PETITIONER

Memorial on behalf of the Petitioner
Team Code: TN - 321
3 RD SYMBIOSIS LAW SCHOOL HYDERABAD, NATIONAL MOOT COURT COMPETITION -

2018
Before,
THE HON’BLE HIGH COURT OF CITY OF JOY
WRIT PETITION UNDER ARTICLE 226 OF THE CONSTITUTION OF NARNIA
W.P. No. ______/2018
MR. TRUE LIES.............................................................................................................................PETITIONER

V.
SAYPM AND GOVERNMENT...................................................................................................RESPONDENT
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONER

TABLE OF CONTENTS
LIST OF ABBREVIATIONS...................................................................................................IV
INDEX OF AUTHORITIES.....................................................................................................V
STATEMENT OF JURISDICTION........................................................................................IX
STATEMENT OF FACTS.........................................................................................................X
ISSUES RAISED.....................................................................................................................XI
SUMMARY OF ARGUMENTS............................................................................................XII
ARGUMENTS ADVANCED....................................................................................................1
1. THE PIL FILED UNDER ARTICLE 226 OF THE CONSTITUTION OF NARNIA IS

MAINTAINABLE.....................................................................................................................1
[1.1] THE PETITIONER HAS A LOCUS STANDI.................................................................1
[1.2] THERE IS VIOLATION OF FUNDAMENTAL RIGHT.................................................1
[1.3] ALTERNATIVE REMEDY CANNOT BE THE GROUND FOR REJECTING

PETITION..................................................................................................................................3
[1.4] SAYPM SHOULD BE ALLOWED TO BE A PARTY TO THE SAID WRIT

PETITION..................................................................................................................................4
2. THE GOVT. AND SAYPM HAVE ACTED IN COLLUSION TO BREACH THE

PRIVACY OF THE CITIZENS OF NARNIA...........................................................................4
[2.1] THE GOVT. AND SAYPM HAVE ACTED IN COLLUSION........................................4
[2.1.1] Banners during demonetization:.................................................................................5
[2.1.2] Sting operation video release:.....................................................................................5
[2.2] RIGHT TO PRIVACY OF CITIZENS OF NARNIA HAVE BEEN BREACHED..........6
[2.2.1] Violation of informational privacy:............................................................................7
[2.2.2] Violation of privacy of choice and personal autonomy:.............................................8
[2.3] ASKING USER DATA FROM SAYPM AND TRANSFERRING SAYMO’S USER
DATA TO FOREIGN COMPANIES BY PMO IS NOT REASONABLE RISTRICTION ON
RIGHT TO PRIVACY UNDER ARTCLE 21............................................................................9
2
3. THE DATA MINING BY SAYPM AND SHARING IT WITH ANY THIRD PARTY IS
NOT PERMISSIBLE...............................................................................................................10
4. THE PROVISIONS OF IT ACT AND OTHER ACTS HAVE BEEN VIOLATED...........12
[4.1] IT ACT:........................................................................................................................12
Section 43A.......................................................................................................................12
Section 72A.......................................................................................................................13
Section 69.........................................................................................................................14
[4.2] Narnian Penal Code.....................................................................................................14
[4.3] Regulations by Telecom Regulatory Authority of Narnia:..........................................14
[4.4] Reserve Bank of Narnia...............................................................................................15
5. EXISTING LAWS OF NARNIA ARE NOT SUFFICIENT TO SAFEGUARD AND

SECURE THE PRIVACY OF CITIZENS...............................................................................15
Retention of Data:.................................................................................................................16
Collection of Information:....................................................................................................16
Disclosure of Information:...................................................................................................17
Disclosure of Sensitive Personal Data to the Government:..................................................17
[5.1] Remedies to be requested................................................................................................18
PRAYER...............................................................................................................................XIII
3
LIST OF ABBREVIATIONS
SERIAL NO. ABBREVIATION EXPANSION

1 PIL Public Interest Litigation
2 Hon’ble Honourable
3 Art. Article
4 SCC Supreme Court Cases
5 AIR All India Reporter
6 SC Supreme Court
7 PM Prime Minister
8 ICCPR International Covenant on Civil and Political Rights
9 IT Information Technology Act 2000
10 Rules 2011 Information Technology (Reasonable security
practices and procedures and sensitive personal data
or information) Rules 2011
11 TRAI Telecom Regulatory Authority of India
12 NPC Narnian Penal Code
13 Ltd. Limited
14 Co. Corporation
15 Govt. Government
16 PMO Prime Minister’s Office
17 UDHR Universal Declaration of Human Rights
18 DPB Data Protection Bill 2018
19 RBI Reserve Bank of India
20 GDPR General Data Protection Bill
21 SAR System Audit Report
22 CRPC Criminal Procedure Code
23 TRAN Telecom Regularity Authority of Narnia
24 RBN Reserve Bank of Narnia
25 TSP Telecom Service Provider
4
INDEX OF AUTHORITIES
Cases
State of Maharashtra v. Bharat Shanti Lal Shah, (2008) 13 SCC 5...........................................6

A. Janardhana v. Union of India, AIR 1983 SC 769..................................................................4
A.V. Venkateswaran v. R.S. Wadhwani, AIR 1961 SC 1506.....................................................3
Ahmedabad Cotton Mfg. Co. v. Union of India, AIR 1977 (Guj.) 113......................................3
Air India Statutory Corporation v. United Labour Union, AIR 1997 SC 645, 680...................3
Anuj Garg v. Hotel Association of India, (2008) 3 SCC 1.........................................................8
Balbir Singh v. F.D. Tapase, AIR 1985 P&H 244......................................................................1
Bandhua Mukti Morcha v. Union of India, AIR 1984 SC 802..................................................1
Bar Council of India v. Surjeet Singh, AIR 1980 SC 1612........................................................3
Basheshsar Nath v. Commissioner of Income Tax, AIR 1959 SC 149....................................11
District Registrar and Collector, Hyderabad v. Canara Bank, AIR 2005 SC 186......................7
General Manager v. A.V.R. Siddhanti, AIR 1974 SC 1755........................................................4
Gujarat State Financial Corporation v. Lotus Hotel, AIR 1983 SC 848....................................3
Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, 127..............................2
Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, 445..............................8
Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, 62................................7
Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, 81................................6
Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1......................................2
Kharak Singh v. State of Uttar Pradesh, (1964) 1 SCR 332......................................................6
L.I.C. of India v. Consumer Education and Research Centre, (1995) 5 SCC 482.....................8
National Legal Services Authority v. Union of India, (2014) 5 SCC 438.................................6
National Legal Services Authority v. Union of India, (2014) 5 SCC 438, 449.........................7
Naz Foundation v. Government of N.C.T. of Delhi, (2009) 3 CCR 1.....................................17
Olga Tellis v. Bombay Municipal Corporation, (1985) 3 SCC 545...........................................8
People’s Union for Democratic Rights v. Union of India, (1982) 3 SCC 235...........................1
R. Rajagopal v. State of Tamil Nadu, (1994) 6 SCC 632...........................................................6
Rai Ramakrishna v. State of Bihar, AIR 1963 SC 1667.............................................................9
Rajagopal Alias Gopal v. State of Tamil Nadu, (1994) 6 SCC 632.........................................17
Ram Jethmalani v. Union of India, (2011) 8 SCC 1...................................................................2
5
Secretory O.N.G.C. Ltd. v. V.U. Warrier, (2005) 5 SCC 245.....................................................4

