SHARING OF PETITIONERS INTERNET ACTIVITY WITH THIRD PARTY IS ILLEGAL AND

VIOLATION OF RIGHT TO PRIVACY

Sharing of Manu Sharmas Internet activity by WindTel with a third party, especially one like
Wind Entertainment is illegal and it has violated his right of privacy. The respondent in there
capacity of being an intermediary has failed to preserve and retain the data of its subscriber
and were negligent in implementing and maintaining reasonable security practices and
procedures. They are also liable for the disclosure of the personal information of the
petitioner without his consent and responsible for unauthorized interception of petitioners
data.
VIOLATION OF RIGHT TO PRIVACY
The right to privacy has not been expressly guaranteed in the Constitution of India,
nevertheless the Supreme Court has recognized this right by construing right to privacy as
part of the right to protection of life and personal liberty.
1

In the absence of a general law governing privacy, the law of privacy in India has been
developed through precedents. The right to privacy was reintroduced in the Indian legal
system by this Court in Gobind v. State of Madhya Pradesh
2
. The constitutional holding that
frequent domiciliary visit by police without a reasonable cause infringed upon the petitioners
right to privacy firmly established the right for citizens of the country.
3
There are various
other incidents where this Court has recognized the right to privacy as the right to be let alone

1
Article 21 of the Constitution of India
2
(1975) 2 SCC 148, see also Ms X v. Mr Z, AIR 2002 Delhi 217; Sharda v. Dharampal, (2003) 4 SCC 493
3
See, e.g., Khushwant Singh v. Maneka Gandhi, A.I.R. 2002 Del. 58 (India) (Per Devinder Gupta & Sanjay
Kishan Kaul, JJ.); Elkapalli Latchaiah v. Govt. of Andhra Pradesh, 2001 (5) A.L.D. 679 (India) (Per S. B. Sinha,
C.J. & V. V. S. Rao, J.); Tamil Nadu Tamil & English Schools Association v. State of Tamil Nadu, 2000 (2)
C.T.C. 344 (Per A. S. Venkatachalamoorthy, J. et al.).
and that a citizen has a right to safeguard his privacy.
4
It has also been held that the right to
privacy is not an absolute right and restriction can be imposed on it for the prevention of
crime, disorder or protection of health or morals or protection of rights and freedom of
others.
5

In the historic judgment of Peoples Union for Civil Liberties v. Union of India
6
, where
section 5 of the Indian Telegraph Act, 1885 was challenged which authorizes the Central and
the State Government to resort to phone tapping. This Court held that telephone tapping is a
serious invasion of an individuals right to privacy and it should not be resorted to by the
State unless there is a public emergency or interest of public safety requires. And this Court
laid down procedural safeguard for the exercise of power of phone tapping.
Privacy in the technology driven world is a difficult proposition. Technology has become a
kind of double-edged weapon, on one hand it equips the person to safeguard his privacy and
on the other it helps in blowing the privacy cover, one may have.
7
A person accessing the
internet often does so within the privacy of his own home and expects a reasonable level of
privacy.
8
The communications when not with a human party are for the satisfaction of his or
her own desires and curiosities. A person may divulge more information to a computer than
to another person. Hence internet communications are inherently intimate and concern the
core of the privacy of the person.
9

The right to privacy is a fundamental right. The petitioner has a right to use the internet freely
and has the right to maintain his privacy relating to his internet history. The respondent not

4
R. Rajagopal v. State of T.N. (1994) SCC 632
5
Mr. X v. Hospital Z AIR 1995 SC 495
6
AIR 1997 SC 568
7
Information Technology- Law and Practice, Vakul Sharma, Third Edition, Universal Law Publishing Co. New
Delhi, 2011.
8
Cyber Cafe in Gandhinagar, India, http://www.worldembassyinformation.com/india-cyber-cafe/cyber-cafe-in-
gandhinagar.html (last visited July 5, 2010)
9
The Law of Online Privacy in India By Apar Gupta, (2011) PL April S-3
only shared the internet activity of the petitioner with a third party but also disclosed and
threatened to disclose the information of the petitioner. The actions of the respondent are in
complete violation of the right to privacy and he must be held liable for the same.
CONTRAVENTION OF INFORMATION TECHNOLOGY ACT, 2000
The respondent actions of sharing internet activity of the petitioner was in complete
contravention of various IT Act provision and rules, which has attracted several criminal as
well as civil liabilities.
DUTY TO PRESERVE AND RETAIN INFORMATION AND TO IMPLEMENT AND MAINTAIN
REASONABLE SECURITY PRACTICES AND PROCEDURES
WindTel being an ISP provider is an intermediary under 2 (1) (w) the IT Act. The IT Act
has made intermediaries responsible for preservation and retention of information.
10
The term
information includes data, message, text, images, sound, voice, codes, computer
programmes, software and databases or micro film or computer generated micro fiche.
11
Any
activity on the part of intermediaries to preserve and retain any information may also require
fulfillment of norms related to information (data) security and privacy, i.e., the onus is on the
intermediaries to have reasonable security practices and procedures. Moreover
intermediaries are body corporate as defined under section 43A Explanation (i)
12
.
13

Also section 43A of the Act has made it abundantly clear that where a body corporate,
possessing, dealing or handling any sensitive personal data or information in a computer
resource which it owns, controls or operates, is negligent in implementing and maintaining

