Introduction
The concept of privacy is centuries old, and many jurists have tried to define it according to their understanding. It becomes essential to know the meaning of privacy in this interconnected world where data flows on the internet up for anyone’s grab. This is a fourth-generation where data is the new market, currently open for exploitation in the absence of appropriate regulations. According to its liberal understanding, privacy can be defined as the “expectation of the appropriate use of one’s data”. [1] To be more specific, the attention here is on “personal data”, which helps identify a person, for example, biometric information. Data can be treated as a property in modern times, and like other properties, the authorities need to protect data from unfair use.
Data has been at the center of attention in recent years throughout the world. The awareness regarding the significance of one’s data and its economic value has increased drastically. Many western jurisdictions have recognised people’s rights upon their personal data and how big players in the information technology market are violating it to make a fortune for themselves. However, in the past few years, these unfair practices have been brought to justice. The companies are held liable for compromising the privacy of their customers/users. There is a need to establish a developed procedure for dealing with the tortious liability in the data breach cases; it is still in its development stage. Many common law jurisdictions are slowly recognising the tort of privacy in various cases. In Vidal-Hall v. Google Inc.[2], of 2015 the Court successfully held the company liable for compensating the aggrieved party for the distress caused, even though there was no financial loss.2 And, in Campbell v. MGN Ltd.[3] the Court considered the nexus between the breach of privacy and Article 8 of the European Convention of Human Rights (ECHR).
In the context of India, the Supreme Court judgment of 2017 in K.S. Puttaswamy v. Union of India[4] played a pivotal role in the field of data privacy jurisprudence, wherein the Court recognised the right to privacy as a fundamental right to life under Article 21 of the Indian Constitution[5]. After that, the development of the Personal Data Protection Bill with the recommendations of the B.N. Srikrishna Committee paved the way for statutory provision explicitly dealing with the regulation of data in India. This paper seeks to elucidate upon the tortious liability introduced in the Bill and how it can be influenced from the similar models of foreign jurisdictions, specifically the European Union’s General Data Protection Regulation (GDPR) and some other common law countries like the United Kingdom and the United States of America. The critical analysis of the Act will help us understand certain limitations present and subsequent solutions to remove those impediments.
This article will examine the need for tortious provision in the realm of data protection. Furthermore, it will critically analyse the civil remedies present in the Personal Data Protection Bill, 2019[6].It will also study the judicial bodies present to regulate tort cases under the provisions of the draft Bill by comparing the Indian model to other western liberal models, specifically GDPR (General Data Protection Regulation) of European Union (EU).
The article is divided into four chapters, based on the need for tortious liability in general to the specific instances of India and other countries. The first chapter will discuss how contractual obligations are insufficient to protect the user’s data, and tort law is crucial. The chapter then discusses various instances where the need for civil remedy was necessary in order to deliver justice. Chapter two will talk about the compensation provisions present in the Personal Data Protection Bill and how effective they will be in resolving the issue. The third chapter will then talk about the specific problems the author found in the Bill and offer solutions to rectify them and the last chapter will be the conclusion.
Tort liability for data protection
In one way or another, many countries have tried to ensure the safety of their citizen’s data. Data protection jurisprudence is relatively newer for the current legal system, and many developing countries are yet to recognise the need for data protection laws. Lawmakers are facing many problems while regulating this giant data market. The unawareness of recently emerged technologies is one of the major impediments towards the development of this jurisprudence. Jurisdictions like the EU, UK and Canada are the current torchbearers in terms of the development in data laws. The current laws in these countries can successfully deal with various issues people face around the world.
In the case of India, in the recent few years, significant development has been made. Through various judgments and legislation, especially judicial activism has played a pivotal role in the development of this cause—currently, the Information Technology Act, 20007 (IT Act) deals with the issue of data protection on the internet. However, the inadequacy of these provisions has invoked the need for separate legislation. Parliament is in the process of developing a Bill called the Personal Data Protection Bill, 2019 (PDP Bill). This Bill, if enacted, will specifically empower the citizens to safeguard their data and provide them legal remedies against data privacy violations. This draft Bill has provisions enabling compensation to the aggrieved by the offender, introducing tort liability in data protection.
