Thursday, May 10, 2012

Tortious Liability in the Case of Misuse of Personal Information



This article is written by Ashutosh Singh.
(Also read article on basics of Law of  Torts.)

Introduction
DATA PROTECTION LAWS IN VARIOUS COUNTRIES: This part specifically deals with the laws relating to data protection and laws relating to protection of infringement of right to privacy in foreign countries. The role and contribution of European Union on data protection and privacy laws have also been mentioned in the chapter to show the concern of international organisations on privacy law.   The Privacy Act of 1974, United States of America Roots of the Privacy Act of 1974 can be traced as far back as 1965 when hearings were held by the House of Representatives Special Subcommittee on Invasion of Privacy.[7] Privacy Act of 1974 is a companion to and extension of the Freedom of Information Act of 1966 (FOIA).[8] The Privacy Act of 1974[9] establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.[10] The prohibition of disclosure of information from a system of records is the main area of focus of The Privacy Act of 1974. The Act set forth some basic principles of “fair information practice” and provided individuals with the right of access to information about themselves and the right to challenge the contents of records. It required that personal information may only be disclosed with the individual’s consent or for purposes announced in advance. The Act required federal agencies to publish an annual list of systems maintained by the agency that contain personal information.
Tortious liability arises  from the breach of a duty primarily fixed by law: this duty is towards persons generally and its breach is redressible by an action for unliquidated damages.”[1] Salmond defined Tort as “a civil wrong for which the remedy is a civil law action for unliquidated damages and which is not exclusively the breach of contract or breach of a trust or other merely equitable obligation.” Furthermore, Limitation Act defines Tort as civil wrong which is not exclusively a breach of contract or breach of trust.[2]

From the above definitions of tort or tortious liability, the basic idea of what tortious liability becomes apparent. The first part of the topic deals about what tortious liability actually is; the same has been done taking into account of Indian as well as outside world context. The second part of the topic ‘misuse of personal information’ has been dealt with in light of various Indian and foreign statutes. ‘Misuse of personal information’ in true terms means 
misuse of anything which is private property of a person, say, data or work or property. Thus, misuse of personal information is the violation of privacy of an individual i.e., an invasion into privacy of a person.

Privacy is one of those commonsense concepts which can be understood, at some level, within every human society. To be sure, the meaning of privacy and the social conventions surrounding it varies dramatically. The variable nature of the meaning of privacy, as with any component of non-material culture, makes it difficult to arrive at an exact definition. Individual’s understandings and experiences of privacy vary by socio-historical contexts. Therefore, privacy is difficult to define and even more challenging to measure. Avoiding common obstacles to privacy research, privacy should be examined from the standpoint of its invasion.[3]

Late Chief Justice Koka Subba Rao, The jurisprudence of privacy has a fragmented history. The first insight of privacy dates back to 1890 in an article published in Harvard law review.[4] The history of recognition to right to privacy in India started with a dissenting opinion in Kharak Singh v. State of UP[5] and later on was affirmed by majority of judges in Govind v. State of MP.[6] It was held in the later case that right to privacy in India emanates from article 21 which talks about right to life and personal liberty.
Late Justice Subba Rao
The jurisprudence of privacy has a fragmented history. The first insight of privacy dates back to 1890 in an article published in Harvard law review.[4] The history of recognition to right to privacy in India started with a dissenting opinion by Justice Subba Rao in Kharak Singh v. State of UP[5] and later on was affirmed by majority of judges in Govind v. State of MP.[6] It was held in the later case that right to privacy in India emanates from article 21 which talks about right to life and personal liberty.

As the basic concepts regarding the topic “tortious liability in the case of misuse of personal information”, have been discussed above, the later parts of the article will throw light on tortious liability arising out of invasion into privacy. European Union on Data Protection and discussion on various privacy and data protection laws in India as well as in foreign countries will be the major goal of the article.



DATA PROTECTION LAWS IN VARIOUS COUNTRIES:
This part specifically deals with the laws relating to data protection and laws relating to protection of infringement of right to privacy in foreign countries. The role and contribution of European Union on data protection and privacy laws have also been mentioned in the chapter to show the concern of international organisations on privacy law.


The Privacy Act of 1974, United States of America
Roots of the Privacy Act of 1974 can be traced as far back as 1965 when hearings were held by the House of Representatives Special Subcommittee on Invasion of Privacy.[7] Privacy Act of 1974 is a companion to and extension of the Freedom of Information Act of 1966 (FOIA).[8] The Privacy Act of 1974[9] establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.[10]
The prohibition of disclosure of information from a system of records is the main area of focus of The Privacy Act of 1974. The Act set forth some basic principles of “fair information practice” and provided individuals with the right of access to information about themselves and the right to challenge the contents of records. It required that personal information may only be disclosed with the individual’s consent or for purposes announced in advance. The Act required federal agencies to publish an annual list of systems maintained by the agency that contain personal information.




