The right to privacy is a fundamental right. The petitioner has a right to use the internet freely and has the right to maintain his privacy relating to his internet history. The respondent not
4 R. Rajagopal v. State of T.N. (1994) SCC 632 5 Mr. X v. Hospital Z AIR 1995 SC 495 6 AIR 1997 SC 568 7 Information Technology- Law and Practice, Vakul Sharma, Third Edition, Universal Law Publishing Co. New Delhi, 2011. 8 Cyber Cafe in Gandhinagar, India, http://www.worldembassyinformation.com/india-cyber-cafe/cyber-cafe-in- gandhinagar.html (last visited July 5, 2010) 9 The Law of Online Privacy in India By Apar Gupta, (2011) PL April S-3 only shared the internet activity of the petitioner with a third party but also disclosed and threatened to disclose the information of the petitioner. The actions of the respondent are in complete violation of the right to privacy and he must be held liable for the same. CONTRAVENTION OF INFORMATION TECHNOLOGY ACT, 2000 The respondent actions of sharing internet activity of the petitioner was in complete contravention of various IT Act provision and rules, which has attracted several criminal as well as civil liabilities. DUTY TO PRESERVE AND RETAIN INFORMATION AND TO IMPLEMENT AND MAINTAIN REASONABLE SECURITY PRACTICES AND PROCEDURES WindTel being an ISP provider is an intermediary under 2 (1) (w) the IT Act. The IT Act has made intermediaries responsible for preservation and retention of information. 10 The term information includes data, message, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche. 11 Any activity on the part of intermediaries to preserve and retain any information may also require fulfillment of norms related to information (data) security and privacy, i.e., the onus is on the intermediaries to have reasonable security practices and procedures. Moreover intermediaries are body corporate as defined under section 43A Explanation (i) 12 . 13
Also section 43A of the Act has made it abundantly clear that where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining
10 Section 67C 11 Section 2(1)(v) 12 "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities 13 Information Technology- Law and Practice, Vakul Sharma, Third Edition, Universal Law Publishing Co. New Delhi, 2011. Page- 223-224 reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to an person, such a body corporate shall be liable to pay damages by way of compensation to the person so affected. In Amit D. Patwardhan v. Rud India Chains 14 , the Adjudicating Officer, found that the respondent had, by unlawfully obtaining the complainants bank account statements which constitute sensitive personal data, violated the complainants privacy. In the connected matter the adjudicating officer held that the Respondent, i.e. Bank of Baroda has failed to protect the confidential, private and sensitive data of customers, and is clearly in breach of various sections of IT Act such as 43A and several other rules and ordered the bank to pay compensation. 15
In other words, intermediaries shall have twin responsibilities, i.e. to preserve and retain any information, as well as to implement and maintain reasonable security practices and procedures. Non-compliance of these provisions may attract criminal as well as civil liabilities under section 67C and 43A respectively. 16
DISCLOSURE OF INFORMATION Section 72A of the Act provides punishment for disclosure of information in breach of lawful contract. This section creates liabilities for service providers, including an intermediary. It is in fact a kind of data protection measure, wherein a service provider who has secured access to any material containing personal information about a person, discloses such information
14 Complaint No. 1 of 2013 dated 16th January, 2013, before the adjudicating officer Sh. Rajesh Aggarwal, Secretary, (Information Technology), Government of Maharashtra. Decided on 15.4.2013 15 Amit D. Patwardhan v. Bank of Baroda, Complaint No. 15 of 2013 dated 28th June 2013, before the adjudicating officer Sh. Rajesh Aggarwal, Secretary, (Information Technology), Government of Maharashtra. Decided on 30.12.2013 16 Information Technology- Law and Practice, Vakul Sharma, Third Edition, Universal Law Publishing Co. New Delhi, 2011. Page-224 without the consent of the person concerned or in breach of lawful contract, with the intent to cause or knowingly that he is likely to cause wrongful loss or wrongful gain to such a person. Breach of confidentiality and privacy is aimed at public and private authorities, which have been granted power under the Act 17 . In District Registrar and Collector v. Canara Bank 18 , this Court said that the disclosure of the contents of the private documents of its customers or copies of such private documents, by the bank would amount to a breach of confidentiality and would, therefore, be violative of privacy rights of its customers. In Nirmalkumar Bagherwal v. Minal Bagherwal 19 , the order found that the complainants right to privacy was violated by both the respondents i.e. his wife and bank but, while determining the quantum of compensation, distinguished between the respondents in respect of the degree of liability; the respondent wife was ordered to pay a token compensation amount while the respondent bank was ordered to pay higher compensation to each of the three complainants individually. The rules made under this Act also protect the privacy of the individual. Rule 6 20 of reasonable security practices and procedures and sensitive personal data or information, requires the body corporate to obtain prior consent of the provider of the information before disclosing it to a third party. It further states that the body corporate or any other person on its behalf shall not publish the sensitive personal data or information. 21
UNAUTHORIZED INTERCEPTION
17 Dr. Shiv Shankar Singh, Privacy and Data Protection in India, (2012) PL February S-2 18 (2005) 1 SCC 496 19 Common Judgment in Complaint Numbers 08, 09, 10 dated 07th May 2013, before the adjudicating officer Sh. Rajesh Aggarwal, Secretary, (Information Technology), Government of Maharashtra. Decided on 26.08.2013 20 Rule 6. of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. 21 Id. Rule 6(3). The Procedure and Safeguards for Interception, Monitoring and Decryption of Information Rules, 2009, states that the directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under sub- section (2) of section 69 of the IT Act shall not be issued except by an order made by the concerned competent authority. 22 The interception power can only be exercised when orders are made by the competent authority and any other interception would be an unauthorized interception. The intermediaries are also required to put in place adequate and effective internal checks to ensure the unauthorised interception of messages does not take place and extreme secrecy is maintained and utmost care and precaution is taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that this matter is handled only by the designated officers of the intermediary and no other person of the intermediary shall have access to such intercepted or monitored or decrypted information. 23
Under these rules, the responsibility has been imposed on the intermediaries that they will be held liable in case of violation pertaining to maintenance of secrecy and confidentiality of information or any unauthorised interception or monitoring or decryption of information. 24
This rule prohibits the interception or monitoring or decryption of information without authorization of competent authority 25 and the disclosure of intercepted or monitored decrypted information by the intermediaries 26 . Any violation or contravention of these rules is made punishable accordingly under the relevant provisions of the laws for the time being in force.
22 Rule 3, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 23 Id. Rule 20. 24 Id. Rule 21. 25 Id. Rule 24. 26 Id. Rule 25.