The Data Protection Regime And Compliance In India

The landmark judgment delivered in Justice (Retd.) KS Puttaswamy v. Union of India has endorsed the notion that the threat of breach of confidential data has become a major concern that affects us all.

Under Indian law, as per the Information Technology Act, there exist some remedies against the data processing entity for data breach. However, there is no clear-cut notion of where the buck stops within that entity and there have not been cases awarding compensation so far.

A recent judgement delivered by the Supreme Court of the United Kingdom in WM Morrison Supermarkets PLC v. Various Claimants lays down that vicarious liability shall not apply in cases of data breach. For the first time, there is now clarity on how employers can be held liable for any breach of confidential data by their employees.

It is also entirely likely that Indian courts, operating under the proposed Data Protection Act, will follow the precedent laid down by the Supreme Court of the United Kingdom.

The Morrison Judgment

In 2013, Andrew Skelton, a disgruntled employee of M/s. WM Morrison Supermarkets PLC (Morrison), was working with their internal audit team and was entrusted with the task of collating payroll data of the employees. Mr. Skelton made a copy of the payroll data and, out of vengeance, proceeded to leak the same online.

Thousands of Morrison employees affected by the breach of data filed suits for compensation from Morrison. Two lower courts as well as the Court of Appeal ruled that Morrison was vicariously liable. Aggrieved by the said orders, Morrison had preferred an appeal to the Supreme Court of the United Kingdom (UK).

The UK Supreme Court, while considering the applicability of the UK Data Protection Act 1998 (UK Act), held that the liability of the data controller including that of his employee is based on reasonable care. The judgment, authored by Lord Reed, agreed with arguments advanced by Morrison that the UK Act indicated that “liability was to be imposed only on data controllers, and only where they had acted without reasonable care”.

The ratio laid down by Lord Nicholls in Majrowski v. Guy’s and St. Thomas NHS Trust that a “precondition of vicarious liability is that the wrong must be committed by an employee in the course of his employment” was followed in the present case. Therefore, it was held that since the UK Act does not include vicarious liability, Morrison could not be held liable for the actions of its employee.

The Data Protection Regime in India

Data breaches from computer systems, including payment of compensation and punishment in case of wrongful disclosure and misuse of personal data, are governed by the Information Technology Act, 2000, specifically Sections 43-A and 72-A therein.

The requirements for the collection and disclosure of sensitive personal data or information are laid out under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Under the 2011 Rules, body corporates are required to have a Privacy Policy, obtain prior consent for the collection of personal data, restrict data usage to lawful and necessary purposes, and observe the non-transferability of personal data. Therefore, there exist tortious remedies against private entities for any breach of sensitive personal data.

In the Puttaswamy case, the Supreme Court had affirmed that the Right to Privacy is a constitutional right. Therefore, any party complaining of a privacy breach has the right to initiate appropriate legal proceedings, under writ jurisdiction, for the enforcement of their rights against the state.

A recent case pending before the Kerala High Court involving a customer relationship management software called Sprinklr has brought these issues into focus and may be a test case to understand how liability is fixed.

The Personal Data Protection Bill, 2019 (PDP Bill) has been tabled before the Lok Sabha and is yet to be enacted. The PDP Bill proposes a legal framework to provide for data autonomy, regulate the flow of data, establish the right of data providers, establish a framework for the processing of data, establish a data protection authority, and provide remedies and penalties for the violation or unauthorized processing or use of data.

It is expected that the passage of the PDP Bill will lead to a replacement of the legal framework and the repeal of Section 43-A of the IT Act and the 2011 Rules.

Data Breach and Damages

Under the IT Act, the 2011 Rules and the PDP Bill, there are penalties provided for data breach. However, none of these statutes provides for vicarious liability of the employer arising out of the act or breach committed by the employee.

It would therefore be instructive to turn to general principles of tort law relating to vicarious liability such as:

(i) The act committed by the employee should be within the scope of employment,

(ii) duly authorized by the employer and

(iii) in the course of the employment.

Though the existing statutory provisions as well as the PDP Bill are silent on vicarious liability, common law application of vicarious liability principles listed above may still guide courts in fixing accountability for any breach. However, the key determinant in assessing liability would be whether sufficient and reasonable safety measures have been put in place before the data breach.

The Way Forward

A survey by Ernst and Young in 2018 titled Global Forensic Data Analytics Survey revealed that 60% of Indian companies were unaware of data privacy best practices such as the General Data Protection Regulation (GDPR). According to the survey, only 31% felt that they were GDPR compliant.

Today, under the restrictions imposed by the COVID-19 lockdown, private sector companies have adapted to a work-from-home model. With courts moving to an e-filing process as well, there is a tremendous increase in the amount of data transfer and transmission of sensitive personal information.

Therefore, it is imperative and timely to assess in the present scenario whether organizations have implemented sufficient safeguards for protecting data, whether adequate and reasonable safety measures are in place, and whether the personnel handling sensitive data are properly trained.

During the COVID-19 lockdown, the notion of informational privacy as expressed in the Puttaswamy judgment assumes increased significance. Justice RF Nariman described informational privacy as “which does not deal with a person’s body but deals with a person’s mind, and therefore recognizes that an individual may have control over the dissemination of material that is personal to him”.

In the same judgment, Justice Dr DY Chandrachud held that “informational privacy is a facet of the right to privacy” and that the “dangers to privacy in an age of information can originate not only from the state but from non-state actors as well”.

In this context, and from the ratio laid down in the Morrison judgment, it would be imperative for all organizations to draw a roadmap towards setting higher data privacy standards.

The authors are Muthupandi Ganesan, Manuraj Shunmugasundaram and Shrinikethan Tellakulla, Advocates at Ganesan and Manuraj Legal LLP.