PIZZA WITH A SIDE OF DATA THEFT

July 13, 2021
cyber crime

By Lucy Rana and Rima Majumdar

In this digital day and age, data and information may be considered as the newest form of wealth. Perhaps that is why there isn’t a shortage of criminal activity surrounding data theft and infringement of one’s privacy!

One such interesting case in the context of data theft was the Criminal Writ filed by Jubilant Food Works Limited (“Jubilant”) before the Delhi High Court. Jubilant operates the famous Dominos Pizza outlets in India. In the case titled Jubilant Food Works Limited vs. Union Of India, the Petitioner filed the writ petition seeking a Writ of Mandamus directing the Ministry of Electronics and Information Technology and the Department of Communications, Ministry of Communications to direct and notify intermediaries such as telecom service providers, internet service providers, search engines, etc. to immediately remove or disable access to the uniform resource locator(s) (URLs) created by one or more unknown persons/hackers to illegally share the data of thousands of customers of the petitioner on the internet.

BRIEF FACTS OF THE CASE

It is the case of the Petitioner that certain unknown hackers have illegally accessed its confidential user/customer data, and have hosted it on the URLs without consent, thus invading the privacy of the Petitioner’s customers and committing the offence of data theft.

The Petitioner further claimed that the hackers had also attempted to intimidate and extort a ransom from the Petitioner, and that such an action is an offence under Section 43sub-clause (a) ‘access data without permission’ and Section 43 sub-clause (b) ‘download, copy or extract data without permission’ as well as Section 66 which provides for computer related offences under the Information Technology Act, 2000. Furthermore, these said offences are also criminally punishable under sections 384/506/34 of the India Penal Code (IPC).

ARGUMENTS ON BEHALF OF THE PETITIONER

The Petitioner argued that the Ministry of Electronics and Information Technology / MeitY (Respondent no. 1) and the Department of Communications (Respondent no. 2) being the appropriate government authority under the IT Act for internet based communication, are duty-bound to immediately notify the intermediaries and issue directions to remove or disable access to the URLs, as part of their statutory obligation under section 79 (3)(b) of the IT Act read with Rule 3 (1) (d) of the 2021 Rules.
That in view of the judgment passed by the Delhi High Court in the case titled as X vs Union of India in W.P. (Crl) 1082/2020 decided on 20 April 2021, Petitioner was also seeking issuance of directions to the DCP Cyber Crime Cell and the SHO, Cyber Crimes Cell, South East District – Delhi, Police Station – Chittaranjan Park (Respondent No. 3), to take steps to:

(a) immediately remove/disable access to the impugned URLs; and
(b) obtain all information and associated records, including all unique identifiers relating to the URLs, from the concerned intermediaries, under Rule 3 (1) (j) of the 2021 Rules, for the purposes of prevention, detection, investigation and prosecution of offences committed by the hackers under the IT Act.

That due to the inaction of the Respondents, the hackers merrily continue to re-post, re-direct and re-publish the sensitive data of the Petitioner’s customers from one URL to another, thereby resulting in a severe breach/compromise of personal data of thousands of Petitioner’s customers.

The Petitioner also became aware that the hackers had posted an advertisement on one of the URLs with an offer to sell the illegally obtained data of the Petitioner’s customers. Therefore, if the URLs are not immediately removed or disabled, the hackers would continue to further compromise the data of the Petitioner’s customers on the internet, thus invading their privacy.

DIRECTIONS PASSED BY THE COURT

In cases such as the present one, a dynamic injunction has been an appropriate way of tackling the issue of digital piracy in India. To explain it, take the example of the arcade game Whac-a-Mole, where the player is given a hammer and asked to hit the toy moles which appear at random, and send them back into their holes. This is exactly how infringers operating websites with fraudulent or pirated content function; the moment one website is disabled, another takes its place. Since it is not possible for the aggrieved person to approach the court with a new suit, each time a mirror website pops up, dynamic injunctions allow the Plaintiff to cover these mirror websites without obtaining a fresh injunction order.

Presently, in several cases concerning digital piracy or online scams and data theft, the Department of Telecommunications (DoT) and the Ministry of Electronic and Information Technology (MeitY) have been made parties, with the relief sought from them being limited to blocking access to the rogue websites, as and when the Plaintiff becomes aware of the same and provides the information regarding the same to these Government bodies.

In the Jubilant Foods case as well, the counsel for the Union of India (representing the DoT and MeitY) made a submission to the Hon’ble Court that the URLs supplied to them have already been blocked and they shall continue to take proactive steps as and when the complaints shall be filed by the Petitioner before them.

Finally, the Petitioner was granted liberty to make written communication to the investigating officer for removal/access disablement of the same or similar offending content appearing, including URLs on any other website/online platform or search engine(s), whether in the same or in a different context; and the investigating officer is to notify such website/online platform or search engine(s) to comply with such request, immediately and in any event within 72 hours of receiving such written communication from the Petitioner.
With these observations, the Single Bench comprising of Justice Yogesh Khanna disposed of the petition.

Related Posts

Protection of Personal Information & Sensitive personal data or information in India

Player’s Control over Sports Performance Data

DATA-PRIVACY PROTECTION AMIDST COVID-19 – RECENT UPDATES FOR THE EMPLOYMENT SECTOR

For more information please contact us at : info@ssrana.com