When does privacy get violated as per Information Technology Act?

By Tanushree Dubey

Published on: November 03, 2023 at 01:58 IST

Privacy holds a special place in our lives, and it’s enshrined as a constitutional right under Article 21 of the Indian Constitution. Article 21 states, “No one can deprive a person of their life or personal liberty except through a procedure established by law.” it talks about the importance of privacy as part of an individual’s right to live a life with dignity and autonomy, free from unwarranted intrusions.

In the digital age has unfolded, understanding of privacy has extended into the online world, shaping the concept of digital privacy. Digital privacy involves safeguarding an individual’s data and information on the internet, which includes protecting sensitive data, communication records, and online activities from unauthorized access and misuse.

The digital era has brought new challenges to privacy. With the rise of data-driven technologies and online activities, and maintaining control over digital activities without fearing unwarranted interference is a critical aspect of this evolving landscape.

Safeguarding digital privacy is now intrinsic to preserving individual freedoms and protecting fundamental rights in the online sphere. This involves implementing robust data protection laws, establishing effective cybersecurity measures, and fostering a mutual commitment from government and private entities to respect individuals’ online privacy.

In this article, we’ll explore Data Privacy and Protection, covering challenges, types of sensitive data, privacy violations, and actions to take when privacy is compromised and relevant provisions under the Information Technology Act.

Data Privacy and Protection

In the realm of data privacy and protection, an individual’s personal information mustn’t be readily accessible to other individuals or organizations without the individual’s consent. Laws are in place to safeguard this data and prevent its misuse across various mediums, including digital platforms. Protecting personal data involves the implementation of administrative, technical, or physical measures.

The safeguarding of personal data is not only a legal requirement but also a moral imperative to prevent infringements on individual privacy. The Information Technology (Amendment) Act, 2008, outlines key principles of privacy and data protection, defining legal liability for civil and criminal offences resulting from violations of these laws.

Data privacy breaches represent a critical issue, require robust legal frameworks and enforcement mechanisms to safeguard individuals’ sensitive information from unauthorized access and misuse.

Digital Privacy Challenges:

In the digital age, the presence of smartphones, laptops, tablets, and various devices has made it remarkably easy for entities to gather personal information, often without the user’s full consent. Important details such as age, education, gender, location, interests, and even Aadhar numbers are frequently collected and, in some cases, sold for significant sums. Consequently, the need for stringent data protection laws and their rigorous enforcement is paramount to prevent unauthorized data breaches and the dissemination of personal information without consent.

Types of Data at Risk:

Data breaches can result in the exposure of various types of information, including:

• Financial Data: This includes information such as credit card numbers, bank details, tax documents, invoices, and financial statements.
• Medical or Personal Health Information (PHI): As defined by the US HIPAA standard, PHI relates to information created by healthcare providers concerning an individual’s physical or mental health and medical history.
• Personally Identifiable Information (PII): PII refers to data that can be used to identify, contact, or locate an individual.
• Intellectual Property: This category encompasses valuable assets like patents, trade secrets, blueprints, customer lists, and contracts.
• Vulnerable and Sensitive Information: This includes data of a sensitive or classified nature, often associated with military or political contexts, such as meeting records, protocols, agreements, and confidential documents.

When privacy is violated as per IT Act

Privacy violations under the Information Technology (IT) Act can occur in various scenarios. The IT Act primarily regulates issues related to electronic records, digital communication, and online activities. Here are some key points on when privacy can be violated under the IT Act:

1. Unauthorized Data Collection: Privacy can be violated when an entity or individual collects personal data without consent. The IT Act places obligations on organizations and individuals to obtain consent before collecting, storing, or processing personal information.
2. Data Breaches: When personal data is exposed due to inadequate security measures, it constitutes a privacy violation. The IT Act mandates organizations to implement reasonable security practices to protect sensitive data.
3. Unauthorized Access: If someone gains unauthorized access to another person’s digital accounts, email, or any other electronic communication, it is considered a breach of privacy and a violation of the IT Act.
4. Cyberbullying and Harassment: Online harassment, cyberbullying, or sending offensive content to an individual can be a privacy violation. The IT Act contains provisions against such actions.
5. Phishing and Identity Theft: Activities like phishing, where individuals are tricked into revealing their personal information, and identity theft are considered privacy violations. The IT Act addresses such fraudulent practices.
6. Sharing Personal Information: Sharing personal information with third parties without consent can violate an individual’s privacy. The IT Act places restrictions on how personal data should be handled and shared.
7. Invasion of Online Privacy: Unauthorized monitoring, surveillance, or hacking into an individual’s online activities, such as their emails, social media accounts, or messages, is a clear breach of privacy under the IT Act.
8. Non-Consensual Distribution of Intimate Content: Sharing intimate images or videos without consent is a severe privacy violation, and the IT Act includes provisions to address such offenses.

