
Semester II, Year 1

Subject: Torts

Road to strengthen the laws for Data protection and User Privacy
(Puttaswamy case and Personal Data Protection Bill, 2019)

Abstract
The terms data protection and data privacy are often used interchangeably, but there is an
important difference between the two. Data privacy defines who has access to data, while data
protection provides tools and policies to actually restrict access to the data. Compliance
regulations help ensure that users' privacy requests are carried out by companies, and companies
are responsible for taking measures to protect private user data. Data protection is a set of strategies
and processes you can use to secure the privacy, availability, and integrity of your data. It is
sometimes also called data security or information privacy. A data protection strategy is vital for
any organization that collects, handles, or stores sensitive data. A successful strategy can help
prevent data loss, theft, or corruption and can help minimize damage caused in the event of a
breach or disaster.

Data privacy is a guideline for how data should be collected or handled, based on its sensitivity
and importance. Data privacy is typically applied to personal health information (PHI) and
personally identifiable information (PII). This includes financial information, medical records,
social security or ID numbers, names, birthdates, and contact information. In India, PHI and PIIs
are termed as

Introduction (What is data)


Data surrounds us and is generated in virtually everything we do. One type is data that we may
voluntarily share, and the second type is the data which is generated literally every time we do
something – whether it be travel, order a meal or use transportation. There is no doubt that this
data is immensely valuable, and several companies are willing to pay for access to this data.
Indeed, in this age of universal and virtually free access to the internet, data is the new currency.
What is even more intriguing is that the full potential of the data is not known. As technology
progresses, newer applications emerge, enhancing the value of the data.

The landmark judgment delivered in Justice (Retd.) KS Puttaswamy v. Union of India has
endorsed the notion that the threat of breach of confidential data has become a major concern
that affects us all. Under Indian law, as per the Information Technology Act, there exist some
remedies against the data processing entity for data breach. However, there is no clear-cut notion
of where the buck stops within that entity and there have not been cases awarding compensation
so far. A recent judgement delivered by the Supreme Court of the United Kingdom in WM
Morrison Supermarkets PLC v. Various Claimants lays down that vicarious liability shall not
apply in cases of data breach. For the first time, there is now clarity on how employers can be
held liable for any breach of confidential data by their employees. It is also entirely likely that
Indian courts, operating under the proposed Data Protection Act, will follow the precedent laid
down by the Supreme Court of the United Kingdom.

Present regulations
India is not a party to any convention on protection of personal data which is equivalent to the
GDPR or the Data Protection Directive. However, India has adopted or is a party to other
international declarations and conventions such as the Universal Declaration of Human Rights
and the International Covenant on Civil and Political Rights, which recognise the right to
privacy.

India has also not yet enacted specific legislation on data protection. However, the Indian
legislature did amend the Information Technology Act (2000) (“IT Act”) to include Section 43A
and Section 72A, which give a right to compensation for improper disclosure of personal
information. The Indian central government subsequently issued the Information Technology
(Reasonable Security Practices and Procedures and Sensitive Personal Data or Information)
Rules, 2011 (the “Rules”) under Section 43A of the IT Act. A clarification to the above Rules
was issued on 24 August 2011 (the “Clarification”). The Rules have imposed additional
requirements on commercial and business entities in India relating to the collection and
disclosure of sensitive personal data or information which have some similarities with the GDPR
and the Data Protection Directive.

India has introduced a biometric based unique identification number for residents called
‘Aadhaar’. Aadhaar is regulated by the Aadhaar (Targeted Delivery of Financial and Other
Subsidies Act) 2016 (“Aadhaar Act”) and rules and regulations issued thereunder. Entities in
regulated sectors such as financial services and telecom sector are subject to obligations of
confidentiality under sectoral laws which require them to keep customer personal information
confidential and use them for prescribed purposes or only in the manner agreed with the
customer.

