You are on page 1of 38

1st ANAND SWAROOP GUPTA MEMORIAL NATIONAL

MOOT COURT COMPETITION, 2016


BEFORE THE HONORABLE HIGH COURT OF
DINOGRO
CIVIL APPELLATE JURISDICTION
PETITION (C) NO.OF 2016
IN MATTER OF,
SECTIONM.43A,72A OF INFORMATION TECHNOLOGY ACT 2000.
ARTICLE 14,15 19, 21, OF CONSTITUTION OF INDIA,1949
THE INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES
AND SENSITIVE DATA OR INFORMATION RULES,2011)

APPELLANT RESPONDENT
1. Mr. D C HAJELA THE GREAT RIVER
UNIVERSITY
2. Mr. P T PANCHOLA V.

BEFORE SUBMISSION TO THE HONOURABLE HIGH


COURT OF DINOGRO

MEMORANDUM ON BEHALF OF THE APPELLANT


TABLE OF CONTENTS

Index of Authorities...II

Index of AbbreviationsVI
Statement of Jurisdiction....................................................................................VII
Statement of Facts..............................................................................................VIII
Issues to deal with..................................................................................................10
SUMMARY OF ARGUMENTS...........................................................................11
Arguments advanced.............................................................................................15
Prayer.....................................................................................................................37
Bibliography..
INDEX OF AUTHORITIES

STATUTES

1. Information Technology Act,2000


2. The Information Technology(Reasonable Security Practices And
Procedures And Sensitive Personal Data Or Information) Rules,
2011
3. The Constitution of India, 1949
4. Code Of Civil Procedure,1908
5. Data Protection Act, 1998(UK)
6. Universal Declaration Of Universal Rights,1948
7. The Personal Data(Protection) Bill,2013
8. International Covenant On Civil And Political Rights,1966

CASE LAWS
1.

REPORTS

Books

BLACK S LAW DICTIONARY.


o
V.N. SHUKLAS CONSTITUTION OF INDIA 12TH EDITION
o
HALSBURYS LAWS OF ENGLAND
o
GANGULYS Commentaries ON CIVIL PROCEDURAL LAW
o
TH
12 EDITION
o INFORMATION TECHNOLOGY: LAW & PRATICE BY VAKUL
SHARMA

ONLINE RESOURCES

http://supremecourtofindia.nic.in
http://www.manupatrafast.com
INDEX OF ABBREVIATIONS
s : Section

: Paragraph

: Paragraphs

SPDI : Sensitive personal data or

Information.

A.C. : Appellate Cases

AIR : All India Reporter

Anr. : Another

Bom. : Bombay

K.B. : Kings Bench

Mad. : Madras

N. : Note

Ors. : Other

SC : Supreme Court

SCC : Supreme Court Cases

Sd/- : Signed

Supp. : Supplementary

U.S. : United States

U.T. : Union Territory

V. : Versus
STATEMENT OF JURISDICTION
The appellant humbly submits this memorandum for appeal filed before this

Honourable Court, Under S.96 Read with Order 41, R.27 of Code of civil

procedure1908.

It sets forth the facts and the laws on which the claims are based.

STATEMENT OF FACTS

1
The Great River University, a State Private University was established in the
year 2000. The university boasts of high quality infrastructure. It also provides,
to its students, uninterrupted, broadband internet connection over the campus
wide WiFi, free of charge. Every year, the university admits students to various
undergraduate and post graduate programs from the diverse sections of the
society.

During the time of admission, the university gathers students data for
administrative purposes and stores them in digital form. The data includes
personal details, past academic performance, income of parents, demographic
information, students registration / fee details, semester wise course marks /
grades details, extracurricular activities etc.

3
The university periodically updates various examination schedules, seating
arrangements, results including entrance and semester end marks / grades,
admission lists, unfair means / punitive actions etc on its website. The
information displayed on the website is accessible to all the students across the
university.
4

On 15th January 2015, the university published a stream wise comparative


analysis of performance of its engineering undergraduate students on its
website. The analysis showed the comparison of marks / grades obtained by
students with demographic and gender indicators along with their economic and
social data. It showed certain minority communities of students doing poorly in
passing the undergraduate engineering degree with those of majority community
students.
5
In a separate analysis of internet usage in the campus, charts, graphs and
statistical data showed students belonging to certain minority communities and
students from rural background not utilizing freeoncampusWiFiinternet for the
intended purposes. It depicted them veering out to popular social media web
sites and other illicit sites most of the time and visiting and downloading less
relevant educational contents.
6

One of the students named Roop Singh Hajelas father Mr. D.C. Hajela lodged a
complaint via email to the university authorities alleging violation of privacy of
his son by depicting his educational performance in a poor light, thereby
making him face ridicule amongst his class fellows and academia of the
University. The email further demanded a written apology from the university
and immediate removal of the comparative analytical data displayed on the
university website. The university authorities replied back, stating that they had
merely depicted a comparative statistical analysis in general without naming
any student in particular and refused to apologize.

7
Another girl student named Songam Thyangmu Pancholas elder brother Mr.
P.T. Panchola from Ladakh, also complained to the university authorities that
his sisters identity was revealed in poor light in the above mentioned data
analysis. As a consequence, she has gone into depression and is undergoing
psychological counseling and medical treatment. He demanded an unqualified
apology and immediate removal of the data from website. He further claimed
monetary compensation against mental harassment and depression related
medical treatment.

8
The authorities refused to entertain Mr. Pancholas complaint citing such
statistical analysis to be complying with the policies of the university and stated
that the display to be in harmony with administrative guidelines.

The university refused to remove the data displayed on the website. This
resulted in the continuous harassment of the minority community students. The
students being upset with the decision of the university sat on strike in the
campus which was led by Roop Singh.