How does privacy get violated?

Digital privacy violations occur online, where vast amounts of personal information are constantly shared, stored, and transmitted. These violations can take many forms and can have serious consequences. To know the various ways in which digital privacy is violated is crucial to protecting oneself in the digital age.

• Data Breaches: Digital privacy breaches often involve unauthorized access to databases or systems containing personal information. That information includes sensitive data like usernames, passwords, credit card numbers, and personal identification details. When hackers gain access, it can result in a significant breach, leading to identity theft, financial fraud, and other harmful consequences.
• Surveillance and Monitoring: Surveillance and monitoring of online activities can be carried out by governments, organizations, or malicious actors without the knowledge of individuals. This practice includes tracking internet browsing habits, monitoring email communication, and scrutinizing social media posts, all of which infringe on personal privacy.
• Malware and Spyware: Malicious software, such as malware and spyware, can infiltrate a device and record its activities. This software captures sensitive information, such as keystrokes, login credentials, and personal messages. Hackers and cybercriminals often use this information for spying, data theft, or other illicit purposes.
• Social Engineering: Social engineering is a tactic where attackers manipulate individuals into revealing personal information. It can occur through, phishing emails, fraudulent phone calls, or deceptive websites. This form of manipulation exploits human psychology to gain access to personal data.
• Location Tracking: Many mobile devices and applications collect location data, which can be useful for various purposes. However, this data can also be exploited to track the movements of an individual, compromising their privacy.
• Data Sharing and Selling: Companies, websites, and social media platforms routinely collect vast amounts of user data. This information may be shared or sold to third parties for marketing, advertising, or other purposes without users’ full understanding or consent, leading to concerns about data privacy.
• Invasion of Personal Communications: Unauthorized access to emails, instant messages, and social media accounts can lead to the exposure of private conversations. This invasion of personal communication can have far-reaching consequences, potentially leading to embarrassment or reputational damage if sensitive information becomes public.
• Data Mining and Profiling: Organizations often collect and analyse personal data to create detailed profiles and make predictions about the behaviour of an individual, preferences, or characteristics. While this can be used for legitimate purposes, it can be perceived as an intrusion into privacy when it’s used for targeted advertising, influencing behaviour, or other undisclosed purposes.
• Internet of Things (IoT) Devices: The increase of IoT devices, such as smart home appliances and wearable technology, has introduced new challenges to digital privacy. These devices can collect data about a person’s activities, habits, and health. If this data is not properly secured, it can be accessed by unauthorized parties, raising concerns about privacy breaches.
• Unsecured Wi-Fi Networks: Connecting to unsecured Wi-Fi networks can expose personal data to hackers who intercept and monitor network traffic. This intrusion can lead to data theft and unauthorized access to online accounts.

Digital privacy violations have notable implications, including financial loss, identity theft, reputational damage, and a loss of personal freedom. Protecting digital privacy involves practicing caution regarding the information you share, using strong passwords, regularly updating software, and employing security tools such as firewalls and antivirus software. Additionally, it’s essential to be aware of privacy settings on various platforms and stay informed about the latest privacy threats and best practices for online safety.

What to do when your privacy get violated

• Document the Violation:

Detailed documentation is the first step. Record every relevant detail, including when, where, and how the violation occurred. Collect evidence such as screenshots, messages, or any other pertinent information. This documentation will be valuable for reporting the incident and potentially pursuing legal action.

• Change Passwords and Enable 2FA:

If the violation involves compromised online accounts, act swiftly. Change your passwords for all affected accounts, using strong, unique combinations. Implement two-factor authentication (2FA) wherever possible. 2FA provides an added layer of security by requiring a second verification step for account access.

• Report to the Authorities:

If the violation is a criminal offence, such as cyberbullying, harassment, hacking, or identity theft, report it to the appropriate law enforcement agency. Contact your local police station and provide them with all the evidence and information you’ve collected. Cooperation with the authorities is essential in pursuing legal action.

• Notify Affected Parties:

If others have been affected by the privacy violation, it’s a responsible practice to inform them. By doing this, they can also take steps to protect their privacy and security. Sharing information about the incident can help prevent further harm.