State of Uttar Pradesh v. Indian Hume Pipe Co. Ltd., (1977) 2 SCC 724.................................3
Subramanium Swamy v. Director, Central Bureau of Investigation, AIR 2014 SC 2140.........6
Swayamber Prasad v. State of Rajasthan, AIR 1972 (Raj.) 69...................................................3
Vishaka v. State of Rajasthan, (1997) 6 SCC 241......................................................................2
Water Supply and Sewage Board v. Unique Erectors, AIR 1989 SC 973...............................16
Whalen v. Roe, 429 U.S. 589 (1977).........................................................................................8
Statutes
Data Protection Act, 1998, schedule 2,

https://www.legislation.gov.uk/ukpga/1998/29/schedule/2..................................................17
Information Technology Act, 2000, § 69, No. 21, Acts of Parliament, 2000...........................13
Information Technology Act, 2000, § 72A, No. 21, Acts of Parliament, 2000........................13
Information Technology Act, 2000, § 43A, No. 21, Acts of Parliament, 2000........................10
The Code of Criminal Procedure, 1973, § 91, No. 2, Acts of Parliament, 1974......................18
The Emblems and Names (Prevention of Improper Use) Act, 1950, § 3, No. 12, Acts of
Parliament, 1950.....................................................................................................................5
The Emblems and Names (Prevention of Improper Use) Act, 1950, No. 12, Acts of
Parliament, 1950.....................................................................................................................5
The Indian Penal Code, § 405, No. 45, Acts of Parliament, 1860...........................................14
Other Authorities
Notification by Department of Information Technology,

http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf..............................12
Notifications on Storage of Payment System Data,
https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244&Mode=0.........................15
P.R.S. Legislative Research, www.prsindia.org/......................................................................17
Recommendations on Privacy, Security and Ownership of the data in Telecom Sector,
https://www.trai.gov.in/sites/default/files/RecommendationDataPrivacy16072018_0.pdf..14
Rules
Information Technology (Reasonable security practices and procedures and sensitive personal
data or information) Rules, 2011,
http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf..............................10
6
data or information) Rules, 2011, rule 6 (1).........................................................................10
The Information Technology (Reasonable security practices and procedures and sensitive
personal data or information) Rules, 2011, rule 5 (7)............................................................9
The Information Technology (Reasonable security practices and procedures and sensitive
personal data or information) Rules, 2011, rule 6 (4)..........................................................16
Treatises
International Covenant on Civil and Political Rights, 1966, art. 17..........................................6
Regulations
E.U. Directives, art. 6...............................................................................................................16
Constitutional Provisions
INDIA CONST. art. 226.............................................................................................................3

INDIA CONST. art. 51, cl. c......................................................................................................6
Books
M.P. JAIN, INDIAN CONSTITUTIONAL LAW (10th ed. 2018).............................................1

S.R. BHANSALI, COMMENTARY ON THE INFORMATION TECHNOLOGY ACT 169
(2015)...................................................................................................................................13
S.R. BHANSALI, COMMENTARY ON THE INFORMATION TECHNOLOGY ACT 315
(2015)...................................................................................................................................13
Declarations of UN
Universal Declaration of Human Rights, 1948, art. 12..............................................................6
Articles
Apar Gupta, Comments on Draft Sensitive Personal Information Rules, India Law and
Technology Blog, https://iltb.net/comments-on-draft-sensitive-personal-information-rules-
da110e9c1f1c........................................................................................................................15
Francois Nawrot, Katarzyna Syska & Przemyslaw Switalski, Horizontal application of
fundamental rights – Right to privacy on the internet, 9th Annual European
Constitutionalism Seminar (May 2010), University of Warsaw,
7
http://en.zpc.wpia.uw.edu.pl/wpcontent/uploads/2010/04/9_Horizontal_Application_of_Fu
ndamental_Rights.pdf...........................................................................................................10
India’s telecom regulator recommends stricter data security rules, Reuters,
https://www.reuters.com/article/us-trai-dataprivacy-recommendations/indias-telecom-
regulator-recommends-stricter-data-security-rules-idUSKBN1K61X1...............................18
Pankaj Doval, Consent must for collection, sharing of personal data: Panel, The Times of
India,.....................................................................................................................................10
Prashant Iyengar, Privacy and the Information Technology Act in India, S.S.R.N.................16
Yvonne McDermott, Conceptualizing the right to data protection in an era of Big Data, 4 Big
Data and Society (2017).........................................................................................................7
Reports
Data Protection Committee Report, 2018................................................................................10

Data Protection Committee Report, 2018, 163........................................................................12
Data Protection Committee Report, 2018, 51..........................................................................11
8
9
STATEMENT OF JURISDICTION
The Counsel for the Petitioner humbly submits before the Hon’ble High Court of City of Joy,
the Memorandum on behalf of the Petitioner who filed PIL by way of writ petition under
Article 226 of the Constitution of Narnia.
This memorandum sets forth the facts, contentions and arguments for the petitioner in the
given case.
10
STATEMENT OF FACTS
SayPM is an e-payment system and digital wallet company founded by Mr. Money Bag in
January 2009 based outside the City of Joy in Narnia. SayPM collects various sensitive data
from its customers and uses it to allow the customers to access its e-payment services.
Customers need to agree to a consent form before they are allowed to use SayPM’s services.
During demonetization in Narnia in November 2016, SayPM advertised with its billboards
containing Prime Minister’s photograph which read “SayPM congratulates the Prime
Minister of Narnia for taking the boldest financial decision in the history of Narnia”.
AnacondaPole, Narnian non-profit news website and television production house, founded in
2003 by Mr. Khabri Lal conducted an investigation titled “Operation Swachch Narnia” and
released the transcripts and video clips of Mrs. Money Bag (2/6 th director of SayPM) on its
social media profiles in Legbook and MeTube. In the investigation, Anaconda Pole’s star
journalist Mr. Narad Lal informed SayPM’s top executives that he is meeting at the behest of
Jai Narnia Samiti to bolster the prospects of the ruling party in the Parliamentary elections
slated to be conducted in 2019. In the sting video, Mrs. Money Bag during a drunken
conversation said that the SayPM app is selling a book Chai Time Tales written by PM and
the e-wallet company received a call from PMO, right before the general elections in Narnia
demanding some user data regarding the sale and popularity of the book and some other
information for the upcoming elections. SayPM in its response, denied these allegations.
Earlier this year, allegations were imposed on SayMo and applications of opposition parties
in Narnia that they have transferred user data to a few foreign companies for data analytics
which was denied by the PMO. However, no investigation was conducted.
SayPM revised its privacy and added a new clause stating, “I understand and permit SayPM,
at its sole discretion, to share my data with any third party for any purpose linked to the
business of SayPM.” Users who did not consent to the said clause were blocked from using
SayPM’s application and the sum of money in the user’s wallet could neither be transferred to
any third party’s bank accounts nor be used to conduct other e-transactions rather the users
had the option to transfer the money in their wallet to their own bank account linked with the
application by paying a minor fee. Mr. True Lies, a privacy activist, filed a public interest
litigation by way of a writ petition in the High Court of City of Joy under Article 226 of the
Constitution.
11
ISSUES RAISED
I. WHETHER THE PIL FILED BY THE WAY OF WRIT PETITION UNDER

