Boss snooped into employee's bank data. Court said: guilty, but...
The ex-employer accessed the employee's bank details to prove he leaked secrets. The court held it was a privacy breach, but couldn't grant relief because the bank wasn't made a party.
Your ex-boss hacked your bank account to prove you leaked company secrets. The court said he was guilty — but then it stopped. The Victim (employee) had won the argument. He had lost the case.
This is the strange, frustrating logic of Amit D Patwardhan v. Rud India Chains — a case that every Indian employee should know, and every employer should fear, for reasons that have nothing to do with the judgment itself.
When the Offender (ex-employer) went looking for proof
The facts are simple. An employee left his job. His former employer suspected he had leaked sensitive business information to a rival company. To prove it, the Offender (ex-employer) accessed the employee's bank account details — without permission.
Not through a court order. Not through a police investigation. The Offender (ex-employer) simply reached into the employee's private financial records, pulled out the data, and used it to build a case against him.
The employee did what any of us would do. He filed a complaint under Section 46 of the Information Technology Act, 2000 (the provision that allows a person to seek compensation for a privacy violation involving electronic data). He argued that his right to privacy, protected under Article 21 of the Constitution (the fundamental right to life and personal liberty, which the Supreme Court has held includes the right to privacy), had been violated.
The Adjudicating Officer's verdict: guilty, but
The Adjudicating Officer — the person appointed under the IT Act to hear such complaints — examined the facts. The Offender (ex-employer) had indeed accessed the bank account without authorisation. The officer determined that this constituted a breach of the employee’s right to privacy. The officer held the Offender (ex-employer) guilty.
So far, so good. The Victim (employee) had won.
But then came the catch.
The officer noted that the Bank Authorities — the institution that held the employee's account and had allowed the Offender (ex-employer) to access it — were not made a party to the proceedings. The Bank Authorities were not summoned. The Bank Authorities did not get a chance to explain what happened, or to be held accountable. And without the Bank Authorities being present, the officer said, no effective relief could be granted.
The Offender (ex-employer) was guilty. But the Victim (employee) got nothing. The Adjudicating Officer's order, a thin sheaf of papers with the faint smell of old ink, stated the employer was guilty — but the relief column was empty.
Why the Bank Authorities had to be in the room
This is the part that trips up most people. If the Offender (ex-employer) is guilty, why can't the court just order the Offender (ex-employer) to pay compensation? Why do the Bank Authorities need to be in the room?
The answer lies in how the law works in practice. The Adjudicating Officer can only grant relief against parties that are before the court. If the Bank Authorities are not a party, the officer cannot order the Bank Authorities to do anything — not to change their security practices, not to compensate the employee, not even to explain how the breach happened. And without the Bank Authorities' involvement, the officer cannot fully assess who was responsible for what.
Think of it this way. If someone breaks into your house through a door that the landlord left unlocked, you can sue the burglar. But if you want the landlord to fix the lock, you need to bring the landlord to court too. The burglar alone cannot give you a secure door.
Here, the Offender (ex-employer) was the burglar. The Bank Authorities were the landlord. And the employee had only sued the burglar.
The trap that catches every victim
This case is a procedural trap that catches many victims of privacy breaches. They focus on the person who directly violated their privacy — the ex-employer, the stalker, the hacker — and forget about the institution that made the breach possible.
If your bank gives your account details to someone without your permission, the bank is not just a victim. It is a participant. It may have been negligent. It may have had weak security. It may have deliberately shared the data. Whatever the reason, the bank must be in court to answer for its role.
The same logic applies to any institution that holds your personal data — hospitals, telecom companies, insurance firms, social media platforms. If your data leaks, the institution that held it is a necessary party (a person or organisation that must be included in the case for the court to grant complete relief). Leave them out, and you may win the argument but lose the remedy.
THE PLAY: When filing a privacy complaint under Section 46 of the IT Act, name every entity that touched your data — the person who accessed it, and the institution that let them.
The warning for employers
For employers, this case is a warning dressed in procedural clothing. The Adjudicating Officer held the Offender (ex-employer) guilty of a privacy breach. That finding stands. The Offender (ex-employer)'s name is now attached to a legal determination that it violated an employee's constitutional right to privacy. That is not a trivial thing.
Even though no compensation was paid, the Offender (ex-employer) has been officially marked as a privacy violator. In future cases, that finding could be used against the Offender (ex-employer). It could affect its reputation. It could affect its ability to defend itself in other lawsuits. And if the employee had included the Bank Authorities as a party, the Offender (ex-employer) might have been ordered to pay substantial damages.
The lesson for employers is equally clear: do not access an employee's personal data without legal authorisation. Even if you suspect wrongdoing, even if you are sure the employee is leaking secrets, you cannot take the law into your own hands. The proper route is a court order, a police complaint, or a properly authorised internal investigation with clear policies and consent.
The case that ended without a remedy
The Adjudicating Officer found the Offender (ex-employer) guilty. The Offender (ex-employer)'s conduct was a breach of privacy. The employee's rights were violated. But because the Bank Authorities were not in the room, the officer could not grant any relief.
The employee walked out with a moral victory and an empty pocket.
That is the strange, frustrating logic of Amit D Patwardhan v. Rud India Chains. It is a case that proves a point and teaches a lesson, but leaves the Victim (employee) exactly where he started — violated, but uncompensated.
The next time your data is breached, remember: the person who took it is not the only one who should be in court. The person who gave it to them should be there too.