Protection of Action taken in Good Faith in Personal Data Protection Bill, 2019 - A Comparative Analysis with Indian and International Jurisprudence

Privacy, as an essential human right recognized under Article 12 of the Universal Declaration of Human Rights[1], has also been guaranteed under Article 21 of Constitution of India[2] as a fundamental right by the Supreme Court in Justice K.S. Puttuswamy v Union of India.[3] It is imperative to realize that, to preserve the integrity and dignity of a human being, one's personal life needs to kept private i.e. non-accessible to the public view. Privacy enables a person to create a barrier and manage as to what kind of information and to what extent it can be accessed by the public.

In the current epoch of digital revolution, where most of the privacy of an individual can be accessed by social media companies like Facebook, Twitter or Microsoft, it became a critical factum to create specific rules and regulations in order to preserve privacy of an individual. Therefore, in the wake of such revolution, most of countries like Latin America, Chile, Columbia, Mexico and all of the Europe created specific statutes which legalized the privacy of their citizens. In India however, a committee of experts headed by Justice B.N. Srikrishna submitted a report which lead to enunciation of Personal Data Protection Bill, 2019.[4]

Analysis - Good Faith In Personal Data Protection Bill, 2019

In the aforementioned Bill, the terms Data Principal and Data Fiduciary are stated, in which the former includes any individual whose privacy is in question and the latter regards to any individual or a team which established the purpose and means of processing that specific data.

Handling any individual's privacy requires an element of trust, and therefore, Data Fiduciary are intended to perform their set of regulations in accordance with the expectations of the Data Principal and the specific statute. Any act which is not performed in good-faith or not intended to be in compliance with the said statute would be considered a violation of the Bill. Under article 88 of the Data Protection Bill, 2019, it states that no suit, prosecution or any other legal proceedings shall lie against the Authority or Chairperson... for anything which is done in good faith or intended to be done under this act. Good faith has not been defined under the said act but have been used in numerous legislation and statutes in India for example, 2(h) of the Limitation Act, 1963[5] which defines good faith as an act not done with due care and attention.

In Jitender Kumar Gupta v Sukhbir Singh Saini, the court held that:
What amounts to good faith or due diligence on the part of the plaintiff will depend upon facts of each case and no hard and fast rule can be laid down for the same. In any event of the matter, the said provision of law will not help a party who is guilty of negligence, lapse or inaction and in a casual approach continues to pursue a remedy before a court of law where no prudent person after exercising reasonable care would invoke or continue to pursue such a remedy.[6] However, in the case law of the European Court Of Justice, the notion of Good faith refers to the legitimate belief on the part of the parties regarding the certain existences of certain applicable rules of law.

ECJ has consistently held that national courts must apply the rules of community law as interpreted by the ECJ, but in the case of Sarah Margaret Richards v Secretary of State for Work and Pensions, the court has held that, this restriction can be spared if there is a significant uncertainty regarding the implications of community provisions and the legal relationships have been formed in Good faith.[7]

In General Clauses Act, 1897, the term good faith has been defined under section 3(22), which states that:
a thing shall be deemed to be done in good faith where it is in fact done honestly, whether it is done negligently or not[8].

However, in the headnote of the same section, it has been stated that, unless there is anything repugnant in the subject or context, which basically infers that, this definition of the term would not be applicable if it poses a conflict with the intention of the said provision or the statute.

In Maung Aung Pu v Maung Si Maung, it was cited that the Indian Contracts Act, 1872 didn't have the definition of the term good faith however, with the reference to the General Clauses Act, the court stated that the definition would not be applicable simply because the term would pose an incompatibility with the said provision.[9]

The definition of good faith in Indian Penal Code, 1860 is mentioned under section 52, which states a negative corollary as, an act done without due care and attention.[10] Due care, or reasonable care, has been defined in Blackstone's dictionary as, such a degree of care, precaution, or diligence as may fairly and properly be expected or required, having regard to the nature of the action, or of the subject-matter and the circumstances surrounding the transaction.[11]

It is such care as an ordinary prudent person would exercise under the conditions existing at the time, he is called upon to act. Moreover, the preamble of the Data Protection Act, 2019 emphasizes on the element of trust with reference to the data privacy of an individual, therefore, the threshold for application of the defense of protection of action taken in good faith becomes higher and the courts would probably have to satisfy whether at the time, the data fiduciary or any relevant authority complied with due care and attention.

It's also imperative to understand the fiduciary relationship that the data fiduciary or any individual processing the data under the scope of article 88 in the said act and the data principal holds to infer the good faith immunity.

The relationship can be analogized to the public information officer, defined under section 5(3) of the RTI Act, 2005 as an authority which deals with the requests and assists the concerned individual filing the RTI under the RTI Act, 2005.

In Central Board of Secondary Education v Aditya Bandyopadhyay, the court expanded the term fiduciary relation as, The term fiduciary refers to a person having a duty to act for the benefit of another, showing good faith and candour, where such other person reposes trust and special confidence in the person owing or discharging the duty. The term fiduciary relationship is used to describe a situation or transaction where one-person (beneficiary) places complete confidence in another person (fiduciary) in regard to his affairs, business or transaction(s).