ARTICLE 226 OF THE CONSTITUTION OF NARNIA IS MAINTAINABLE?
II. WHETHER THE GOVERNMENT AND SAYPM HAVE ACTED IN
COLLUSION AND THEREBY BREACHED THE PRIVACY OF THE
CITIZENS OF NARNIA?
III. WHETHER DATA MINING BY SAYPM AND SHARING IT WITH ANY
THIRD PARTY IS PERMISSIBLE?
IV. WHETHER THE PROVISIONS OF IT ACT AND OTHER ACTS HAVE BEEN
VIOLATED?
V. WHETHER THE EXISTING LAWS OF NARNIA ARE SUFFICIENT TO
SAFEGUARD AND SECURE THE PRIVACY OF ITS CITIZENS?
12
SUMMARY OF ARGUMENTS
I. THE PIL FILED BY THE WAY OF WRIT PETITION UNDER ARTICLE 226 OF
THE CONSTITUTION OF NARNIA IS MAINTAINABLE.
Petitioner has a locus standi, fundamental right to privacy has been violated and the alternate
remedy which is available is not adequate, therefore the jurisdiction of the HC can be invoked
under article 226 and the petition is maintainable.
II. THE GOVERNMENT AND SAYPM HAVE ACTED IN COLLUSION AND

THEREBY BREACHED THE PRIVACY OF THE CITIZENS OF NARNIA.
There are several instances to show that the govt. and SayPM have acted in collusion. PMO
asked for user data from SayPM for the elections and SayPM introduced arbitrary clause to
share user data with any third party which breaches the privacy of the citizens of Narnia.
III. THE DATA MINING BY SAYPM AND SHARING IT WITH ANY THIRD PARTY
IS NOT PERMISSIBLE.
SayPM violates Rule 5(7) and Rule 6(1) of the IT Rules, 2011 and does not follow the
suggestions of Data Protection Committee Report. The new clause which is added in
SayPM’s revised privacy policy does not provide for any opt-out option neither does it takes
free consent from the users to share user data. Moreover, the new clause is arbitrary for the
new customers of SayPM and amounts to material alteration for the existing customers.
IV. THE PROVISIONS OF IT ACT AND OTHER ACTS HAVE BEEN VIOLATED.
The provisions of IT Act namely Section 43A, Section 72A and Section 69 of the IT Act have
been violated by the misdeeds of the SayPM, their act is also punishable under Section 405 of
NPC. The company has failed to follow the regulations of TRAN and RBN which have been
issued for customer’s interest, thereby threatening the rights of the users.
V. EXISTING LAWS OF NARNIA ARE NOT SUFFICIENT TO SAFEGUARD AND

SECURE THE PRIVACY OF CITIZENS.
The IT Act is having so many terms that have been loosely defined. There are no Penal laws
so as to control company’s activities. The Data Protection Bill 2018 has also missed on few
important dimensions of data privacy. There is a dire need of stricter laws and regulations
under section 87 of the IT Act, 2000.
13
ARGUMENTS ADVANCED
1. THE PIL FILED UNDER ARTICLE 226 OF THE CONSTITUTION OF NARNIA IS

MAINTAINABLE.
The council humbly submits that the PIL filed by way of writ petition under article 226 of the
Constitution of the Narnia is maintainable because there is violation of fundamental right of
public at large and the petitioner has a locus standi to file it.
[1.1] THE PETITIONER HAS A LOCUS STANDI.

In People’s Union For Democratic Rights & Others v. Union of India & Others 1, the Hon’ble
Court defined Pubic Interest Litigation and observed that, “Public Interest Litigation is a
cooperative or collaborative effort by the petitioner, the State of public authority and the
judiciary to secure observance of constitutional or basic human rights, benefits and privileges
upon poor, downtrodden and vulnerable sections of the society.”
If the matter to be reviewed is one which affects the public at large 2, any member of public or
organisation may bring it for scrutiny. 3The expression “public interest litigation” means a
legal action initiated in a Court for enforcement of public interest.4 In case of an injury
affecting the public, a public man having some interest can maintain an action challenging the
action of the government.5 In the present case, the petitioner is a privacy activist and he filed
this petition in order to protect the fundamental rights of common people of the country thus
the present petition is in public interest and the petitioner has the locus standi to file this
petition under article 226 of the Narnian Constitution.
[1.2] THERE IS VIOLATION OF FUNDAMENTAL RIGHT.

Article 21 states that, “No person shall be deprived of his life or personal liberty except
according to procedure established by law.” Life and Personal Liberty in this article has a
very wide ambit and Supreme Court defines it time and again in its judgements. In the recent
judgement of Justice K.S. Puttaswamy (Retd.) and Anr. V. Union of India and Ors. 6, Supreme
Court said that the Right to Privacy is an integral part of Right to Life and Personal Liberty.
1 People’s Union for Democratic Rights v. Union of India, (1982) 3 SCC 235.
2 Id.
3 Bandhua Mukti Morcha v. Union of India, AIR 1984 SC 802.
4 M.P. JAIN, INDIAN CONSTITUTIONAL LAW (10th ed. 2018).
5 Balbir Singh v. F.D. Tapase, AIR 1985 P&H 244.
6 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
1
In the present case, Prime Minister’s mobile application SayMo transferred user data to a few
foreign companies for data analytics7 and asked a private company SayPM to transfer their
user data to the ruling party for the upcoming elections8 and all this was done without the
prior consent of the users of the application thus breaching the Right to Privacy of the users
and imposing a serious threat to the fundamental right of the general public at large.
Moreover, SayPM introduced a new clause in its application which gives the company the
sole rights to share user data with any third party for any purpose linked to its business which
is arbitrary and violates the rights of more than 1,00,00,000 users of SayPM across the
country. In the landmark Vishaka v State of Rajasthan 9, the Supreme Court issued detailed
guidelines for the protection of the fundamental rights of working women under Articles 14,
19 and 21. These guidelines were issued for mandatory adoption by all workplaces, which
include both State and non-State actors. This case indicates that the Supreme Court has not
restricted the issuance of writs and enforcement of fundamental rights against the State only.
There thus exists the possibility of enforceability of fundamental rights against private bodies
as well.
In Ram Jethmalani v. Union of India10 , the court observed that the notion of fundamental
rights, such as a right to privacy as part of right to life, is not merely that the State is enjoined
from derogating from them. It also includes the responsibility of the State to uphold them
against the actions of others in the society, even in the context of exercise of fundamental
rights by those others.11The ICCPR casts an obligation on states to respect, protect and fulfil
its norms. The duty to protect mandates that the government must protect it against
interference by private parties.12
[1.3] ALTERNATIVE REMEDY CANNOT BE THE GROUND FOR REJECTING

