Even as India is working on a comprehensive data protection law, the existing Information Technology (IT) Act has provisions that allow the government to take action against companies, social media platforms or mobile application providers which exploit user data through unauthorised means.
Privacy analysts and legal experts say Sections 43 and 43A, Section 66 and Section 72 of the IT Act, along with the intermediary guidelines, have provisions to govern platforms such as Facebook on how they have handled user privacy. The experts, however, agree that India needs a full-blown data protection law since these provisions may not be sufficient to handle instances such as the recent one of Facebook data being harvested by Cambridge Analytica to allegedly influence elections across the world. They also express concern over weak enforcement, citing the few judgements against companies that have misused data.
Cyber expert and Supreme Court Advocate Pavan Duggal said if someone accesses your systems without permission, copies or downloads data, it becomes the basis for seeking damages by way of compensation under Section 43 of the IT Act, and under Section 43A, one can seek unlimited damages in case sensitive personal data is unauthorisedly accessed.
“The way Indian law defines sensitive personal data, it’s very clear that the data Facebook had shared cannot be said to be sensitive personal data because it’s neither medical, biometric nor financial.” He added that a person can file a criminal complaint against Facebook and Cambridge Analytica for an offence under Section 66, which says that if any person dishonestly or fraudulently without permission copies data or diminishes its value or utility, that becomes an offence.
“This can be read with Section 85, which says that if an offence is committed by a company then every person responsible for the day-to-day management shall also be guilty of the said offence. Also, both Cambridge Analytica and Facebook are intermediaries under Section 72 of the IT Act, where they are bound to exercise due diligence. The onus is on these players to prove that they have exercised due diligence, which they will find very hard to prove.” Duggal added that these are the limited remedies we have but none of them are “effective” provisions. “When you talk of a comprehensive data protection regime, we don’t have that yet.”