The term also refers to a person who holds a thing in trust for another (beneficiary).The fiduciary is expected to act in confidence and for the benefit and advantage of the beneficiary and use good faith and fairness in dealing with the beneficiary or the things belonging to the beneficiary[12]. Under section 8(1)(j) and section 11 of the RTI Act, 2005, the requirements of privacy and confidentiality while assisting and processing the RTIs to the relevant public authority creates such a fiduciary relationship with higher standards of trust and honesty. Furthermore, under section 21 of the said act, there is similar immunity granted as article 88 of the DPB, 2019, which creates further requirement of test under action taken in good faith or intended to do under the act.

In Harjeet Singh v DM (North), the central information commission held that, the SPIO was exempted from protection under the good faith clause under the RTI Act, since he wasn't due diligent enough, acted negligently and recklessly while processing the relevant documents and through factual circumstances, also was deduced to having mala fide intentions[13].

In Swift Knit Pvt. Ltd v ITO which dealt with the mistake of bona fide which exempted an accountant from the liability imposed under the Income Tax Act, the court held that, Bona fide error is a very general and sweeping statement. It should be demonstrated with circumstantial evidence as to how this error has happened; what is operating force in the mind of person who has prepared the return, and how he failed to comprehend a particular item[14].

In Central Estates Ltd v Woolgar which was a case in which the courts have attempted to decipher the meaning of good faith as accordance with the Leasehold Reforms Act, 1967, Megaw Law LJ stated that, The words 'in good faith', in my opinion, mean 'honestly'. A claim is not made honestly if it is made with the intention of committing a criminal offence, or of facilitating the future commission of a criminal offence[15].

This seems a contrast with Indian statutes granting far more restrictions and limitations on how good faith clause can be used in order to exempt from liabilities of the violating parties, but it also depends on the intention of the legislator behind that statute.

In Herrington and Carmichael v The Trustee, the case which dealt with the defense of good faith by creditor on preferential payments, Russel J held that:
good faith requires more than personal honesty, it required an acknowledgment of the creditor that the action would also not amount to such preferential payment[16]. Therefore, the type of relationship that the statute creates also becomes an important factum to derive the threshold with the regards to the applicability of the good faith defense.

In article 88 of the DPB, 2019, the second part of the section also includes the defense, intended to do under the act which also can be a corollary to the good faith principle. In Mahesh Kumar Agarwal v State of Madhya Pradesh[17], the plaintiff filed a case against the Municipal Council for non-performance of sending a notice prior to an anti-encroachment drive. In this case, the respondents used section 318 under the Municipalities Act, 1961 which exempted the Municipal Council for any act done in good faith or intended to be performed in pursuant of the said act. The court held that, the use of words intended to be done under this Act is of paramount importance.

If a person has intention of performing any duty under the Act, then he would be covered under this phrase. The intention can be gathered from the surrounding circumstances and the conduct of the parties. In the present case, even according to the plaintiffs when a notice was given to the Municipal Council, then it was specifically replied that, a notice was given to the plaintiffs for removal of encroachment. Only when the plaintiffs did not remove the encroachment, then anti-encroachment drive was undertaken.

Therefore, in this case, the court still emphasized that it was important for the Municipal Council to act in accordance with the statute, however, if because of any externalities, the act could not be duly performed would still exempt the council from any suit against such inaction.

However, this wouldn't be an inference to state that any negligence on the account of the party to which the duty was owed would also be exempted from such action. It's important to understand that, the requirement for due diligence under the Data Protection Bill would be read with the exemption of intention to perform an act under the said clause. Furthermore, in this said clause, the second half should not be read independently without concluding that the action was done in good faith.

In Municipal Corporation of Hyderabad v T.V. Sarma, the court held that:
It is settled law that the word or can be read as and and the word and can be read as or where it is necessary to do so in order to give effect to the intention of the legislature. Therefore, any action intended to be performed with accordance with the said statute would be presumed that it was performed with due diligence and good faith, since it's necessary to achieve the objective and purpose of the act[18].

Conclusion
Therefore, we can conclude on this note that, the term Good faith by Indian jurisdictions have provided as a defense, notwithstanding the fact that it should be honest, and not negligent conduct of the individual in question. The Personal Data Protection Bill, 2019 would have similar analogous interpretations of the said Article, which would further enforce much more preservation and shield to a Data principal's privacy with respect to the Data Fiduciary.

End-Notes:

1. Article 12, UNHCR.
2. Article 21, Constitution of India.
3. K.S. Puttuswamy v Union of India.
4. Article 88, Personal Data Protection Bill, 2019
5. Section 2(h), Limitation Act, 1963.
6. Jitender Kumar Gupta v Sukhbir Singh Saini.
7. Sarah Margaret Richards v. Secretary of State for Work and Pensions.
8. General Clauses Act, 1897.
9. Maung Aung Pu v Maung Si Maung.
10. Indian Penal Code, 1860.
11. Blackstone Dictionary.
12. Central Board of Secondary Education v Aditya Bandyopadhyay.
13. Harjeet Singh v DM (North).
14. Swift Knit Pvt Ltd v ITO.
15. Central Estates Ltd v Woolgar.
16. Herrington and Carmichael v The Trustee.
17. Mahesh Kumar Agarwal v State of Madya Pradesh.
18. Municipal Corporation of Hyderabad v T.V. Sarma.