Biometric Leaks and Absolute Liability: Drawing Parallels with the Oleum Gas Leak Case (Guest Post)

This guest post is by Nishkarsh Tomar and Agrima Raman, who are third-year B.A. LL.B. (Hons.) students at Dharmashastra National Law University, Jabalpur.

THE BACKGROUND

On the upsetting morning of July 29, 2019, users of Sephora woke up to a notification suggesting they change their passwords. The identities of millions of users were up for grabs on the dark web. Instances like this have surfaced before: similar cases involving Biostar 2 and Yahoo all point to a recurring issue where large corporations have neglected to safeguard the fundamental rights of their customers. This evokes parallels with the Oleum Gas Leak case (M.C. Mehta v. Union of India), where the escape of hazardous Oleum gas affected many. Just as the noxious fumes from Shriram Industries unleashed invisible terror, the mishandling of Sephora users’ Biometric data has far-reaching consequences, too.

Biometrics means using your body to unlock access. It is a unique way of identification through Biometric traits such as face, iris, palmprint and voice. Biometric data is so unique that not even identical twins share it. In the age of advancing technology, Biometrics brings several advantages. Besides confirming identity, it facilitates negative identification to prevent duplicates. Hence, it is evident that Biometrics constitute sensitive information and, given their unique and permanent nature, require the highest level of security. Acquiring Biometric data from customers imposes a significant stewardship responsibility on companies, which should compel them to exercise utmost caution in its storage and management.

Biometric leaks put individual integrity and privacy at lifelong risk. Privacy has been recognized as a fundamental right intrinsic to Article 21 of the Indian Constitution. Imposition of Absolute liability on corporations for Biometric leaks, whether at fault or not, will ensure that they adhere to the limitations of fundamental rights and will imbue them with respect for human rights. This approach advances human rights jurisprudence as enunciated in M.C. Mehta v. Union of India.

Based on the above discussion, Biometric leaks should attract Absolute liability, and companies handling Biometric data should face the consequences, irrespective of fault.

COMPARATIVE ANALYSIS: OLEUM GAS LEAK CASE VS. BIOMETRIC LEAKS

M.C. Mehta v. Union of India and the Sephora Biometric data breach both centre on leaks, one physical and the other digital. While the Oleum gas leak threatened citizens physically, the compromise of unique and permanent Biometric data may have even more serious consequences. This can result in a lifelong intrusion into your privacy through identity theft. Once your Biometric data is stolen, you cannot reset your fingerprint or replace your retina.

In M.C. Mehta v. Union of India, the Hon’ble Supreme Court at paragraph 2 has held:

“If this Court is prepared to accept a letter complaining of violation of the fundamental right of an individual or a class of individuals who cannot approach the court for justice, there is no reason why these applications for compensation which have been made for enforcement of the fundamental right of the persons affected by the oleum gas leak under Article 21 should not be entertained.”

Thus, one of the reasons for which the Hon’ble Court imposed Absolute liability was that there was an infringement of the fundamental rights of the citizens at large. In substance, the harm caused by Biometric leaks is also significant. Biometrics is highly sensitive information as it directly relates to one’s identity and therefore falls within the precincts of privacy. Privacy has been recognised as an inalienable right under Article 21, evolving on a case-to-case basis. A stranger in possession of another person’s Biometric data is essentially infringing upon their liberty.

In paragraph 7, while analysing the factual matrix of several cases, the Hon’ble Court has posited:

“…the fact of infringement was patent and incontrovertible, the violation was gross and its magnitude was such as to shock the conscience of the court and it would have been gravely unjust to the person whose fundamental right was violated, to require him to go to the civil court for claiming compensation.”

The potential harm resulting from a Biometric data leak is akin to a physical threat, as it can lead to lifelong identity theft, financial loss, and emotional distress. The violation is clear and incontrovertible, constituting a serious breach of digital and personal security. The scope and ramifications of Biometric data leaks should likewise concern the legal system. Rigorous data protection measures must be implemented to prevent Biometric leaks. Immediate and stringent legal action is also necessary to prevent future occurrences and to inject a sense of social conscience into the corporate structure.

In paragraph 31, the Hon’ble Court has held:

“If the enterprise is permitted to carry on an hazardous or inherently dangerous activity for its profit, the law must presume that such permission is conditional on the enterprise absorbing the cost of any accident arising on account of such hazardous or inherently dangerous activity as an appropriate item of its overheads.”

In the same spirit, storing sensitive information like Biometric data cannot be considered any less harmful given the repercussions it can have. A company should be made absolutely liable for any Biometric leak that occurs, whether due to internal or external reasons. In all instances of Biometric leaks, immediate crisis management was implemented to mitigate the damage. This highlights that companies are negligent in managing the Biometric data in their possession. Hence, imposing Absolute liability correlated to the magnitude and capacity of the company in Biometric leaks will ensure that they maintain higher standards of care in handling Biometric data. Profits are crucial for any corporation, so penalties that reduce profitability act as a deterrent for the corporation. In the Oleum Gas leak incident, one of the solutions was to consider relocating the factory units. However, in cases of Biometric leaks, the damage is extensive, crosses international borders and is not bounded in time.

Furthermore, at paragraph 31, the Hon’ble Court has held:

“Law has to grow in order to satisfy the needs of the fast changing society and keep abreast with the economic developments taking place in the country. As new situations arise the law has to be evolved in order to meet the challenge of such new situations. Law cannot afford to remain static.”