The Information Technology Act, 2000 [IT Act]

The Information Technology Act, 2000 [IT Act] deals with the following cyber issues & law:
data privacy, Information Security, cybercafé, digital signature technology, reasonable security
practices to be followed by corporate, role of intermediaries, role of Indian Computer Emergency
Response Team, child pornography, cyber terrorism, legal Recognition of Electronic Documents,
legal Recognition of Digital Signatures, Offenses and Contraventions and Justice Dispensation
Systems for cyber-crimes. The IT Act, however, does not contain adequate provisions vis-à-vis the
jurisdiction of the Court and the Police.

Cyber crime is not formally defined anywhere, be it the Information Technology Act, 2000 or any
other Act or statute. Simply put, cyber crime consists of unlawful acts wherein the computer is either a
tool or a target or both. Cyber crimes can involve criminal activities that are traditional in nature,
such as theft, fraud, forgery, defamation and mischief, all of which are subject to the Indian
Penal Code, 1860. We can categorize cyber crimes in two ways: (i) the computer as a target,
(ii) the computer as a weapon. To target or attack a computer, the criminals use other
computers. This category of crime includes hacking, virus/worm attacks, DOS attacks, etc. The
category of crimes where the computer is used as a weapon includes cyber terrorism, IPR
violations, credit card frauds, EFT frauds, pornography, etc. Commission of cyber crime may be
divided into three basic groups:

• By or Against an Individual / Individual Property - Harassment via emails; Cyber
stalking/squatting; Dissemination of obscene material; Defamation; Hacking/Cracking;
Indecent exposure; Computer/cyber vandalism; Transmitting a virus; Network
trespassing; Unauthorized control over computer system; Hacking/Cracking;
intellectual property crimes; cyber trespass: internet time thefts
• Against an Organisation - Hacking & Cracking; Possession of unauthorised
information; Cyber-terrorism against Government Organisation; Distribution of pirated
software, etc.
• Against Society at Large - Pornography; Polluting the youth through indecent exposure;
Trafficking, online gambling, financial crimes, forgery,

K.S Puttaswamy Judgment

Title of the Case: Justice K.S.Puttaswamy (Retired). vs Union of India and Ors., 2017.

Court: Supreme Court of India

Bench: Sanjay Kishan Kaul, Dhananjaya Y. Chandrachud, R. K. Agrawal, J. S. Khehar, S. A.
Bobde, S. A. Nazeer, R. K. Agrawal, J. Chelameswar, A.M. Sapre JJ.

Brief facts of the case

A retired High Court Judge, K.S. Puttaswamy, filed a petition in 2012 against the Union of India
challenging the constitutionality of Aadhaar on the ground that it violates the right to privacy.
The matter came before a nine-judge bench of the Supreme Court, established on reference from the
Constitution Bench to determine whether or not the right to privacy was guaranteed as an
independent fundamental right under the Constitution of India, following past decisions from
Supreme Court benches.

The decision passed by all nine judges holds:

1. The decision in M P Sharma vs. Satish Chandra which holds that the right to privacy is
not protected by the Constitution of India stands over-ruled;
2. The decision in Kharak Singh vs. State of UP to the degree that it holds that the right to
privacy is not protected by the Constitution also stands over-ruled.
3. The right to privacy is protected as an intrinsic part of the right to life and personal liberty
under Article 21 of the constitution of India and as a part of the freedoms guaranteed by
Part III of the Constitution.

Conclusion:

The Supreme Court of India once again appeared as the sole protector of the Constitution, creating
a legal framework for privacy protections in India. The judgment covers all the issues and
established that privacy is a fundamental inalienable right, intrinsic to human dignity and liberty
under Article 21 of the Constitution of India. The judgment paved the way for the decriminalization
of homosexuality in India in Navtej Singh Johar v. Union of India (2018) and for abolishing the
provisions of the crime of adultery in the case of Joseph Shine v. Union of India (27
September 2018).

