This piece has been authored by Sukanya Nema and Ashay Maske, Dharmashastra National Law University, Jabalpur
Abstract
Recently, the Delhi High Court heard a suit by Tata Sky against the professional social media giant LinkedIn, seeking a permanent injunction restraining defendants other than LinkedIn from using the “TATA SKY” trademark. Through the order, LinkedIn was directed to disclose the details of its grievance officer. In light of this, it becomes pertinent to study the Indian legal framework and its evolution in line with the GDPR norm with respect to the Grievance Officer: the appointment, the role and responsibility, and the adjudication of a query.
Keywords: Grievance redressal, Corporate Offices, Data, Information Technology, Employees
Understanding the Legal Framework:
The Information Technology Act, 2000[1] (hereinafter ‘IT Act’) was passed to provide “legal recognition for transactions conducted through electronic data interchange and other means of electronic communication.” It establishes civil and criminal culpability under Chapters IX and XI, respectively. Section 43 of Chapter IX of the Act addresses penalties and compensation for unauthorized access to or damage to a computer, computer system, or network.
For such a breach, an Adjudicating Officer is obligated to conduct an inquiry to determine if a person has violated the law, making him responsible for paying compensation under the Act. Appeals against the adjudicating officer’s decision must be made to the Cyber Appellate Tribunal. If the compensation value demanded under Chapter IX of the IT Act exceeds 5 crores, the matter would be decided by a competent court. This compensation claim is subject to the compensation caps outlined in different provisions of Chapter IX.
Rule 5(9)[2] of the Information Technology Rules, 2011 (hereinafter the IT Rules, 2011) established the need for appointment of the grievance officer, stating:
“Body corporate shall address any discrepancies and grievances of their provider of the information with respect to the processing of information in a time-bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances or provide information expeditiously but within one month from the date of receipt of the grievance.”[3]
Thereafter, to keep up with advancements, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (hereinafter IT Rules 2021) were notified. Social media companies were required to appoint India-based Grievance Redressal Officers, Compliance Officers, and Nodal Officers so that users of social media who have a grievance have recourse for its redressal.
Grievance officer requirement for entities
The Explanation to Section 43A of the IT Act, 2000[4] defines a “body corporate” as any company, and includes a firm, sole proprietorship, or other association of individuals engaged in commercial or professional activities. Thus, there is no limit on the number of personnel employed by the body corporate or the number of people to whom the body corporate is providing its services.
Rule 2(1)(i) of the IT Rules 2011 defined “Personal Information”, which means “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such a person”. The key element here is the identification of a person through any information; therefore, if any information, direct or indirect, traces back to a specific natural person and such information is not destroyed in compliance with the IT Rules, it will be Personal Information. Further, Rule 3 of the IT Rules, 2011[5] talks about “Sensitive personal data” or information, which amongst other things includes any detail provided to the body corporate for providing service and any information received by the body corporate for processing, storing, or processing under lawful contract or otherwise. Thus, the data provided by the employees to the body corporate shall fall under the category of sensitive personal data, including biometrics, face recognition, passwords, etc.
For such information, under Rule 4, the body corporate was responsible for providing a policy for privacy and disclosure of information. Rule 5(9) of the IT Rules 2011 mandates that a body corporate shall address any discrepancies and grievances of their provider of the information with respect to the processing of the information in a time-bound manner. For this, the body corporate shall designate a Grievance Officer and publish their name and contact details on its website.[6] Rule 11(3) of the IT Intermediary Rules, 2021 provides that the Grievance Officer shall (a) serve as the point of contact for any grievance relating to the Code of Ethics; and (b) serve as the node of contact for interactions with the complainant, the self-regulating body, and the Ministry.[7] The qualification to become a Grievance Officer is that such a person is required to be an employee of the body corporate if the body corporate is engaged in the business of social media.[8] In the case of other body corporates functioning as a firm, private entity, or business, such an entity is required to designate a grievance officer as per the IT Rules, 2011 irrespective of the strength of the body corporate.
Article 37 of the General Data Protection Regulation lists when it is mandatory to appoint a grievance officer, namely when:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
- The core activities of the controller or the processor consist of processing operations which, by their nature, their scope, and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
- The core activities of the controller or the processor consist of processing a large-scale special category of data.
- The organization employs more than a certain number of individuals in the jurisdiction.
Section 3(1) of the IT Rules 2021 lists the due diligence obligations to be met by the intermediary, which includes an intermediary, a significant social media intermediary, and an online gaming intermediary. Section 3(2), which lists an intermediary’s obligation to publish the Details of the Grievance Mechanism, also mentions that
“The intermediary shall prominently publish on its website, mobile-based application, or both, as the case may be, the name of the Grievance Officer and his contact details as well as the mechanism by which a user or a victim may make a complaint against violation of the provisions of this rule or [sub-rules (11) to (13) of rule 4, or in respect of] any other matters pertaining to the computer resources made available by it”.