The concept of tort liability in data privacy was first introduced in the USA (United States of America) during the 19th century when the press and media grew tremendously. The laws were made to safeguard people from the intrusive behaviour of the press, hence curbing the freedom of speech through reasonable restrictions. The laws then explicitly focused on famous personalities who are more likely to be covered by the news media. However, as the internet started growing, every person became a possible source of data, and companies started banking on this data by infringing people’s privacy. This invoked lawmakers to expand the scope of privacy laws, covering every citizen. However, the question of whether companies should be held responsible for compensation to every aggrieved individual remained unanswered. The courts were divided on this issue as the number of individuals involved were huge and unaware of their loss, making it difficult for the courts to decide the magnitude of the compensation. In the most recent case of Lloyd v. Google LLC,8the Supreme Court of United Kingdom (UK) unanimously ruled in favour of Google (appellant), denying the request of compensation to 4 million Apple users, who were wrongfully tracked by Google and the information accumulated was sold after that. The Court stressed upon the difficulty of ascertaining the individuals who incurred the loss and whether the representative claimant or the people they are representing suffered any loss. This case is an example of the challenges present in introducing civil remedies in data privacy laws. The expanding technologies have brought many complications in its regulation, impelling lawmakers to develop more sophisticated and detailed laws.
Why do we need tort for data protection
One can think why do we need to introduce tort if determining the compensation is problematic in some instances. After all, we already have a well-established branch of criminal law, and we can try the offenders with those provisions as well. This argument is valid to some extent, but there is a drawback that needs to be addressed. Companies work towards a singular goal: profit; big companies like Google, Apple, and Facebook earn considerable profit from people’s data. If we hold them criminally liable for a data privacy violation, they will be fined for it. However, if they are held responsible for compensating every aggrieved individual, the quantum of the amount will increase many folds. Criminal liability will not be sufficient enough to prevent these mega-companies from misusing their vast database.
According to the data driven marketing institute study, an average individual roughly generates $60.00 through advertising space sold by Facebook.9 With an estimated active user base of 3.5 billion, the total market value for the trade of personal data stands at $210 billion. Furthermore, the value of general information like name, birth date, age, gender is roughly $0.0007 per data item. However, the personal data of user’s consumption and interests are valued much higher, both individually and cumulatively. The value of data gets much more when used illegally as a commodity. The illegal use of data has significant social and political costs beyond the sale price of such data. The case of Cambridge Analytica’s abuse of personal data, wherein millions of users’ data emanated from Facebook, demonstrates how the use of aggregate data does not deviate from harm to an individual data subject.10It can be evidently perceived that the harm is public, hence generating criminal liability. However, criminal liability will fail to consider the harm of each data subject individually, as was the case in Lloyd v. Google LLC11.12 To resolve this issue, there is an urgent need to develop a comprehensive tort law that will successfully create a mechanism to ascertain the harm of every claimant who suffered a loss.
Civil remedies in Personal Data Protection Bill, 2019
In India, the scenario has changed drastically after various judicial interventions. The Supreme Court, in its landmark judgment of K.S. Puttaswamy v. Union of India13 paved the way for the development of legislations like the PDP Bill. This Bill was made with the recommendations of the B.N. Srikrishna Committee, which was formed after the Supreme Court judgment14. This Bill is the first-ever attempt of lawmakers towards regulating data and securing privacy. If enacted, this Bill will supplement the present IT Act, 2000, which is responsible for regulating the data on the internet currently. The provisions of the IT Act were insufficient and failed to consider many important aspects of data protection on the internet. However, on the other hand, the PDP Bill is comprehensive legislation, defining data and segregating it into different types, creating tribunals for enforcement.