Analysis and Criticism on the Judgement

Critics believe that this judgement is another chapter in the long list of instances of judicial
overreach by the Court. The Supreme Court has time and again interpreted the Constitution on
issues that are not expressly mentioned therein. It is, however, pertinent to mention that the
principle of interpreting fundamental rights is particularly well-settled and as such calling this
verdict judicial overreach is far-fetched. As Justice Chandrachud pointed out, this judgement
cannot be termed as a constitutional amendment brought by a judicial decision and in all fairness,
there is immense merit in this line of argument.
The Court has also been criticised for arguing in favour of a consent-based privacy framework
which may not be appropriate for the modern data-based disruptive technological setup. The
Court is basically recommending a framework that is well beyond its terms of reference and the
details of which are left for the executive to decide. But considering that the whole idea of
privacy invasion immensely benefits the state, it does not make much sense.

Personal Data Protection Bill, 2019

The Personal Data Protection Bill 2019 is based on recommendations from the Expert
Committee and suggestions received from stakeholders inside and outside of the central
government.

The bill opens with its aim:

“To provide for protection of the privacy of individuals relating to their personal data, specify
the flow and usage of personal data, create a relationship of trust between persons and entities
processing the personal data, protect the fundamental rights of individuals whose personal data
are processed, to create a framework for organisational and technical measures in processing of
data, laying down norms for social media intermediary, cross-border transfer, accountability of
entities processing personal data, remedies for unauthorised and harmful processing, and to
establish a Data Protection Authority of India for the said purposes and for matters connected
there with or incidental thereto.”

It goes on to outline three key points:

1. The right to privacy is a fundamental right and it is necessary to protect personal data as
an essential facet of informational privacy.
2. The growth of the digital economy has expanded the use of data as a critical means of
communications between persons.
3. It is necessary to create a collective culture that fosters a free and fair digital economy,
respecting the information privacy of individuals, and ensuring empowerment, progress
and innovation through digital governance and inclusion and for matters connected
therewith or incidental thereto.

Contents of the bill


Many of the consent-related provisions in the Personal Data Protection Bill are akin to those
found in the European Union's General Data Protection Regulation (GDPR).

According to the bill, data fiduciaries and data processors must obtain consent from data
principals prior to processing their data. Data fiduciaries are any person, including the State, a
company, any juristic entity or any individual who alone or in conjunction with others
determines the purpose and means of processing of personal data. Similarly, data processors are
any person, including the State, a company, any juristic entity or individual, who processes
personal data on behalf of a data fiduciary. Data collectors are also subject to new reporting
requirements, such as requiring parental or guardian consent for the collection of data belonging
to children. The bill also provides rights to data principals, that is, the data subjects whose data is
being collected.

Should the bill come into effect, data fiduciaries and data processors will have to:

1. Notify data principals about their data collection.
2. Seek consent prior to processing data about the data subject.
3. Collect and store evidence that a notice was given, and consent was received.
4. Allow consumers to withdraw consent, as well as access, correct, and erase their data.
5. Allow consumers to transfer their data, including any inferences made by businesses on
such data, to other businesses.
6. Make organizational changes to protect data, such as by following privacy-by-design
principles and creating security safeguards.

The bill also requires that all "sensitive personal data" be stored in India and that "critical
personal data" not be transferred out of India. This has been criticized as protectionist as it will
distort market-driven decisions and force companies to use local data storage service providers.

Definition of Data in the bill

Data can be broadly classified into two types: sensitive and non-sensitive data. Due to the
introduction of general data protection laws globally, more and more personal data is now
considered sensitive. Personal data in the Personal Data Protection Bill 2019 is any such data that
relates to characteristics, traits, or attributes that could be used to identify an individual. In
contrast, non-personal data includes aggregated data that cannot identify an individual. For
example, an individual's location would constitute personal data, while information derived from
thousands of individual locations, such as data to analyse traffic flows, is not considered personal
data. In addition to the above definition, the Bill makes a further distinction for sensitive personal data,
which is financial data, health data, official identifier, biometric data, genetic data, transgender
status, intersex status, caste or tribe, and religious or political beliefs.