Qualification criteria
Though the qualifications of the grievance officer are not listed, Rule 5(9) of the Information Technology Rules, 2011[9] lays down that the person appointed as the Grievance Officer shall be a resident of India[10]. The IT Rules 2021, under Section 11, modify the same and provide that the person must be based in India. Indian law does not specify any requirements other than this.
Roles and responsibilities
The Grievance Officer is responsible for addressing data subjects' grievances related to Sensitive Personal Data or Information (SPDI). Sensitive data would include passwords, financial information such as bank accounts, credit cards, debit cards, etc., physical and mental health details, sexual orientation, medical records, biometric information, and any other detail provided to the body corporate for providing service that is not information which is freely accessible and/or can be accessed through the Right to Information Act, 2005[11].
The Grievance Officer must also ensure that grievances are addressed on time. The Grievance Officer’s role is similar to that of the Data Protection Officer (DPO) under the EU’s General Data Protection Regulation (Regulation (EU) 2016/679)[12], but unlike the DPO, a Grievance Officer is not responsible for cooperating with a supervisory authority or ensuring compliance. Their job is to ensure the grievances received by them are addressed on time.
Resolution procedure
Under the IT Rules 2011, the information provider, who would also be the accused, will have to generate a receipt as specified by the body corporate and submit the same to the Grievance Officer. The Grievance Officer, under Rule 5(9), will have to redress the grievance of the provider of information within one month of the date of receipt. The further grievance redressal process was to be determined by the body corporate itself. The body corporate shall be responsible for setting up a grievance redressal mechanism to identify and publish information about the grievance officer, set up complaint filing and escalation processes, and provide timelines[13].
To decide whether any person or body corporate has contravened the law in a way that makes him liable to pay compensation under the Act, an inquiry would have to be held by an adjudicating officer. Appeals against the decision of the adjudicating officer would lie before the Cyber Appellate Tribunal. If the compensation value claimed under Chapter IX of the IT Act was more than 5 crore, a competent court would decide the matter. This compensation claim was subject to the caps on compensation provided under individual sections of Chapter IX.
As per the IT Rules 2021, the Grievance Officer has to acknowledge the complaint within 24 hours and dispose of the same within 15 days[14]. Further, the social media intermediary has to appoint a Chief Compliance Officer, key managerial personnel, who shall be responsible for ensuring compliance with the Act and the rules made thereunder.[15] An appeal against the decision of the Grievance Officer is to be made to the Grievance Appellate Committee within 30 days of receipt of communication from the Grievance Officer.
Conclusion
The Grievance Officer is the first person to deal with a breach of privacy, and thus the person who implements the idea of privacy at the grassroots level. Time and again the law has been modified to suit the needs of the hour. The need to notify and be aware of the grievance officer is critical because he is the first person to approach in the event of a user’s privacy breach. In the case of Tata Play Ltd. v. LinkedIn Corporation, while considering the plea of permanent injunction to prevent LinkedIn users from using the trademark ‘TATA SKY’ on their platform, the observation of Justice Singh[16] that the details of the Grievance Officers, including their physical and email addresses, shall be published on the LinkedIn website is valid and squarely covers the idea of spreading awareness about the Grievance Officer to every user of the platform.
[1] Information Technology Act, 2000, §43A, No. 21, Acts of Parliament (India) 2000.
[2] Information Technology (Reasonable Security practices and procedures and sensitive personal data or information) Rules, 2011 (India).
[3] Information Technology (Reasonable Security practices and procedures and sensitive personal data or information) Rules, 2011, § 5(5), 2011 (India).
[4] Information Technology Act, 2000, §43A, No. 21, Acts of Parliament (India) 2000.
[5] Information Technology (Reasonable Security practices and procedures and sensitive personal data or information) Rules, 2011, § 5(5), 2011 (India).
[6] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, Rule 4
[7] IT Intermediary Rules, 2021 updated on 28.10.2022.pdf (meity.gov.in), Rule 11(3)
[8] IT Intermediary Rules, 2021 updated on 28.10.2022.pdf (meity.gov.in), Rule 4
[9] Information Technology (Reasonable Security practices and procedures and sensitive personal data or information) Rules, 2011 (India).
[10] Brief Information Note on India’s Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, https://static.pib.gov.in/WriteReadData/specificdocs/documents/2021/jun/doc202162411.pdf.
[11] Information Technology (Reasonable Security practices and procedures and sensitive personal data or information) Rules, 2011, §3, 2011 (India).
[12] EU’s General Data Protection Regulation, Article 37, (Regulation (EU) 2016/679).
[13] ISO IS 17428, https://egazette.nic.in/WriteReadData/2020/223869.pdf (accessed on 21-06-2023, 05:05 PM).
[14] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, § 3(2), 2021.
[15] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, §4, 2021.
[16] Tata Play Ltd. v. LinkedIn Corporation, 2023 SCC OnLine Del 3924; ‘Publish details of grievance officers on website for public access’; Delhi HC directs LinkedIn, SCC Blog (scconline.com).