PETITION.
Objective of Article 22613 is to rectify an instance of grave injustice. The fact that aggrieved
party has another adequate remedy may be taken into consideration but it is not the rule of
law. It is a rule of policy, convenience and discretion. 14 It is again held in the case of A.V
7 Moot Proposition, ¶ 9.
9 Vishaka v. State of Rajasthan, (1997) 6 SCC 241.
10 Ram Jethmalani v. Union of India, (2011) 8 SCC 1.
11 Id. 35, 36.
12 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, 127.
13 INDIA CONST. art. 226.
14 State of Uttar Pradesh v. Mohd. Nooh, AIR 1958 SC 86.
2
Venkateswaran v R.S. Wadhwani that “The rule that when there is an adequate alternative
remedy, the High Court will not interfere under Article 226 is only a rule of discretion and not
a rule of law.”15 But where the alternative remedy is not appropriate and where the remedy is
not fully covered to challenge the election, a writ petition is maintainable. 16 The Court
observed that the rule of exhaustion of an alternative remedy is not one that bars the
jurisdiction of court, but it is a rule which courts have laid down for the exercise of their
discretion.17 To be an alternative remedy, it must be equally adequate or efficacious so that
qualitatively and quantitatively the same relief would be given to redress the injury of
petitioner.18
In the present case, fundamental right of privacy of the citizens of Narnia is at stake and there
is no sufficient alternative remedy available. There is no dedicated law to completely address
the issue of data protection and data privacy and laws which are claimed by the govt. to
safeguard the privacy of the citizens such as IT Act 2000, TRAI, Narnian Penal Code are not
sufficient to enforce the fundamental rights of the citizens of Narnia and therefore this
petition cannot be rejected on the grounds of available alternative remedy. The significant
point to note is that under article 226, the power of a High Court is not confined only to issue
of writs; it is broader than that for a High Court can also issue any directions to enforce any
of the Fundamental Rights or “for any other purpose”. In a number of cases, courts have issue
directions rather than writs.19
[1.4] SAYPM SHOULD BE ALLOWED TO BE A PARTY TO THE SAID WRIT

PETITION.
In the present case, the government asked for the user data from the private company of
SayPM and the nexus between the two resulting in compromise of any citizen’s personal data
needs to be scrutinised. Thus making SayPM a necessary party in this writ petition for which
SayPM should be allowed to be a party to the said writ petition.
The SC held in one of its judgement that a necessary party is one without whom no effective
order can be made. The question is whether the presence of a particular party is necessary in
order to enable the Court effectively and completely to adjudicate upon and settle all the
15 A.V. Venkateswaran v. R.S. Wadhwani, AIR 1961 SC 1506.

16 Bar Council of India v. Surjeet Singh, AIR 1980 SC 1612.
17 State of Uttar Pradesh v. Indian Hume Pipe Co. Ltd., (1977) 2 SCC 724.
18 Ahmedabad Cotton Mfg. Co. v. Union of India, AIR 1977 (Guj.) 113.
19 Swayamber Prasad v. State of Rajasthan, AIR 1972 (Raj.) 69; Gujarat State Financial Corporation v. Lotus
Hotel, AIR 1983 SC 848; Air India Statutory Corporation v. United Labour Union, AIR 1997 SC 645, 680.
3
questions which are involved in the writ petition.20 In another judgement, the apex court held
that a proper party is one, in whose absence, an effective order can be made but whose
presence is considered proper for a complete and final decision on the question involved in
the proceeding.21
Power under article 226 can be exercised by the High Courts to reach injustice wherever it is
found.22 The relief claimed by the petitioner is not a relief claimed against a private party
only. He is aggrieved by inadequacy of law laid down by the Parliament and ineffectiveness
of the machinery for enforcement of such laws in the circumstances of the present case as the
law and machinery are not ensuring protection of fundamental right of privacy of the citizens
of Narnia as submitted in foregoing paragraph. He has a grievance against the Parliament and
the Central govt. and both these institutions are ‘state’ within the meaning of Art. 12 of the
Constitution.
2. THE GOVT. AND SAYPM HAVE ACTED IN COLLUSION TO BREACH THE

PRIVACY OF THE CITIZENS OF NARNIA.
It is humbly submitted before the Hon’ble Court that the SayPM and Govt. of India have
acted in collusion in several instances and thereby breached the privacy of the citizens of
Narnia.
[2.1] THE GOVT. AND SAYPM HAVE ACTED IN COLLUSION.

In the present case, there has been many instances which show that Govt. and SayPM have
nexus and thus acted in collusion.
[2.1.1] Banners during demonetization: During demonetization, SayPM advertised heavily by

putting billboards and print adverts containing the Prime Minister’s photograph which read
“SayPM congratulates the Prime Minister of Narnia for taking the boldest financial decision
in the history of independent Narnia”.23
The Section 324 of the Emblems and Names (Prevention of Improper Use) Act 251950 clearly
provides that no person shall use or continue to use any name or emblem for the purpose of
any trade, business, calling or profession without the previous permission of the central
20 A. Janardhana v. Union of India, AIR 1983 SC 769.

21 General Manager v. A.V.R. Siddhanti, AIR 1974 SC 1755; A. Janardhana v. Union of India, AIR 1983 SC
769.
22 Secretory O.N.G.C. Ltd. v. V.U. Warrier, (2005) 5 SCC 245.
24 The Emblems and Names (Prevention of Improper Use) Act, 1950, § 3, No. 12, Acts of Parliament, 1950.
25 The Emblems and Names (Prevention of Improper Use) Act, 1950, No. 12, Acts of Parliament, 1950.
4
government. This law suggests that written permission is required. The law provides that
“any person who contravenes the provisions of Section 3 shall be punishable with fine, which
may exceed to Rs 500”. It is highly unlikely that this brand campaign would have occurred
without some sort of informal agreement or at the very least prior intimation on the part of
SayPM. Despite of the law, the Govt. didn’t issue any notice to SayPM under the Emblems
and Names (Prevention of Improper Use) Act 26 of 1950, which bars use of Prime Minister’s
name and picture for commercial use and no fine was imposed. The government’s decision
benefitted digital wallet company like SayPM and its image and services were also boosted
by the government’s direct campaign to promote cashless transactions and therefore SayPM’s
action of advertising with PM’s photograph was more like a thanksgiving gesture and not
something done to boost nationalist feeling as claimed by SayPM. 27 Govt.’s non-action for
this act of SayPM only indicates towards their collusion.
[2.1.2]Sting operation video release: A non-profit news website AnacondaPole in its