Criticism of the Bill

The biggest concern about the bill among academics and activists is the exemptions granted to
the government. Section 35 states that exceptions can be made to collection rules, reporting
requirements, and other requirements whenever the government feels it "necessary or expedient"
in the "interests of sovereignty and integrity of India, national security, friendly relations with
foreign states, and public order." Justice B.N. Srikrishna, a former judge of the Supreme Court of
India, has said that the bill could turn India into an "Orwellian State". In an interview with the
Economic Times, Srikrishna said, “They have removed the safeguards. That is most dangerous.
The government can at any time access private data or government agency data on grounds of
sovereignty or public order. This has dangerous implications”. Dvara Research, a financial
systems policy research institution in India, echoes Srikrishna's criticism, identifying seven
consumer protection concerns that could weaken the citizens' right to privacy. In The Hindu,
Apar Gupta, Executive Director of the Internet Freedom Foundation, wrote, "Privacy is mentioned just
once in this voluminous document — 49 mentions of ‘security’ and 56 mentions of
‘technology’". And Foreign Affairs warns of India's growing surveillance state with "new
technologies that threaten freedoms in the world's largest democracy".

Comparisons with General Data Protection Regulation (EU)

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on
data protection and privacy in the European Union (EU) and the European Economic Area
(EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The
GDPR's primary aim is to enhance individuals' control and rights over their personal data and to
simplify the regulatory environment for international business. Superseding the Data
Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the
processing of personal data of individuals (formally called data subjects in the GDPR) who are
located in the EEA, and applies to any enterprise—regardless of its location and the data
subjects' citizenship or residence—that is processing the personal information of individuals
inside the EEA.

The GDPR was adopted on 14 April 2016 and became enforceable beginning 25 May 2018. As
the GDPR is a regulation, not a directive, it is directly binding and applicable but does provide
flexibility for certain aspects of the regulation to be adjusted by individual member states.

Rule 3 of the Information Technology Act (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2011, also known as the “SPDI Rules”, already
defines what is known as “sensitive data.” It is evident that India does have rules and
regulations citing sensitive data (name, contact, passwords, etc.) and defining them.

However, the difference between PDP and GDPR that stands out the most and renders the efficiency of
GDPR much more viable is the user experience. GDPR gives a much more secure and nuanced sense
to user experience as it focuses more on individual user experiences, and data transaction and
processing are much more privatized. On the other hand, PDP puts a larger emphasis on public
data circulation and does not explicitly mention anything about the user experience and
privatization of any kind of sensitive data. Individual rights are guaranteed in the GDPR in
Chapter 3 (Art. 12-23), but there are no such rights/principles mentioned in the PDP bill of India,
which raises concerns on a holistic level. Moreover, there is already a digital divide between
Indians, as many do not have access to the bare minimum device from which they can go online,
bringing the fundamental Right of Equality (Article 14 of the Indian Constitution) into the
picture.

Cybercrimes in Tort Law (Cyber-Tort)

A cyber tort, then, is when harm is done to a business or an individual online. The ways in which
you could suffer a legal injury on the Internet parallel real-world dangers, and include the
following:

• Use of online services, such as social media, to tarnish your organization’s image.
• Trademark infringement.
• Illegal downloading or dissemination of intellectual property.
• Having domain names pilfered in what is legally termed “conversion”.

Denial of service attacks and exposure to potentially harmful software such as spyware would
also fall under the umbrella of cyber torts.