9
The university authorized the proctorial board to conduct an inquiry into the
reason behind the strike and submit a report. The proctorial board conducted an
enquiry based on principles of natural justice. The proctorial board found that
Roop Singh Hajela was guilty for involvement in promoting enmity between
different groups on grounds of religion and recommended his expulsion from
the university. Roop Singh was expelled from the university. Unable to
withstand the defamation that he and his family suffered, he attempted to
commit suicide.

10
First stage of Petition

Mr. D.C. Hajela on behalf of his son Roop Singh Hajela filed a petition to the
district Court located at Sher Garh (Dinogro State Capital). The magistrate
dismissed Mr. Hajelas petition against The Great River University due to lack
of evidence and also held that the enquiry conducted by the university was fair
and just.

Appeal to High Court

Mr. Hajela appealed to Dinogro State High Court located at Bahadur Nagar
citing violation of his son Roop Singh Hajela privacy by depicting his
educational performance in a negative manner along with defamation and harm
to his physical health.

Mr. PT Panchola, brother of Songam Thyangmu petitioned Dinogro State High


Court in a similar petition alleging that his sister was singled out in the said
statistical analysis. It had revealed her identity in an indirect manner as she
belonged to a backward tribal hill area minority community from a difficult
demographic state.

Her privacy was violated by the university website analysis and showed her in
negative colour by putting her in a category not interested in studies and
ventures on online social media sites more as per data revealed by website
analysis.

She got ostracized by her peers, fellow students and academia due to unsuitable
non sensitive generalized of analysis making a stereotype out of her. Being
singled out due to her unique identity revealed she had to face consequence by
undergoing a severe depression and medical conditions.

Both the complainants cited the Ethical Legal and Privacy violations of their
wards by the university in revealing the students identities in a negative manner
causing them mental agony and suffering, social ostracization and consequent
depression. They further wanted the High Court to direct the university
authorities to immediately remove the said statistics from their website which
was still being displayed, apologize and compensate for the mental and
physical agony their wards are undergoing.
ISSUES TO DEAL WITH

Following Issues have been framed by Honourable Bench in


the Appeal filed by Mr. DC HAJELA and ors.

1. The Information / Data published on college website is it


SPDI?

2. Whether publication of comparative analysis of marks of


students on certain classification (i. e, Gender, Demography,
Socio-economic distinction) & analysis of internet data usage
of such students leads to negligence in implementing &
maintaining reasonable security practices for such data
protection on the part of University authorities?

3. Does issue 2nd invokes right to privacy of the student as per


IT Act 2000 and violation of his fundamental right under
Art.14, Art.15 & Art.21 of Constitution of India, 1949
respectively?

4. Whether the finding of Proctorial board was fair & Justified


to expel R S HAJELA from University?
SUMMARY OF ARGUMENTS

1. The Information / Data published on college website is it


SPDI?

2. Whether publication of comparative analysis of marks of


students on certain classification (i.e, Gender, Demography,
Socio-economic distinction) & analysis of internet data usage
of such students leads to negligence in implementing &
maintaining reasonable security practices for such data
protection on the part of University authorities?

3. Does issue 2nd invokes right to privacy of the student as per


IT Act 2000 and violation of his fundamental right under
Art.14, Art.15 & Art.21 of Constitution of India, 1949
respectively.

4. Whether the finding of Proctorial board was fair & justified


to expel R S HAJELA from University?
ARGUMENTS ADVANCED

1. The Information / Data published on college website is


it SPDI?

Blacks Laws Dictionary, Privacy is defined as the right determines the non
intervention of secret surveillance and the protection of individuals
information. It is split into four categories i.e,
i) Physical: An imposition whereby another individual is restricted from
experiencing an individual on a situation,
ii) Decisional: The imposition of a restriction that is exclusive to an entity,
iii) Informational: The prevention of searching unknown information and
iv) Dispositional: The prevention of attempts made to get to know the state of
an individual.

In R v Edward, Justice Cory (CANADA SC JUDGE) defined Privacy as the


state or condition of being alone or undisturbed right; freedom from
intervention or intrusion.
An important aspect of privacy is the ability to exclude others from the
premises. The right to be free from intrusion or interference is a key element of
privacy.

LAW IN INDIA
There is no specific legislation on privacy and data protection in India.
However, the Information Technology Act, 2000 (the Act) contains specific
provisions intended to protect electronic data (including non-electronic records
or information that have been, are currently or are intended to be processed
electronically).

Indias IT Ministry adopted the Information Technology (Reasonable Security


Practices and Procedures and Sensitive Personal Data or Information) Rules
(Privacy Rules). The Privacy Rules, which took effect in 2011, require
corporate entities collecting, processing and storing personal data, including
sensitive personal information to comply with certain procedures. It
distinguishes both personal information and sensitive personal information,
as defined below.

In August 2011, Indias Ministry of Communications and Information issued a


Press Note Technology (Clarification on the Privacy Rules), which provided
that any Indian outsourcing service provider/organisation providing services
relating to collection, storage, dealing or handling of sensitive personal
information or personal information under contractual obligation with any legal
entity located within or outside India is not subject to collection and disclosure
of information requirements, including the consent requirements discussed
below, provided that they do not have direct contact with the data subjects
(providers of information) when providing their services

DEFINITIONS
Definition of personal data
The Privacy Rules define the term personal information as any
information that relates to a natural person, which either directly or
indirectly, in combination with other information that is available or likely
to be available to a corporate entity, is capable of identifying such
person.

PROCESSING OF PERSONAL DATA

Processing of personal data is defined in Art. 2(b) as Any


operation or set of operations which is performed upon personal
data whether or not by automatic means such as collection ,
recording, organisation, storage, adaptation or alteration ,
retrieval , consultation , use , disclosure by transmission
,dissemination or otherwise making available , alignment or
combination , blocking , erasure or destruction.

