What exactly is the definition of confidentiality, privacy and personal data by Indian laws?

Indian law does not determine what privacy is, but only the situations where privacy will be
afforded legal protection. Therefore, it must also be shown that the photograph was disclosed in
circumstances importing an obligation of confidence. The meaning of the word confidentiality
and privacy are somewhat synonymous. Confidentiality invokes the equitable principle of
confidence. Here privacy would be understood as the claim of aggrieved celebrities, who have
determined for themselves when, how and to what extent their nude pictures are to be
communicated to others. An argument that may be used by the victims is that the photographs
have been acquired by some form of hacking (or unlawful access to a computer resource),
therefore, any viewer of such photographs may be assumed to have known the photograph was
confidential.

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal
Data or Information) Rules, 2011 provides protection to personal information. Prior to these
Rules, in India remedies for invasions of privacy existed under tort law and the Supreme Court
of India accorded limited constitutional recognition to the right to privacy (under Article 21).
These Rules provide the only codified provisions protecting the privacy of individuals and their
personal information. Rule 3 of the Rules provides an aggregated definition of sensitive personal
data as follows:

Sensitive personal data or information of a person means such personal information which
consists of information relating to

(i) password;

(ii) financial information such as bank account or credit card or debit card or other payment
instrument details;

(iii) physical, physiological and mental health condition;

(iv) sexual orientation;

(v) medical records and history;

(vi) Biometric information;

(vii) any detail relating to the above clauses as provided to body corporate for providing service;
and
(viii) any of the information received under above clauses by body corporate for processing,
stored or processed under lawful contract or otherwise:

Provided that, any information that is freely available or accessible in public domain or furnished
under the Right to Information Act, 2005 or any other law for the time being in force shall not be
regarded as sensitive personal data or information for the purposes of these rules.

To apply the above Rules, first we would need to establish whether the nude pictures formed
sensitive personal data.

Rule 8 - Reasonable Security Practices : Rule 8(1) of the Rules prescribes reasonable security
practices and procedures necessary for protecting personal information and sensitive personal
data, rule 8(2) asserts that the international standard ISO/IEC 27001 fulfils the protection
standards required by rule 8(1): The international Standard IS/ISO/IEC 27001 on Information
Technology - Security Techniques - Information Security Management System - Requirements
is one such standard referred to in sub-rule

Section 67 and 67A of the IT act prohibit the publication and distribution of obscene and
sexually explicit material respectively, while 67B forbids all publication, distribution, facilitation
and consumption in any manner of child pornography. Section 66E of the same act deal with
punishment for violation of privacy, and explicitly forbids capturing, publishing or transmitting
the image of a private area of any person without his or her consent

In cases where the victims nude or obscene photos are uploaded without consent, the accused is
booked under different sections of the IT act and the Indian Penal Code(IPC). Also the subject
can book cases of defamation under section 500 and 506 of IPC and section 66e and 67a under
the IT act also provide legal remedies under which one can charge the accused.
What happens if a common mans pictures are leaked?
Well, it is obvious that, unlike celebrities, the average individual would not have the resources to
take action in such a situation. We must, therefore, rely on the government to protect our rights.
The Government has provided all citizens the Right to life and personal liberty under Article 21
of the Constitution and the same may be invoked to cast a duty on the Government.

There are criminal offences under The Information Technology Act, 2000, such as unlawful
access to computer resources (that is without permission), disclosure of computer record and
altering computer data without permission, which may apply. The penalties for offences are
listed later. However, to ascertain which provisions under the IT Act would apply first we would
need to establish how the hackers gained access to the photographs.

While the IT Act does have extra-territoriality, I doubt there could be an easy identification of
jurisdiction (and consequently the laws) for raising a claim in such a situation. The hacker, the
cloud provider, the data and the Indian celebrity victim may all be in different countries (and
subject to different laws).

What are the specific offences and punishments under the IT Act?

