Data breach: A Double-Edged Sword Infringing Both, the Right to Privacy and the Right to a Fair Trial

Post the landmark judgement in Dobbs v. Jackson that overturned the famous Roe v. Wade judgement of 1973, legal issues surrounding ‘data breach’ and admissibility of ‘illegally obtained’ evidence arise. This article aims at examining if evidence obtained from leaked data, or data breach should be admissible in criminal proceedings and how it will affect the accused’s rights to a fair trial. To that end, the article will analyse how data breach is violative of the right to privacy, and how, such data breach results in digital information being used as evidence that is obtained illegally.

Right to privacy and data breach  

The right to privacy is well-established in international law. The right to privacy became an international human right before it was established as a human right domestically. The Universal Declaration of Human Rights in Article 12, and the ICCPR vide Article 17 recognize the right to privacy as a fundamental human right.

In July 2012, the Human Rights Council affirmed that the same rights that people have offline must be protected online. This implies that the ‘right to privacy’ applies to digital privacy as well. Digital privacy is the protection of an individual’s information that is used or created while using the internet on a computer or a personal device. This right is violated when a ‘data breach’ occurs.

A data breach is an incident where information is stolen or taken from a system without the knowledge or authorization of the system’s owner. This stealing of digital information may be considered similar to trespassing of physical privacy; thus, ‘data breach’ is a violation of the right to privacy. The issues surrounding the right to privacy in the physical world have penetrated into cyberspace, giving rise to a new range of legal issues.

From the above, it is logical to infer that the information of the netizens must be protected to respect their fundamental right to privacy. However, while people’s digital data need to be protected, data monopolists have used their unchecked access to private personal information to create in-depth profiles.

It’s really hard to understand how our data is being used and where it’s being shared because it could be many third parties, and those third parties can also resell to other third parties. When such data-sharing is rampantly done, there are ample chances of our sensitive information being discovered by the intervention of digital players The underlying risk of such information being passed on to law enforcement agencies also persists.

Right to a fair trial

Criminal proceedings culminate in Court trials. While the victims have the right to get justice, the accused too have certain rights in court proceedings initiated against them, under both domestic and international jurisdictions. One of those rights is the ‘right to a fair trial’.  A ‘fair trial’ is defined as a trial that is conducted fairly, justly, and with procedural regularity by an impartial judge and in which the defendant is afforded his or her rights.

Fair trial rights are recognised by international instruments like the Rome Statute of the ICC. The Rome Statute of the ICC vide Article 64 ensures a trial that is fair and expeditious and conducted with full respect for the rights of the accused.

The Statute also articulates the rights of persons during investigations and stipulates that during an investigation, a person shall not be compelled to incriminate himself or herself or to confess guilt. It can be inferred from this that ‘self-incrimination’ is against the provisions of the Rome Statute. The use of information input by netizens against them would be equal to self-incrimination, hence infringing the rights of the accused at the investigation stage.

Having said that, it is equally true in today’s digitised reality, how cycle trackers collect, retain and at times share some of their user’s data. Such sharing of data, without the consent of the end-user, violates not only the (digital) privacy but also violates the fair trial rights of the accused.

If prosecutors are trying to prosecute anyone, they may subpoena any app on netizens’ smartphones and devices, thereby manifestly compelling such data subjects to (digitally) self-incriminate. This is the threshold of violation of the right to a fair trial.

Impact of digitalisation

Digitalisation has engulfed our lives like never before. The world is just a ‘click’ away, as we can access our bank accounts, watch movies, be an audience to live reports of global occurrences online or cheer for our favourite sportspersons from the comfort of our couch.

Though fascinating, digitalisation is not without ramifications. Problems ensue when our information or ‘data’ is shared with third parties without our consent or knowledge. Besides the harm caused to our personal relationships due to increased online activity leaving little room for personal connections, netizens, who happily surf their lives on the net, are unaware as to where and how their data is used.