Definition of sensitive personal data


The Privacy Rules define sensitive personal data or information to include the
following information relating to:

password

financial information eg bank account/credit or debit card or other


payment instrument details

physical, physiological and mental health condition

sexual orientation

medical records and history


biometric information

any detail relating to the above clauses as provided to a corporate entity


for providing services, and

any of the information received under the above clauses for storing or
processing under lawful contract or otherwise.

Biometrics means the technologies that measure and analyse human body
characteristics, such as fingerprints, eye retinas and irises, voice patterns,
facial patterns, hand measurements and DNA for authentication purposes.

However, any information that is freely available in the public


domain is exempt from the above definition.

NATIONAL DATA PROTECTION AUTHORITY


No such authority exists.

REGISTRATION
No requirements.

DATA PROTECTION OFFICERS


Every corporate entity collecting sensitive personal information must appoint a
Grievance Officer to address complaints relating to the processing of such
information, and to respond to data subject access and correction requests in an
expeditious manner but within one month from the date of receipt of grievance.

There is no specific requirement that the data protection officer must be a


citizen of or resident of India, nor are they any specific enforcement
actions or penalties associated with not appointing a data protection
officer correctly. However, appointment of a data protection officer is part
of the statutory due diligence process and it is thus imperative that such
an officer should be appointed.

2. Whether publication of comparative analysis of marks of


students on certain classification (i.e, Gender,
Demography, Socio-economic distinction) & analysis of
internet data usage of such students leads to negligence in
implementing & maintaining reasonable security
practices for such data protection on the part of
University authorities?

COLLECTION & PROCESSING

Under the Act, if a corporate entity that possesses, manages or handles any
sensitive personal information in a computer resource that it owns, controls
or operates, is negligent in implementing and maintaining compliance with
the Privacy Rules, and its negligence causes wrongful loss or wrongful gain
to any person, the corporate entity shall be liable for damages to the
person(s) affected.

The Privacy Rules state that any corporate entity or any person acting on its
behalf, which is collecting sensitive personal information, must obtain
written consent (through letter, email or fax) from the providers of that
information. However, the August 2011 Press Note issued by the IT
Ministry clarifies that consent may be given by any mode of electronic
communication.
The Privacy Rules also mandate that any corporate entity (or any person, who
on behalf of such entity) collects, receives, possess, stores, deals or handles
information, shall provide a privacy policy that discloses its practices regarding
the handling and disclosure of personal information including sensitive
personal information and ensure that the policy is available for view, including
on the website of the corporate entity (or the person acting on its behalf).
Specifically, the corporate entity must ensure that the person to whom the
information relates is notified of the following at the time of collection of
sensitive personal information or other personal information:

the fact that the information is being collected

the purpose for which the information is being collected

the intended recipients of the information, and

the name and address of the agency that is collecting the


information and the agency that will retain the information.

Further, sensitive personal information may only be collected for a lawful


purpose connected with a function or purpose of the corporate entity and only
if such collection is considered necessary for that purpose. The corporate entity
must also ensure that it does not retain the sensitive personal information for
longer than it is required, and should also ensure that the same is being used for
the purpose for which it was collected.

A corporate entity or any person acting on its behalf is obligated to enable the
providers of information to review the information they had so provided and
also to ensure that any personal information or sensitive personal information
that is found to be inaccurate or deficient is corrected upon request. Further, the
provider of information has to be provided a right to opt out (ie he/she will be
able to withdraw his/her consent) even after consent has been provided.
However, the corporate entity will not be held responsible for the authenticity
of the personal information or sensitive personal information given by the
provider of information to such corporate entity or any other person acting on
its behalf.

TRANSFER
The data collector must obtain the consent of the provider of the information
for any transfer of sensitive personal information to any other corporate entity
or person in India, or in any other country that ensures the same level of data
protection as provided for under the Privacy Rules. However, consent is not
necessary for the transfer, if it is required for the performance of a lawful
contract between the corporate entity (or any person acting on its behalf) and
the provider of information or as otherwise specified in the Act.

A corporate entity may not transfer any sensitive personal information to


another person or entity that does not maintain the same level of data protection
as required in the Act.

The contract regulating the data transfer should contain adequate indemnity
provisions for a third party breach, should clearly specify the end purposes of
the data processing (including who has access to such data) and should specify
a mode of transfer that is adequately secured and safe.

Further, under the Act, it is an offence for any person who has pursuant to a
contract gained access to any material containing personal information to
disclose that information without the consent of the person concerned, and
with the intent to cause or knowing that he is likely to cause wrongful loss or
wrongful gain.

Thus, contracts should also specifically include provisions:

entitling the data collector to distinguish between personal


information and sensitive personal information that it wishes to
collect/process
representing that the consent of the person(s) concerned has
been obtained for collection and disclosure of personal
information or sensitive personal information, and outlining the
liability of the third party.

SECURITY
A corporate entity possessing, dealing or handling any sensitive personal
information in a computer resource which it owns, controls or operates is
required to implement and maintain reasonable security practices and
procedures to secure the sensitive personal information. The reasonable
security practices and procedures may be specified in an agreement between
the parties.

Further, the Privacy Rules provide that in the absence of such agreement reasonable
security practices and procedures to be adopted by any corporate entity to secure sensitive
personal information are procedures that comply with the IS/ISO/IEC 27001
standard or with the codes of best practices for data protection as approved by
the Federal Government. Presently, no such codes of best practices have been
approved by the Federal Government.

