On Sunday, an Air India flyer sent a legal notice to the airline seeking damages of Rs 30 lakh for the breach of personal data of 4.5 million passengers, including her husband and herself. Air India had informed the complainant of the data leak a month earlier, after it emerged that its passenger service system provider had been hit by a cyberattack in February.
However, in the absence of a data protection law, India lacks a mechanism for compensation or grievance redress of consumers in such cases, say experts.
Advocate Virag Gupta, a New Delhi-based cyber law expert, explains that a legal notice is a good beginning in the Air India case, but it raises many questions. These include whether sensitive personal information has been leaked and whether the airline is responsible or not, given that a passenger service system provider was also involved. There is also the question of compensating other passengers apart from the complainant. The existing legal scenario, he adds, relies on companies’ policies in such matters to establish whether there has been a violation.
Prasanth Sugathan, legal director at Software Freedom Law Center, India, points out that the Information Technology Act, 2000, does provide a legal framework, but one that offers only limited protection to people, via Section 43A (compensation for failure to protect data).
“The problem is, you need to show the adjudicating officer that there is either a financial loss or somebody else has gained out of it. Only then could there be some compensation,” he explains.
Companies are liable to pay damages by way of compensation when, while handling “sensitive personal data”, they are negligent in implementing and maintaining reasonable security practices and procedures, says New Delhi-based advocate Krishnesh Bapat, Centre for Communication Governance Digital Rights fellow at the Internet Freedom Foundation. “Such negligence must cause ‘wrongful loss or wrongful gain’ to any person. Thus, under the current legal regime, a company owning up to a data breach does not ipso facto allow consumers to claim compensation,” he adds.
The Centre’s Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, define sensitive personal data or information as: password; financial information such as bank account, credit/debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
If those conditions are met, that is, there is proof of a breach of sensitive personal data and of negligence by the company leading to wrongful loss or wrongful gain, “a consumer can file a complaint with an adjudicating officer appointed under Section 46 of the IT Act (power to adjudicate)”, says Bapat.
Last July, the Consumer Protection Act, 2019, came into force. Under Section 10 of the Act, the Central Consumer Protection Authority (CCPA) was set up with effect from July 24, 2020.
“The CCPA is viewed as the beginning of class action suits (where a group of people can collectively bring a claim to court) in India, but it is yet to be operational in the field,” says Gupta. “In the US, for instance, normally consumers can say that they are impacted and are initiating action as a class. But here it appears power has been taken from the consumer, and the authority (CCPA) will file the complaint,” he adds.
The way forward, according to Bapat, is a data protection regime to provide sufficient redress to consumers. “The Consumer Protection Act, 2019, does not deal with protection of data. Consumers will have to argue that the breach of data constituted an unfair trade practice or violated their consumer rights. Both of these are independent standards under this Act, and may be difficult to meet in most cases,” he adds.
Sugathan agrees. “With a comprehensive law in place, there will be an adjudicative officer and an appellate Tribunal that one could approach to seek damages,” he says.
With a cyberattack, the immediate fear is loss of control over one’s personal data. But so far the law does not provide safeguards to prevent the misuse of such data. So, depending on the nature of the data, users themselves can take steps to limit its misuse, and the first step is to find out exactly what data has been breached, says Bapat.
“Many websites like Have I Been Pwned give regular updates to people if they have been the victim of a data breach. The affected users should also make sure they change the password associated with the account and enable two-factor authentication.”