INTRODUCTION
Data is one of the primary and most important assets of any organization. As the internet has penetrated day-to-day life and driven the growth of the data economy, sharing and accessing information, including personal information, has become faster and easier than ever before.
However, the arbitrary and unregulated use of data, particularly personal data, collected from such sources has raised concerns amongst individuals with respect to their autonomy and privacy.
With increased public concern and awareness regarding data privacy, it has become necessary for businesses and organizations to practice transparency, apply data privacy measures, and adopt robust privacy policies for the data they collect, process, and store.
Any incident of data loss or data breach can cause severe setbacks for a business. Failure to protect data can lead to losses in goodwill, finances and customer trust.
Since data protection is one of the most important challenges of digital transformation in companies of all sizes, most organizations are subject to some privacy standards. IT companies and e-commerce giants have exercised due diligence in incorporating data privacy measures. For many other organizations, however, cyber security attacks and data breaches have been the hard way of learning the importance of data privacy.
The most recent data breach to make the headlines amidst this trend is the breach that Akasa Air self-reported to the Indian Computer Emergency Response Team (CERT-In).
BACKGROUND
The country’s newest airline, Akasa Air, experienced a data leak in August 2022 due to a technical configuration error, shortly after starting its operations on 07.08.2022. Personal information such as the name, email address, gender and phone number of some Akasa Air passengers was disclosed to “unauthorized persons”.
The airline itself reported the incident to CERT-In, which is the Government-authorized nodal agency tasked with dealing with matters of this nature.
The airline further stated that there was no “intentional hacking attempt” and that no travel-related information, travel records or payment information was compromised.
To mitigate the risk, the “unauthorised access” was stopped by completely shutting down the affected elements of the system. The login and sign-up services were subsequently resumed.
REMEDIAL ACTION AND INDIAN LAWS GOVERNING DATA PRIVACY
India does not have dedicated data protection legislation protecting privacy rights in transactions between individuals and companies, or between two persons, over the internet.
Moreover, the Data Protection Bill, 2019 (amended in 2021) has been withdrawn by the Government. Unlike the European Union (EU) and the United Kingdom (UK), India does not have any regulations for reporting such data breaches and therefore, the companies cannot seek remedial measures under the Central or State Laws.
The principal legislation in India dealing with data protection is, however, the Information Technology Act, 2000 (IT Act).
The IT Act provides for civil relief in the form of compensation, criminal punishment for the wrongful disclosure and misuse of personal data, and remedies for violations of contractual obligations relating to personal data.
Section 43A of the IT Act principally addresses compensation for the negligent implementation and maintenance of adequate security measures and procedures in connection with Sensitive Personal Data or Information (SPDI).
According to Section 43A of the IT Act, a body corporate that possesses, deals with, or handles any sensitive personal data or information and is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, may be held liable to pay damages to the person so affected.
It is crucial to remember that in such cases there is no maximum limit on the amount of compensation that the aggrieved party may claim.
Furthermore, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules), have also been published by the Central Government.
The IT Rules solely address the protection of the “SPDI of a person”, which covers personal information such as:
- Passwords;
- Financial information such as bank account, credit card, debit card, or other payment instrument details;
- Physical, physiological, and mental health conditions;
- Sexual orientation;
- Medical history and records; and
- Data derived through biometrics.
The IT Rules prescribe the reasonable security practices and procedures that a body corporate, or any person who collects, receives, possesses, stores, deals with, or handles information on its behalf, is obliged to follow when dealing with SPDI.
In the event of a breach, the body corporate or any other person acting on its behalf may be held liable to pay damages to the individual harmed.
AMLEGALS REMARKS
India has witnessed several data breaches in the recent past, including those at Air India, Big Basket, Money Control, and MobiKwik. Given the rise in the use of the Internet, it is critical that India adopt rigorous privacy and personal data protection regulations.
The threat to privacy is also an impediment to establishing a secure environment for Internet communication. Unless these challenges are solved, India will be unable to provide data protection.
Currently, only a couple of legislations govern the area of data privacy in India, and their reach is extremely limited. The IT Act and the IT Rules are the two major legislations regulating data privacy in India as on date. However, they cover only certain aspects and not the concept of data privacy as a whole.
A legislative framework must be designed that specifies the techniques and purposes for the collection of personal data, both offline and online. Consumers must be made aware of the risks of willingly sharing their information, and no data should be gathered without an individual’s express consent.
Enforcement mechanisms must also include easily accessible and affordable recourse for the investigation of complaints and disputes, the award of damages wherever applicable, and processes for verifying the accuracy of the claims a Data Controller makes in its privacy policies.
Currently, judicial precedents prohibit the infringement of an individual’s right to privacy by Government authorities or private entities. However, a comprehensive law must defend against both Government and Private Party encroachment.
Regulators should focus on enacting Data Protection Legislation as that would provide some clarity to the corporate entities and the common people regarding data privacy and its several facets.
-Team AMLEGALS, assisted by Ms. Devanshi Jain (Intern)
For any queries or feedback, please feel free to get in touch with chaitali.sadayet@amlegals.com or aditi.tiwari@amlegals.com.