ENFORCEMENT
Civil penalties of up to EUR 694,450 for failure to protect data including
sensitive personal information may be imposed by an Adjudicating Officer;
damages in a civil suit may exceed this amount.

Criminal penalties of up to 3 years imprisonment or a fine up to EUR 6,950, or


both for unlawful disclosure of INFORMATION.

3.Does issue 2nd invokes right to privacy of the student as


per IT Act 2000 and violation of his fundamental right under
Art.14, Art.15 & Art.21 of Constitution of India, 1949
respectively?
The Information Technology Act, 2000,1 governs the law relating to information
technology in India. With the liberal use of internet and processing of electronic data of
all forms for a wide range of purposes both within the private and public domain,
concerns as to intrusion into ones privacy has assumed importance and has become a
matter of public debate. The raging controversy on the consequences of UID (Unique
Identification) Program (Aadhar), an ambitious project of the Government of India on
the right to privacy and its intrusion by the Government in the form of data collected, for
issue of a UID card, is a point in illustration.

Recently in exercise of the rule making power conferred by Clause (ob) of Subsection
(2) of Section 87 read with Section 43A of the Information Technology Act, 2000, the
Central Government promulgated the Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
These Rules cater to three groups Body Corporates, Information Providers (or Data
subjects) and the Government. These rules address the:

1. Obligation of the corporates who collect the sensitive personal data of an


individual the obligations being those pertaining to its use and
disclosure2
2. Rights of the information provider, with a view to curb indiscriminate disclosure of such
information without the consent of the data subject.3.
3. Right of the Government to access Sensitive Personal Data of individuals in cases of
investigation, etc.4

This article aims to analyse these rules in the background of the development of
privacy and information technology laws along with a discussion on its scope,
extent and utility.

Points to remember

BACKGROUND OF THE NEW RULES


Indias first stride to give legal recognition to electronic documents and digital signatures
came in the form of the Information Technology Act, 2000. The Act did not address
issues of data privacy and protection.

In 2004, the Indian Supreme Court,5interpreted Article 19(1)(a) of the Constitution of


India to include by implication the right to information within the constitutional guarantees
of freedom of speech and expression.6Consequently, the government enacted a national
legislation called the Right to Information Act 2005. The character of the Act was broad
and covered under its ambit information held by or under the control of any public
authority.7

By this time, the European Union enacted stringent data protection laws. EU, having the
worlds most restrictive law, stated that the member states must cease to send personal
data to any third country unless such country adhered to similar laws or had other
appropriate safeguards in place. A lack of such safeguards and data protection laws was
often the reason for preventing the movement of voice processing and BPO work to
India8. This made the Government of India realize the importance of having in place a
distinctive legal regime promoting data protection. A need was felt to create the
necessary confidence among investors and foreign companies.9Thus, an amendment
was made to the Information Technology Act, 2000 and the Information Technology
Amendment Act 2008 (ITAA), was enacted.

The ITAA, 2008 inserted Section 43A10, a vital beginning to the string of data protection
laws in the country. Section 43A provided for the payment of compensation, by a person
in possession, etc. of sensitive personal data, who is negligent in maintaining and
implementing reasonable security practices and procedures and thus resulted in any
wrongful loss or wrongful gain. The Central Government was empowered to prescribe,
by promulgation of Rules, the definition and content of sensitive personal data or
information. It is in the background of Section 43A that the Rules of 2011 were
promulgated, seeking to define the content of sensitive personal data or information and
reasonable security practices and procedures apart from enlisting collection,
disclosure and protective measures.

Furthermore, the Information Technology Rules (ITR), 200911, which was a precursor
to the current ITR, 2011, provided for a comprehensive and constitutionally sound
framework for the disclosure of information. Currently the ITR, 2011 has expanded its
reach to higher levels of privacy of personal security information.

With these Rules, India has taken big strides towards bringing about strict measures to
safeguard sensitive personal information or data and has attempted to strike a delicate
balance between private liberty and public need.

AN OBJECTIVE ANALYSIS OF THE ITR, 2O11


The Rules have been subjected to public scrutiny ever since February 7, 2011, when the
draft rules were open to public comment. These rules were finally enacted on April 13,
2011, but disappointingly did not meet the expectations of the public at large. It continues
to remain a victim of severe criticism.
The Rules suffer from ambiguity visvis its ambit and extent as discussed infra.

DEFINITION AND SCOPE


The aim here is to briefly look at the definition and scope of phrases which form the
foundation of such rules.

Clauses of broad character


The main objective of these Rules, as already mentioned earlier, was to impose
restrictions on businesses with regard to handling of personal data. In order for these
Rules to meet its end, the term sensitive personal data should have been defined more
stringently. Instead, only a mere list of the constituents of the term is prescribed under
Rule 3. For a better understanding, it is imperative to look at the constituents of
Sensitive personal Data:

1. Password
2. Financial information such as Bank account or credit card or debit card or
other payment instrument details
3. Physical, physiological and mental health condition
4. Sexual orientation medical records and history
5. Biometric information
6. Any detail relating to the above clauses as provided to body corporate for providing
service and
7. Any of the information received under above clauses by body corporate for
processing, stored or processed under lawful contract or otherwise:
8. Any of the information received under above clauses by body corporate for
processing, stored or processed under lawful contract or otherwise.

It can be observed here that clauses (vii) and (viii) appear to be of a very broad
character. It can be interpreted to include, within its ambit, a wide array of information.
The importance of a precise definition of sensitive personal information is paramount as
clauses of such broad interpretation add to the ambiguity of the scope of not only these
rules but also of Section 43A. Thus, it seems to follow that, any ambiguity in the
definition, fails to serve the very purpose of the rules, to begin with, since the whole
enactment deals with the concept of processing of Sensitive Personal Data or
Information. In order for this clause to be clearer, the definition could be amended to
include inter alia, information which is capable of personally identifying a person,
individually or when aggregated12.

