The ease with which the spyware ‘Pegasus’ has reportedly been used to infect the smartphones of targeted individuals (through WhatsApp missed voice calls)—their privacy invaded—has once again exposed the vulnerability of personal data connected to the internet. Such surveillance can only be done illegally as it bypasses the authorised channels of lawful interception. Though unauthorised access to personal data amounts to hacking and is punishable under the Information Technology (IT) Act, bringing the guilty to book involves complicated procedures particularly as the data does not reside in India and the jurisdiction is extra-territorial. The Personal Data Protection law might solve some of these problems, but it is yet to see the light of day.
The draft of The Personal Data Protection Bill, 2018, submitted by the Justice B N Srikrishna Committee was released last year for public consultation, but it is yet to be introduced in Parliament. The Bill seems comprehensive to safeguard the privacy of individuals, as it draws largely from other countries’ experiences and addresses the nation’s need to protect databases concerning ‘identified or identifiable natural persons’. Though the Bill has been lauded by most of the stakeholders, the industry has expressed strong reservations about the mandatory provision of ‘localisation of data’ as this would not only require added investment for setting up servers in India, but may also affect the free movement of data across borders.
However, in view of the increasing transnational nature of crime of all sorts, the concerns of law enforcement agencies must also be addressed genuinely. At present, the only route to get evidence from other nations is through the enforcement of a Mutual Legal Assistance Treaty (MLAT). Sadly, not only is the whole process of using this channel tardy, there is also uncertainty about the outcome. Further, India has such bilateral treaties only with about 39 nations. So the provision of ‘localisation of data’ will give some relief to enforcement agencies in tracking down the culprits.
The point that needs more attention is the ‘state of culpability’ that is required to prove any offence under Sections 90, 91 and 92. Section 90 of the Bill says that “any person who knowingly or intentionally or recklessly, in contravention of the provisions of this Act, obtains or discloses or transfers or sells or offers to sell personal data to another person, which results in significant harm to a data principal, shall be punished with imprisonment up to three years and shall be liable to a fine which may extend to ₹2 lakh or both”. A similar provision exists for contraventions related to sensitive personal data. What is clear is that except for “selling or offer of selling personal data”, the significant harm may not necessarily be the result of “dishonest” or “fraudulent” intention which necessarily warrants incarceration in other laws.
The Indian Penal Code (IPC) and the Data Protection Bill nowhere define the states of culpability separately. The IPC defines the terms ‘dishonestly’ and ‘fraudulently’ as an act done with an intent to cause a person ‘wrongful gain or wrongful loss’ or ‘to defraud’ but not otherwise. Though various levels of culpability like intentionally, knowingly and negligently have evolved over the years, the term ‘recklessly’ is yet to find its appropriate place vis-a-vis ‘negligently’. The ordinary meaning of the word ‘reckless’ in the English language is ‘careless’, ‘heedless’, ‘inattentive to duty’. Literally, it means without ‘reck’, which is simply an old English word meaning ‘heed’, ‘concern’ or ‘care’.
Further, making all instances of obtaining data, disclosure, and transfer (without dishonest or fraudulent intention) punishable with imprisonment will only increase the burden of already overworked law enforcement agencies and the judiciary. In states, mostly police inspectors, the only ones made competent to investigate cases under the Bill, are the station house officers (SHOs) as well. It will be unfair to mandate SHOs to probe all such cases without making any distinction between the gravity of offences. This will also add to the extra burden on our already overcrowded jails as all offences have been made non-bailable. So it will be quite reasonable, at least to begin with, to make a fair distinction between the states of culpability.
Two examples will be relevant in this context: First, the US Model Penal Code (MPC) has incorporated the use of standardised ‘mens rea’ terms to determine levels of mental states. These terms are, in descending order, ‘purposely’, ‘knowingly’, ‘recklessly’ and ‘negligently’, with a fifth state of ‘strict liability’. Though the term ‘intentionally’ in Indian jurisprudence is considered equivalent to ‘purposely’ of the US, the term ‘recklessly’, being more culpable than ‘negligent’, must be clearly spelt out to avoid different interpretations. Second, the (Indian) IT Act, 2000, as amended in 2009, clearly differentiates between civil remedy in the form of penalty and compensation for damage and punishable culpability in terms of imprisonment and imposition of fine. Unless hacking, i.e., unauthorised access to a computer, is done with ‘dishonest’ or ‘fraudulent’ intention (under Section 66), the remedy lies in awarding only compensation for the damages caused to the affected person (under Section 43).
Thus the import of similar provisions into the Data Protection Bill would not only lead to logical distinction between various acts of contravention but would also bring consistency with the existing laws in the matter of culpability. Similarly, besides making a clear distinction between the states of culpability, the existing scope of adjudication (for civil remedies) may suitably be widened and the enforcement agencies limited to criminal acts done with ‘dishonest’ and ‘fraudulent’ intent.
R K Vij
The author is a senior IPS officer in Chhattisgarh.
Views expressed are personal
Email: vijrk@hotmail.com