investigation arranged a meeting with SayPM’s 2/6 director, Mrs. Money Bag who’s also the
wife of the founder of SayPM. Mrs. Money Bag, during the meeting, revealed that the
company had some association with the ruling party of Narnia 28. AnacondaPole released the
transcripts and video clips of Mrs. Money Bag in which she is clearly stating that the e-wallet
company received a call from the PMO demanding some user data, right before general
elections in Narnia.29 She told that Prime Minister’s book Chai Time Tales is being sold on
their platform and for the upcoming elections, they wanted information regarding the sale and
popularity of the book with some other information also.30 SayPM responding to this claim
posted on its official social media profile that “There is absolutely NO TRUTH in the
sensational headlines of a video doing rounds on social media. Our user data is 100% secure
and had never been shared with anyone, except law enforcement agencies on request.” 31 The
point of contention is that SayPM never challenged the authenticity of the video itself, only
the claim. And it has also not explicitly commented on the alleged request from the PMO.
All these instances clearly indicates towards the collusion of Govt. and SayPM, and imposes
imminent threat on the infringement of right to privacy of citizens of Narnia.
26 Id.
5
[2.2] RIGHT TO PRIVACY OF CITIZENS OF NARNIA HAVE BEEN BREACHED.

It is humbly submitted before the Hon’ble Court that the Right to Privacy is protected as an
intrinsic part of the right to life and personal liberty under Article 21 and as a part of the
freedoms guaranteed by Part III of the Constitution, as held by the Supreme Court in the
recent case of Justice K.S Puttaswamy (Retd.) v. Union of India 32 and hereby govt. asking
SayPM for user data right before general elections, SayMo sharing its user data with foreign
companies for data analytics and SayPM’s revised privacy policy’s new clause is in violation
of this fundamental right.
The recognition of privacy as a fundamental constitutional value is a part of Narnia’s

commitment to a global human rights regime. The state is required to endeavour to “foster
respect for international law and treaty obligations in the dealings of organized peoples with
one another”33. In pursuance of this, many cases 34 have adverted to international conventions
like UDHR35 and ICCPR36 which establish privacy as an inherent and universal right and
confer “protection against arbitrary and unlawful interference with a person’s privacy, family
and home’, in a manner which harmonizes the fundamental rights contained in Articles 14, 19
and 21 with Narnia’s international obligations.” In the Puttaswamy case, Justice Nariman
linked the three aspects of privacy (informational privacy, privacy of choice, and bodily
integrity)37 with the preamble (which guarantees dignity, fraternity, and democracy)38.
Hence, it is humbly submitted before the Hon’ble Court that the SayPM sharing its user data
with PMO right before the general elections, SayMo sharing its user data with foreign
companies for data analytics and inclusion of the new clause in SayPM’s revised privacy
policy leads to a violation of these three aspects of privacy- informational privacy including
right to be let alone, right to bodily integrity and dignity, and privacy of choice and personal
autonomy.
[2.2.1] Violation of informational privacy: Informational privacy does not deal with a
person’s body but deals with a person’s mind, and therefore recognizes that an individual may
32 Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1; R. Rajagopal v. State of Tamil Nadu, (1994) 6
SCC 632; People's Union for Civil Liberties v. Union of India, (1997) 1 SCC 301; State of Maharashtra v.
Bharat Shanti Lal Shah, (2008) 13 SCC 5; Kharak Singh v. State of Uttar Pradesh, (1964) 1 SCR 332 (Minority
judgement by Subba Rao).
33 INDIA CONST. art. 51, cl. c.
34 National Legal Services Authority v. Union of India, (2014) 5 SCC 438; Subramanium Swamy v. Director,
Central Bureau of Investigation, AIR 2014 SC 2140.
35 Universal Declaration of Human Rights, 1948, art. 12.
36 International Covenant on Civil and Political Rights, 1966, art. 17.
37 Supra note 6.
6
have control over the dissemination of material that is personal to him. Unauthorized use of
such information may, therefore lead to infringement of this right.39 In the instant case,
SayPM shares its customers’ user data with PMO without informing the users and includes a
new clause in its privacy policy which compels its customers to agree to the term of SayPM
sharing their data on its sole discretion with any third party in order to avail its services. This
leads to an infringement of right to have control over dissemination of personal data of the
Narnians.
SayMo, the Prime Minister’s own mobile application transferred user data to few foreign
companies for data analytics.40
The new clause41 of SayPM’s privacy policy reflects its mandatory nature which makes
informed consent illusory. Moreover, the new clause allows SayPM to share the various
sensitive data42 it collects from its customers for any purpose linked to the business of SayPM
with any third party, which is unjust, unfair and unreasonable. Further, blocking the account
of those who did not consent to the said new clause and not providing them the option to opt-
out from its services reflects the arbitrary approach. Moreover, a solely consent-based model
does not entirely ensure the protection of one’s data, especially when data collected for one
purpose can be repurposed for another.43
In the SC case of Canara Bank 44 , in the view of the Court, even if the documents cease to be
at a place other than in the custody and control of the customer, privacy attaches to persons
and not places and hence the protection of privacy is not diluted45. The decision in Canara
Bank has thus important consequences for recognising informational privacy.46
As legal rights were broadened, the right to life had “come to mean the right to enjoy life –
the right to be let alone”47. In R. Rajagopal v. State of Tamil Nadu 48 , the Court observed that-
39 National Legal Services Authority v. Union of India, (2014) 5 SCC 438, 449; District Registrar and
Collector, Hyderabad v. Canara Bank, AIR 2005 SC 186.
43 Yvonne McDermott, Conceptualizing the right to data protection in an era of Big Data, 4 Big Data and
Society (2017).
44 District Registrar and Collector v. Canara Bank, (2005) 1 SCC 496.
46 Id. 67.
47 Supra note 6.
48 R. Rajagopal v. State of Tamil Nadu, (1994) 6 SCC 632; Whalen v. Roe, 429 U.S. 589 (1977); Justice K.S.
Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, 445.
7
“...the right to privacy is implicit in the right to life and liberty guaranteed to the citizens of
this country by article 21. It is alright to be let alone.”
Therefore, SayMo transferring user data with foreign companies for data analytics, SayPM
sharing user data with PMO without informing users and further including a new clause to
deal with growing controversies around its data sharing policy specifically violates the right
to informational privacy i.e., an aspect of right to be let alone of the people of Narnia, owing
to its mandatory and arbitrary approach.
[2.2.2] Violation of privacy of choice and personal autonomy: SayPM is now a diversified e-
commerce company with more than 10, 00,000 registered merchants and more than 1, 00,
00,000 users across the country making it indispensable for Narnia’s shoppers. It has become
akin to a necessary public utility in Narnia. The choice between accessing benefits and losing
privacy is a false choice, because it requires them to choose between a privilege that is
essential for their livelihood, and a fundamental right. The Preamble chapter on Fundamental
Rights and Directive Principles accords right to livelihood contained within the meaning of
right to life as a meaningful life, social security and disablement benefits are integral schemes
of socio-economic justice to the people.49
Article 21 guarantees the protection of “personal autonomy”50 and hence the ability of an
individual to make choices lies at the core of the human personality. 51 By depriving the
people of their ability to choose, the government of Narnia and SayPM are severely
infringing on the right to life of their people.
PMO asking SayPM for user data and transferring PM’s own mobile application SayMo’s
user data to foreign companies for data analytics does not provide a choice to the users nor
they are informed before sharing such data. Blocking of the user account on not consenting to
the new clause without deleting the information of such users is also arbitrary. This means
once an individual open an account in SayPM, his/her private information remains in the
database for life and he/she does not have a choice and the right to opt out even if there is no
desire to have their information stored, violating right to choose and personal autonomy of
Narnians. Further, Rule 5(7)52 of the IT Act requires that the individual must be provided with
49 L.I.C. of India v. Consumer Education and Research Centre, (1995) 5 SCC 482; Olga Tellis v. Bombay
Municipal Corporation, (1985) 3 SCC 545.
50 Anuj Garg v. Hotel Association of India, (2008) 3 SCC 1.
51 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
52 The Information Technology (Reasonable security practices and procedures and sensitive personal data or
information) Rules, 2011, rule 5 (7).
8
the option of ‘opting out’ of providing data or information sought by the body corporate and
must have the right to withdraw consent at any point of time. Whereas in the present, SayPM
and SayMo does not provide an opt-out provision and also does not provide an option to
withdraw consent at any point of time.
Therefore, it is most humbly submitted that SayPM and SayMo are devoid of an option to
opt-in or opt-out which violates the right to choose and personal autonomy under Article 21,
of the people of Narnia.
[2.3] ASKING USER DATA FROM SAYPM AND TRANSFERRING SAYMO’S USER
DATA TO FOREIGN COMPANIES BY PMO IS NOT REASONABLE RISTRICTION
ON RIGHT TO PRIVACY UNDER ARTCLE 21.
In the context of Article 21, an invasion of privacy must be justified on the basis of a law
which stipulates a procedure which is fair, just and reasonable. The law must also be valid
with reference to the encroachment on ‘life and personal liberty under Article 21’. A
restriction on life and personal liberty must meet the three-fold requirement as laid down by
Justice Chandrachud53: (i) legality, which postulates the existence of law; (ii) need, defined in
terms of a legitimate state aim and; (iii) proportionality, which ensures a rational nexus
between the objects and the means adopted to achieve them.
In this case, SayMo’s data transferring to foreign companies for data analytics and PMO
asking for user data from SayPM neither has any legitimate state aim nor is it proportional
which clears the fact that these acts does not fall into reasonable restrictions which can be
imposed on the fundamental right to privacy under art. 21 of the Narnian Constitution.
3. THE DATA MINING BY SAYPM AND SHARING IT WITH ANY THIRD PARTY
IS NOT PERMISSIBLE.
It is humbly submitted before the Hon’ble High Court that data mining by SayPM and
sharing it with any third party, PMO or any third party as mentioned in the new clause, is not
in compliance with the Information Technology (Reasonable security practices and
procedures and sensitive personal data or information) Rules 2011 54, Information Technology
Act 200055 and the Data Protection Bill 201856, and thus is not permissible.
53 Rai Ramakrishna v. State of Bihar, AIR 1963 SC 1667.

