Introduction
The uncertain lockdown restrictions due to the COVID-19 pandemic, coupled with unfortunate turbulence, affected relationships negatively. Dating applications became widely used, with the search for meaningful relationships moving to the internet. In an article in ‘The Times of India’, it was stated that the second wave of the COVID-19 pandemic in India saw a 20-25% surge in dating app usage.
The filtered preferences and swiping options assist individuals in tailor-making their partners. However, the human tendency of seeing through rose glasses make the red flags, particularly cyber and data security concerns on the Internet, appear merely as flags when the balance tilts towards probable companionship.
Through the means of this article, we will attempt to further the dialogue on the law governing dating apps in three sections: first, the primary concerns raised with regard to dating-app usage; second, the various Indian legal provisions which supplement safety governance on dating apps and third, the effect of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 on dating apps.
I. Privacy Concerns and Dating Apps
To create appealing profiles; dating applications require you to feed in basic information such as your name, age, location and pictures. This personal data supplement prompts, which are used to increase the traction on a profile. Another means to increase visibility is linking one’s social media accounts. This may seem harmless but amounts to implicit consent being granted to the dating application to collect data. This collection is not done for safekeeping purposes, but has notably been shared with third party apps. The transaction’s nature has never been disclosed by the companies. Further, there is no available information as to how long the companies keep one’s data even after a user’s account is deleted or deactivated- which is a flagrant violation of one’s fundamental right to be forgotten.
In November 2020, vulnerabilities in the security mechanisms employed by Bumble were exposed and made the location and user data (including personal information and photographs) collected by the application over a period of six months public. This was a wake-up call for Bumble and led to upgradation in their previous encryption scheme. The half-hearted measure was insufficient as information such as pictures and dating preferences can still be accessed by an attacker.
The lack of end-to-end encryption on popular apps like Bumble, OkCupid and Tinder is a double-edged sword, as the personal information shared becomes imperative to fulfil the match-making function of the application. This information can always backfire and be misused not only by attackers but also by the very companies to whom we blindly provide our personal data.
II. Law governing Dating Apps
At the outset, it should be noted that dating applications have a vigorous privacy policy and redressal mechanism to resolve a user’s immediate concerns. One can report a profile for being fake, the nature of content shared etc. using the in-built features of the application. Some dating apps such as Bumble require a user to submit a selfie of them mimicking the action shown in the picture to confirm whether the user is an actual person or not.
Having said that, this verification process is not fool-proof. There are times where there are colossal violations which require intervention by law enforcement authorities. The applicable provisions in the Indian context are as follows:
i) The Constitution of India
The Supreme Court of India, in its landmark decision of Justice KS Puttaswamy (Retd.) v Union of India, read the ‘right to privacy’ as a part of the wide array of constitutionally-guaranteed fundamental rights under Article 21. This right to privacy under Article 21 of the Constitution includes the ‘right to be forgotten’, as was opined by Justice SK Kaul in the aforementioned judgment.
The following is a relevant extract from the judgment:
“If we were to recognise a similar right, it would only mean that an individual who is no longer desirous of his personal data to be processed or stored, should be able to remove it from the system where the personal data/information is no longer necessary, relevant, or is incorrect and serves no legitimate interest. Such a right cannot be exercised where the information/data is necessary, for exercising the right of freedom of expression and information, for compliance with legal obligations, for the performance of a task carried out in public interest, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims. Such justifications would be valid in all cases of breach of privacy, including breaches of data privacy.”
ii) The Indian Penal Code, 1860
The reading down of Section 66A of the Information Technology Act, 2000 (‘the IT Act’) in Shreya Singhal v Union of India does not absolve an individual from posting or sharing offensive or unwarranted content across IT media. The provisions of the Indian Penal Code, 1860 (‘IPC’) would apply to content shared across these applications.
Section 354 of the IPC is an umbrella provision with respect to assault of criminal force on a woman with an intent to outrage her modesty. Sections 354A, 354C and 354D concern sexual harassment (imprisonment which may extend to 3 years, fine or both), voyeurism (imprisonment between 3-7 years and fine) and stalking (3 years’ imprisonment and fine for first conviction and 5 years’ imprisonment and fine for second conviction). Section 509 further penalizes words, gestures or acts intended to insult the modesty of a woman with imprisonment that may extend to 3 years.
Section 383 read with 384 prescribes imprisonment which may extend to 3 years for extortion. Section 416 read with 419 punishes cheating by personation with the same period of imprisonment. Defamation, however under Section 499 read with 500, is punishable by imprisonment which may extend to 2 years. The same punishment is prescribed for criminal intimation by anonymous source under Section 507 of the IPC.
iii) The Information Technology Act, 2000
The usage of technology and the internet put dating applications under the ambit of the IT Act. As dating applications can only be used by adults, provisions relating to minors shall not be discussed.