In this article, the discussion will be limited to the civil remedies present in the draft PDP Bill, 2019. Section 64(1) of the Bill says,
Any data principal who has suffered harm as a result of any violation of any provision under this Act or the rules or regulations made thereunder, by a data fiduciary or a data processor, shall have the right to seek compensation from the data fiduciary or the data processor, as the case may be.15
This section empowers the data principal to claim compensation in case their privacy is violated. Data principal under Section 3(14) is “the natural person to whom the data relates”.16 This compensation can be claimed from “data processor” and “data fiduciary”, which are defined under Sections 3(15) and (13), respectively. According to the definitions, data processors and data fiduciary can be any person, including State, companies, juristic entity or an individual.
Moving forward in the Bill, there are institutions created for the adjudication of compensation claims. Under Section 6216, the Central Government will appoint an adjudicating officer to adjudge the claims under Section 64. The claimant will first approach the adjudicating officer if unsatisfied with the decision, can appeal further to the Appellate Tribunal. Section 67 of the draft Bill17 guides the Central Government to establish an Appellate Tribunal to hear and dispose of any appeal from the order of the adjudicating officer.
The adjudicating officer
Section 62 of the Bill states, “For the purpose of adjudging the penalties under Sections 57 to 61 or awarding compensation under Section 64, the authority shall appoint such Adjudicating Officer as may be prescribed.”18 So an officer will be appointed by the Central Government to hear on the matters of compensation claims under Section 64. The Bill gives powers to the officer to summon anyone related to the case and demand for relevant documents as evidence if it deems fit. The officer can also impose penalties under the relevant provisions if satisfied that there is a failure of compliance with those provisions.
The Appellate Tribunal
This Tribunal is one of the most crucial aspects of the PDP Bill, as the Bill provides vast institutional autonomy to this institution. According to Section 67(1), the Tribunal has a wide range of appellate jurisdiction over the adjudicating officer.19 A chairperson will head the Tribunal, which the Central Government will appoint. The Chairperson will be entrusted with a wide range of powers and functional autonomy. For instance, Section 71 of the Bill gives the power of constituting Benches to the Chairperson. Then the decision of distributing responsibilities to those Benches will rest on the Chairperson as well. The Chairperson can also transfer a case from one Bench to another if it deems fit. The Central Government will appoint the members of the Tribunal as per Section 70 of the Bill.20
The aggrieved party can appeal to this Tribunal within thirty days from the receipt of the order appealed against. However, the Tribunal can accept any appeal even after the date of expiry if it is satisfied with the reason for not filing within the said period. Interestingly, the Tribunal is vested with the same powers as a civil court but do not need to abide by the procedure established under the Code of Civil Procedure, 190821. The Bill gives complete procedural autonomy to the Appellate Tribunal with only one condition: following the principles of natural justice. Autonomy is essential to adjudicating in this case as it is crucial to adapt to the changing technologies and deliver justice.
Fundamental issues present in the Bill
The attempt of the Government is commendable as the PDP Bill successfully addresses many concerns currently present. However, some fundamental issues are left in the Bill, which should be dealt with before its enactment. The institutions established under the PDP Bill have some critical flaws which can adversely affect the whole purpose of the legislation. Firstly, the influence of the Government over these bodies. Section 68(2) states, “The Central Government may prescribe the manner of appointment, term of office, salaries and allowances, resignation, removal and the other terms and conditions of service of the Chairperson and any member of the Appellate Tribunal.”22 The Bill has already defined the meaning of data processor and data fiduciary under Section 3; wherein State is also included under its meaning. Therefore, there will be a clear violation of the principles of natural justice in claims where the State is involved. The influence of the State in the Appellate Tribunal needs to be reduced as this institution is a quasi-judicial body, and its autonomy is crucial for maintaining justice and fairness. Secondly, the accountability of these institutions is reduced because of their excessive procedural autonomy. The complete freedom to establish their functioning can be detrimental as there will be a lack of checks and balances over the working of the Tribunal. The powers of the Tribunal are equivalent to a civil court without the need to follow the Civil Procedure Code, 1908. However, this autonomy has its perks; for example, the increased efficiency, as there will be lesser procedural barriers and the ability to adapt to the changing circumstances, which is crucial as the internet technologies are developing rapidly, creating the need to develop more complex regulations. Hence, it can go either way, but accountability is still essential, and it would not be wise to sacrifice it for any other reason.