54 Information Technology (Reasonable security practices and procedures and sensitive personal data or
information) Rules, 2011, http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf.
55 Information Technology Act, 2000, No. 21, Acts of Parliament, 2000.
56 Data Protection Committee Report, 2018,
http://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.
9
In Justice Puttaswamy (Retd.) v. Union of India57, it is held that every transaction of an

individual user and every site that she visits, leaves electronic tracks generally without her
knowledge. These electronic tracks contain powerful means of information which provide
knowledge of the sort of person that the user is and her interests.58 Data mining is sorting
through large data amounts for useful information and it can generate information other than
that was provided. The Telecom Regulatory Authority of India (TRAI) in its recent
recommendations, had stated that each user owns his data and the entities processing such
data are mere custodians.59
The IT Rules, 201160 only deals with protection of "Sensitive personal data or information of
a person", which includes such personal information which consists of information relating
to:- Passwords; Financial information such as bank account or credit card or debit card or
other payment instrument details; Physical, physiological and mental health condition; Sexual
orientation; Medical records and history; Biometric information. 61 These rules62will apply in
the instant case because SayPM collects various sensitive data from its customers, such as
their bank account credit and debit card details and it also tracks customers’ usage pattern to
make targeted advertisements to them.63
Rule 6(1)64 of IT Rules, 2011 states that disclosure of information by body corporate to any
third party shall require prior permission from the provider of the information unless such
disclosure has been agreed to in the contract between the body corporate and the provider of
the information. And in the present case, SayPM did not take prior permission when call from
PMO came. Rule 5(7)65 of IT Rules, 2011 states that the provider of information shall, at any
time while availing the services or otherwise, also have an option to withdraw its consent
given earlier to the body corporate. SayPM while introducing the new clause in its revised
57 Supra note 6.
58 Francois Nawrot, Katarzyna Syska & Przemyslaw Switalski, Horizontal application of fundamental rights –
Right to privacy on the internet, 9th Annual European Constitutionalism Seminar (May 2010), University of
Warsaw,
http://en.zpc.wpia.uw.edu.pl/wpcontent/uploads/2010/04/9_Horizontal_Application_of_Fundamental_Rights.pd
f.
59 Pankaj Doval, Consent must for collection, sharing of personal data: Panel, The Times of India,
http://timesofindia.indiatimes.com/articleshow/65171122.cms?
utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst.
60 Supra note 54.
61 Id. Rule 3.
information) Rules, 2011.
10
privacy policy nowhere provided to its customers the opt-out option or any revocation of
consent option which is again is in non-compliance with the law of the land. Even if the
customers agree to the new clause, it would amount to waiver of their fundamental right to
privacy which is not permissible. Justice NH Bhagwati and Justice Subba Rao expressed their
views in Basheshsar Nath v. CIT66 that the fundamental rights enshrined in Part-III of the
Constitution are absolutely inviolable and cannot be waived by a citizen. 67 Moreover, the new
clause amounts to material alteration for the existing customers.
The proposed Data Protection Bill 201868 essentially makes individual consent central to data
sharing.69Unless you have given your explicit consent, your personal data cannot be shared or
processed. Consent needs to be informed, consent needs to be specific, consent must be clear,
and consent needs to be capable to being withdrawn as easily as it was given. 70 SayPM,
however took consent in its revised privacy policy by introducing the new clause but the
consent was not free but only illusory because the customers had no other option then
agreeing to the clause in order to continue using SayPM. Since SayPM occupied the largest
chunk in the market, it became akin to a necessary public utility in Narnia 71 and not agreeing
to the new clause would be a great loss for the existing customers as they would be barred
from using the application and their money will also be blocked. 72 Next, the draft bill also
states that any person processing your personal data is obligated to do so in a fair and
reasonable manner.73 In other words, your data should be processed only for the purposes it
was intended for in the first place. And the clause added by SayPM states that the data will be
used for any purpose linked to the business of SayPM which makes it ambiguous. The
committee has also laid down steps that guard against personal profiling of individuals and
uninformed harvesting of data by third-party applications, something that occurred in the data
leak case involving facebook and Cambridge analytica.74
66 Basheshsar Nath v. Commissioner of Income Tax, AIR 1959 SC 149.