Data Protection Act (DPA), 1984 of United Kingdom
U.K. parliament framed its Data Protection Act (DPA) in the year 1984 which thereafter repealed by the DPA of 1998. This Act is basically instituted for the purpose of providing protection and privacy of the personal data of the individuals in UK. The UK has had a Data Protection act since 1984 which gave individuals rights as data subjects. These rights include giving access to data stored about us, a right to have inaccurate information corrected or removed and to claim compensation if stored information is misused.  It has its origins in the European Rights Convention, article 8 - giving individuals a right to respect for their private life.[11]

The provisions in the Data Protection Act, 1984 of UK has been improved and modified by the amendment act in 1998 which came into force on 1.3 2010. Bringing forth new dimensions to the right to privacy based on the directives of European Union. The primary purpose of current data protection legislation is to protect individuals against possible misuse of information about them held by others.




Privacy and Personal Information Act 1998 of New South Wales
 This is an act which provides for the protection of personal information and for the protection of the privacy of individuals generally; to provide for the appointment of a Privacy Commissioner; to repeal the Privacy Committee Act 1975; and for other purposes and personal information act 1998.

 The Privacy and Personal Information Protection Act 1998 (NSW) is an Act to provide for the protection of personal information and for the protection of the privacy of individuals generally. The Privacy and Personal Information Protection Act 1998 (NSW) sets out the ways in which the personal information of an individual should be dealt with by a public authority and the rights of such an individual to control access to and the accuracy of their personal information. This paper will focus on the impact of the Privacy and Personal Information Protection Act 1998 (NSW) to councils.[12]


European Union on Data Protection
After the formation of the European Union in the year 1993, the EU has played a key role in the development and introduction of national data protection law in a number of legal systems in the European Union, which did not have such legislation previously. According to the new article 6 of the Treaty of European Union enjoys “the same legal value as the Treaties” – enshrines data protection as a fundamental right under Article 8, which is distinct from respect for private and family life under Article 7. This feature sets the EU Charter of Fundamental Rights apart from other key human rights documents which, for the most part, treat the protection of personal data as an extension of the right to privacy. This inclusion of data protection as an autonomous fundamental right is a recognition by the EU of the importance of technological progress, and an attempt to make sure that fundamental rights take account of this progress. The undeniable fact that our lives are now becoming a continuous exchange of information, and that we live in a continuous stream of data, means that data protection is gaining importance and moving to the centre of the political and institutional system. This evolution is clearly visible when comparing the EU Charter with the 1950 European Convention of Human Rights of the Council of Europe (ECHR).[13]

Deficiencies of Data Protection Authorities
At a structural level, the lack of independence of several Data Protection Authorities (DPAs) poses a major problem. In a number of Member States concerns are reported about the effectiveness and capability of the officers of Data Protection Authorities to perform their task with complete autonomy. At the functional level, understaffing and a lack of adequate financial resources among several Data Protection Authorities constitutes a major problem. At the operative level, a major problem is represented by the limited powers of several Data Protection Authorities. In certain Member States, they are not endowed with full powers to investigate, intervene in processing operations, offer legal advice and engage in legal proceedings.

DATA PROTECTION LAWS IN INDIA AND RIGHT TO PRIVACY



Right to privacy, Information Technology Act was passed in the year 2000 and further amended in the year 2008 via amendment act. The Indian Parliament enacted an Act called the Information Technology Act, 2000. It received the assent of the President on the 9th June, 2000 and is effective from 17th October, 2000. This Act is based on the Resolution A/RES/51/162 adopted by the General Assembly of the United Nations on 30th January, 1997 regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL) in its twenty-ninth session.
Information Technology Act, 2000
Information Technology Act was passed in the year 2000 and further amended in the year 2008 via amendment act. The Indian Parliament enacted an Act called the Information Technology Act, 2000. It received the assent of the President on the 9th June, 2000 and is effective from 17th October, 2000. This Act is based on the Resolution A/RES/51/162 adopted by the General Assembly of the United Nations on 30th January, 1997 regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL) in its twenty-ninth session.[14] (Image taken from here.)
One of the basic purposes of Information Technology Act, 2000 is to safeguard the privacy of a person however related and confined only to technology areas. It is the sole statute which deals with right to privacy or data protection. The act in itself is the soul act representing the safeguard to infringement of privacy and embeds in it specific sections which deal with data protection and privacy in particular. Specific provisions of Information Technology Act, 2000 which deal with right to privacy and data protection are discussed below: 

