Centre for Internet & Society

The Telecom Regulatory Authority of India (TRAI), in March 2015 invited comments on its Consultation Paper for the regulation of over-the-top (OTT) services. In an unprecedented wave of public participation, TRAI received over a million e-mails in support of net neutrality.

This note sets out the law in relation to the unauthorized disclosure of personal information. Many thanks to Bhairav Acharya for his inputs on this.

Subsequently, on April 27, 2015, TRAI made all responses received by it public, including personal information like email addresses along with any information contained in email signatures, which invariably include a phone number or address. While disclosure of names was needed to ensure transparency in the consultation process, disclosure of personal information gave rise to criticism and questions around the legality of such disclosure.

This note sets out the law in relation to the unauthorized disclosure of personal information:
Section 43A of the IT Act provides for subordinate legislation to govern the manner in which sensitive personal data is collected and processed. The governance of personal information is dealt with under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“2011 Rules”). The 2011 Rules are made to give effect to Section 43A of the IT Act.

TRAI is a body corporate as per Section 3(2) of the TRAI Act. Hence, TRAI’s collection, storage, and disclosure of personal information is governed by the 2011 Rules. Rule 5(8) requires personal information collected to be held securely. TRAIs publishing of email addresses is a violation of Rule 5(8).

Rule 4 of the 2011 rules requires a body corporate to have a privacy policy. On its website, TRAI publishes a Privacy Policy. However, the Policy speaks of information gathered from the TRAI- Website. Even the wording on the Home Page of the TRAI website (that links to these policies) says “Website Policies”. It is unclear therefore, whether the Privacy Policy applies ONLY to the collection of information over the TRAI- Website or whether the Privacy Policy applies to TRAI overall.

Either way there is an argument to be made. TRAI has failed to draft and publicize a privacy policy for the personal information it collects directly. Without prejudice to the above, if the privacy policy on the TRAI website governs this collection of email addresses, then its unauthorized disclosure is a contravention of its own Privacy Policy, specifically paragraph 2.

Since the IT Act does not enact a specific penalty for contravention of section 43A in respect of personal information, TRAI’s unauthorized disclosure will be penalized through the residuary penalty contained in section 45 of the IT Act.

Hence TRAI is liable under Section 45 of the IT Act read with Rules 4 and 5(8) of the 2011 Rules. Section 45 provides a “residuary penalty”; for those provisions under the IT Act or Rules for whose contravention no other penalty has been prescribed. For this contravention, TRAI would have to pay a compensation of 25,000/- to the affected persons or a penalty of 25,000/- rupees.

TRAI may argue that it disclosed that personal information would be disclosed/published. However, the Call for Comments Press Release says that Comments will be published. Email addresses are not comments, and therefore TRAI did not issue a prior disclaimer for the publication of this personal information – hence the disclosure of e-mail addresses is still a violation.

The remedy for violation of Section 43A of the IT Act is the Adjudicating Authority appointed under Section 46(1), which requires a person not below the rank of Director in the appropriate government to receive complaints. Since TRAI is a body corporate as per the Act, it is unclear as to who the adjudicating officer in the present case should be; and is the matter of a separate research question.

The Appellate authority is the Cyber Appellate Tribunal constituted under Section 48 of the IT Act . It is not known if the tribunal has been constituted, and if it has; it is unknown whether it is staffed.

In the absence of clarity with regard to statutory authorities, a citizen whose personal information has been disclosed by TRAI without authorization may file a writ petition in the Delhi High Court under Article 226, or in the Supreme Court under Article 32 for issue of a writ of mandamus or prohibition, for appointment of the first adjudicating officer and also for issuance of directions in lieu of such an officer.

The views and opinions expressed on this page are those of their individual authors. Unless the opposite is explicitly stated, or unless the opposite may be reasonably inferred, CIS does not subscribe to these views and opinions which belong to their individual authors. CIS does not accept any responsibility, legal or otherwise, for the views and opinions of these individual authors. For an official statement from CIS on a particular issue, please contact us directly.