Disclaimer: The views/opinions/arguments expressed here are solely those of the author and contributors, as named therein, in their private capacity and do not in any way represent the views of any entity of the Indian Government or any private organization(s) they are associated with. The views/opinions/arguments of the contributors are re-produced here with due permission.
The other day I participated in an interesting discussion. The discussion took place in an information privacy forum comprised of professionals from various industries. The topic of discussion was Legal ramifications of sharing screenshots of a conversation held on messengers such as WhatsApp, Hike, Telegram etc. (We’ll take WhatsApp as an example).
Point(s) of Discussion
The discussion was initiated by Nikhil Kulkarni. He put across the following questions:
If an individual forwards a screenshot of a WhatsApp group conversation to another individual outside that group; will such sharing be considered:
- Invasion of privacy of the members of the WhatsApp group?
- Punishable against provision IT Act section 43 (unauthorized sharing of computer data) or 43A (sharing of personal information without permission from the data owner)
I gave it some thought and offered the following views:
If sharing screenshots of WhatsApp messages is punishable, then by that logic forwarding audio and video files involving other people, who are not part of that particular conversation or group, should also be punishable, as such an act may hamper the privacy of the said individuals.
Following is an exceprt from their Terms and Conditions page:
“Legal and Acceptable Use. You must access and use our Services only for legal, authorized, and acceptable purposes. You will not use (or assist others in using) our Services in ways that: (a) violate, misappropriate, or infringe the rights of WhatsApp, our users, or others, including privacy, publicity, intellectual property, or other proprietary rights; (b) are illegal, obscene, defamatory, threatening, intimidating, harassing, hateful, racially, or ethnically offensive, or instigate or encourage conduct that would be illegal, or otherwise inappropriate, including promoting violent crimes; (c) involve publishing falsehoods, misrepresentations, or misleading statements; (d) impersonate someone; (e) involve sending illegal or impermissible communications such as bulk messaging, auto-messaging, auto-dialing, and the like; or (f) involve any non-personal use of our Services unless otherwise authorized by us.”
“Your Contacts and Others. Users with whom you communicate may store or reshare your information (including your phone number or messages) with others on and off our Services. You can use your Services settings and the block feature in our Services to manage the users of our Services with whom you communicate and certain information you share.”
Technically speaking, the moment when a user press the button to send a message, it implies that they are willing to share that information with the individual or group they are interacting with. The moment that message lands on other user’s device they become the owner of that information and should have the right to use it as they wish (unless the message is classified according to a mutually agreed classification scheme, which isn’t the case normally). Since they are not accessing this data in an unauthorized manner and the device on which that data resides in that moment, is in their ownership, they should not be punishable under section 43 as well.
At this point, Mr. Rahul Sharma joined the discussion with the following viewpoint:
I think Whatsapp is not “collecting” SPDI for processing against explicit consent, for a message sent by user in a group.
Soon, we heard back from Nikhil. He agreed with the explanation above, reluctantly. He countered it with following arguments:
I agree that application of section 43 on grounds of unauthorized sharing of computer data is questionable. But 43A is applicable to both body corporate and persons in India as per this clarification.
Also, basis the above explanation it effectively means that even though WhatsApp groups are restricted to few individuals; posting any messages on WhatsApp is as good as publishing them publicly (because others in the group can share them freely without any fear of litigation from you!).
This is quite counter-intuitive because WhatsApp tries its best to protect your information even from Govt. snooping by encrypting it! And on the other hand, just by posting something on WhatsApp, one is opening it up for potential public disclosure!
Thus, the discussion reached a point of an impasse. The responsibility to resolve it was then assigned to Cyber Law experts, within the group.
This is where Ms. Soumya Patnaik, a Cyber Law Practitioner, stepped up and resolved the dilemma with her comprehensive explanation of applicability of relevant sections of the IT Act, 2000:
Section 43 of IT Act
Section 43 of the IT Act makes unauthorized access and misuse of computer, computer system or network, or any data or information stored on such network/resource punishable.
The essential parts of this contravention therefore are:
- There must be a computer/computer system/computer network/ computer resource;
- Such computer must be owned by, or under the control of a person; and
- The person (alleged offender here), must have gained access to such computer or any data/ information stored on such computer without the permission of the owner (or possessor) of such computer, network or resource.
In the present context, person “A” is transferring or sending messages and albeit “personal information” of his own accord, to person “B”. Therefore, even though “B” transfers the information or message to a third party, the same does not involve any unauthorized access to data/information.
Thus, from the context of Section 43, there has been no contravention on the part of B.
Section 43A of the IT Act
As per Section 43A, any body corporate who is possessing, dealing or handling any sensitive personal data or information (“SPDI”) in a computer resource which it owns, controls or operates, and is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or gain to any person, such body corporate would be liable to damages by way of compensation to the affected person.