Our existing legislation dealing with Biometric leaks is riddled with loopholes. In some instances, it fails to provide adequate remedies to victims; in others, it affords companies ample opportunities to evade liability. With the changing times, one thing is certain: technological advancements necessitate improved legal frameworks to bolster the rights of individuals in the virtual space as well.

FLAWS IN CURRENT REGULATORY FRAMEWORKS

In India, two key pieces of legislation specify consequences for corporations that compromise an individual’s Biometric information: the Digital Personal Data Protection Act, 2023, and the Information Technology Act, 2000.

Section 33(2) of the Digital Personal Data Protection Act, 2023 considers a catena of factors, such as the nature, gravity and duration of the breach, proportionality and its impact, when imposing penalties, and it allows the Data Protection Board to impose a penalty of up to 250 crore rupees. However, despite these substantial penalties, the Act does not compensate the victim.

Section 34 of the Digital Personal Data Protection Act, 2023 states:

“All sums realised by way of penalties imposed by the Board under this Act shall be credited to the Consolidated Fund of India.”

Therefore, the Digital Personal Data Protection Act, 2023 framework does not address the rights of individuals whose Biometric data has been compromised. The loss that a victim suffers cannot be equitably remedied by mere financial penalties. Imposing Absolute liability will prioritize victim compensation and deterrence of negligent practices. 

Similarly, Section 43A of the Information Technology Act, 2000 deals with compensation for failure to protect data. It states:

“Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.”

Briefly, it touches upon the idea of awarding compensation to the affected person. However, a conspicuous lacuna is that it lays down a prerequisite condition. The section states that compensation can be sought by the affected person only if the body corporate has been negligent in maintaining reasonable security standards. In other words, the word ‘negligent’ provides a safe haven for body corporates to absolve themselves of their liability. This enables them to conveniently evade their duty of protecting the individual’s data.

Furthermore, Explanation (i) to Section 43A of the Information Technology Act, 2000 defines body corporate in the following manner:

“Body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;”

Body corporates can escape liability by simply attesting that they are not involved in any commercial or professional activity. This is possible because the ambit of ‘commercial or professional activities’ has not yet been laid down in any piece of legislation.

Moreover, Section 45 of the Information Technology Act, 2000 states:

“Whoever contravenes any rules or regulations made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation not exceeding twenty-five thousand rupees to the person affected by such contravention or a penalty not exceeding twenty-five thousand rupees.”

The statutory provision stipulates compensation of not more than ₹25,000 for victims. However, this amount is woefully inadequate, especially when dealing with the serious consequences of Biometric leaks, and it risks sending the wrong message to companies regarding their responsibility toward privacy.

LEGISLATIVE FRAMEWORKS ABROAD

The Biometric Information Privacy Act of 2008 is the foremost and most prominent legislation in Illinois in the United States of America on Biometric data. In Rosenbach v. Six Flags, the Hon’ble Supreme Court of the United States of America recognized that, apart from controlling their own Biometric data, individuals must have the right to sue companies illegally collecting their information to hold them accountable. The Supreme Court remarked that lawmakers must continue with such legislation without chipping away at any of the protections it offers.

The General Data Protection Regulation is yet another demonstration of exemplary drafting and commitment to inclusivity, catering to every stakeholder’s needs. Its Recital 146 reads as follows:

“…Data subjects should receive full and effective compensation for the damage they have suffered. Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage…” 

It talks about the concept of indemnity. This Recital specifies the nature of the damages. It states that these damages, in the form of compensation, must be full and effective, thus representing the idea of the adequacy of compensation.

Furthermore, Article 82(1) of the General Data Protection Regulation states:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” 

It elaborates upon the right of compensation and liability. It states that any person who suffers any material or even non-material damage shall have a right to claim compensation from the parties concerned. Therefore, the idea of applying Absolute liability upon those companies which fail to secure their customers’ Biometric data, thus resulting in data leaks, must be encouraged. Moreover, it furthers the idea of corporate social responsibility by compelling businesses to act ethically, thus providing a positive social value to the masses. It would impose a social cost on these companies, aligning with the principles of corporate social responsibility.

CONCLUSION

Biometric leaks and the Oleum gas leak intersect on the common theme of leakage, highlighting the suitability of Absolute liability. Companies continue to create dangerous products that invade people’s privacy, and the leakage of Biometric data, which pertains to highly sensitive information, can result in lifelong risks to the affected person. Unfortunately, our existing legislation falls short of prescribing any appropriate penalties for companies responsible for Biometric leaks. Therefore, adopting Absolute liability within Indian legislation will ensure adequate compensation for victims while also holding companies accountable and incentivising them to fortify their data systems with robust safeguards. 

Absolute liability in Biometric data breaches is a necessity in India. The irreplaceability of Biometric information lies in its uniqueness: it can never be reset once compromised. This infringes directly on fundamental rights, especially privacy under Article 21 of the Indian Constitution, resulting in intrusion and identity theft for someone’s entire life. Legal precedents like M.C. Mehta v. Union of India highlight the magnitude of harm Biometric leaks can cause and underscore the need for stringent measures akin to those imposed for environmental hazards. The Biometric Information Privacy Act, 2008 and the GDPR exemplify the importance of robust legal protections and compensation for data breaches. Absolute liability could serve as a mechanism to ensure that proactive measures are taken in data security, aligning legal frameworks with technological change and corporate responsibility for safeguarding Biometric data. As social norms evolve, Absolute liability becomes imperative to establish safeguards against the potentially catastrophic consequences of Biometric data mishandling.