Data PrivacyThe Interplay of Civil Remedies and Data Protection Frameworks

INTRODUCTION

With over 700 million Internet and smart phone users, India is generating mammoth amounts of data on a daily basis. In recent years, data has garnered interest on a global scale. People are now much more conscious of the importance of their data and its economic value.

Numerous Governments have identified how major businesses in the information technology market are abusing people’s rights around their personal data in order to enrich themselves. These unfair practises, however, have been prosecuted in recent years.

The businesses are being made responsible for violating the users’ and customers’ privacy. It is still in the development stage, but there is a need to construct a defined system for handling tortious liability in data breach instances.

The tort of privacy is steadily becoming recognised in several common law jurisdictions. Therefore, the time has come to broaden our vision towards solving the complex issues pertaining to data breaches and their impact on the privacy and well-being of the public at large.

The Digital Personal Data Protection Bill, 2022 (“the Bill”) introduced on November 18, 2022, was the attempt by the Ministry of Electronics and Information Technology, to frame a comprehensive regulation on data protection in India. Through this article, we shall delve into the measures taken by the Government to protect the interest of the citizens of India at large.

NEED FOR THE CIVIL REMEDIES

Various Governments around the world have attempted, in some way, to safeguard the security of their citizens’ data. For the current legal system, data protection jurisprudence is a relatively naïve concept, and many emerging countries have yet to identify the necessity for data protection laws.

While regulating this massive data market, legislators face numerous challenges. One of the biggest challenges to the growth of modern jurisprudence is ignorance of newly emerging technologies.

In terms of data law development, jurisdictions such as the European Union, the United Kingdom, and Canada are currently leading the way. The present legislation in these countries can successfully address a variety of challenges that individuals encounter across the world.

In the case of India, tremendous progress has been made in recent years. The development of this cause has been aided by many judgements and legislation, and more particularly by judicial activism. Currently, the Information Technology Act, 2000 (“IT Act”) minimally addresses the subject of data protection on the Internet.

However, due to the inadequacy of these measures, further legislation is required, thereby necessitating the enactment of the Bill. The Bill particularly empowers citizens to protect their data and provides legal recourse in the event of data privacy violations.

The concept of tort liability in data privacy was initially established in the United States of America (“USA”) during the nineteenth century, when the press and media expanded. The laws were enacted to protect people from the press’s intrusive activity, thereby limiting freedom of speech through reasonable constraints.

The laws which were enacted in the early stage clearly targeted renowned people who are more likely to be covered by the media. However, as the Internet grew in popularity, every person became a potential source of data, and organisations began to profit from this data by invading people’s privacy. This prompted lawmakers to broaden the reach of privacy legislation to include all citizens.

On a global scale, the question of whether corporate bodies should be held liable for compensating every harmed individual, remained unaddressed. The Courts were divided on this issue because the number of people involved was large and many were unaware of their loss, making it difficult for the Courts to determine the amount of compensation.

The Supreme Court of the United Kingdom (“UK”) unanimously held in favour of Google in the most recent case of Lloyd v. Google LLC (2021) 3 WLR 1268: 2021 UKSC 50, refusing the plea for compensation from 4 million Apple users who were improperly tracked by Google and the information accumulated was later sold.

The Supreme Court emphasised the difficulties in determining who suffered the loss and whether the representative claimant or the people they represent suffered any damage. This case exemplifies the difficulties of incorporating legal remedies into data privacy rules. Subsequently, the increasing complexity of technology has compelled the Indian Government to establish the Data Protection Board.

DATA PROTECTION BOARD OF INDIA

The Data Protection Board of India (“the Board”) is a statutory body which has been introduced under the Bill and will be established by the Central Government.

The Board’s key tasks include:

• monitoring compliance and implementing penalties,
• directing data fiduciaries to take appropriate measures in the event of a data breach, and
• considering grievances from impacted individuals.