Unfortunately, we willingly pass on our sensitive information by signing Privacy Policies and Terms of Conditions, without actually reading them. More often than not, the sensitive information we share on various media platforms remains there. As aptly observed by the Supreme Court of India in the case of Justice K S. Puttaswamy, (page 529, para. 64),

“Any endeavour to remove information from the internet does not result in its absolute obliteration. The footprints remain.”

The ‘footprints’ are the sensitive data we assume are removed after pressing the ‘delete’ tab. However, such data eternally exists in cyberspace. Privacy experts are increasingly concerned about how data collected from various apps could potentially be used to penalise anyone. This is at least true in respect of the data collected from ‘period-tracking’ apps being (mis)used by prosecutors to incriminate women seeking abortions where abortion is criminalised.

Illegally obtained evidence: admissibility issues

As discussed earlier, criminal proceedings result in trials before relevant Courts. In order to facilitate the proceedings, reliance is placed on evidence. Evidence plays a crucial role while deciding on the culpability or innocence of an accused. The manner in which such evidence is obtained is regulated by international instruments.

The Rome Statute vide Article 69 (7) states that evidence obtained by means of a violation of the Statute or internationally recognized human rights shall not be admissible if such violation casts substantial doubt on the reliability of the evidence, or the admission of the evidence would be contrary to, and would seriously damage the integrity of the proceedings.

Article 15, UNCAT provides that statements made consequent to torture shall not be invoked as evidence in any proceedings, except against a person accused of torture. Similar uniform provisions regarding any information availed as a result of a ‘data breach’ and subsequently used as incriminating evidence against the end user is absent. Hence, the evidence obtained from ‘data breach’ poses some legal questions: whether it is authentic, and if authentic, does it trifle with the fairness of the Court proceedings, specifically in regards to the rights of the accused.

The Corfu Channel case was perhaps the first case in which illegally obtained evidence and its admissibility were discussed. In this landmark case, the ICJ rejected the evidence on grounds of “discovery by intervention“, leaving future generations of litigants and lawyers alike, pondering over the consequences for evidence obtained through violations.

Current status of ‘illegally obtained evidence’

Little is said about the admissibility of evidence obtained illegally. Moreover, the treatment of illegally obtained evidence varies from one judicial system to another.

In India, illegally obtained evidence is admissible in the Court if it is ‘relevant’ to the case. In the US, illegally obtained evidence is inadmissible due to the application of the exclusionary principle and doctrine of ‘Fruits of Poisonous Tree’.

In Canada, the Courts have discretionary rule implying that Courts exercise full discretion as to the admissibility of illegally obtained evidence.

In the UK, such evidence is made admissible even if illegally obtained through an unlawful procedure. It is safe to infer from this that there is a lack of regulation concerning the admissibility of illegally obtained evidence.

There has been an existing lack of regulation on the admissibility criteria at the investigation stage and the decisions handed down by the ICC on the admissibility of evidence as is manifest from the Lubanga and Katanga cases. The lack of international guidelines and regulations on the admissibility of illegally obtained evidence will pose serious threats when leaked data will be used to incriminate the accused as it will be violative of the accused’s right to privacy, right to a fair trial, and also question the integrity of court proceedings.

Conclusion

As elucidated above, the right to privacy includes in its ambit, the right to digital privacy as well. When such privacy is perpetrated, it comes with legal repercussions in the face of the threat of unfair trials for the accused, specifically in regard to the illegally obtained evidence used to incriminate the accused.

As there are no universal laws governing the admissibility of illegally obtained evidence, the future of fair trial rights becomes bleak. It would be safe to conclude on the notion that while maintaining the fundamental right to privacy, including digital privacy, more procedural legality is required to guarantee the highest standard of protection of fundamental human rights for the accused. New laws governing evidence collected through data breaches need to be implemented both internationally and domestically.

This article has been submitted by Adv. Dyuti Dholakia.