ITA-2000 had made a
reference to “Breach of Confidentiality and Privacy” under Section 72
which had sometimes been confused as an attempt at protection of privacy
of individuals in the Cyber World. However, the scope of this section was
limited to the information collected by a person “in pursuance of any
powers conferred under this act”. Since such information could be
collected only by the Certifying Authorities or Controller or a Law
Enforcement officer, the operation of the section was limited to this
However, under Section 43
of the Act, “Securing Access and downloading or copying of information
without the permission of the owner of a computer system” was subject to a
liability to pay damages to the extent of Rs 1 Crore to the person who
suffers a damage. Similarly, “diminishing the value of information
residing inside a computer” was punishable under Section 66 with
imprisonment of 3 years and fine of Rs 2 lakh. These two provisions
provided protection for the privacy of personal information which may be
in the hands of any Computer system owner.
For example, if a girl had
provided a photograph and personal information to a matrimonial website
for a specific purpose and the same had been accessed unauthorizedly,
there could have been a cause of action to the girl if she had suffered
any damage. Similarly if there was in existence a video clipping of a film
actress kissing in private and the same had been accessed unauthorizedly,
there could have been a cause of action by the victim.
Even the Karan Bahree case
or the CitiBank-Mphasis case was well within the provisions of Section 43
and Section 66. Even the case of the lady in Coimbatore who cheated a
Canadian boy by sending a photograph of a film star as her own could have
been brought under the section since she had used an electronic photograph
of the actress without authority. Thus the ITA-2000 in its present form
can address both data protection requirements from the point of view of
the corporate users of data and also privacy protection needs from the
individual’s point of view.
The corporate handling the
sensitive data which is compromised had the defense of “Due Diligence” to
protect itself from loss due to external criminals.
However, with the cry of
some industrialists that “there is no Privacy protection law in India” and
“we need to amend ITA-2000 to provide for Privacy protection”, there has
been an attempt in the amendments to address “Privacy Protection needs”.
As a result changes have
now been made to Section 43 and Section 72 which need to be analysed.
The following additions are now sought to be made in Section 43:
43 (2) If any body corporate, that owns or
handles sensitive personal data or information in a computer resource that
it owns or operates, is found to have been negligent in
implementing and maintaining reasonable security practices and
procedures, it shall be liable to pay damages by way of compensation
not exceeding Rs. 1 crore to the person so affected.
Explanation.- For the purposes of this section,-
(oi) “body corporate” means any company and
includes a firm or other association of individuals engaged in commercial
or professional activities. …
(v) “Reasonable security practices and
procedures” means, in the absence of a contract between the parties or any
special law for this purpose, such security practices and procedures as
appropriate to the nature of the information to protect that information
from unauthorized access, damage, use, modification, disclosure or
impairment, as may be prescribed by the Central Government in consultation
with the self-regulatory bodies of the industry, if any.
(vi) “Sensitive personal data or information”
means such personal information, which is prescribed as “sensitive” by the
Central Government in consultation with the self-regulatory bodies of the
industry, if any.
(vii) “Without the permission of the owner”
shall include access to information that exceeds the level of authorized
permission to access.
Now as per the above
provisions, a responsibility is cast on a “Body Corporate” for exercising
due diligence. If however the data handler is not a body corporate or an
association of individuals, there is no liability. This could mean that
Government departments or even single individuals fall under the exempted
category. The Government will however have to notify “What is Sensitive
Data”, “What is a Reasonable Security Practice” etc.
While the aspect of
exempting the Government and an individual website owner can be debated,
the changes proposed add some clarifications which are welcome.
The changes proposed in
Section 72 however have opened up some issues of concern. Here, the
amendments are attempted to define precisely what is “Private” in respect
of an electronic picture of an individual.
The first major change
that has been made in the existing provisions is to add the words
“Intentionally Discloses” instead of “Discloses” to invoke the penalty.
