AIR INDIA DATA BREACH AND ITS LEGAL IMPLICATIONS


Introduction

According to Air India, the cyber-attack that exposed the personal information of millions of passengers from around the world involved personal information recorded between August 26, 2011 and February 20, 2021. Air India reported a data breach at the SITA[1] passenger network to its passengers. Between March 25 and April 5, 2021, the identity of the persons harmed by the breach was provided. Based on the information provided by the airline, the breach exposed the personal information of 45 lakh passengers. SITA is a technology business established in Switzerland that specializes in air transport telecommunications. It offers services such as reservation systems and passenger processing. In 2017, Air India had announced a partnership with SITA to improve its infrastructure for joining Star Alliance. As reported by SITA, it was the victim of a cyber-attack in the latter week of February, which resulted in the release of personal information of certain passengers of the airline. Air India had also advised any passengers who registered with the airline within the aforementioned dates to change their passwords to protect their personal data.


Cyber-attacks on airlines have become an all-too-regular feature of the news in recent years. For example, British Airways was fined £20 million in 2020 for a data breach that exposed the personal data of 400,000 customers two years prior. The airline industry appears to have the most serious cybersecurity issues of any industry. This is not due to a lack of regulatory frameworks in the sector; rather, it is due to a mix of reasons. Organizations in the aviation industry maintain far more personal data about clients than companies in other industries, such as passport information that is linked directly to financial information. Airlines are also one node in a vast, interconnected network of data transfers involving governments and other entities. These firms’ data is continuously traveling at rates hardly seen in other industries, and it can have numerous endpoints at once. In light of such data breaches, it is important to examine the present legal framework for data privacy and data protection, its current status and how the government at times interferes with it.


Data Privacy and Data Protection

Data privacy is defined as the right to protect one’s personal information on various internet networks. Such information includes data in relation to a business, an individual or a government, and data provided through biometrics. On the other hand, data protection refers to “a set of laws in relation to privacy, procedures and processes aimed at limiting the amount of personal data stored, collected, and disseminated that intrudes on one’s privacy.”[2] Personal data is information about an individual that can be used to identify him or her, whether acquired by a private company or the government.


Data Protection Laws


a. India

The fundamental right to privacy[3] is not specifically stated in the Indian Constitution. In the landmark judgement in Justice KS Puttaswamy vs. Union of India[4], the apex court ruled that the right to privacy is a basic right and an integral aspect of the right to life and personal liberty under Article 21 of the Indian Constitution[5]. India currently lacks a clear and precise data protection law; however, some provisions of the Information Technology Act, 2000[6] cater to the same.


Information Technology Act, 2000

It addresses concerns such as punishment and payment of compensation in cases of misuse of personal data, breach of contractual terms and wrongful disclosure of personal data. The relevant sections in relation to data protection are sections 43A[7], 66C[8], 66E[9] and 72A[10]. Section 43A[11] deals with the liability of agencies that manage and possess personal and sensitive information and fail to maintain reasonable security protocols, leading to unjust gain or loss to an individual. Sections 66C[12] and 66E[13] deal with punishment for theft and privacy respectively. Section 72A[14] deals with disclosing information purposefully and knowingly without the permission of the concerned individual and prescribes a punishment, i.e., imprisonment for up to three years and a fine of up to Rs 5,000,000.


  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011[15] - It is concerned with the protection of sensitive personal data such as medical records, biometric data, passwords, sexual orientation, bank account details, etc.

  • Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002[16] - It governs issues connected to the gathering of personal data from patients, including consent.

  • SEBI’s Data Sharing Policy - It intends to formalize data security practices in order to prevent the misuse of data.


b. International Conventions

In relation to data privacy, India has ratified certain conventions. Article 12 of the Universal Declaration of Human Rights[17] and Article 17 of the International Covenant on Civil and Political Rights[18] are two such provisions. These provisions basically state that there should be no arbitrary interference in relation to one’s privacy or something that hurts their reputation. On being subjected to such interference, each individual has the right to be protected by the law.


Current status of Personal Data Protection Law

Since 2006, there has been a push to enact a Personal Data Protection Act. The Ministry of Electronics and Information Technology (MeitY) formed an Experts Committee under the chairmanship of Justice N. Srikrishna to design a data protection law for India. The Personal Data Protection Draft Bill[19] contains a number of key provisions which define key concepts such as sensitive personal data and personal information, and lay out the duty of a Data Controller. More importantly, it has acknowledged personal data protection as a critical aspect of informational privacy and the right to privacy as a basic right.


Government interference with personal data

There are certain laws that allow the government to interfere with one’s personal data. One such provision is Section 69 of the Information Technology (Amendment) Act 2008[20]. Through it, any government agency can be compelled by the government to monitor, intercept or decrypt any confidential or personal details created, stored, received or sent in any computer network. This can be done when the government is convinced that it is essential in the interests of sovereignty, defence, friendly relations with other nations or public order. The Information Technology (Procedures and Safeguards for Blocking for Access to Information) Rules, 2009[21] gave the government the authority to prohibit access to a variety of websites.


Conclusion

To conclude, with the move towards digitalization, India needs a strong and effective data protection law to strengthen individual rights by giving individuals complete control over their private information while also assuring high data security. The recent Air India data breach highlights the utmost need to have an efficient legal mechanism for data privacy and data protection in place and to ensure that the basic right to privacy is upheld.


[1] Société Internationale de Télécommunications Aéronautiques.
[2] Right to Privacy (Accessed at https://www.iasgyan.in/daily-current-affairs/right-to-privacy on May 29, 2021).
[3] INDIA CONST. art 21.
[4] KS Puttaswamy vs. Union of India, (2017) 10 SCC.
[5] Ibid, 3.
[6] Information Technology Act, 2000, No.21, Acts of Parliament, 2000 (India).
[7] Information Technology Act, 2000, s. 43A, No.21, Acts of Parliament, 2000 (India).
[8] Information Technology Act, 2000, s. 66C, No.21, Acts of Parliament, 2000 (India).
[9] Information Technology Act, 2000, s. 66E, No.21, Acts of Parliament, 2000 (India).
[10] Information Technology Act, 2000, s. 72A, No.21, Acts of Parliament, 2000 (India).
[11] Ibid, 7.
[12] Ibid, 8.
[13] Ibid, 9.
[14] Ibid, 10.
[15] Ministry of Communications and Information Technology (Department of Information Technology), (Accessed at https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf on May 29, 2021).
[16] Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2000 (Accessed at https://wbconsumers.gov.in/writereaddata/ACT%20&%20RULES/Relevant%20Act%20&%20Rules/Code%20of%20Medical%20Ethics%20Regulations.pdf on May 29, 2021).
[17] Universal Declaration of Human Rights (UDHR), Art. 12.
[18] International Covenant on Civil and Political Rights (ICCPR), Art. 17.
[19] The Personal Data Protection Bill, 2019.
[20] Information Technology (Amendment) Act, 2008 s. 69, No.10, Acts of Parliament, 2009 (India).
[21] Information Technology (Procedures and Safeguards for Blocking for Access to Information) Rules, 2009 (Accessed at https://www.meity.gov.in/writereaddata/files/Information%20Technology%20%28%20Procedure%20and%20safeguards%20for%20blocking%20for%20access%20of%20information%20by%20public%29%20Rules%2C%202009.pdf on May 29, 2021).


Author- Sabrina Bath

LLM-II

Symbiosis Law School, Pune