IT Act, Section 65, tampering with computer source documents: Whoever knowingly or
intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal,
destroy or alter any computer source code used for a computer, computer programme, computer
system or computer network, when the computer source code is required to be kept or
maintained by law for the being time in force, is punishable with imprisonment upto 3 years, or
with a fine which may extend upto Rs. 2 Lakh, or with both. The object of the section is to
protect the intellectual property invested in the computer. It is an attempt to protect the
computer source documents (codes) beyond what is available under Indian Copyright Law. This
is a cognizable and non- bailable offence. To apply this section to the current scenario, we need
to ensure that the essential ingredients for application of this section are met, which includes
someone:

1. knowingly or intentionally concealing,

2. knowingly or intentionally destroying,

3. knowingly or intentionally altering,

4. knowingly or intentionally causing others to conceal,

5. knowingly or intentionally causing another to destroy,

6. knowingly or intentionally causing another to alter.

IT Act, Section 66, hacking computer system:(1) Whoever with the intent to cause or knowing
that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes
or alters any information residing in a computer resource or diminishes its value or utility or
affects it injuriously by any means, commits hacking; and (2) Whoever commits hacking shall be
punished with imprisonment upto 3 years, or with fine which may extend upto Rs. 2 Lakh, or
with both. The section talks about the hacking activity.

Again, before applying this provision to the circumstances, one would need to check the essential
ingredients of the section-

1. Whoever with intention or knowledge.

2. Causing wrongful loss or damage to the public or any person.

3. Destroying or altering any information residing in a computer resource.

4. Or diminishes its value or utility or.

5. Affects it injuriously by any means.

Section 67, publishing obscene information in electronic form: Whoever publishes or

transmits or causes to be published in the electronic form, any material which is lascivious or
appeals to the prurient interest, or if its effect is such as to tend to deprave and corrupt persons
who are likely, having regard to all relevant circumstance, to read see or hear the matter
contained or embodied in it, may be punished on first conviction with imprisonment of either
description for a term which may extend to 5 years and with fine which may extend to Rs. 1
Lakh and in the event of a second or subsequent conviction with imprisonment of either
description for a term which may extend to 10 years and also with fine which may extend to Rs.
2 Lakh.

The first case here was The State of Tamil Nadu v/s Suhas Katti. This was a case about posting
obscene, defamatory and annoying message about a divorcee woman on a Yahoo message group.
The accused was found guilty of offences under Section 469, 509 IPC and 67 of IT Act 2000 and
convicted to undergo RI for 2 years under 469 IPC and to pay fine of Rs.500/-and for the offence
u/s 509 IPC sentenced to undergo 1 year simple imprisonment and to pay fine of Rs.500/- and for
the offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/- All
sentences to run concurrently. The accused has since paid the fine and is lodged at Central
Prison, Chennai. This is considered the first case convicted under IT Act Section 67. In Avnish
Bajaj (CEO of bazzee.com) case, there were 3 accused, including the service provider (Avnish
Bajaj, later acquitted). The sections relied upon were Section 292 (sale, distribution, public
exhibition, etc., of an obscene object) and Section 294 (obscene acts, songs, etc., in a public
place) of the Indian Penal Code (IPC), and Section 67 (publishing information which is obscene
in electronic form) of the IT Act. In addition, the schoolboy faces a charge under Section 201 of
the IPC (destruction of evidence), for there is apprehension that he had destroyed the mobile
phone that he used in the episode. These offences invite a penalty of imprisonment ranging from
2 to 5 years, in the case of a first time conviction, and/or fines.

Section 72, penalty for breach of confidentiality and privacy: Any person who, in pursuance
of any of the powers conferred under the IT Act, rules or regulation made there under, has
secured assess to any electronic record, book, register, correspondence, information, document or
other material without the consent of the person concerned discloses such material to any other
person may be punished with imprisonment for a term which may extend to 2 years, or with fine
which may extend to Rs. 1 Lakh, or with both.

Sajai Singh is a Bangalore-based partner with law firm J.Sagar Associate. His sectors of
expertise include media, entertainment, retail and franchising, knowledge based industries
(IT/ITES/Life Sciences) and telecom.