Can users claim compensation for a data breach?
Section 43A of the IT Act is viewed as the holy grail provision under which users can claim compensation for a data breach. A victim of the Air India breach has recently claimed Rs. 30 lakh compensation from the National Airline under the provision. Firms, sole proprietorships, and associations of individuals engaged in commercial or professional activities that collect and process sensitive personal data of Indian citizens are liable to pay compensation under this section if they fail to protect the personal data they collect.
Wrongful loss, or not?
Section 43A is no doubt the flag-bearing provision that recognizes and also provides relief in cases of breach of personal data, but the section comes with its own inherent limitations. ‘‘Section 43A as it stands today provides adequate powers to the adjudicatory authority to decide compensation to the party,” says Prashant Mali, a Cyber Lawyer and thought leader. However, he adds, “43A is just the beginning of the recourse for the protection of data. But the IT act comes with inherent lacunae.”
Section 43A says that when a body corporate fails to take reasonable care in implementing the reasonable security practices and procedures and as a result cause ‘wrongful loss’ or ‘wrongful gain’ to any person, then such body corporate will become liable to pay compensation under this section.
But what is the meaning of ‘wrongful loss or wrongful gain’, terms that the IT Act does not define?
The Standing Committee Report which deliberated on the IT amendment Bill (2006), specifies that the Department of Information Technology stated that – ‘the words ‘wrongful loss’ or ‘wrongful gain’ have been provided in tune with the Indian Penal Code (IPC). These terms are well defined under Section 23 of the Indian Penal Code. However, the IPC limits its context to the appropriation of property.
Whether data qualify as a ‘property’ is a jurisprudential question, which is still evolving, especially in the Indian context. Although the Puttaswamy Judgment observes that privacy postulates a bundle of entitlements and interests which lie at the foundation of ordered liberty, the Judgment does go into explaining the nature of data.
Is the loss of privacy a loss enough?
Section 47 of the IT Act specifies the factors on which the adjudicatory officer shall rely to decide compensation. However, it is pertinent to conclude that both Section 43A and 47 view ‘loss’ purely in monetary terms and have not envisaged ‘loss of privacy’ as a sufficient ground for seeking compensation. This could have a lot to do with the fact that these rules were drafted a decade ago, and that privacy was not yet a fundamental right in India.
In a typical case of theft, the person from whom any property is stolen wrongfully loses the property and the person who removes such property from his possession wrongfully gains such property. But in the case of loss of personal data, what is the wrongful loss to that person? Besides no direct monetary loss, there is not even any permanent dispossession of data. One may argue that a person may lose control over her information due to the data breach and as a result, her privacy is violated. But the law does not provide any mechanism to quantify the loss or even an appropriate assessment of the body corporate’s negligence which could be then quantified to impose a finite amount of fine.
Is the Section useful then?
India has witnessed major data breaches over the years and although the breach in itself makes headlines, little publicity is given to what relief the law has ultimately provided to the aggrieved persons. The Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, give a format that victims can use to file a grievance before the Adjudicating Officer. The Rules further guide how the Adjudicating Officer shall conduct proceedings.
‘Compensation has been granted but in cases where monetary loss has occurred to a party, due to the negligence of body corporates in protecting personal information’ says Pune-based Cyber Lawyer Advocate Vaibhav Salunke. Adjudicating Officers often decide cases of fraudulent money withdrawal from bank accounts and award compensation commensurate with the loss suffered. But he largely agrees that the IT Act does not envisage loss of privacy as wrongful loss and thus it is outside the purview of 43A. ‘But a writ can always lie to the High Court or Supreme Court, in cases like these’ he says.
As India now recognizes the Right to Privacy as a Fundamental Right under the constitution, it is about time the IT Act is equipped to envisage a scenario where the loss of sensitive information, resulting in loss of privacy will become an actionable right. Further, the lawmakers should also give due consideration to a provision for class action suits, where the public can approach the adjudicatory body to seek compensation, in cases of major public data breaches.
Do subscribe to our Telegram channel for more resources and discussions on tech-law. To receive weekly updates, don’t forget to subscribe to our Newsletter.