• Secure Your Device:

If your device is stolen or compromised, it’s important to take immediate action. Use built-in security features such as “Find My Device” (for Android) or “Find My iPhone” (for Apple devices) to locate your device, lock it remotely, or wipe your data if necessary. This helps prevent unauthorized access to your device and data.

• Remove Compromised Information:

After a breach, delete sensitive or personal information from online platforms or websites where the violation occurred. Review your privacy settings and limit what you share. Minimizing your online exposure is an important preventive measure.

• Check Financial Accounts:

If financial information is involved in the violation, closely monitor your bank and credit card statements for any unauthorized transactions. Promptly report any suspicious activity to your financial institutions. They can help investigate and secure your financial assets.

• File a Complaint with Authorities:

In India, you can file a complaint related to privacy violations through the National Cyber Crime Reporting Portal (www.cybercrime.gov.in) or by visiting your local police station. Ensure that you provide all relevant information and evidence to support your case.

• Stay Informed:

Ongoing education is essential for protecting your digital privacy. Stay updated on cybersecurity threats, privacy issues, and best practices for online safety. Awareness and knowledge are powerful tools for safeguarding your personal information.

Remember that addressing a privacy violation can be a complex and time-consuming process. It’s important to remain vigilant in protecting your personal information in the future by implementing robust security practices, staying informed about potential threats.

What Happens If Privacy Gets Violated Under IT Act

In India, when privacy is violated, there are provisions and penalties under the Information Technology Act, which address breaches and unauthorized disclosures of personal data.

• Section 43A of the IT Act: Liability for Negligence

Section 43A of the Information Technology Act is a vital legal provision in India that emphasizes the protection of sensitive personal data in the digital era. It places responsibility on organizations, known as “body corporates,” to ensure the security of personal data they handle.

If these organizations fail to maintain adequate security measures, leading to wrongful gain or loss for individuals, they are liable to pay damages as compensation. This section underscores the importance of data protection in preserving individual privacy rights, striking a balance between data-driven operations and privacy protection..

• Section 72A of the IT Act: Unauthorized Disclosure of Information

Section 72A of the Information Technology Act addresses the unauthorized disclosure of personal information. It states that any person, including intermediaries, who, while providing services under the terms of a lawful contract, discloses information in breach of that contract, except as otherwise provided in the Act or any other prevailing law, violates privacy. The punishment for this offense can include imprisonment for up to three years or a fine of up to 5 lakhs rupees, or both.

This section applies to both individuals and companies and includes employees. Employees are covered as they have a lawful contract, typically an employment contract, with their employer. They access sensitive personal data or information while providing services to the employer’s clients under this contractual agreement.

• Section 43 of the IT Act: Civil Liability for Cybercrimes

Section 43 of the IT Act addresses civil liability in the event of various cybercrimes, including unauthorized access to computer systems, digital copying, data theft, and more. This section allows individuals, companies, employers, and employees to be held liable to pay damages in compensation for a wide range of cybercrimes, such as unauthorized access to computer databases, data theft, or disruption of computer data and databases.

These provisions collectively offer legal recourse and remedies when privacy is violated under the Information Technology Act in India. They ensure that individuals have the means to seek compensation and hold responsible parties accountable for breaches and disclosures of personal data.

• Section 66E of the IT Act: Privacy Violation Through Voyeurism

Section 66E of the Information Technology Act explicitly addresses privacy violations through voyeurism. This section makes it illegal to capture, transmit, or publish images of the private parts of an individual or images of them in a state of undress or engaged in a private act without their consent. Violation of Section 66E can result in penalties, including imprisonment for up to three years or a fine.

These provisions collectively offer legal recourse and remedies when privacy is violated under the Information Technology Act in India. They ensure that individuals have the means to seek compensation and hold responsible parties accountable for breaches and disclosures of personal data and images, including violations of privacy through voyeurism.

Prominent Instances of Citizen Privacy Infringement Through Data Breaches

• Massive Aadhaar and Passport Data Leak (2023)

In 2023, a significant privacy breach in India sent shockwaves through the nation, exposing the personal data of over 800 million residents, including sensitive Aadhaar and passport details, on the dark web. Resecurity, a prominent US-based cybersecurity solutions provider, uncovered this staggering breach. It revealed the activities of a threat actor known as ‘pwn0001,’ who boldly offered access to an immense dataset containing 815 million records, all labelled “Indian Citizen Aadhaar & Passport. “Although official confirmation was never there, it is reported that the leaked data is linked to information collected during the COVID-19 pandemic by the Indian Council of Medical Research (ICMR). Most alarmingly, ‘pwn0001’ was willing to part with the entire Aadhaar and Indian passport dataset for a steep price of $80,000. This breach underscores the urgent necessity for robust data security measures and highlights the persistent challenges to digital privacy in an increasingly interconnected world.