A need for distinction between Personal Data and Sensitive Personal Data
Broad clauses as such, include not only Sensitive Personal Data but also other
Personal Information. It, thus, strays away from the purpose of 43A, which only seeks
to protect Sensitive Personal information. Hence, a need is felt to make a distinction
between Personal data and Sensitive Personal Data13. An ephemeral distinction of the
two concepts has been brought out in Rule 2 (which has defined Personal Information,
although it remains silent about its constituents) and Rule 4 (which ensures that Body
Corporates should have a privacy policy for Personal Information including Sensitive
Personal Information). The absence of a distinction between the two concepts seems
to be an important point in illustration with respect to the difference between Indian Data
Privacy Laws and its UK counterpart, the Data Protection Act, 199814. The latter makes
a definite distinction between the two concepts and has prescribed separate rules for
handling the two different data. The Indian Rules, on the other hand, fails to recognize
different levels of stringency with regard to collection, transfer, disclosure and handling
of Personal Data and Sensitive Personal Data.

Broadening the definition of Sensitive Personal Data or Information


Another improvement within the scope of defining sensitive personal data or information
would be an extension to include (i) political opinions, (ii) religious beliefs or other beliefs
of a similar nature, (iii) whether he is a member of a trade union, (iv) his sexual life, (v)
the commission or alleged commission by him of any offence, and (vi) any proceedings
for any offence committed or alleged to have been committed by him, the disposal of
such proceedings or the sentence of any court in such proceedings as done in the DPA.
It should also be extended to include browsing data which is gathered by websites and
search engines, which when aggregated, can reveal a persons detailed profile15. By
implementing these, the definition of sensitive personal data is further fine tuned,
eliminating any ambiguity with regard to the extent of its ambit.

RETENTION OF DATA
Moving on, it is but reasonable to assume that the Rules should prescribe conditions
for a safe disposal of data, after it has been used for the purpose for which it was
collected. This is supported by the conditions listed out under Rule 5 of the said Rules.
With respect to retention of data, Rule 5 spells out that the information should not be
retained for a period longer than what is required to carry out the object for which it was
collected and the information should be kept secure. Although it states that the body
corporate cannot retain any information for longer than is required16it is essential for
the rules to include a retention period after which the data is to be destroyed. On a
prima facie reading of the rules, the interpreter is rightly under the impression that they
were formulated, primarily, for the data collected virtually vis a vis online as these
rules fall under the Information Technology Act. In line with this thought, the above
contention of including a retention period is justified because more often than not
websites hold archival data. Hence, it is imperative that the rules contain such
provisions that would also include a procedure to delete and destroy the data making
retrieval impossible.17

COLLECTION AND DISCLOSURE OF INFORMATIONCollection of Information


Rule 5 deals with the collection of sensitive personal data or information. It states inter
alia that a body corporate has to first obtain consent in writing through letter, fax or
email, from the provider of such information, regarding purpose of usage, before
collection of such information. This rule is conterminous with Article 7 of the EU
Directive18, which reflects the same principle as it states that personal data may be
processed only if the data subject has unambiguously given his consent to the same.
Further, Rule 5 gives the provider of information certain privileges of modifying such
information as and when necessary and withdrawing the consent given earlier.

But, the rules fail to clearly distinguish between the provider of information and
individual to whom the data pertains which gives rise to a lot of uncertainty on a prima
facie reading of the rules.

In addition, Rule 5(3), falling in line with Article 619of the EU directive, says that the body
corporate or any person on its behalf shall take such steps as are, in the circumstances,
reasonable 20to ensure that the person concerned is aware of the fact that the
information is being collected, the purpose for which it is being collected, the recipients of
such information, etc.21The phrase in Rule 5(3) uses convoluted language instead of
using simple phrases like take reasonable steps reasonableness has generally been
interpreted by courts contextually.22The Supreme Court in Water Supply and Sewage
Board v. Unique Erectors (Guj)23has observed that in law, prima facie meaning of
reasonable in regard to those circumstances of which the actor, called upon to act
reasonably, knows or ought to know.

Disclosure of Information
Rule 6 states that prior permission of the provider of information has to be obtained

before disclosure is made to a third party and any third party receiving such information

is not entitled to disclose it further.24

It is essential to improve the definition of Rule 6 and make its provisions more
stringent. By stating that the disclosure of information requires prior consent from the
provider of such information, this rule seems to have left the ends open. In cases
where the consent is granted online, it cannot be clearly determined whether the
person granting the consent is the provider of information, the data subject himself or
some other third party.

If the information of a person is being transferred to a third party for a different purpose, it
looks to be right to be done only with the knowledge of the data subject. It does not
suffice if the provider of information, who may be a party other than the data subject, to
grant consent for the same. This may lead to a misuse of information in three party
cases. For example, A provides sensitive personal data of X to Company B, upon the
consent and knowledge of X, to carry out a particular transaction. Later, Company C
approaches A for the personal information of X, to process a separate transaction. In
such a situation, it seems unreasonable for A to give out personal information of X
without the consent of X. Thus, this rule should be modified to impress upon the consent
of the data subject himself. It is pertinent, here, to draw the readers attention to
Schedule 2 of the Data Protection Act, 1998. It specifies that the consent of the data
subject is essential for the transfer of information wherein the data subject has been
defined as an individual who is the subject of personal data. This concept must be
incorporated into these Rules in question.