Modes of Committing Cyber tort


Out of the numerous ways to commit data and privacy breach-based torts online, the five that are
most strongly prevalent amongst hackers are as follows:

1. Unauthorized access to computer systems or networks/Hacking - This kind of offence
is normally referred to as hacking in the generic sense. However, the framers of The
Information Technology Act 2002 have nowhere used this term and also the term
“unauthorised access” has a wider connotation than the term “hacking”.
2. Theft of information contained in electronic form - This includes information stored in
computer hard disks, removable storage media, magnetic disks, flash memory devices
etc. Theft may be either by appropriating or rather misappropriating the data physically or
by tampering them through the virtual medium.
3. Salami attacks - This kind of crime is normally prevalent in the financial institutions or
for the purpose of committing financial crimes. An important feature of this type of
offence is that the alteration is so small that it would normally go unnoticed. E.g. The
Ziegler case wherein a logic bomb was introduced in the bank’s system, which deducted
10 cents from every account and deposited it in a particular account.
4. Virus/worm attacks - Viruses are programs that attach themselves to a computer or a
file and then circulate themselves to other files and to other computers on a network.
They usually affect the data on a computer, either by altering or deleting it. Worms,
unlike viruses do not need the host to attach themselves to. They merely make functional
copies of themselves and do this repeatedly till they eat up all the available space on a
computer's memory. E.g. the love bug virus, which affected at least 5% of the computers of
the globe. The losses were accounted to be $10 million. The world's most famous worm
was the Internet worm let loose on the Internet by Robert Morris sometime in 1988 which
almost brought the development of Internet to a complete halt.
5. Trojan attacks - This term has its origin in the word ‘Trojan horse’. In software field
this means an unauthorized programme, which passively gains control over another’s
system by representing itself as an authorised programme. The most common form of
installing a Trojan is through e-mail. E.g. a Trojan was installed in the computer of a lady
film director in the U.S. while chatting. The cyber-criminal through the web cam installed
in the computer obtained her nude photographs. He further harassed this lady.

Civil and Criminal Cyber Torts


Civil Cyber Wrongs

A civil cyber wrong is one which is committed online and is civil in nature, such as a tort of
defamation committed online, where a computer (or any device which has access to the internet
and is able to modify the information or post anything online, such as a mobile phone or a
tablet) is used as a tool to commit that kind of wrong. Although not defined or addressed as civil
cyber wrongs, the essence of civil liability is defined under section 43 of the IT Act, 2000.

Criminal Cyber Wrongs


A criminal cyber wrong is a serious threat and it must be dealt with as soon as possible. A
criminal cyber wrong is a criminal wrong committed online through the use of technology,
covering crimes such as hacking, information theft, denial of service attacks, etc. Although they are not addressed
as criminal cyber wrongs in any Act, various wrongs of a criminal nature are defined under the
IT Act, 2000, such as child pornography defined under Section 67-A of the Act.

Immunity Provided to social intermediaries under Indian Law


Section 79 of the Information Technology Act, 2000, gives immunity to network service
providers. According to Section 79 of the Act, a 'network service provider' (defined as a person
who on behalf of another person receives, stores or transmits the electronic messages) shall not
be liable under the Act, or Rules or Regulations made there under, for any third party
information or data made available by him if he proves that the offence or contravention was
committed without his knowledge or that he had exercised all due diligence to prevent the
commission of such offence or contravention.

Preventive Measures for Cyber Crimes


Prevention is always better than cure. A netizen should take certain precautions while using
the internet and should follow certain preventive measures for cybercrimes, which can be set out
as:

1. Identification of exposures through education will assist responsible companies and firms
to meet these challenges.
2. One should avoid disclosing any personal information to strangers via e-mail or while
chatting.
3. One must avoid sending any photograph to strangers online, as incidents of misuse of
photographs are increasing day by day.
4. Updated anti-virus software to guard against virus attacks should be used by all
netizens, who should also keep backup volumes so that they do not suffer data loss in
case of virus contamination.
5. A person should never send his credit card number to any site that is not secured, to guard
against frauds.
6. It is always the parents who have to keep a watch on the sites that their children are
accessing, to prevent any kind of harassment or depravation in children.
7. Web site owners should watch traffic and check any irregularity on the site. It is the
responsibility of the web site owners to adopt some policy for preventing cyber crimes, as
the number of internet users is growing day by day.
8. Web servers running public sites must be physically separately protected from the internal
corporate network.
9. It is better for the body corporate to use security programmes to control information on
sites.
10. Strict statutory laws need to be passed by the Legislatures keeping in mind the interest of
netizens.

