Let's Build a Responsible Cyber Society


 

Privacy Protection under ITAA-(P) 2005

 

...a law for the privileged, by the privileged and to protect the privileged.

 

ITA-2000 had made a reference to “Breach of Confidentiality and Privacy” under Section 72 which had some times been confused as an attempt for protection of privacy of individuals in the Cyber World. However, the scope of this section was limited to the information collected by a person “in pursuance of any powers conferred under this act”. Since such information could be collected only by the Certifying Authorities or Controller or a Law Enforcement officer, the operation of the section was limited to this context. 

However, under Section 43 of the Act, “Securing Access and downloading or copying of information without the permission of the owner of a computer system” was subject to a liability to pay damages to the extent of Rs 1 Crore to the person who suffers a damage. Similarly, “diminishing the value of information residing inside a computer” was punishable under Section 66 with imprisonment of 3 years and fine of Rs 2 lakh. These two provisions provided protection for the privacy of personal information which may be in the hands of any Computer system owner.  

For example, if a girl had provided a photograph and personal information to a matrimonial website for a specific purpose and the same had been accessed unauthorizedly, there could have been a cause of action to the girl if she had suffered any damage. Similarly if there was in existence a video clipping of a film actress kissing in private and the same had been accessed unauthorizedly, there could have been a cause of action by the victim. 

Even the Karan Bahree case or the CitiBank-Mphasis case was well within the provisions of Section 43 and Section 66. Even the case of the lady in Coimbatore who cheated a Canadian boy by sending a photograph of a film star as her own could have been brought under the section since she had used an electronic photograph of the actress without authority. Thus the ITA-2000 in its present form can address both data protection requirements from the point of view of the corporate users of data and also privacy protection needs from the individual’s point of view. 

The corporate handling the sensitive data which is compromised had the defense of “Due Diligence” to protect himself from loss due to external criminals.  

However, with the cry of some industrialists that “there is no Privacy protection law in India” and “we need to amend ITA-2000 to provide for Privacy protection”, there has been an attempt in the amendments to address “Privacy Protection needs”. 

As a result changes have now been made to Section 43 and Section 72 which need to be analysed. 

The following additions are now sought to be made in Section 43  

43 (2) If any body corporate, that owns or handles sensitive personal data or information in a computer resource that it owns or operates, is found to have been negligent in implementing and maintaining reasonable security practices and procedures, it shall be liable to pay damages by way of compensation not exceeding Rs. 1 crore to the person so affected. 

Explanation.- For the purposes of this section,-

(oi) “body corporate” means any company and includes a firm or other association of individuals engaged in commercial or professional activities.  …

(v) “Reasonable security practices and procedures” means, in the absence of a contract between the parties or any special law for this purpose, such security practices and procedures as appropriate to the nature of the information to protect that information from unauthorized access, damage, use, modification, disclosure or impairment, as may be prescribed by the Central Government in consultation with the self-regulatory bodies of the industry, if any. 

(vi) “Sensitive personal data or information” means such personal information, which is prescribed as “sensitive” by the Central Government in consultation with the self-regulatory bodies of the industry, if any. 

(vii) “Without the permission of the owner” shall include access to information that exceeds the level of authorized permission to access. 

Now as per the above provisions, a responsibility is cast on a “Body Corporate” for exercising due diligence. If however the data handler is not a body corporate or an association of individuals, there is no liability. This could mean that Government departments or even single individuals fall under the exempted category. The Government will however have to notify “What is Sensitive Data”, ”What is a Reasonable Security Practice” etc. 

While the aspect of exempting the Government and an individual website owner can be debated, the changes proposed add some clarifications which are welcome. 

The changes proposed in Section 72 however have opened up some issues of concern. Here, the amendments are attempted to define precisely what is “Private” in respect of an electronic  picture of an individual.  

The first major change that has been made in the existing provisions is to add the words “Intentionally Discloses” instead of “Discloses” to invoke the penalty. This means that even the Certifying Authorities or the Controller or the Law Enforcement authorities disclose any private information collected from the member of the public, they cannot be held liable unless it is proved that they had “intentionally disclosed” the information. In other words,  the protection that was earlier available has been in fact removed. 