Disclosure of Sensitive Personal Data to the Government


Rule 6 enables the government to access any sensitive personal data, maintained by the
body corporates under law, for several purposes including detection and investigation of
crimes, cyber incidents, prosecution, punishment for offences, etc.25. It is thus apparent
that the government has the power to obtain sensitive personal information of individuals
from body corporates without a warrant or the concerned persons consent. With an
enforcement of such a rule, the body corporates may willingly give away such
information in order to avoid prosecution. The government has, in this regard, given itself
the master key and there are no checks on this power despite the fact that the

government has to make a written request stating the purpose for seeking such
information26. Thus, the rule raises issues of personal privacy infringement.
At this point, it is pertinent to look at the interpretation of Right to Privacy by
various competent Judicial Institutions so that the importance of adopting
procedural safeguards against privacy infringement can be well established. .

In the landmark case of Kharak Singh v. State of UP27, the learned judges have
recognized the inclusion of Right to Privacy within the ambit of Article 21 of the
Constitution, viz. Right to Life. It has been stated that,

It is true our Constitution does not expressly declare a right to privacy as a fundamental
right, but the said right is an essential ingredient of personal liberty. The pregnant
words of the famous Judge, Frankfurter J., in Wolf v. Colorado28, pointing out the
importance of the security of ones privacy against arbitrary intrusion by the police, could
have no less application to an Indian home as to an American one.. Justice Frankfurter
said nothing is more deleterious to a mans physical happiness and health than a
calculated interference with his privacy.

Courts have repeatedly taken a persons and not places emphasis in interpreting
the right of privacy29, rejecting views that privacy is tied to property interests30. A
clear shift from person to place was enunciated in the American Supreme Court
case of Warden v. Heyden31)

In the Naz Foundation Case32, it was found that the State cannot invade the privacy of
citizens based solely on consideration of public morals. The court also said that the
right to privacy has thus been held to protect a private space in which man may become
and remain himself.33

With respect to information in public domain, the Supreme Court, in the case of
Rajagopal alias Gopal v. State of Tamil Nadu34held that there is no protection for
personal information in public records, and protection of privacy for persons who have
voluntarily placed themselves in the public eye is reduced. Vishwanathan35considers
that the Supreme Court in Rajagopal, for the first time, articulated the twin pillars of
privacy law in India.

From the above, it seems that most of the courts have acknowledged the
importance of Right to Privacy. Thus, it is vital that the rules provide for procedural
safeguards against unauthorized disclosure of information and maintenance of
constitutional levels of privacy even against the Government.

CONCLUSION
The object of any statute or rule is to prevent mischief and promote the object. The virtue
of a statute or rule is certainty and clarity as opposed to ambiguity and vagueness. The
quality of any statute or rule has to be judged on these yardsticks.

In an attempt to clarify some of the ambiguities arising out of the provisions of these
rules, the Indian Government issued a clarification which allays fears as to the
Jurisdiction and effect of the rules on companies outsourcing to India. The Ministry has
clarified that the Sensitive Personal Data Rules apply only to body corporates or persons
located within India. Furthermore, it has provided some clarity regarding the realm of
Rules 5 and 6 stating that any body corporate located in India, which provide services
relating to collection, storage, dealing or handling and processing sensitive personal data
or information under contractual obligation with any legal entity (located within or outside
India) is not subject to the requirement of the above rules36. While the Press Note
appears to resolve a few immediate concerns it leaves many questions regarding the
handling of sensitive personal information unanswered.37

Judging the rules under consideration on these yardsticks, it is unfortunate to conclude


that the rules fall short of becoming a model piece of legislation especially while dealing
with a progressive and emerging concept like Sensitive Personal Information or Data.
The efficacy of the rules depends upon such precise definition and content and if the
same is lacking the rules not only fail to serve the purpose or prevent mischief but it in
fact becomes a fertile ground for mischief and misuse. Considering Indias pre eminent
position as an IT destination in the world, it is imperative that the Government looks at
the rules closely yet again with utmost expedition and make it more precise and
utilitarian.

Freedom of expression is guaranteed under Article 19(1) (a) of the Indian Constitution. Restrictions on
the exercise of the freedom of expression are found in Article 19(2) that can be enforced by the State
and are in the interests of sovereignty and integrity of the State, the security of the state, friendly
relations with foreign states, public order, decency or morality, or in relation to contempt of court,
defamation or incitement to an offense.1 When considering the right of freedom of expression and the
right to privacy, traditionally there has always been a fundamental question about the relative weight of
privacy and expression. An open democracy values a person's right to express opinions even when it
conflicts with another's right to privacy. For example, who donated to whose campaign to which
celebrity is getting married where. At the same time, restrictions like national security or public
interest can detract from both expression and privacy. The freedom of expression has been seen by
certain people as a counter to the right to privacy of the person whose information is being disclosed
(expressed) by the other party, it is interesting to note that the right to privacy was actually derived in
part from the right to freedom of speech. In the case of Kharak Singh v. The State of U.P.,2 the
Supreme
Court for the first time recognized that citizens of India had a fundamental right to privacy which was
part of the right to liberty in Article 21 as well as the right to freedom of speech and expression in
Article 19(1)(a), and also of the right of movement in Article 19(1)(d). This line of thought has recently
been approved again by the Supreme Court in District Registrar and Collector, Hyderabad and
another
v. Canara Bank and another.3

In Govind v. State of M.P.6 the Supreme


Court laid down the (i) superior important countervailing interest test, (ii) compelling state interest test,
and (iii) compelling public interest test. On the other the case of R. Rajagopal (discussed in detail in
this chapter) has also laid down certain tests regarding when private information can be published.

Broadly, the right to the freedom of expression impacts the right to privacy in negotiating:

1.) To what categories of data should the freedom of expression be limited in order to protect
privacy.
2.) In which context will freedom of expression impinge on privacy.
3.) In what circumstances is it necessary that an individual be provided the right to privacy in order
to protect the freedom of speech.