The Central Government will specify the following: (i) the composition of the Board, (ii) the selection method, (iii) the terms and conditions of appointment and service, and (iv) the way of dismissal.

The Board will act as a stepping stone for India’s data protection legislation and will be an independent supervisory and adjudicatory body.

REMEDIES UNDER THE BILL

 The following analysis hereinafter is based on the basic concept of jurisprudence that is “ubi jus ibi remedium” that ‘where there is a right there is a remedy.’ If the rights of the aggrieved party, herein the Data Principal, is/are infringed, they seek reprieve under the existing civil remedies.

Any Data Principal who has suffered harm because of any violation of any provision under the Bill, when enacted as an Act or Rules or Regulations made thereunder, shall have right to approach the Board under Section 21 of the Act, as and when it is enacted.

This Section empowers the Board to conduct any sort of inquiry pertaining to data protection, which also includes a reasonable opportunity of being heard. Moreover, the Board also has the power to issue summons to the person and examine them on oath. In furtherance to above, the Board also has powers under Section 25 of the Bill to impose penalty not exceeding Rs. 500 crores.

As per Section 21(13) of the Bill, all individuals are bound by the orders of the Board similar to a decree passed by a Civil Court. Thus, the Board has all the powers of a Civil Court as provided in the Code of Civil Procedure, 1908. Hence, the Civil Remedies that can be sought from the Board are as follows:

1. In circumstances where due to ongoing processing of Data Principal’s data, he is harmed or aggrieved, he may seek to stop the Data Processor or Data Fiduciary from further processing his data through an Injunction order under Specific Relief Act, 1963. Injunction can be perpetual or temporary depending upon the needs of the Data Principal.

2. In circumstances where the harm caused to the Data Principal can be quantified in terms of monetary loss, he may seek damages from the Data Processor/ Data Fiduciary. Damages can be liquidated and unliquidated, depending upon the agreement between the parties, as well as the circumstances surrounding the data breach.

3. Another important relief that can be sought by the Data Principal is under Specific Relief Act, 1953. Essentially ‘data’ is also property of an individual, and the Data Principal can enforce his rights over the same. In circumstances where the Data Processor/Data Fiduciary are not following the contract between them and Data Principal in processing his data, he may seek to recover his data, rescind the contract, seek a declaratory decree that the data is belonging to Data Principal and the Data Processor/Data Fiduciary must delete all data belonging to Data Principal which they don’t have authority to process.

Moving forward, in the Bill, the provisions under Section 22 provide for review and appeal, wherein the Board may review its own order through a larger group or bench than the group or bench which conducted the previous hearings.

Moreover, if the claimant is still not satisfied with the order, he shall approach the High Court by preferring an appeal. Alternatively, if the Board is of the opinion that the said dispute shall be resolved through mediation or other dispute resolution process, then it may direct the same under Section 23 of the Bill.

AMLEGALS REMARKS

In the recent past, the Government of India have tried to regulate the Privacy Laws and Data Protection of individuals through various Data Protection Bills over the past couple of years. The Bill attempts to set clear provisions to define several concepts that need clear demarcations.

The Bill has tried to remove various discrepancies in the previous bills introduced by the Government regarding data privacy and protection. It is huge step forward from the former Data Protection Bill of 2019 which lacked essentials that the present Bill tries to rectify.

Yet, the Bill misses to address the ‘all important aspect’ of safeguards and remedies in case of breach. The Bill, although in its provisions inculcates the setting up a quasi-judicial body in form of the Board, that has the power to inquire, investigate, conduct proceedings, and finally pass the orders which the body itself can review and make necessary changes. However, there is a significant loophole in laying down a stringent statutory framework for remedies.

Having said that, the future of data privacy jurisprudence looks promising in India because of the constant and proactive measures that the Government and judiciary are attempting to take, which may prove to be valuable in the future.

– Team AMLEGALS 

For any query or feedback, please feel free to get in touch with falak.sawlani@amlegals.com or mridusha.guha@amlegals.com