10
Section 67C
11
Section 2(1)(v)
12
"body corporate" means any company and includes a firm, sole proprietorship or other association of
individuals engaged in commercial or professional activities
13
Information Technology- Law and Practice, Vakul Sharma, Third Edition, Universal Law Publishing Co. New
Delhi, 2011. Page- 223-224
reasonable security practices and procedures and thereby causes wrongful loss or wrongful
gain to an person, such a body corporate shall be liable to pay damages by way of
compensation to the person so affected.
In Amit D. Patwardhan v. Rud India Chains
14
, the Adjudicating Officer, found that the
respondent had, by unlawfully obtaining the complainants bank account statements which
constitute sensitive personal data, violated the complainants privacy. In the connected matter
the adjudicating officer held that the Respondent, i.e. Bank of Baroda has failed to protect the
confidential, private and sensitive data of customers, and is clearly in breach of various
sections of IT Act such as 43A and several other rules and ordered the bank to pay
compensation.
15

In other words, intermediaries shall have twin responsibilities, i.e. to preserve and retain any
information, as well as to implement and maintain reasonable security practices and
procedures. Non-compliance of these provisions may attract criminal as well as civil
liabilities under section 67C and 43A respectively.
16

DISCLOSURE OF INFORMATION
Section 72A of the Act provides punishment for disclosure of information in breach of lawful
contract. This section creates liabilities for service providers, including an intermediary. It is
in fact a kind of data protection measure, wherein a service provider who has secured access
to any material containing personal information about a person, discloses such information

14
Complaint No. 1 of 2013 dated 16th January, 2013, before the adjudicating officer Sh. Rajesh Aggarwal,
Secretary, (Information Technology), Government of Maharashtra. Decided on 15.4.2013
15
Amit D. Patwardhan v. Bank of Baroda, Complaint No. 15 of 2013 dated 28th June 2013, before the
adjudicating officer Sh. Rajesh Aggarwal, Secretary, (Information Technology), Government of Maharashtra.
Decided on 30.12.2013
16
Information Technology- Law and Practice, Vakul Sharma, Third Edition, Universal Law Publishing Co. New
Delhi, 2011. Page-224
without the consent of the person concerned or in breach of lawful contract, with the intent to
cause or knowingly that he is likely to cause wrongful loss or wrongful gain to such a person.
Breach of confidentiality and privacy is aimed at public and private authorities, which have
been granted power under the Act
17
. In District Registrar and Collector v. Canara Bank
18
,
this Court said that the disclosure of the contents of the private documents of its customers or
copies of such private documents, by the bank would amount to a breach of confidentiality
and would, therefore, be violative of privacy rights of its customers.
In Nirmalkumar Bagherwal v. Minal Bagherwal
19
, the order found that the complainants
right to privacy was violated by both the respondents i.e. his wife and bank but, while
determining the quantum of compensation, distinguished between the respondents in respect
of the degree of liability; the respondent wife was ordered to pay a token compensation
amount while the respondent bank was ordered to pay higher compensation to each of the
three complainants individually.
The rules made under this Act also protect the privacy of the individual. Rule 6
20
of
reasonable security practices and procedures and sensitive personal data or information,
requires the body corporate to obtain prior consent of the provider of the information before
disclosing it to a third party. It further states that the body corporate or any other person on its
behalf shall not publish the sensitive personal data or information.
21

UNAUTHORIZED INTERCEPTION

17
Dr. Shiv Shankar Singh, Privacy and Data Protection in India, (2012) PL February S-2
18
(2005) 1 SCC 496
19
Common Judgment in Complaint Numbers 08, 09, 10 dated 07th May 2013, before the adjudicating officer
Sh. Rajesh Aggarwal, Secretary, (Information Technology), Government of Maharashtra. Decided on
26.08.2013
20
Rule 6. of the Information Technology (Reasonable security practices and procedures and sensitive personal
data or information) Rules, 2011.
21
Id. Rule 6(3).
The Procedure and Safeguards for Interception, Monitoring and Decryption of Information
Rules, 2009, states that the directions for interception or monitoring or decryption of any
information generated, transmitted, received or stored in any computer resource under sub-
section (2) of section 69 of the IT Act shall not be issued except by an order made by the
concerned competent authority.
22
The interception power can only be exercised when orders
are made by the competent authority and any other interception would be an unauthorized
interception. The intermediaries are also required to put in place adequate and effective
internal checks to ensure the unauthorised interception of messages does not take place and
extreme secrecy is maintained and utmost care and precaution is taken in the matter of
interception or monitoring or decryption of information as it affects privacy of citizens and
also that this matter is handled only by the designated officers of the intermediary and no
other person of the intermediary shall have access to such intercepted or monitored or
decrypted information.
23

Under these rules, the responsibility has been imposed on the intermediaries that they will be
held liable in case of violation pertaining to maintenance of secrecy and confidentiality of
information or any unauthorised interception or monitoring or decryption of information.
24

This rule prohibits the interception or monitoring or decryption of information without
authorization of competent authority
25
and the disclosure of intercepted or monitored
decrypted information by the intermediaries
26
. Any violation or contravention of these rules
is made punishable accordingly under the relevant provisions of the laws for the time being in
force.

22
Rule 3, Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of
Information) Rules, 2009
23
Id. Rule 20.
24
Id. Rule 21.
25
Id. Rule 24.
26
Id. Rule 25.