Section 66 of the IT Act concerns computer-related offences. Impersonation of another person using a communication device/computer resource for cheating would amount to imprisonment or a fine of INR 1 lakh under Section 66D. Section 66E also prescribes imprisonment or a fine of upto INR 2 lakh for non-consensual capturing, publishing or transmitting images of one’s bodily private parts. Both sections attract imprisonment which may extend to 3 years.
Section 67 of the IT Act, read with Section 67A and Section 67B form a complete code on obscenity over the Internet, as was held by the Hon’ble Apex Court in Sharat Babu Digumarti v Government (NCT of Delhi). Section 67 states that the publishing or transmission of obscene material in electronic form would be punishable in both first conviction (imprisonment for 3 years and a fine of INR 5 lakh) as well as second conviction (imprisonment of 5 years and fine of INR 10 lakh). Section 67A follows a similar mode of punishment for the publishing or transmission of sexually explicit content in electronic form, with a uniform fine of INR 10 lakh but 5 years’ imprisonment upon the first conviction and 7 years upon the second.
iv) Personal Data Protection Bill, 2019
Dating applications have been complying with the provisions of the General Data Protection Regulation (‘GDPR’)- the European Union’s data protection legislation since 2018. The intention of the legislation is to ensure that one’s personal data is neither collected nor utilized without the user’s consent. It appears that this this compliance was a mere formality, as Tinder and Grindr were both subject to a probe for non-compliance with the GDPR in 2020.
India, at the moment, does not have an official legislation governing usage of personal data. The closest we have come to the same is the Personal Data Protection Bill, 2019 (‘PDP Bill’). Under the PDP Bill, Chapter II places certain obligations upon a data fiduciary (entity collecting a user’s data), the most notable being limitations placed under Clauses 5 and 6 on the purposes of processing and collection of personal data, respectively. Clause 9 further places a restriction on the retention of personal data, and Clause 11 mandates the consent of a data principal prior to processing the personal data.
Chapter V of the PDP Bill grants rights to data principals (persons whose data is collected), such as the rich to be forgotten and the right to correction and erasure of data. The mandatory data localization requirements under Chapter VII of the PDP Bill are a saving grace, as the personal data collected cannot be transferred outside Indian territory. However, as the PDP Bill is yet to become a law, this discussion remains purely academic till such time it gains proper legislative status.
III. ‘Significant’ Other- IT Intermediary Guidelines, 2021
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (‘IT Rules 2021’) were notified by the Ministry of Electronics and Information Technology in February 2021. The IT Rules 2021 regulate intermediaries and prescribe their functioning mechanism.
Rule 2(w) of the IT Rules 2021 define a ‘social media intermediary’ as one which ‘primarily or solely enable online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services’, whereas Rule 2(v) of the same declare a ‘significant social media intermediary’ to be a social media intermediary where the registered users in India exceed the threshold determined by the Central Government. The number is currently fixed at 50 lakh users. With the expected usage of online dating applications in the Indian market to be 3.2% by 2023, we are looking at a future wherein a dating application would become a significant social media intermediary under the IT Rules 2021. Thus, a higher standard of scrutiny ought to be exercised.
Rule 3 of the IT Rules do address some concerns which a user of a dating app could have, such as the mandate of storing data for a period of 180 days after the cancellation or withdrawal of registration. However, Rule 3 is silent on the anomaly of a user merely deleting the application but not the user account. The due diligence requirements and intimation of a privacy policy routinely are a welcome change.
Post the intimation of the IT Rules 2021, intermediaries such as Whatsapp sought judicial intervention before the Delhi High Court. The writ petition was filed on the same ground as was voiced by several activists and scholars- the IT Rules 2021 have the potential to breach the end-to-end encryption offered by these services. Rule 4(2) of the IT Rules 2021 request the information of the first originator of a message as required, if the significant social media intermediary primarily provides messaging services.
Applying the concern to dating apps, a user would be left in a lose-lose situation. The lack of end-to-end encryption removes the roadblock the authorities would have had to face, and can easily acquire information of the first originator of messages on a dating app. How is one expected to exercise caution when they’re trying to fall in love?
IV. Conclusion
The question one would raise at the end is one which is omnipresent in tech circles- how does one ensure easy, effective provision of a service on a technological development without violating one’s rights? Higher penalties, a more user-friendly privacy policy and a ban on intentional mismanagement of data are the most obvious choices before a company but have surprisingly not been implemented. It is in such situations that a reading of the IT Rules with the PDP Bill (hopefully soon, the PDP Act) would be necessary to create an equitable Indian version of the GDPR.
The half-baked faith that a user puts into the hands of a company, to seek companionship, should not be exploited. The legal provisions before us only address the problems after they have occurred. Pre-emptive measures can only be applied after the enactment of the PDP Bill as an act. For now, the IT Rules offer respite to the extent that they do not violate a user’s fundamental right to privacy. Thus, it is imperative to ensure proper compliance with what we have to help individuals find their ‘happily ever after’.
(This post has been authored by Anahida Bhardwaj , a Law Researcher for HMJ Navin Chawla at the High Court of Delhi.)