
What Are The Key Elements Of A Valid Claim For A Data Breach Under The IT Act?


In view of the rapid expansion of digital infrastructure in India, data security and privacy are gaining increasing attention. The Information Technology Act of 2000 is an answer to those concerns. The Supreme Court’s landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) is a significant milestone that recognized the right to privacy as a fundamental right under Article 21 of the Indian Constitution. The recognition of this fundamental right is an important turning point in the realm of data protection claims.

This article highlights the cornerstones of successfully establishing a claim for a data breach under the IT Act, 2000, with reference to the principles laid down in the Supreme Court’s Puttaswamy judgment.


Legal Framework for Data Protection in India

Data protection in India is governed by the IT Act, 2000, complemented by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). The key provisions establishing liability in case of data breaches include:

  • Section 43A imposes liability on companies for failure to protect sensitive personal data; 
  • Section 72A sets out the punishment for disclosure of information in breach of a lawful contract. 

The Puttaswamy judgment built on these provisions by enshrining the right to privacy as a constitutional right, thus broadening the ambit and enforceability of data protection claims.

Essential Elements of a Valid Data Breach Claim

To make out a valid data breach claim under the IT Act of 2000, a claimant needs to prove the following essential elements:

Existence of Sensitive Personal Data:

The claimant must prove that the compromised data falls under the purview of “sensitive personal data,” as defined under Rule 3 of the SPDI Rules. Such data may include but is not limited to:  

  • Passwords
  • Financial information (e.g., bank account or credit card details)
  • Health records
  • Biometric information
  • Sexual orientation
  • Other data that directly impacts privacy

The Supreme Court has emphasized that personal data, especially biometric and financial information, forms an integral part of the right to privacy.


Duty of Care:

  • The entity or organization collecting, processing, or storing data has a legal obligation to adopt reasonable security practices. Section 43A provides that any body corporate in possession of sensitive personal data must put in place reasonable security practices and procedures to protect such data. 
  • The Puttaswamy judgment further reinforced the high standards of security essential to protecting privacy rights when personal data is collected.

Breach of Security Practices:

Breaches can be caused by negligence, hacking, or unauthorized access. The wronged individual must show that the organization failed to comply with the basic security practice requirements specified under the IT Act and SPDI Rules. 

For example, lack of encryption measures, failure to provide access controls, or not performing regular security audits may indicate negligence.  

Unauthorized Disclosure or Access:

A claimant must establish unauthorized access to or disclosure of their data. Section 72A penalizes the disclosure of information in breach of a lawful contract.

Individual consent, recognized by the Supreme Court as central to informational privacy, reinforces that there must be strict protocols governing data access. 

Demonstrable Harm or Loss:

To claim damages under Section 43A, the claimant must prove that they sustained actual harm from the data breach. Such harm may include:

  • Financial loss
  • Identity theft
  • Emotional distress
  • Reputational damage

In the Court’s view, the right to privacy means that an individual is protected from injury caused by misuse of their personal data; to ground a good claim, errors in processing must cause a compensable injury to the victims of a breach.

Remedies Available Under the IT Act

Victims of data breaches may seek the following remedies:

  • Compensation for losses: Section 43A provides the ground through which individuals can claim compensation for negligent data management. 
  • Criminal penalties for data breaches under the IT Act: Penalties imposed under Section 72A can include fines and imprisonment for unauthorized disclosures of information.
  • Injunctions or restraining orders: Courts may issue protective orders to prevent the further misuse or dissemination of compromised data.

Impact of the Puttaswamy Judgment on Data Protection

The Puttaswamy case reinforced several critical principles that continue to shape data protection claims:

  • Data minimization: Organizations should collect only the minimum data reasonably necessary for the intended purpose.
  • Purpose limitation: Data should be collected and used only for the intended purpose.
  • Informed consent: The organization should obtain clear and express consent, informing users how their data will be used.
  • Accountability: There must be accountability when an organization acting on one’s behalf mishandles information.

Landmark Cases Following Puttaswamy

The Puttaswamy judgment has influenced key developments in data privacy, including:

  • Aadhaar Judgment (2018): In the Aadhaar judgment of 2018, the Supreme Court declared that Aadhaar data must be accessed, controlled, transferred, and processed in a secure manner. It thus emphasized the principles of consent, data minimization, and accountability with strong protection measures.
  • WhatsApp Data Privacy India Case: In the interim, the courts have also examined the data-sharing practices of WhatsApp under the privacy principles articulated in Puttaswamy, with its compliance with Indian data protection requirements coming under examination.

Building a Strong Data Breach Claim: Best Practices

To strengthen a claim under the IT Act, individuals may wish to keep the following best practices in mind:

  • Document the Breach: Create a detailed record of everything related to when and how the breach happened, including records of communication with the data handler.
  • Gather Evidence of Harm: Secure proof of all harm, including financial loss, identity theft, mental anguish, and other specific damages.
  • Get Legal Help: An expert in this area can advise which provisions of the IT Act are applicable and assist you in making a stronger claim.
  • Notify the Authorities: Report the data breach promptly to the Cyber Crime Cell of your local police and regulatory authorities, including CERT-In.

By acting in this manner, individuals can enhance their prospects of being successful with a claim regarding a data breach.

Conclusion

By establishing the right to privacy as a fundamental right, the Puttaswamy judgment largely defines the data protection efforts under way in India. If someone wants to claim damages under the IT Act, they will have to show the sensitive nature of the compromised data, duty of care, breach of security, unauthorized access, and harm from those acts.


And, as the country progresses towards a robust data protection regime, with the Digital Personal Data Protection Act still awaiting action, the principles set out in Puttaswamy will continue to inform and empower the judiciary in reading and strengthening the right to privacy of individuals within a digital framework.

One can talk to a lawyer from Lead India for any kind of legal support. In India, free legal advice online can be obtained at Lead India. Along with receiving free legal advice online, one can also ask questions to the experts online free through Lead India.

FAQs

1. What is the KS Puttaswamy judgment’s role in cases of data breach under the IT Act? 

The KS Puttaswamy judgement is undoubtedly historic in nature, as it proclaims that the right to privacy is a fundamental right under Article 21 of the Indian Constitution. The judgment gave a significant fillip to data protection with its insistence on the necessity of informed consent, data minimization, and accountability. In the context of the IT Act, it adds gravitas to the need for organizations to maintain security practices and respect users’ privacy rights whenever engaged in the practice of handling sensitive data. 

2. What type of data is considered “sensitive personal data” under the IT Act?

Sensitive personal data, as explained in Rule 3 of the SPDI Rules, includes: 

  • passwords; 
  • financial information e.g., credit cards or bank details; 
  • health records; 
  • biometric information; 
  • sexual orientation; and 
  • any other data that can impact privacy rights. 

By treating the protection of sensitive personal data as part of individual privacy, the Puttaswamy judgement underscored the importance of protecting this data.

3. What remedies do the victims have under the IT Act against data breaches? 

The IT Act provides the following remedies in a case of a data breach:

  • Section 43A allows the individual to claim compensation for losses due to negligent handling of data;
  • Section 72A punishes the unauthorized disclosure of information with fines and imprisonment; and
  • injunctions or cease orders, whereby court orders restrain further misuse of the compromised data.