ijalr

Trending: Call for Papers Volume 5 | Issue 1: International Journal of Advanced Legal Research [ISSN: 2582-7340]

INVASION OF PRIVACY: DATA BREACHES AND LEGAL RECOURSE – Ishan Choudhury

Part I: Scope and Limitations

The designated article, “Invasion of Privacy: Data Breaches and Legal Recourse, ” focuses broadly on understanding the concept of Privacy and its origin. It further examines the concept of data breaches in the contemporary scenario. Moreover, legal recourses regarding the same have also been outlined vividly.

However, this article has its limitations, primarily inthe Indian context. On the other hand, it briefly focuses on exploring the privacy scenarios with an international perspective. Specific legislations and case laws have also been cited and discussed. Examples of famous data breach incidents have also been outlined.

Part-II: Introduction To Right To Privacy

With due reference to Black’s Law Dictionary, “Privacy means right to be let alone; the right of a person to be free from any unwarranted publicity; the right to live without any interference by the public in matters with which public is not necessarily concerned.”

“Man’s house is his castle”- This particular saying talks about the inherited “Right to Privacy” of an individual. Privacy, basically, provides an individual “to be left alone in a core which is inviolable”. The concept of “right to be let alone”, as proffered by Warren and Brandeis in 1890, can be seen as the “first mature theory” in the sphere of privacy.

A group of jurists, including Douglas, link privacy to the protection of an individual’s liberty. On the other hand, jurists like Rehnquist adhere to “non-recognition of some unrecognised substantive due process rights as fundamental”. Justice White and Justice Harlan contend privacy “to protect the family from government interference”. Another view is that “privacy is a natural right”. Natural Rights are considered supreme to all other existing rights.

John Locke, in “Two Treaties on Civil Government”, mentions the “Right to Privacy” by talking about natural rights, which, as per him, are “inviolable” and “inalienable”. As per Locke, “the primary transaction between individuals and the government is the preservation of life, liberty and property.”

In the Contemporary scenario, the “Right to Privacy” is considered a “Fundamental Right”. In India, privacy is a fundamental right in concurrence with the “global human rights regime”.

However, with the advent of Information Technology(IT) came new solutions and developments in the service sector industry. However, with consistent technological developments, the threat of invasion of privacy. Privacy is an issue of grave concern and requires immediate attention and specific legislation for its safeguarding and protection. Data breaches have also been a prevalent trend, and their legal recourses have to be examined and implemented with efficacy.

Part-III: Analysis

FBI Director Robert Mueller had famously remarked- “Hackers for profit do not seek information for political power — they seek information for sale to the highest bidder. These once-isolated hackers have joined forces to create criminal syndicates. Organised crime in cyberspace offers a higher profit with a lower probability of being identified and prosecuted.”

Data Breaches

Concerningdata fromthe Pew Research Centre- “Over the past 15 years, more than 10 Billion records have been breached from over 9,000 data breaches in the United States, impacting a majority of Americans.” [1]

According to Resecurity, an American cyber security company, “personally identifiable information of 815 million Indian Citizens, including Aadhaar numbers and passport details, were being sold on the dark web.”

A data breach is “ an unintentional release of secure or personally identifiable information to an unsecured environment.”[2]Personally Identifiable Information” is concerned with one particular person. Examples are passwords, email addresses and credit card numbers. Excluding these, sensitive corporate information can also be frequently stolen. This may include business or trade secrets.

DATA BREACHES CAUSED AS A RESULT OF HUMAN ERROR

Data breaches can occur due to human neglect. It can be frustrating because these can be preventable as well. Emailing the wrong individual by mistake can be an example of the same. It can be as simple as a school principal accidentally publishing the sensitive medical records of the student on the school’s intranet.

DATA BREACHES CAUSED AS A RESULT OF SYSTEM GLITCH

This category of breaches is caused due to technology failure. Data dumps and errors in data transfer are specific examples of the same. The data breach of First American Financial Corporation’s insurance records is one of the most significant data breaches in 2019. It falls under the category of data breaches caused by a glitch in the system.

CRIMINAL BREACH OF DATA

Criminal attacks profoundly targeted by hackers areIndia’s most common form of data breach. Cyberattack on AIIMS led to encryption of data amounting to 1.3TB. The Cyberabad police data leak is also an example of this. In 2022, the Swachh City platform was also hacked, which put the data of 16 million users at risk. Another example in India is the Sun Pharma cuber attack, which profoundly impacted its business operations. A similar breach was also observed at Dr Reddy’s Laboratories.

“Malware infections”, “Hacking”, and “Social Engineering” are types of criminal breaches of data. One of the famous examples of malware infections was the “Pegasus Malware”, which mainly targeted the mobile phones of opposition politicians.

Legal Recourse To Data Breach

“If the right to privacy means anything, it is the right of the individual, married or single, to be freed from unwarranted governmental intrusion” …….

William J. Brennan

INDIAN CONTEXT

Article 21 of the Indian Constitution, a part of the “Golden Triangle”, lays down the cornerstone for the “Right to Privacy”.

It states- “No person shall be deprived of his life or personal liberty except according to procedure established by law.” These restrictions on personal liberty shall be “reasonable restrictions”.

