Indian law only determines the situations where privacy will be afforded legal protection9 min read . Updated: 05 Sep 2014, 03:35 PM IST
Interview with Sajai Singh, partner, J. Sagar Associate on the implications of a photo leak in India
Interview with Sajai Singh, partner, J. Sagar Associate on the implications of a photo leak in India
After the massive leak on 3 August involving nude pictures of many Hollywood celebrities like Jennifer Lawrence, Selena Gomez, Kate Upton and Ariana Grande, celebrities are confronted with a serious copyright issue. Celebrities who have accepted that the photos are real are trying to get them off the internet claiming that their copyright belongs to them. What are the legal consequences if the leak had happened in India. Mint spoke to Sajai Singh, partner at law firm J.Sagar Associate about the laws which can be provoked in case of a hack or leak of private data, the punishment it would attract and what you could do to safeguard yourself.
What is the first thing a celebrity can do after he or she has been hacked?
After the event has occurred the first action for the celebrity would be to prevent publication of the photographs. Action against any potential publisher would be under the Information Technology Act, 2000, Indian Penal Code, 1860 and tort law (and possibly under the Indecent Representation of Women (Prohibition) Act, 1986). Claims may be raised based on a breach of confidence, violation of privacy, trust and confidence. While an essential factor for any such claim would be to demonstrate that the photograph was confidential in nature, this may not be easy to establish for actors, if they have previously appeared in the nude.
What exactly is the definition of confidentiality, privacy and personal data by Indian laws?
Indian law does not determine what privacy is, but only the situations where privacy will be afforded legal protection. Therefore, it must also be shown that the photograph was disclosed in circumstances importing an obligation of confidence. The meaning of the word ‘confidentiality’ and ‘privacy’ are somewhat synonymous. Confidentiality invokes the equitable principle of confidence. Here ‘privacy’ would be understood as the claim of ‘aggrieved’ celebrities, who have determined for themselves when, how and to what extent their nude pictures are to be communicated to others. An argument that may be used by the ‘victims’ is that the photographs have been acquired by some form of hacking (or unlawful access to a computer resource), therefore, any viewer of such photographs may be assumed to have known the photograph was confidential.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 provides protection to personal information. Prior to these Rules, in India remedies for invasions of privacy existed under tort law and the Supreme Court of India accorded limited constitutional recognition to the right to privacy (under Article 21). These Rules provide the only codified provisions protecting the privacy of individuals and their personal information. Rule 3 of the Rules provides an aggregated definition of sensitive personal data as follows:
Sensitive personal data or information of a person means such personal information which consists of information relating to –
(ii) financial information such as bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
Provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
To apply the above Rules, first we would need to establish whether the nude pictures formed ‘sensitive personal data’.
Rule 8 - Reasonable Security Practices : Rule 8(1) of the Rules prescribes reasonable security practices and procedures necessary for protecting personal information and sensitive personal data, rule 8(2) asserts that the international standard ISO/IEC 27001 fulfils the protection standards required by rule 8(1): The international Standard IS/ISO/IEC 27001 on “Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule
What will be Apple’s responsibility if such an event had occurred (with Apple involved) in India?
Apple Inc is renowned in the industry for being a leader in security, and would just need to establish that it followed the provisions under the Rules with regard to reasonable security practices and procedures and have a defence against any claim against it. Then there is the question of what were the terms and conditions of use of Apple services. Apple’s global terms state that ‘Apple does not represent or guarantee that the service will be free from loss, corruption, attack, viruses, interference, hacking, or other security intrusion, and Apple disclaims any liability relating thereto’! I doubt an action would lie under the Indian Consumer Protection Act, claiming that such terms were unreasonable.
Under Indian Copyright Act, the photographer of these photographs may raise a claim for breach of intellectual property, as the copyright in the photograph would belong to the photographer (unless it was commissioned work, and the copyright moved to the person who commissioned the photograph, then the right to sue would also in all probability move to such person).
What happens if a common man’s pictures are leaked?
Well, it is obvious that, unlike celebrities, the average individual would not have the resources to take action in such a situation. We must, therefore, rely on the government to protect our rights. The Government has provided all citizens the Right to life and personal liberty under Article 21 of the Constitution and the same may be invoked to cast a duty on the Government.
