The prolific growth of information and communication related technology has spawned myriad social media networking sites. However, the use of these technologies also presents new dangers for the privacy of individuals. Information is at the risk of being gathered without an individual’s knowledge. It may be reused for unauthorized purposes, retained for months and years, passed on to third parties, and published or circulated without permission. Increasingly, data available on social media sites is being used by several entities to track individuals’ preferences, interests, movements, networks and activities. The information that is gathered is widely used, among other things, to customize an individual’s email access as well as webpage that the individual may visit. This raises questions of privacy and data protection.
The Information Technology Act, 2000 (“IT Act”) was focused on the recognition of electronic records and facilitation of e-commerce. The emphasis of the Information Technology (Amendments) Act, 2008 was on Cyber Terrorism and to a significant extent, Cyber Crime. However, it also contains provisions that apply to data protection and privacy. The two statutes are collectively referred to as the IT Act.
The scope of this article is to highlight some of the important provisions of the IT Act relating to data protection and privacy vis-à-vis social media.
The IT Act (section 43) imposes civil penalties in the event of the commission of certain acts without the permission of the owner or person in charge of the computer or computer systems such as: (i) securing access (without permission); (ii) downloading or copying of data stored in a computer or computer system; (iii) introducing computer viruses; (iv) damaging computers and or data stored therein; (v) disrupting computers; (vi) denial of access; (vii) abetting such acts; or (viii) illegal charging for services on another’s account. The IT Act has included two additional violations (i) destruction, deletion and alteration of information residing on a computer and (ii) theft, concealment, destruction, alteration, (or to abet in the theft, concealment, destruction, or alteration), of any computer source code used for a computer resource with an intention to cause damage.
Further, the IT Act holds any “Body Corporate” possessing, dealing with or handling any “sensitive personal data or information” in a computer resource it owns, controls or operates, liable for negligence, if it fails to maintain “reasonable security practices and procedures[i]” and thereby causes wrongful loss or wrongful gain to any person. “Body Corporate” is defined in the IT Act as any company and includes a firm, sole proprietorship (sic) or other association of individuals engaged in commercial or professional activities
Apart from the Civil Penalties contained in the IT Act there also are criminal provisions, a few of which relate to data protection.
The IT Act provides that any act set out under section 43, if committed “dishonestly or fraudulently,” would amount to a criminal offence, punishable with imprisonment of up to three years or fine of a maximum of Rupees Five Lakh (approximately US$ 10,000) or both. The IT Act also makes the receipt or retention of a stolen computer resource or communication device punishable with imprisonment up to three years or with fine up to Rupees One Lakh or both. The term “computer resource” is defined under the IT Act as a “computer, computer system, computer network, data, computer database or software.” This provision applicable to the receiver of stolen computer resources, such as data and software, could prove to be substantially useful when faced with issues of data misuse or theft from a social networking site.
Under the IT Act the onus of implementing “Reasonable Security Practices” is on the business entity. “Reasonable security practices and procedures” are defined as “security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem it.” Therefore, social media sites would be required to show that they have adopted such practices in case there is a violation on their site to help mitigate their liability.
Confidentiality and Privacy
The IT Act provides for the protection of physical or personal privacy of an individual. Also, the IT Act contains provisions against the dissemination of personal information obtained without the individual’s consent through an intermediary or under a services contract, with the intent to cause wrongful loss or wrongful gain. The maximum punishment prescribed for this offence is three years imprisonment, or fine up to Rupees Five Lakhs or both. These provisions protect privacy and personal information to a certain extent. In particular, service providers on the Internet, social networking sites, companies, firms, individuals and other intermediaries need to exercise caution in the collection, retention and dissemination of personal data.
The IT Act makes the dishonest or fraudulent use of a person’s electronic signature or identity, password or any other unique identification feature punishable as theft with imprisonment of up to three years and fine up to Rupees One Lakh.
The statute further makes cheating by impersonation through a computer resource punishable with imprisonment of up to three years and fine up to One Lakh Rupees.
The liability of an intermediary under this section is limited in specific instances, i.e., if he provides access to communication systems for transmission or temporary storage of third party information, data or communication links made available or hosted by him. The intermediary should however observe due diligence and comply with the prescribed guidelines, while discharging his duties.
The IT Act imputes vicarious liability in case of offences by companies and provides substantial and relevant rights allowing victims to seek redress in cases of violations. As most of the offences under the IT Act are cognizable, this provision is a cause for concern for social media entities and their management.
In comparison to the laws of developed nations, India requires laws that define data based on utility and importance. Rules related to data extraction and data destruction needs to be improvised. Stringent and comprehensive laws for the protection of data are the need of the hour. In 2011, the Government of India proposed the “Right to Privacy Bill”. However, we still await the final and conclusive draft of the Bill. Until then, businesses must implement appropriate safeguard policies and maintain an awareness of compliance obligations
Vidhi Agarwal is a partner at LawQuest International, a general practice law firm in Mumbai, India. She with a Masters Degree in Law as well as Commerce is admitted as an advocate to the Bar Council of Maharashtra and Goa. Vidhi may be reached at email@example.com.
Annu Sharma is an Associate at LawQuest. She has completed her LL.B from K.C. LawCollege, Mumbai. She holds a B.Sc Degree from K.C. College of Arts, Commerce and Science. She can be reached at firstname.lastname@example.org
By Vidhi Agarwal and Annu Sharma