In today’s emerging Information Technology landscape, “Data” has become the most precious asset that extends so widely that it encompasses sensitive individual information like likes, dislikes, and even behavioral patterns, and that too intangibly which makes it very fluid. Moreover, the generation of such data is now not only limited to individuals intentionally registering information for some specified purposes but also through the individual social expressions made through digital presence over social media.
The risks erupting out of the above-described sensitivity of data gained public view through the unraveling of the Facebook-Cambridge Analytica Scandal that involved directed political advertising. Through this, one can understand that the probable injuries arising out of such risks might not be directly economical, physical, or imminent, but rather such risks involve invading one’s cognitivism in terms of choices or decisions that directly affect an individual’s behavior. Therefore, the result of any such data breach can squarely be viewed as parallel to invading someone’s right to privacy at its ultimate core.
The definition of privacy as such cannot be encompassed in black and white. However, it has often been understood as a right intrinsic to an individual’s existence.
In furtherance of the Hon’ble Supreme Court of India’s ruling that the Right to Privacy is a fundamental right envisaged under Article 21 of the Constitution of India through Justice KS Puttaswamy (Retd.) v. Union of India (2017), the protection of this right has further gained momentum through the Indian Parliament passing the Digital Personal Data Protection (DPDP) Act, 2023; the objective of which is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
Therefore, the DPDP Act is preventive in nature in terms of immobilizing the unlawful usage of data. Further, the law provides penal provisions in circumstances where the provisions of the DPDP Act have been breached. The determination of such breach in terms of Section 33 contained therein, amongst other matters, includes considering the realization of any gain or avoidance of any loss by such person who has committed the breach.
The DPDP Act assumes to play a corrective role in some sense. But, under such a legislative setup, what is missing is an individual’s recourse to seek compensation against such breach as, importantly, data breaches can also lead to huge adverse impacts upon individuals as well as entities in an economic sense, not only based upon the losses incurred by the victims but also due to the undue profits realized by the wrongdoers.
Accordingly, one of the most efficient ways to enable such remedies to subsidize undue profits, if not losses, is by means of instrumentalizing the Doctrine of Unjust Enrichment, as it does not focus on the plaintiff’s injury, but on the defendant’s gain [Chao, Bernard. “Privacy Losses as Wrongful Gains”. University of Denver Strum College of Law].
The legal maxim encompassing the Doctrine of Unjust Enrichment is Nul ne doit s’enrichir aux depens des autres which means that no one shall enrich themselves at the expense of some other person.
Whereas the dictionary meaning [Black’s Law Dictionary, Eighth Edition (Bryan A. Garner) at page 1573] of “Unjust Enrichment” is a benefit obtained from another, not intended as a gift and not legally justifiable, for which the beneficiary must make restitution or recompense. The Hon’ble Supreme Court of India, while speaking through Hon’ble Justice Mr. Dalveer Bhandari has relied upon the judgment in Schock v. Nash, wherein the definition of Unjust Enrichment has been provided as the unjust retention of a benefit to the loss of another, or the retention of money or property of another against the fundamental principles of justice or equity and good conscience.
The first judicial traces of Unjust Enrichment in India can be found in the Calcutta High Court’s judgment, Rambux Chittangeo v. Modoosoodhun Paul Chowdhry, wherein reliance was placed upon the jurisprudence propounded by Robert Joseph Pothier [Pothier’s Treatise on Obligations, Part I, Chapter I, Section 2], and John Austin [Austin on Jurisprudence, p. 133], with respect to identifying quasi-contracts with implied contracts. However, the Hon’ble High Court of Calcutta, speaking through Peacock, C.J. observed that such ideation was erred and not something that the Indian legal landscape would require the warranting of, and therefore it presented an approach wherein quasi-contracts are classified to be separate from implied contracts.
In furtherance, the codification of the Doctrine of Unjust Enrichment was instrumentalized in the form of the Indian Contract Act, 1872 (“IC Act”) vide Sections 68 – 72, in light of the “quasi-contracts” approach as the legislative scheme of Chapter V is such that it does not focus on the rights, liabilities and obligations that arise through the contract, but rather upon the relationships that exist due to the existence of a contract.
It was apparent that the Indian Jurisprudence intended to develop the Doctrine of Unjust Enrichment where the inclination was towards securing a robust and outward mechanism that developed a unitary concept that did not require a case-to-case based analysis. However, the Hon’ble Supreme Court of India in Nagpur Golden Transport v. Nath Traders passed a decision that did not provide any reasoning as to how the enrichment therein was “unjust” in nature based upon the set mechanics and essentials for invoking Unjust Enrichment. On similar lines, the Hon’ble Supreme Court of India had already passed the ICELA judgment, wherein multiple new facets were accorded to the Unjust Enrichment regime including considering “wrongdoing” as an essential element for unjust enrichment in addition to proposing a pre-suit and post-suit classification, thereby opening up the scope for requisition of case-to-case analysis.
The above adaptations reflect the ever-evolving nature of the Indian jurisprudence aimed at dynamically accommodating the constant changes that occur in all spheres, to enable the delivery of justice in its most appropriate form rather than sticking to a traditional outlook that might often lead to undesired conclusions.
The case-to-case based application of the Doctrine of Unjust Enrichment shall make it increasingly difficult to analyze disputes circling data breaches, considering the fluid nature of data as discussed above, and the enormity of the ways in which data can be alleged to have been processed and utilized to cause Unjust Enrichment.
Moreover, the entire premise of applying Unjust Enrichment in the present scenario is based upon mechanizing the idea of disgorgement by the wrongdoer, which presently is highly contested as the IC Act acknowledges the benefits of a non-gratuitous act but does not clear the air on whether disgorgement is covered under its ambit. Furthermore, in any scenario, the calculation of such disgorgement requires steady mechanisms that are very complex to devise.
However, the above challenges do not disprove Unjust Enrichment as a viable remedy for data victims, as rightly, it is the most viable remedy that is based upon the defendant’s gain, especially in India where the Doctrine of Unjust Enrichment has matured expansively well.
About the authors: Moiz Rafique is the Managing Partner at Privy Legal Service LLP. Abhishek Sadhwani is a Para-legal at the Firm.