To address these issues in the Bill, the example of some foreign jurisdictions with a more developed data privacy jurisprudence can be taken. The European Union’s GDPR (General Data Protection Regulation) provides the remedy for compensation under Article 82.23 The article states,
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
Furthermore, Article 79 of the GDPR deals with the enforcement of the given provisions stating,
- Right to an effective judicial remedy against a controller or processor.—Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
This article provides judicial proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the member State referred to in Article 79(2). These provisions empower the people to exercise their rights in courts which is an effective measure as the court system is independent of the State and can maintain a better standard of fairness. In India, the established civil court system should be made an alternative for the claimant for ensuring justice so that people have free choice.
Conclusion
The article has established the need for a tort for misuse of personal data with the help of various studies. Then, the article studied the provisions and institutions of the draft PDP (Personal Data Protection) Bill, 2019. The powers of the Appellate Tribunal were critically analysed, and the presence of excessive influence of Central Government was discovered. Solutions like the inclusion of civil courts for the claimants to appeal were suggested, inspired by the European Union legislation model called GDPR (General Data Protection Regulation). At last, the evolution of tort for misuse of personal data in other common law jurisdictions like the UK and Canada was discussed.
The future of data privacy jurisprudence looks promising in India because of the proactive measures shown by the judiciary and the Government. However, there is no space for complacency as there is still a lot left to be done. The PDP Bill, since its beginning, came into controversy because of its certain provisions, which provided the Government unchecked power to violate the privacy of its citizens based on vaguely worded exceptions. The head of the Committee, Justice B.N. Srikrishna himself, criticised the Government for construing his Committee’s recommendation in a very biased way. Therefore, it should be the Government’s priority to address all these issues; otherwise, it will paralyse the development of data protection law in India. With this, the author would like to conclude this article.
* Law student, National Law University, Delhi, India. Author can be reached at <kumar.aryan21@nludelhi.ac.in>.
[1] Bhairav Acharya, The Four Parts of Privacy in India, Vol. 50, No. 22 (30-5-2015), pp. 32-38, Economic and Political Weekly, available at <https://www.jstor.org/stable/24482489>.
[2]2016 QB 1003 :(2015) 3 WLR 409 : 2015 EWCA (Civ) 311.
[3] (2004) 2 AC 457 : (2004) 2 WLR 1232 : 2004 UKHL 22 (Campbell).
[5] Constitution of India, Art. 21.
[6]Personal Data Protection Bill, 2019.
7Information Technology Act, 2000.
8(2021) 3 WLR 1268 : 2021 UKSC 50.
9Nathan Eagle, What’s the Value of Your Personal Data, Medium (9-9-2014) available at <https://medium.com/annual-meeting-of-the-new-champions-2014/whats-the-value-of-your-personal-data-86f4db87bfa2> (accessed on 10-11-2021).
10Confessore, N., 2018, Cambridge Analytica and Facebook: The Scandal and the Fallout So Far, New York Times 2018, available at <https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html>(accessed on 14-11-2021).
11(2021) 3 WLR 1268 : 2021 UKSC 50.
12Trakman, L., Walters, R. and Zeller, B., 2020, Tort and Data Protection Law: Are There Any Lessons to be Learnt?, available at <http://www.ssrn.com/link/UNSW-LEG.html>(accessed on15-9-2021).
14K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
15Personal Data Protection Bill, 2019, S. 64(1).
16Personal Data Protection Bill, 2019, Ss. 3(13), (14) and (15).
16Personal Data Protection Bill, 2019, S. 62.
17Personal Data Protection Bill, 2019, S. 67.
18Personal Data Protection Bill, 2019, S. 62.
19Personal Data Protection Bill, 2019, S. 67(1).
20Personal Data Protection Bill, 2019, Ss. 70 and 71.
21Code of Civil Procedure, 1908.
22Personal Data Protection Bill, 2019, S. 68(2).
23General Data Protection Regulation, Arts. 79, 79(2) and 82.