67 Id. ¶ 12.
68 Data Protection Committee Report, 2018,
69 Id. 32.
70 Id. 36.
73 Data Protection Committee Report, 2018, 51.
74 Supra note 69.
11
There are provisions for penalties for non-compliance with the rules and the law in Data
Protection Bill75 as well as IT Act 200076. In light of the above arguments, the counsel humbly
submits that the data mining by SayPM and sharing it with any third party is not in
compliance with the existing laws of Narnia and thus not permissible.
4. THE PROVISIONS OF IT ACT AND OTHER ACTS HAVE BEEN VIOLATED.

It is humbly submitted that the IT Act and other acts have been violated.
[4.1] IT ACT: The Information Technology (Amendment) Act, 2008 inserted Section 43A in
the IT Act and the Central Government, in exercise of the powers conferred by clause (ob) of
sub-section (2) of Section 87 read with Section 43A of the IT Act, 2000 notified the
data or information) Rules, 201177 (hereinafter referred to as the "2011 Rules").
Section 43A78 of the IT Act explicitly provides that whenever a corporate body possessing,
dealing or handling any sensitive personal data or information which includes “Financial
information such as bank account or credit card or debit card or other payment instrument
details”, which it owns, controls or operates, is negligent in implementing and maintaining a
reasonable security practices and procedures to protect such data or information, which
thereby causes wrongful loss or wrongful gain to any person, then such body corporate shall
be liable to pay damages to the person(s) so affected.
The only condition is that such body corporate must be engaged in commercial or
professional activities. Rule 4 of 2011 Rules provides that the body corporate shall provide
privacy policy for handling the information and sensitive personnel data. Such policy shall be
published on the website of the body corporate. According to Rule 5 the body corporate shall
obtain consent in writing through letter etc., before collection of such information. And shall
use the information for the purpose for which it has been collected. It shall keep such
information secure as provided in Rule 8. Rule 6 lays down an important condition that any
disclosure of information to third party shall require prior permission from any provider of
such information. The government agency shall also state that the information so obtained
shall not be published or shared with any other person. Rule 7 provides that a body corporate
75 Data Protection Committee Report, 2018, 163,

76 Information Technology Act, 2000, No. 2, Acts of Parliament, 2000 (India).
77 Notification by Department of Information Technology,
http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf.
78 Information Technology Act, 2000, § 43A, No. 21, Acts of Parliament, 2000.
12
or any person on its behalf may transfer information to any other body corporate or person in
India or located in any other country, which ensures the same level of data protection that is
adhered to by the body corporates as provided for under these rules. The transfer may be
allowed only if it is necessary for the performance of the contract.79
SayPM which is an electronic payment system and digital wallet company which has access
to the personal information of its users is unable to devise a proper and focused privacy
policy and instead abusing them by inserting arbitrary clauses. It was also heard that the
company has shared some information with the PM office. The consent should be an
informed one so that customers are aware as to how their information is being used.
Section 72A80 provides for the punishment for disclosure of information in breach of lawful
contract and any person may be punished with imprisonment for a term not exceeding three
years, or with a fine not exceeding up to five lakh rupees, or with both in case disclosure of
information is made in breach of lawful contract. The two important ingredients to be
fulfilled are:- (i) without the consent of the person concerned under section 72, or (ii) with the
intention or knowledge of causing wrongful loss or wrongful gain in breach of contract under
section 72 A.81
SayPM didn’t acquire the consent of the users as there might be a possibility that they are not
aware of what they are consenting for and have mechanically pressed the “I Agree” button.
After this, by inserting such an arbitrary and abusive clause they are bullying their users to
give their consent which is not out of their free will but because they are left with no choice.
The company will be wrongfully gaining by using their user data.
Section 6982 of the IT Act states that only if “sovereignty or integrity of India, the security
and defence of the State, friendly relations with foreign states or public order” is in danger
“or for preventing incitement to the commission of any cognisable offence” can websites or
mobile apps share details with any government agency. But, as per the section 69 of the IT
Act, the reasons for sharing personal details have to be “recorded in writing, by order.”
SayPM said that they shared the information with law enforcement agencies but they did not
reveal the names as to whom they shared the user data information with and for what
79 S.R. BHANSALI, COMMENTARY ON THE INFORMATION TECHNOLOGY ACT 16 (2015).

80 Information Technology Act, 2000, § 72A, No. 21, Acts of Parliament, 2000.
81 S.R. BHANSALI, COMMENTARY ON THE INFORMATION TECHNOLOGY ACT 315 (2015).
82 Information Technology Act, 2000, § 69, No. 21, Acts of Parliament, 2000.
13
purpose. A proper procedure has to follow when the information is shared with the third
party. One cannot do that if the other party is requesting for it. The Prime Minister’s own
mobile application (SayMo) transferred user data to few foreign companies for data analytics
which indicate that there might be misuse of data when shared with the government.
[4.2] Narnian Penal Code: Section 40583 of I.P.C. refers to “property” and not “movable
property”, hence, the word “property” is not restrictive. Therefore, ‘data’ would be covered
within the ambit of “property” in Section 405 of I.P.C. and thus any such act would attract a
penalty of imprisonment up to 3 years, or fine, or both, under this section. This section
penalizes Data Criminals from the independent contractors (Call Centers etc.) to whom Data
may be entrusted in the course of business for carrying out specific tasks /assignments.
[4.3] Regulations by Telecom Regulatory Authority of Narnia: A general data protection law
is notified by the Government, the existing Rules/ License conditions applicable to TSPs for
protection of users’ privacy be made applicable to all the entities in the digital ecosystem.
Breach of any of these terms can result in the license of the TSPs being suspended or
terminated.
TRAN released its recommendations84 on the subject titled ‘Privacy, Security and Ownership
of Data in the Telecom Sector’ which are applicable for apps, browsers, operating systems
and handset makers. In its recommendations, TRAN said that individual users owned their
data, or personal information, and entities such as devices were "mere custodians” and do not
have primary rights over that information. Terming the existing data protection framework as
inadequate, TRAN said that companies should not use meta-data to identify users and should
disclose any data breaches.
SayPM is the mere custodian of the information provided by the users but by inserting the
clause they are absolving themselves from all the obligations as they can now act according
to their discretion.
[4.4] Reserve Bank of Narnia: RBN has directed all payment system operators in the country
to store data within India to ensure safety and security of users' information. It is observed
that not all system providers store the payments data in India. In order to ensure better
monitoring, it is important to have unfettered supervisory access to data stored with these
system providers as also with their service providers / intermediaries/ third party vendors and
83 The Indian Penal Code, § 405, No. 45, Acts of Parliament, 1860.
84 Recommendations on Privacy, Security and Ownership of the data in Telecom Sector,
https://www.trai.gov.in/sites/default/files/RecommendationDataPrivacy16072018_0.pdf.
14
other entities in the payment ecosystem. It has, therefore, been decided that: All system
providers shall ensure that the entire data relating to payment systems operated by them are
stored in a system only in India. This data should include the full end-to-end transaction
details / information collected / carried / processed as part of the message / payment
instruction. For the foreign leg of the transaction, if any, the data can also be stored in the
foreign country, if required. System providers shall submit the System Audit Report (SAR)
on completion of the above requirement.85
By inserting the clause, they want to act according to their sole discretion as to any decisions
to taken for the users’ data.
5. EXISTING LAWS OF NARNIA ARE NOT SUFFICIENT TO SAFEGUARD AND