Violations of privacy that can result because of an expression are most commonly understood as
privacy torts and include: (a) intrusion into an individuals personal affairs including public disclosure
of a person's private life (b) publicity which places an individual in false light in public, and (c) use of
an individuals own name for commercial purposes commonly understood as the right to publicity.

Examples of circumstances in which the freedom of expression needs to be negotiated with the right to
privacy include:
a) Public Interest: In what circumstances does disclosure of information in the public interest
outweigh an individuals right to privacy. The term public interest however has deliberately
been left anomalous by the Courts in India although it has been described as something more
than mere idle curiosity.7 The fact that the term public interest has not been clearly and strictly
defined acts as a serious threat to the right to privacy since the bogey of public interest can be
raised anytime to attack this right. The Courts have however tried to find an optimal balance
between the two issues and by not defining the term public interest the Courts have eliminated
the need for frequent amendments to keep it in line with the changing norms and perceptions of
society.

b) Public Persons: In what circumstances should expression be limited in order to protect the
privacy of persons in the public sphere. In India this question has been partially defined by the
Right to Information Act under section 8, but the Act does not bring under its scope public
figures who are not government employees such as cricket stars, actors/actresses, and other
celebrities. Although the commercial exploitation of the images and celebrity of such public
persons can be protected to some extent under the existing intellectual property regime such as
trademark law as well as copyright law,8 the Delhi High Court has recognized that the right to
publicity has evolved from the right to privacy.9

ONLINE SPEECH
The above framework of privacy has mostly been developed in the
background of the real world
however this framework is being constantly challenged and tested in
the modern world with the high
pervasiveness of the internet and social networking websites. For
example, in what circumstances does
a comment online or a picture posted online violate the privacy of
another individual.

Today the internet has made privacy an integral part of realizing the
right to free expression. For
example, governments are putting in place censorship regimes that do
not only restrict online speech,
but also seek to identify the source of the speech. In this way, the right
to anonymous speech has
become a contested issue globally. The internet is also making the line
between speech expressed in the
private sphere vs. speech expressed in the public sphere more difficult
to define.

Some of the major issues that the internet throws up with regard to the
right to privacy are:

Public and Private Sphere. It is unclear if statements made on the


social media should be
considered public or private, and if private individuals posting
pictures need consent from
all individuals before posting the picture or video on social media
sites. Further even if a
picture has been posted without the consent of the person, should it
not be required that
people tagged in a picture first have to give their consent before the
picture is tagged.
Whether online speech on a social networking site be treated in the
same manner as the
conversation in a restaurant or even over the phone, or will it get
treated as speech on a
television.

For example, governments are putting in place censorship regimes


that do not
only restrict online speech, but also seek to identify the source of the
speech. In this way, the
right to anonymous speech has become a contested issue globally. The
internet is also
making the line between speech expressed in the private sphere vs.
speech expressed in the
public sphere more difficult to define. For example, In India in
November 2012 a business
man in Pondicherry was arrested for tweeting offensive messages
about Karti
Chidambaram,1 and also in 2012 two girls were arrested for comments
made on Facebook
relating to the passing away of Bal Thackeray.2

Right to be Forgotten: The internet never forgets! This single line encapsulates one of the
gravest concerns for privacy advocates vis--vis the internet and the online world. In what
circumstances can an individual require the deletion of information pertaining to them that
has been circulated in the public domain. Although the right to privacy in the non online
world has been described as the right to be left alone that may not exactly translate into a
right to be forgotten. In Spain there was a case where a person was arrested and the fact that
he had a criminal record was publicized on the internet as well. In this case the court ruled
that he had a right to be forgotten. The new draft EU Regulations have expressly talked
about the right to be forgotten by including a right to demand the deletion of data no longer
required for the purpose for which it was collected. However in India, the debate on data
retention and the right to privacy has not yet reached such a level and data retention and
verification requirements are still governed more by national security requirements rather

than privacy issues.

Calculation of Harm: Another issue regarding privacy and the online world is how do you
calculate harm being done by breach. If a slanderous comment is left on your facebook
page, assuming it is a public space, how would you calculate the harm done by such a
comment. If your data retained by a data controller is lost or leaked to some other party, can
this loss be quantified to be compensated in terms of money? Or does the person have to
wait till some financial loss is caused to him/her to file a claim against the data controller.
Verification and Quality
Any report or article that is of public interest and benefit, but that contains comments against a
citizen should be checked by the editor of the publication for factual accuracy. If inaccuracies are
found, they should be corrected by the editor. Any document that forms the basis of a news report,
should be preserved at least for six months in order to allow for facts to be checked. 20 Newspapers
should not publish anything that is manifestly defamatory or libelous unless the publication will be
for the public good21. Personal remarks which can be construed to be derogatory against a dead
person should not be published.22

Although these Norms provide for a number of guidelines, not all of them are followed by the media on
most occasions, for example the norms provide that particulars relating to the identity of rape victims
should not be revealed by the media. However in the gang rape case now popularly referred to as the
Nirbhay Rape Case the media revealed a large amount of personal details of the victim such as the
college she was studying in, her course, which semester she was in. Similarly in the rape case of an
NLSIU student in Bangalore, the media released details such as her nationality, her college, which year
she was studying in, etc. Such details are more than enough for any person acquainted with the women
in present or future to identify them which is clearly a violation of the Norms of Journalistic Conduct as
well as the intent of the laws protecting the identity of rape victims.