The second change is an addition of the following sub clause. 

72 (2) Save as otherwise provided under this Act, if any intermediary who by virtue of any subscriber availing his services has secured access to any material or other information relating to such subscriber, discloses such information or material to any other person, without the consent of such subscriber and with intent to cause injury to him, such intermediary shall be liable to pay damages by way of compensation not exceeding Rs. 25 lakhs to the subscriber so affected. 

We may note the words “with intent to cause injury to him”. The section therefore is talking of liability in the case of a “Pre contemplated Crime” and not “Protection against Negligent Handling of Data”.  

The high compensation figure of RS 25 lakhs has no significance since the current section 43 already had a higher limit of RS 1 crore. Now in certain respects, this section 72 may be in conflict with Section 43  and any intermediary would like to take advantage of the presence of this section and argue that he will not be responsible for any breach of privacy unless it was “intentional”.  

We cannot therefore classify this provision as “privacy Protection” in its true spirit. 

The third important change proposed in the section is the addition of the sub clause (3) as follows. 

72 (3) Whoever intentionally captures or broadcasts an image of a private area of an individual without his consent, and knowingly does so under circumstances violating the privacy of that individual, shall be liable to pay compensation not exceeding Rs. 25 lakhs to the person so affected, and shall also be liable for imprisonment for a term not exceeding one year or with fine not exceeding Rs 2 Lakhs, or with both on the complaint of the person so affected.  

Explanation: For the purpose of this section 

(a)“capture” with respect to an image, means to videotape, photograph, film, record by any means;

(b)“broadcast” means to electronically transmit a visual image with the intent that it be viewed by a person or persons;

(c)“a private area of the individual” means the naked or undergarment clad genitals, pubic area, buttocks, or female breast of that individual;

(d)“female breast” means any portion of the female breast below the top of the areola; and

(e)“under circumstances violating the privacy of that individual” means – 

(i) circumstances in which a reasonable person would believe that he or she could disrobe in privacy, without being concerned that an image of a private area of the individual was being captured; or

(ii) circumstances in which a reasonable person would believe that a private area of the individual would not be visible to the public, regardless of whether that person is in a public or private place. 

This laboured definition of “private area” is unlikely to be considered a wise move since leaving it to the judgement of the judge in a given case would have been far better. 

The use of the term “Under garment clad..” needs clarity since this could mean that a picture used in the ad of VIP briefs could be a disputed picture. Similarly, a picture of a lady in the swim suit without any undergarments could also be in dispute. 

Further the use of the term “film” and “Video tape” in “capture” means that a non Cyber Crime involving taking a picture from a non digital camera is also covered under these provisions making this Amended Act stray into the non Cyber World. 

One of the unintended fall outs of this attempt at defining private parts is that the famous “Kareena Kissing Case” would perhaps be outside the scope of this section since no private part has been captured and broadcast in this case. 

The fifth change proposed in the section is the addition of the sub clause (4) which states as under. 

72 (4) No court shall take cognizance of any offense punishable under sub-section (3) except upon a complaint filed by the aggrieved person in writing before a Magistrate

 It is difficult to understand the need for this provision unless a policy decision has been taken to keep the Police out of Cyber Crimes as much as possible. This means that complaints in cases such as that of the Trisha Video or the Kareena Video or the Delhi MMS cannot be made to the Police.

 Despite the presence of several Cyber Crime Police stations all over the Country, complainants still do not know where and how to lodge complaints. Now, if they have to step into a Magistrate’s Court for lodging the Complaints, the possibility of many victims suffering in silence is high.

 The additions made to Section 72 which some journalists have termed as defining “Video Voyeurism” as a crime had been more than adequately covered under the Section 67 without the need to resort to “Drafting Voyeurism” just because such drafting has been used in some US laws.

 In summary therefore the proposed amendments to Section 72 do not afford the protection of privacy as anticipated by the industry. It in fact weakens the existing provisions in some respects.

[Will continue]

Naavi

September 2, 2005

Copy of the Amendments