Section 43 of IT Act, 2000[15] ­–
Penalty for damage to computer, computer system, etc
If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network –
(a) accesses or secures access to such computer, computer system or computer network
(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium
(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network
(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network
(e) disrupts or causes disruption of any computer, computer system or computer network
(f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means
(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under
(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network,
he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.
Henceforth, this act lays down fundamental areas where the act focuses on the breach of privacy and subsequently the punishment in form of compensation.

Section 65 of Information Technology Act, 2000[16]-
Tampering with computer source documents .- Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy, or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Thus, the above section provides for the intentional concealment of facts in computers and establishes the punishment in form of compensation which may extend to Rs. 2 lakh.

Section 66 of Information Technology Act, 2000[17]
Hacking with Computer System
(a) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.
(b) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
As mentioned above section 66 of Information Technology Act deals with the hacking of computer systems and provides for the punishment both in form of compensation and imprisonment.

Section 70 of Information Technology Act, 2000[18]
Protected system - (1) The appropriate Government may, by notification in the Official Gazette, declare that any computer, computer system or computer network to be a protected system.
(2) The appropriate Government may, by order in writing, authorise the persons who are authorised to access protected systems notified under sub-section (I).
(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.
Herein, section 70 of the Information Technology Act, 2000 prescribes the authorisation of certain persons to view the protected systems and in case of an unauthorised access to computer system, the accused will have to face imprisonment as well as fine.

Section 72 of Information Technology Act, 2000 -
Penalty for Breach of confidentiality and privacy - Save as otherwise provided in this Act or any other law for the lime being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
Section 72 hence explains about the breach of confidentiality and privacy and punishment if such otherwise mentioned in the act is done. As we have discussed all the related provisions concerned to Information Technology Act, 2000 ; the next of our concern and importance is “Personal Data Protection Act, 2006” which has been passed by Rajya Sabha only and it has not been yet approved by Lok Sabha.

Personal Data Protection Act, 2006
On the footprints of other various nations and to create a firm legal system and to protect the personal rights concerned with the fundamental freedom of individuals, Indian Parliament decided to pass an act on privacy and data protection and named it Personal Data Protection Act, 2006.
A bill to provide for protection of personal data and information of an individual collected for a particular   purpose   by   one   organization,   and   to   prevent   its   usage   by   other organization for commercial or other purposes and entitle the individual to claim compensation or damages due to disclosure of personal data or information of any individual without consent and for matters connected therewith or incidental thereto.[19]
Rule 5 of the bill contains that –
Every person whose personal data or details have been processed or disclosed for direct marketing or for any commercial gain without consent shall be entitled to compensation for damages in such manner as may be prescribed.
Rule 9 of the same act provides that –
Whoever contravenes or attempts contravene or abets the contravention of the               provisions of this Act shall be punishable with imprisonment for a term, which may extend to three years or with fine, which may extend up to ten lakh rupees or with both:
Provided that the compensation for damages claimed under section 5 shall be in addition to the fine imposed under this section.
It appears quite dramatically that firstly the abovementioned bill is passed from only the Rajya Sabha and then Information Technology Act, 2000 is amended in 2008.