This means that even if the Certifying Authorities or the Controller or the
Law Enforcement authorities disclose any private information collected
from the member of the public, they cannot be held liable unless it is
proved that they had “intentionally disclosed” the information. In other
words, the protection that was earlier available has been in fact
The second change is an
addition of the following sub clause.
Save as otherwise provided under this Act, if any intermediary who by
virtue of any subscriber availing his services has secured access to any
material or other information relating to such subscriber, discloses such
information or material to any other person, without the consent of such
subscriber and with intent to cause injury to him, such
intermediary shall be liable to pay damages by way of compensation not
exceeding Rs. 25 lakhs to the subscriber so affected.
We may note the words
“with intent to cause injury to him”. The section therefore is talking of
liability in the case of a “Pre contemplated Crime” and not “Protection
against Negligent Handling of Data”.
The high compensation
figure of Rs 25 lakhs has no significance since the current section 43
already had a higher limit of Rs 1 crore. Now in certain respects, this
section 72 may be in conflict with Section 43 and any intermediary would
like to take advantage of the presence of this section and argue that he
will not be responsible for any breach of privacy unless it was
We cannot therefore
classify this provision as “privacy Protection” in its true spirit.
The third important change
proposed in the section is the addition of the sub clause (3) as follows.
Whoever intentionally captures or broadcasts an image of a private area of
an individual without his consent, and knowingly does so under
circumstances violating the privacy of that individual, shall be liable to
pay compensation not exceeding Rs. 25 lakhs to the person so affected, and
shall also be liable for imprisonment for a term not exceeding one year or
with fine not exceeding Rs 2 Lakhs, or with both on the complaint of the
person so affected.
Explanation: For the purpose of this section
with respect to an image, means to videotape, photograph, film, record by
means to electronically transmit a visual image with the intent that it be
viewed by a person or persons;
“private area of the individual” means the naked or undergarment clad
genitals, pubic area, buttocks, or female breast of that individual;
breast” means any portion of the female breast below the top of the
“circumstances violating the privacy of that individual” means –
circumstances in which a reasonable person would believe that he or she
could disrobe in privacy, without being concerned that an image of a
private area of the individual was being captured; or
circumstances in which a reasonable person would believe that a private
area of the individual would not be visible to the public, regardless of
whether that person is in a public or private place.
The laboured definition of “private area” is unlikely to be considered a wise
move since leaving it to the judgement of the judge in a given case would
have been far better.
The use of the term “Under garment clad..” needs clarity since this could mean
that a picture used in the ad of VIP briefs could be a disputed picture.
Similarly, a picture of a lady in the swim suit without any undergarments
could also be in dispute.
The use of the term “film” and “Video tape” in “capture” means that a non
Cyber Crime involving taking a picture from a non digital camera is also
covered under these provisions making this Amended Act stray into the non
One of the unintended fall outs of this attempt at defining private parts is that
the famous “Kareena Kissing Case” would perhaps be outside the scope of
this section since no private part has been captured and broadcast in this
The fifth change proposed
in the section is the addition of the sub clause (4) which states as
No court shall take cognizance of any offense punishable under sub-section
(3) except upon a complaint filed by the aggrieved person in writing
before a Magistrate
It is difficult to
understand the need for this provision unless a policy decision has been
taken to keep the Police out of Cyber Crimes as much as possible. This
means that complaints in cases such as that of the Trisha Video or the
Kareena Video or the Delhi MMS cannot be made to the Police.
Despite the presence of
several Cyber Crime Police stations all over the Country, complainants
still do not know where and how to lodge complaints. Now, if they have to
step into a Magistrate’s Court for lodging the Complaints, the possibility
of many victims suffering in silence is high.
The additions made to
Section 72 which some journalists have termed as defining “Video
Voyeurism” as a crime had been more than adequately covered under the
Section 67 without the need to resort to “Drafting Voyeurism” just because
such drafting has been used in some US laws.
In summary therefore the
proposed amendments to Section 72 do not afford the protection of privacy
as anticipated by the industry. They in fact weaken the existing provisions
in some respects.
September 2, 2005