Read more : Aadhar Card Vulnerabilities: Understanding scams and protective measures

• SBI Employee Data Breach (2023)

In a highly alarming privacy breach incident, the personal information of more than 12,000 employees of the State Bank of India (SBI) was compromised and exposed on Telegram channels. The breached data encompassed sensitive details such as names, addresses, contact numbers, PAN numbers, account numbers, and photo IDs.

The breach came to light when a Telegram channel, identified as @sbi_data, posted a file on July 8, which contained the personal information of SBI employees. The channel’s bio bore an ominous message, reading, “Spread Chaos Comrades!” The file itself was ominously titled “SBI Employee Data Dump.” Swiftly, this file proliferated across various channels and social media platforms, causing alarm and concern among affected individuals.

What made this breach even more worrisome was that the threat actor responsible not only exposed employee data but also claimed to have access to the financial details of millions of consumers. To compound the situation, they asserted that the compromised data had been shared on publicly accessible leak forums.

Furthermore, the breach included the posting of screenshots displaying SBI account balances and transaction details, laying bare extensive financial information. This incident serves as a stark reminder of the urgent and critical necessity for organizations and institutions to implement robust cybersecurity measures that can effectively safeguard sensitive information from malicious actors and potential breaches.

The SBI Employee Data Breach of 2023 highlights the persistent challenges posed by cybersecurity threats and the imperative for vigilance in safeguarding privacy and sensitive data in the digital age.

• Air India Data Breach Incident (2021)

In February 2021, a significant privacy violation incident shook Air India, the national airline of India, affecting a staggering 4.5 million global customers. This breach resulted in the exposure of records spanning from 2011 to 2021 and was attributed to unauthorized access to Air India’s Data Management Service Provider, SITA PSS.

Air India acted swiftly in response to this violation, promptly notifying its users. They urged their customers to update their passwords as a precautionary measure against potential misuse of their compromised data. The impact of this violation extended beyond Air India, also affecting Star Alliance and One World Airlines, both of which relied on SITA to manage their databases.

The Air India data breach stands as a poignant example of a privacy violation that underscores the pressing need for stringent data security measures. These measures are vital in safeguarding sensitive information from unauthorized access and cyberattacks. This incident serves as a reminder of the critical importance of upholding privacy and trust for customers and clients in an increasingly digital world.

• Domino’s India Data Privacy Breach (2021)

In May 2021, Domino’s India, a renowned pizza brand, confronted a substantial privacy breach affecting approximately 1 million customers. This breach led to the exposure of personal information belonging to customers, encompassing details such as names, addresses, delivery locations, phone numbers, and email IDs. Astonishingly, the scope of this data breach extended to a staggering 18 million orders placed through Domino’s mobile and computer systems.

This incident serves as a poignant reminder that even well-established and widely recognized brands are susceptible to data breaches. It underscores the imperative for ongoing vigilance and the implementation of robust data protection measures, emphasizing the critical importance of safeguarding customer data from the ever-present threats of cyberattacks. This breach is a testament to the evolving challenges of privacy and data security in the digital age.

Conclusion

The landscape of privacy, both in the physical and digital realms, remains a cornerstone of individual rights and freedom. Privacy, as a fundamental right under Article 21 of the Indian Constitution, has taken on new dimensions in the digital age. The emergence of digital privacy concerns, alongside ongoing challenges to safeguarding sensitive information, underscores the evolving nature of privacy and the necessity for robust data protection measures.

The rise of digital technologies, while offering numerous benefits, has brought forth new challenges to preserving personal privacy. Data breaches, surveillance, and the unauthorized disclosure of personal information have become realities in the digital world. The numerous notable privacy breaches mentioned in this article serve as glaring examples of the need for ongoing vigilance and stringent security measures.

In this ever-evolving digital landscape, continuous education and awareness are critical. Staying informed about privacy threats and best practices for online safety is paramount. It is only through collective efforts of individuals, organizations, and governments that the right to privacy can be upheld and fortified. Protecting personal information and respecting privacy are not just legal obligations but also moral imperatives.

Edited By Bharti Verma, Associate Editor at Law Insider