There are criminal offences under The Information Technology Act, 2000, such as unlawful access to computer resources (that is without permission), disclosure of computer record and altering computer data without permission, which may apply. The penalties for offences are listed later. However, to ascertain which provisions under the IT Act would apply first we would need to establish how the hackers gained access to the photographs.
While the IT Act does have extra-territoriality, I doubt there could be an easy identification of jurisdiction (and consequently the laws) for raising a claim in such a situation. The hacker, the cloud provider, the data and the Indian celebrity victim may all be in different countries (and subject to different laws).
What are the specific offences and punishments under the IT Act?
IT Act, Section 65, tampering with computer source documents: Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the being time in force, is punishable with imprisonment upto 3 years, or with a fine which may extend upto Rs. 2 Lakh, or with both. The object of the section is to protect the ‘intellectual property’ invested in the computer. It is an attempt to protect the computer source documents (codes) beyond what is available under Indian Copyright Law. This is a cognizable and non- bailable offence. To apply this section to the current scenario, we need to ensure that the essential ingredients for application of this section are met, which includes someone:
1. knowingly or intentionally concealing,
2. knowingly or intentionally destroying,
3. knowingly or intentionally altering,
4. knowingly or intentionally causing others to conceal,
5. knowingly or intentionally causing another to destroy,
6. knowingly or intentionally causing another to alter.
IT Act, Section 66, hacking computer system:(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking; and (2) Whoever commits hacking shall be punished with imprisonment upto 3 years, or with fine which may extend upto Rs. 2 Lakh, or with both. The section talks about the hacking activity.
Again, before applying this provision to the circumstances, one would need to check the essential ingredients of the section-
1. Whoever with intention or knowledge.
2. Causing wrongful loss or damage to the public or any person.
3. Destroying or altering any information residing in a computer resource.
4. Or diminishes its value or utility or.
5. Affects it injuriously by any means.
Section 67, publishing obscene information in electronic form: Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest, or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstance, to read see or hear the matter contained or embodied in it, may be punished on first conviction with imprisonment of either description for a term which may extend to 5 years and with fine which may extend to Rs. 1 Lakh and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to 10 years and also with fine which may extend to Rs. 2 Lakh.
The first case here was The State of Tamil Nadu v/s Suhas Katti. This was a case about posting obscene, defamatory and annoying message about a divorcee woman on a Yahoo message group. The accused was found guilty of offences under Section 469, 509 IPC and 67 of IT Act 2000 and convicted to undergo RI for 2 years under 469 IPC and to pay fine of Rs.500/-and for the offence u/s 509 IPC sentenced to undergo 1 year simple imprisonment and to pay fine of Rs.500/- and for the offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/- All sentences to run concurrently. The accused has since paid the fine and is lodged at Central Prison, Chennai. This is considered the first case convicted under IT Act Section 67. In Avnish Bajaj (CEO of bazzee.com) case, there were 3 accused, including the service provider (Avnish Bajaj, later acquitted). The sections relied upon were Section 292 (sale, distribution, public exhibition, etc., of an obscene object) and Section 294 (obscene acts, songs, etc., in a public place) of the Indian Penal Code (IPC), and Section 67 (publishing information which is obscene in electronic form) of the IT Act. In addition, the schoolboy faces a charge under Section 201 of the IPC (destruction of evidence), for there is apprehension that he had destroyed the mobile phone that he used in the episode. These offences invite a penalty of imprisonment ranging from 2 to 5 years, in the case of a first time conviction, and/or fines.
Section 72, penalty for breach of confidentiality and privacy: Any person who, in pursuance of any of the powers conferred under the IT Act, rules or regulation made there under, has secured assess to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such material to any other person may be punished with imprisonment for a term which may extend to 2 years, or with fine which may extend to Rs. 1 Lakh, or with both.
Sajai Singh is a Bangalore-based partner with law firm J.Sagar Associate. His sectors of expertise include media, entertainment, retail and franchising, knowledge based industries (IT/ITES/Life Sciences) and telecom.
Never miss a story! Stay connected and informed with Mint. Download our App Now!!