Right to Privacy
The above mentioned heading that is right to privacy is a unique and fast growing concept in the field of tort law under which a new course of action or a new distinctive subject for damages arising out of unjustified and unlawful invasion of private affairs of a person was instituted and recognised. It is herein necessary to mention that right to privacy is not only a subject area which is the whole and sole authority of tort law, right to privacy is specifically dealt by the constitutional law; however this practice in constitutional law is a new concept. The right to privacy in the recent perspective has acquired a distinctive constitutional importance. So, the related areas, concerned subject matter and case laws are not only tortious in nature but also constitutional in nature. When we discuss about privacy it is extremely essential to hereby notice that the subject area concerned with ‘right to privacy’ is intermixed with the notions and ideas of tort law as well as constitutional law.
Right to privacy is a concept which emanates and is implicitly provided in article 21 which is right to life and personal liberty of the Indian constitution. Supreme Court in a leading case held that right to privacy is “right to be let alone”.[20] A citizen has the right to safeguard privacy of his own, his family, marriage, pro-creation, motherhood, child bearing and education. No one has the freedom to publish anything concerning the above matters without his consent- whether truthful or otherwise and whether laudatory or critical. If any person does such unreasonable act, the person will be held liable for the same and will have to pay damages in an action brought forward by the opposition party.
In Kharak Singh v State of Uttar Pradesh[21], the Supreme Court of India held that right to privacy can be traced from or emanates from article 21 by the majority view. Justice Subba Rao in his concurring view observed that “right to privacy is a part of right to liberty under article 21, part of right to freedom of speech and expression under article 19 (1) (a) and it is also a part of right to movement under article 19 (1) (d) of Indian constitution.” Justice Mathew also accepted the same view in Govind v State of Madhya Pradesh[22] as propounded by Justice Subba Rao. Privacy primarily or basically or mainly concerns the individual. It relates and is overlapped by the right to liberty. In Govind v State of Madhya Pradesh,[23] it was opined that: -
The right to privacy in any event will have to go through a process of case to case development. Therefore, even assuming that the right to personal liberty, the right to move freely through the territory of India and the freedom of speech create an independent right to privacy as an emanation from them which one can characterise as a fundamental right, it cannot be said that the aforesaid right is absolute.
It was held in PUCL v Union of India[24] that right to privacy has certain restrictions imposed on it. The right to privacy is hence not an absolute right. The diameters and parameters of infringement of right to privacy will be different when a person voluntarily or willingly thrust him or herself into a controversy or voluntarily invites or raises any controversy.  

CONCLUSION/ SUGGESTION
The insight I attained while writing this article is the importance and relevance of data protection laws or privacy rights in a developing nation like India. Misuse of personal information is a growing phenomenon in the field of tort law. I will like to conclude my article stating that right to privacy or right arising out of misuse of personal information is a straight forward infringement of the fundamental rights provided in article 21 of Indian constitution and it’s violation not only results in degradation of humanitarian values but also leads to the degradation of moral values prevalent in the society and henceforth it needs a fast counter. It may well be asserted that the misuse of personal information gives rise to liability in respect to constitutional tort.
As a move to enhance the glory of Indian legal system and strengthen its value, I will like to further suggest that the personal data protection bill passed by the Rajya Sabha in 2006 must be approved by Lok Sabha as soon as possible. A separate commission/committee for personal data protection and privacy should be established by the Indian Parliament for speeding up of disposal of concerned legal issues.  


This article is written by Ashutosh Singh. 


 "Author would like to thank Chaitanya and Ashish for providing valuable insights in the Article".

Ashutosh is a Second year law student at National Law University, Orissa. His interest areas include Constitutional Law, Criminal Law and International Human Rights. His aim is to become a successful Lawyer and Author. He love exploring the disputed and unsettled areas of law and write critical comments on them. This apart, his hobbies are cooking, mooting, debating, and watching cricket.





[1] W.V.H. Rogers (ed.), “Winfield and Jolowicz on Torts” 5 (1990).
[2] Limitation act, 1963, § 2 M.
[3] Debbie V S Kasper, The Evolution (Or Devolution) Of Privacy, Sociological Forum, Vol. 20, No. 1, March 2005.
[4] Louis Brandeis and Samuel Warren, The Right to Privacy, (1890) 4 Harv L. R. 193.
[5] Kharak Singh v. State of UP, AIR 1963 SC 1295.
[6] Govind v. State of MP, AIR 1975 SC 1378.
[7] Aruthur A. Bushkin and Samuel I. Schaen, The Privacy Act of 1974 - A Reference Manual for Compliance System Development Corporation (McLean, Virginia), 1975.
[8]Dr. Faizan Mustafa, Privacy Issues in Data Protection : National and International Laws, (2004) PL WebJour 16.
[9] The Privacy Act of 1974, 5 U.S.C. § 552a.
[15] Information Technology Act, 2000, § 15.
[16] Information Technology Act, 2000, § 65.
[17] Information Technology Act, 2000, § 66.
[18] Information technology act, 2000, § 72.
[19] Bill No. XCI of 2006.
[20] R Raj Gopal v State Of TamilNadu, (1994) 6 SCC 632.
[21] Kharak Singh v State of Uttar Pradesh, (1964) 1 SCR 332.
[22] Govind v State of Madhya Pradesh, AIR 1975 SC 1378.
[23] Govind v State of Madhya Pradesh, AIR 1975 SC 1378.
[24] PUCL v Union of India, AIR 1997 SC 568.

3 comments:

  1. Fabulous article.

    ReplyDelete
  2. Nicely descripted.

    ReplyDelete
  3. Very simply and perfectly descripted Mowing The Law.

    ReplyDelete