The Section clearly defines “body corporate” to mean “any company, including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.”
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Privacy Rules”) have been formulated under Section 43A of the IT Act, and therefore, may not, and cannot be read separately from Section 43A.
As per the Privacy Rules, SPDI is a certain category of personal information that includes: (a) password; (b) financial information; (c) physical, physiological and mental health condition; (d) sexual orientation; (e) medical records and history; (f) biometric information; (g) any detail relating to these categories. Therefore, as you would note, SPDI forms a much narrower category than the broader category of ‘personal information’. What Section 43A and the Privacy Rules deal with, are in fact, SPDI, and not the broader category of ‘personal information’.
Further, on a review of the Privacy Rules, you would observe that the onus rests on the body corporate that is collecting such SPDI, or handling such SPDI, to obtain “consent” of the data subject. It then requires the body corporate to also inform the data subject of the purpose for which such information is being collected, how it will be used, who it will be transferred, how and where it will be stored, etc.
Now, in a situation where the data subject volunteers to give out information (even if it is SPDI), to a body corporate or any other person, the provisions that require the body corporate to obtain prior consent, etc., are entirely defeated. The only other provision that would apply in this case may be the onus to maintain reasonable security practices and procedures, and to not transfer it to a third party, without consent.
The notification referred above does mention “any person”, but the intent of the notification is not to defeat Section 43A (which clearly applies to bodies corporate only). Even if we do agree with your argument that the onus under Section 43A applies to bodies corporate as well as individual persons, I am not sure of the practical enforcement of the obligations as against individuals. How does an individual like you and I maintain ‘reasonable security practices and procedures’ and further, for what purpose is such an individual collecting someone else’s SPDI like financial information, etc.?
Also, please note that clarifications are in the nature of administrative directions and cannot override the provisions of a statute, in this case, Section 43A of the IT Act (which clearly refers to bodies corporate alone).
In this case:
- It is very unlikely that the information being transferred amounts to SPDI;
- The very fact that the information is being voluntarily transferred to another person over a WhatsApp group defeats the requirement of prior consent; and
- The parties involved here are individuals and not bodies corporate.
Section 72A of the IT Act
This brings us to Section 72A of the IT Act, which states as follows:
“Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause, or knowing that he is likely to cause wrongful loss or wrongful gain, discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to 3 years, or with fine which may extend to Rs. 3 lakh, or with both.”
In my opinion, this would be the relevant provision in the present context. Assuming a friend has shared certain personal information (this could be any personal information, and not just SPDI) with you, and you share it without your friend’s consent, with a third party, you may be punishable under Section 72A.
Even then, the operative words here are: (a) with the intent to cause; or (b) knowing that he is likely to cause wrongful loss of wrongful gain.
Therefore, unless it can be proved that you had such intent, or that any prudent/reasonable person would know that such sharing would cause wrongful loss to your friend, you would still not be punishable under this provision.
Shreya’s friend Sonakshi, is a lawyer. Sonakshi had sent a picture of her visiting card (which contained her name, address, contact number and email id) to Shreya, over WhatsApp. Shreya has another friend, Soumya. Soumya needs a lawyer, and seeks Shreya’s help. Shreya, albeit well-meaningly, shares the image of Sonakshi’s visiting card, with Soumya. Soumya’s phone gets hacked, and Sonakshi’s personal information is now in the hands of the hacker, who has started stalking and harassing Sonakshi. In this case, would Shreya be liable under Section 72A, because she shared the information with Soumya, without Sonakshi’s consent?
- At the time of sharing the information, she did not intended to cause any wrongful loss to Sonakshi; and
- No reasonable person could have anticipated that Soumya’s phone would get hacked and Sonakshi’s personal details would be with the hacker who would eventually stalk and harass her.
In the words of Ms. Patnaik:
Under our current privacy regime, I think we are safe. Section 72A is applicable in case of disclosure under a lawful contract. Therefore, where personal messages are being shared, on strict interpretation, it is unlikely to trigger Section 72A [this point was also highlighted by Mr. Sharma]. However, of course, we should try to not share other’s information, images, messages, etc. with third parties, without their consent. If the information is even remotely SPDI, such as health related information, we should definitely not publish it!
Finally, WhatsApp is pretty much like Facebook actually, or any other social medium, and anyone sharing personal information on it should just beware that it is being published all over.
Do you agree with the verdict? Would you like to appeal against it? Leave your arguments in the comments section and lets keep the discussion going. This article is also available for discussion on Nikhil Kulkarni’s website.
Uday Mittal (OSCP, Associate CISSP, DCPP) is the founder of Yaksas CSC. He has over 4 years of experience in dealing with various issues related to cyber security. He is actively working towards educating people on cyber security risks and steps to mitigate them. He’s also a member of (ISC)2, ISACA and DSCI.