 In People’s Union for Civil Liberties vs. Union Of India[3], it was held that “We have; therefore, no hesitation in holding that right to privacy is a part of the right to life and personal liberty enshrined under Article 21 of the Constitution. Once the facts in a given case constitute a right of privacy. Article 21 is attractive. The said right cannot be curtailed except according to procedure established by law.”

In Kharak Singh vs State of Uttar Pradesh[4], Justice Subba Rao linked privacy with personal liberty. He observed- “concept of liberty in Article 21 was comprehensive enough to include privacy and that a person’s house, where he lives with his family is his castle and that nothing is more deleterious to a man’s physical happiness and health than a calculated interference with his right to privacy.”

One of the landmark judgements of the Supreme Court of India is K.S. Puttaswamy vs. Union Of India and Ors.[5]. In this case, a nine-judge bench of the Supreme Court “reaffirmed the Right to Privacy as a Fundamental Right.”

An essential aspect of the “Right to Privacy” concerns revealing a patient’s personal information to a medical practitioner. The doctor must maintain this information within strict confidentiality. In the case of X vs. Z. Hospital[6], the doctor had showcased to the patient’s fiancée that he was infected with HIV. This led to the breakdown of their marriage, and the doctor was sued. However, the Court held that the doctor wasn’t liable for breach of “Right to Privacy” because the revelation of the information was necessary for public welfare.

The Contemporary era is under the sphere of a virtual space. Cybercrimes have become prevalent, where a computer or network is the main target. Initially, cyber security wasn’t governed in India by a statute. But, with continued rates of cyber security concerns, the “Information Technology Act, 2000[7] came into being to regulate cybercrimes. Sections 66(A-F), Section 65 and Section 43(a-h) govern prime importance. Criminal liability for cyber crimes in India is also defined under the IPC. Certain offences are mentioned as follows:-

  • “Web-jacking”: “Section 383, Indian Penal Code, 1860”
  • Facilitating threatening messages via email: “Section 503, Indian Penal Code, 1860.”
  • Cyber Frauds: “Section 420, Indian Penal Code, 1860”
  • Drafting “False” documents: “Section 464, Indian Penal Code, 1860”
  • “Theft of computer hardware”: “Section 378, Indian Penal Code, 1860”
  • “Cyber Stalking”: “Section 354D, Indian Penal Code, 1860”

INTERNATIONAL CONTEXT

According to “Article 51 of the Indian Constitution”, a part of DPSP, “the state should endeavour to foster respect for international law and treaty obligations in the dealings of organised peoples with one another.”

“Article 12 of the Universal Declaration of Human Rights” recognises the “Right to Privacy”. It states- “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

“Article 17 of the International Covenant on Civil and Political Rights” states-  “No one shall be subjected to an arbitrary and unlawful interference with his/her privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation, and that everyone has right to the protection of the law against such interference or attacks.”

The Indian Judiciary has relied upon “USA Privacy laws” to interpret privacy matters. Amidst the lack of the inalienable “Right to Privacy”, Warren and Brandies mentioned the protection of an individual’s privacy. Thus, it was mentioned in the “First Amendment of Bill of Rights”.

In Griswold vs. Connecticut[8], the U.S. Supreme Court held-  “Forbidding use of contraceptives by the state intrudes in the constitutional right to marital privacy.” In support of the majority, Justice Douglas held that “The right to privacy has emanated from penumbras of the American Bill of Rights.”

Senator Hollings, in 2002, introduced the “Online Personal Privacy Act”. As per this act-“If there is a misuse of personal data and a person can prove harm, he or she may then sue for up to $5,000 per usage.”

Concerning the European Countries, they adopted the guidelines of the “United Nations” and the “Council of Europe Convention for the Protection of Human Rights” in 1950. In 1995, the “European Union” adopted the “Data Protection Directive” to protect personal data.

Part-IV: Conclusion

In conclusion, it can be understood that the “Right to Privacy” is an essential and inalienable right of an individual. The above project provides a dissertation on the invasion of privacy. It encapsulates its origin and traces the opinions of eminent jurists upon the same. Furthermore, a discussion about the data breaches is also mentioned along with their types.

Legal recourses regarding data breaches are also discussed in furtherance of the project. Specific legislations with respect to Indian laws and international context are quoted. Prominent case laws are also mentioned, and sections from the “Indian Penal Code, 1860” and the “IT Act,2000” are cited. Topics related to Cyber attacks have been discussed.

Part-V: References

The secondary sources referred for the completion of this project are furnished as below:-

[1] Aaron Smith, Americans and Cybersecurity, PEW RES. CENTER (Jan. 26, 2017), https://www.pewinternet.org/2017/01/26/americans-and-cybersecurity

[2] State Data Breach Notification Laws, supra note 8; Maxfield & Latham supra note 8, at 30

[3]1997 (3) SCC 433

[4]1963 AIR 1295

[5]2019 (1) SCC 1

[6] (2003) 1 SCC 500

[7] The Information Technology Act, 2000, No.21, Acts of Parliament, 2000(India)

[8] 381 U.S. 479(1965)