An unprecedented amount of personal data is available online, and when aggregated, a person's life becomes transparent over time.[1] Increasing the level of privacy harm is the fact that the data is stored in vast private databases by a few conglomerates, due to the concentrated nature of the online service industry.[2] However, when this data is seen non-contextually it may lead to incorrect inferences being drawn, e.g. a person's search query logs may be entirely for the purposes of research and not a personal medical condition. What is most worrying is that a person whose data is being gathered does not have any notice, causing a harm of exclusion. This is exclusion in information processing and not information gathering; hence, there should not be any reason for such exclusion. Here, it is not out of place to heed the EU Law on Privacy, which contains a basic prohibition against databases. Then there is also the probable harm of secondary use, where the information gathered will be used for purposes other than that for which it was gathered.[3]
Vijay Prakash v. Union of India, A.I.R. 2010 Del. 7 (India) (Per S. Ravindra Bhat, J.). After considering the English law on the point of privacy, the court notes that it may be seen from the above discussion that originally the law recognized relationships through status (marriage) or arising from contract (such as employment, contract for services, etc.) as imposing duties of confidentiality.

Raja v. P. Srinivasan, (2009) 8 M.L.J. 513 (India) (Per M. Chockalingam & R. Subbiah, JJ.). The applicant sought to restrain the respondent, the publisher of a weekly, from publishing, inter alia, family photographs of the applicant accompanied by write-ups leveling allegations of corruption. The appellant had contended that these photographs contained images of his wife and minor child, who were not connected to his public office and public acts, and hence the publication of their images contemporaneously infringed their right to privacy. The court granted an interim injunction restraining the defendant from publishing any such news articles as well as photographs of the plaintiff's wife and minor child.

In District Registrar and Collector v. Canara Bank,[4] it was held by this Court that: the exclusion of illegitimate intrusion into privacy depends on the nature of the right being asserted and the way in which it was brought into substantive judgment. If these factors are relevant for defining the right to privacy, they are quite relevant whenever there is invasion of that right by way of searches and seizures at the instance of the State.

[1] See Omer Tene, What Google Knows: Privacy and Internet Search Engines, 2008 UTAH L. REV. 1433. Cited in Apar Gupta, The Law of Online Privacy in India, (2011) PL April S-3.
[2] Id. at 1456-1463.
[3] Apar Gupta, The Law of Online Privacy in India, (2011) PL April S-3.
The right to privacy refers to the specific right of an individual to control the collection, use and disclosure of personal information. Personal information could be in the form of personal interests, habits and activities, family records, educational records, communications (including mail and telephone) records, medical records and financial records, to name a few. An individual could easily be harmed by the existence of computerised data about him/her which is inaccurate or misleading and which could be transferred to an unauthorised third party at high speed and very little cost. This growth in the use of personal data has many benefits but it could also lead to problems.[5]
There is no limitation imposed on the compensation that can be awarded. Section 43A, which provides for civil action for security breaches, is based on the concept of “sensitive personal information”. Other than that, there is no special protection in Indian law for sensitive personal information. Section 43A provides for compensation to an aggrieved person whose personal data, including sensitive personal data, may be compromised by a company during the time it was under processing with the company, for failure to protect such data because of negligence in implementing or maintaining reasonable security practices. This provision, therefore, provides a right of compensation against anyone other than the person in charge of the computer facilities concerned, effectively giving a person a right not to have their personal information disclosed to third parties, or damaged or changed by those third parties. The section is equally able to be used by data controllers or the subjects of personal information against third parties. It is only that they will be “affected” in different ways which justify compensation. It also provides that accessing data in an unauthorised way is a civil liability.[6]

[4] (2005) 1 SCC 496.
[5] Dr. Shiv Shankar Singh, Privacy and Data Protection in India, (2012) PL February S-2.
Sections 66E, 72 and 72A require the consent of the persons concerned, but only within a limited scope, and it would be difficult to consider that this provides a sufficient level of personal data protection. Indeed, these sections confine themselves to the acts, and the sections provide for monitoring violation of privacy, breach of confidentiality and privacy, and disclosure of information in breach of lawful contract. Breach of confidentiality and privacy is aimed at public and private authorities which have been granted power under the Act. In District Registrar and Collector v. Canara Bank[23], the Supreme Court said that the disclosure of the contents of the private documents of its customers, or copies of such private documents, by the bank would amount to a breach of confidentiality and would, therefore, be violative of privacy rights of its customers.[7]

[6] Dr. Shiv Shankar Singh, Privacy and Data Protection in India, (2012) PL February S-2.
On August 23, 2014, Manu Sharma received summons in a complaint case filed by WindTel's sister company Wind Entertainment regarding an allegation that Sharma had downloaded pirated songs of their movie Sugar rush, all rights of which were owned by Wind Entertainment. Wind Entertainment claimed that they have conclusive proof of Sharma's illegal activity owing to the detailed ISP logs that the company had in its possession. This shows that the respondent has shared the internet history of the petitioner with a third party. This is a violation of the right to privacy of the petitioner. In Vinod Kaushik v. Madhvika Joshi,[8] the adjudicating officer found that the respondent had violated the privacy of the complainant and his son by her unauthorised access of their email accounts and sharing of their private communication
[7] Dr. Shiv Shankar Singh, Privacy and Data Protection in India, (2012) PL February S-2.
[8] Complaint No. 2 of 2010, before the adjudicating officer Sh. Rajesh Aggarwal, Secretary, (Information Technology), Government of Maharashtra. Decided on 10.10.2011.