Conclusion

The capacity of the human mind is unfathomable. It is not possible to eliminate cyber crime or
cyber torts from cyberspace. It is quite possible to check them. History is the witness that no
legislation has succeeded in totally eliminating crime from the globe. The only possible step is to
make people aware of their rights and duties (to report crime as a collective duty towards
society) and further to make the application of the laws more stringent to keep a check.
Undoubtedly the Act is a historical step in the cyber world. We would conclude with a word of
caution for the pro-legislation school: it should be kept in mind that the provisions of the
cyber law are not made so stringent that they may retard the growth of the industry and prove to be
counter-productive, and at the same time a vigilant check should be kept on its misappropriation and
further consequences. Since users of computer systems and the internet are increasing worldwide,
and it is easy to access any information within a few seconds by using the internet, which is
the medium for huge information and a large base of communications around the world, certain
precautionary measures should be taken by netizens while using the internet, which will assist in
challenging this major threat, cyber crime.

It is not possible for any government of any nation to prevent cyber torts or any other online
wrongs committed on a daily basis by people. But it is possible for the governments to adapt and
evolve their technology and keep a check on the online activities of everyone in cyberspace.

Historically speaking, there has been no legislation in the world which has been able to
eliminate a wrong against which it has been created. The same goes for the cyber laws in India: as the
cyber world is ever growing, more new ways are developing every day in which loopholes on the
internet are being found and wrongs are being committed.

As a lot of people may be unaware of the wrongs that can happen online and the penalties
associated with them, the government should devise a strategy to publicize the offences and the
penalties associated with them so that even a regular individual can be informed of the outcome
of such actions.

ACKNOWLEDGEMENT AND DECLARATION

I humbly submit that Index of Authorities, references and links used for the purpose of research
in the project are duly recognized under the column of “Index of Authorities”. Furthermore, this
project is for no degree purpose in any other institution rather than Dr. Ram Manohar Lohiya
National Law University, Lucknow and has been created for academic check in the session of
2020-21. I thank and acknowledge Ms. Ankita Yadav (Professor, Torts Law) for giving me a
chance to research on this topic and to all the sources which turned out to be helpful and
informative in the course of project making.

BIBLIOGRAPHY AND AUTHORITIES

Cases Cited
1. Justice K. S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
2. WM Morrison Supermarkets PLC v. Various Claimants, (2019) QB 772.
3. Navtej Singh Johar v. Union of India, AIR 2018 SC 4321.
4. Joseph Shine v. Union of India, 2018 SC 1676.

Legislations Cited
1. Personal Data Protection Bill, 2019.
2. General Data Protection Rules, 2016.
3. Information Technology Act, 2000.

Web Materials
1. https://www.hellocounsel.com/cyber-crime/
2. http://www.legalservicesindia.com/article/1134/Cyber-Torts.html
3. https://www.interpol.int/en/Crimes/Cybercrime
4. https://blog.ipleaders.in/cyber-torts/
5. https://blog.ipleaders.in/need-know-cyber-laws-india/
6. https://www.icsi.edu/media/webmodules/publications/Cyber_Crime_Law_and_Practice.pdf
7. https://unctad.org/page/cybercrime-legislation-worldwide
8. http://www.halsburylawchambers.com/internet-law-a-brief-introduction-to-cyber-torts/

Submitted By- Yash Bhatnagar
Year 1, Semester 2
Dr. Ram Manohar Lohiya National Law University, Lucknow
Enr. No. 200101157

Submitted to- Ms. Ankita Yadav
(Professor, Law of Torts)
Dr. Ram Manohar Lohiya National Law University, Lucknow.