Social networking sites have become the preferred mode of sharing and disseminating digital information. Technological advances, with multiple inbuilt features and options, have changed the way we connect, communicate, associate and organise.

However, these new tools of communication impose new challenges to the existing commercial and trade laws. The modus operandi to access digital information and the evidentiary value of this information have put the enforcement and investigating authorities in a fix. Virtual communication and e-commerce transactions have underscored the urgent need for a law to regulate the conduct of parties in the digital space.

Recently, the SEC summoned Elon Musk (Chairman of Tesla Group) for tweeting a misleading and false information about taking Tesla private. In the end, it cost him and Tesla $20 million each and the Chairmanship.

In India, the securities market regulator, SEBI, is grappling with the percolation of unpublished price sensitive information from WhatsApp. The existing law does not empower SEBI to access records of private communications between the users of WhatsApp and other similar websites/apps. Further, the privacy policy of these social networking sites do not permit sharing of information with third parties at any given point of time.

The WhatsApp data is end-to-end “encrypted” and once delivered, they are deleted from the servers. Once an account is deleted using the “in-app delete my account feature” all the data are deleted. Permanent deletion of data will disable SEBI and other regulators to collect evidence and the investigation system will be handicapped.

Seeking the leave of the court to access records is time consuming and, in the meantime permanent deletion or manipulation of digital data will make a court order infructuous. Therefore, the law should provide more teeth to the regulator to access the records of social networking sites. However, in some recent insider trading cases, the regulator did not hesitate in changing the rules of the game. In the Deep Industries case, it was held that persons who are friends on Facebook and liked the photo of each other are connected persons, and in the matter of Palred Technologies Ltd , the regulator deemed persons connected through mutual friends on Facebook as an “insider”. But, giving the regulator a free hand to access private communications will put the privacy of an individual in peril. The Supreme Court in KS Puttaswamy v. Union of India , (2017), has categorically held that right to privacy is an integral part of the right to life, and also delineated the contours of privacy which include physical privacy, informational privacy and decisional autonomy. Any invasion of privacy must pass the three-fold test of: existence of law, legitimate state aim, and proportionality.

The Data Protection Bill, 2018 can provide the regulators the impetus it needs. Section 14 of the Bill permits the regulator to process information if such processing is explicitly mandated under any law or to comply with any judgment or order of the court. Additionally, Section 17 permits the Authority under the Bill to process data in the interest of public or for the prevention and detection of any unlawful activity, including fraud and also the processing of data which is publicly available.

However, the Bill in the draft stage does raise questions. It does not lay down a fair and just procedure for the regulator to access the information and is silent on deletion of the data post investigation.

Additionally, the prior consent of the individual is not required for processing the data, which is against the principles of natural justice. The Bill does not prescribe any time limit for storage of data by the social networking sites for processing by the regulators. In the absence of a definite time limit, the entire investigation will be paralysed for want of evidence.

Additionally, the Bill does not lay down any standard privacy policy to be followed by the data fiduciaries. The Bill also does not address whether the price sensitive information of the company, held by the promoter/director in its fiduciary capacity will constitute “personal data”. The jurisdiction of India to access records from social networking companies situated outside India have also raised questions on the extra-territorial operation of the law.

The servers of all social networking companies are often outside India or in “the cloud” and accessing records in these cases will be a daunting task for the regulator. The law has to prescribe the place and method to store data of these social networking sites having operations in India.

The SEBI (Prohibition of Insider Trading Regulations), 2015 will require changes to curtail the menace of leakage of unpublished price sensitive information in the digital world. Companies must draft a digital Chinese wall policy and a digital code of conduct for the promoters and directors who are privy to unpublished price sensitive information.

Similarly, other sectoral regulators must be provided with powers to access records of social networking sites, if not, the digital platform will be misused to practice unlawful and illegal activities.

The writer is an Advocate practising at the Madras High Court. Kumar Karan assisted the writer for this article

Related Topics