Information Technology (Intermediaries Guidelines) Rules, 2011 (Due Diligence Rules)


An intermediary liability or intermediary safe-harbor provision provides intermediaries with immunity
from liability for what users do on their platforms. This immunity is valid only when the intermediary
can demonstrate that i) they have no actual knowledge, ii) that they have undertaken due diligence, iii)
they have responded to take down notices. Unfortunately the Indian guidelines also prescribe terms of
service which lists what content is and is not permissible and holds intermediaries responsible for
implementation of these terms of service.34

The guidelines impact both privacy and freedom of expression as on one hand the guidelines seek to
prohibit the posting of content including content that violates individual privacy, and at the same time
the guidelines require intermediaries to hand over information, including personal information, to law
enforcement agencies when requested. Since it makes intermediaries liable to hold information to help
law enforcement agencies after a takedown notice, it will encourage them to place restrictions on
anonymous and pseudonymous speech.

Among other content, individuals are not allowed to host, display, upload, modify, publish, transmit,
update or share information that:

1. Belongs to another person or to which the user does not have any rights; -This protects the
privacy of persons whose information may have been taken by a third party and uploaded
without the consent of the owner of the information.
2. Is harassing; defamatory or libellous; pornographic; pedophilic; invasive of another's
privacy; disparaging. This specifically prohibits sharing of information which is invasive
of someones privacy. On top of that defamatory or libellous acts have also been considered
by certain people as violations of the right to privacy.
3. Is deceptive or misleading; impersonates another;35 Information which impersonates
someone else can be seen to invade the privacy of the person who is being impersonated
since it is his/her identity which is being utilised without his/her consent.
R. Rajagopal v. State of T.N.15 (1975)

What remedies can a citizen of India claim in case of infringement of his right to privacy and
further if such writing amounts to defamation?

With regard to this issue the Court held:

The right to privacy as an independent and distinctive concept originated in the field of Tort
law, under which a new cause of action for damages resulting from unlawful invasion of
privacy was recognised. This right has two aspects which are but two faces of the same coin (1)
the general law of privacy which affords a tort action for damages resulting from an unlawful
invasion of privacy and (2) the constitutional recognition given to the right to privacy which
protects personal privacy against unlawful governmental invasion. The first aspect of this right
must be said to have been violated where, for example, a persons name or likeness is used,
without his consent, for advertising or non-advertising purposes or for that matter, his life story
is written whether laudatory or otherwise and published without his consent as explained
hereinafter.

Although cases such as R. Rajagopal and others thereafter have clearly held that the constitutional
scheme of our country does not countenance a prior injunction on the basis of violation of the right to
privacy, they did not specifically address whether such an injunction could be granted under tort law,
however the fact that the Court in PHOOLAN DEVI V. SHEKHAR KAPOORAND Ors.(1994) case has
entertained and allowed the application for a prepublication injunction makes it clear that such an
injunction can be sustained in the realm of tort law.

The Bofors pay-off case


The Bofors pay-off case was centered on charges of criminal conspiracy and corruption between
several public servants including Rajiv Gandhi and S.K Bhatangar, which involved the cheating and
fraudulent representation. Rajiv Gandhi and S.K.Bhatnagar were also charged for having taken illegal
bribes for awarding the contract in favor of Bofors (Gun Company). The CBI investigated the case for
many years, and in the process of the investigation held many press conferences revealing facts and
opinions about the case. Though the case was not focused on whether the privacy of the public servants
was violated by these press conferences, the High Court of Delhi, observed that, The fairness of trial is
of paramount importance as without such protection there would be trial by media which no civilized
society can and should tolerate. The functions of the court in the civilized society cannot be usurped by
any other authority. The Court agreed that media awareness creates awareness of the crime, but the
right to fair trial is as valuable as the right to information and freedom of communication. It noted how
the case was an example of how trial by media can cause irreversible harm to the reputation of an
individual and his family, and criticized the trend of the police or CBI of holding press conferences for
the media when the investigation of a crime is still ongoing. 59

Conclusion:
The freedom of expression and privacy in many ways support each other, as the right to express an
opinion or thought freely often is protected by providing the individual the privacy to do so. In the
context of the media, the right to privacy can be violated by press coverage both online and offline.
There are many new ways in which the right to privacy and the freedom of expression relate to each
other which have not been addressed strongly in Indian legislation, policy, or case law. For example the
taking of photographs by individuals (not the press) has not been addressed, the ability for individuals
to issue comments anonymously offline, and the right to be forgotten online and offline have not been
addressed. These issues are being addressed by many countries and at an international level. For
example, the EU has proposed an amendment to the EU directive that would require companies holding
data to allow users to withdraw the information from websites. The amendment, known as the Right to
be forgotten would give users the power to tell websites to permanently delete all personal data held
about them. Websites would be held legally accountable and would face sanctions if they did not
comply. Additionally, users would also have to explicitly opt-in before companies could use or
process their personal data.60 The right to anonymous speech is also being fought for at an international
level. Frank La Rue, special rappatuer to the UN, has issued a report on Freedom of Expression and
Privacy, where he specifically promotes the ability of individuals to speak anonymously online and
offline as a key to protecting the right to free expression and the right to privacy. In his report he points
out that when states do not allow anonymous speech and censor material online, the privacy of the
individual is often violated as the state not only want to take down the content that was posted, but
wants to identify the person that posted the content.61 Anonymous speech is clearly prohibited in India
in the context of online speech, but anonymous speech is not regulated in the media, as sources are
often not identified in news coverage.

1. Whether the finding of Proctorial board was fair & justified


to expel R S HAJELA from University?

PRAYER

In the light of arguments advanced and authorities cited, the counsel for

respondent humbly submits that the Honble Court may be pleased to

adjudge and declare that:


Any other order as it deems fit in the interest of equity, justice and

good conscience.

For This Act of Kindness, the Appellant Shall Duty Bound Forever

Pray.

Sd/-

(Counsel for the Appellant)

TEAM CODE:
SLS026

You might also like