SECURE THE PRIVACY OF CITIZENS.
It is humbly submitted before the Hon’ble High Court that the ITR 2011 suffer from
ambiguity vis-à-vis its ambit and extent as discussed infra. The main objective of these Rules
was to impose restrictions on businesses with regard to handling of personal data. In order for
these Rules to meet its end, the term “sensitive personal data” should have been defined more
stringently. Instead, only a mere list of the constituents of the term is prescribed under Rule 3.
It can be observed here that clauses (vii) and (viii) appear to be of a very broad character. The
importance of a precise definition of ‘sensitive personal information’ is paramount as clauses
of such broad interpretation add to the ambiguity of the scope of not only these rules but also
of Section 43A. In order for this clause to be clearer, the definition could be amended to
include inter alia, “information which is capable of personally identifying a person,
individually or when aggregated”.86
A need for distinction between Personal Data and Sensitive Personal Data: The absence of a
distinction between the two concepts seems to be an important point in illustration with
respect to the difference between Indian Data Privacy Laws and its UK counterpart, the Data
Protection Act, 1998. The latter makes a definite distinction between the two concepts and
has prescribed separate rules for handling the two different data. The Indian Rules, on the
other hand, fails to recognize different levels of stringency with regard to collection, transfer,
disclosure and handling of “Personal Data” and “Sensitive Personal Data”.
85 Notifications on Storage of Payment System Data, https://www.rbi.org.in/scripts/NotificationUser.aspx?

Id=11244&Mode=0.
86 Apar Gupta, Comments on Draft Sensitive Personal Information Rules, India Law and Technology Blog,
https://iltb.net/comments-on-draft-sensitive-personal-information-rules-da110e9c1f1c.
15
Retention of Data: Rule 5 spells out that the information should not be retained for a period
longer than what is required to carry out the object for which it was collected and the
information should be kept secure. Although it states that the body corporate cannot retain
any information for longer than is required.87 The contention of including a retention period is
justified because more often than not websites hold archival data. Hence, it is imperative that
the rules contain such provisions that would also include a procedure to delete and destroy
the data making retrieval impossible.88
Collection of Information: Rule 5 deals with the collection of sensitive personal data or
information. It states inter alia that a body corporate has to first obtain consent in writing
through letter, fax or email, from the provider of such information, regarding purpose of
usage, before collection of such information. The consent must be informed, explicit and
freely given.
In addition, Rule 5(3), falling in line with Article 6 89 of the EU directive, says that the body
corporate or any person on its behalf shall take such steps “as are, in the circumstances,
reasonable”90 to ensure that the person concerned is aware of the fact that the information is
being collected, the purpose for which it is being collected, the recipients of such
information, etc. The phrase in Rule 5(3) uses convoluted language instead of using simple
phrases like “take reasonable steps”-reasonableness has generally been interpreted by courts
contextually.91 The Supreme Court in Water Supply and Sewage Board v. Unique Erectors
(Guj)92 has observed that “in law, prima facie meaning of reasonable in regard to those
circumstances of which the actor, called upon to act reasonably, knows or ought to know”.
Disclosure of Information: Rule 6 states that prior permission of the provider of information
has to be obtained before disclosure is made to a third party and any third party receiving
such information is not entitled to disclose it further.93 If the information of a person is being
transferred to a third party for a different purpose, it looks to be right to be done only with the
knowledge of the data subject. It does not suffice if the provider of information, who may be
a party other than the data subject, to grant consent for the same. This may lead to a misuse of
88 Supra note 1.
89 E.U. Directives, art. 6.
90 Water Supply and Sewage Board v. Unique Erectors, AIR 1989 SC 973.
91 Prashant Iyengar, Privacy and the Information Technology Act in India, S.S.R.N.
92 Supra note 7.
16
information in three party cases. The Schedule 2 of the Data Protection Act, 1998 94 specifies
that the consent of the data subject is essential for the transfer of information wherein the
“data subject” has been defined as ‘an individual who is the subject of personal data’. This
concept must be incorporated into these Rules in question.
Disclosure of Sensitive Personal Data to the Government: Rule 6 enables the government to
access any sensitive personal data, maintained by the body corporates under law, for several
purposes including detection and investigation of crimes, cyber incidents, prosecution,
punishment for offences, etc.95 It is thus apparent that the government has the power to obtain
sensitive personal information of individuals from body corporates without a warrant or the
concerned person’s consent. With an enforcement of such a rule, the body corporates may
willingly give away such information in order to avoid prosecution. The government has, in
this regard, given itself the “master key” and there are no checks on this power despite the
fact that the government has to make a written request stating the purpose for seeking such
information.96 Thus, the rule raises issues of personal privacy infringement.
In the Naz Foundation Case97, it was found that the State cannot invade the privacy of citizens
based solely on consideration of ‘public morals’. The court also said that the “right to privacy
has thus been held to protect a private space in which man may become and remain
himself”.98
With respect to information in public domain, the Supreme Court, in the case of Rajagopal
alias Gopal v. State of Tamil Nadu 99 held that there is no protection for personal information
in public records, and protection of privacy for persons who have voluntarily placed
themselves in the public eye is reduced. Vishwanathan considers that the Supreme Court ‘in
Rajagopal, for the first time, articulated the twin pillars of privacy law in India’.
[5.1] Remedies to be requested.

The object of any statute or rule is to prevent mischief and promote the object. The virtue of a
statute or rule is certainty and clarity as opposed to ambiguity and vagueness. The quality of
any statute or rule has to be judged on these yardsticks.
94 Data Protection Act, 1998, schedule 2, https://www.legislation.gov.uk/ukpga/1998/29/schedule/2.

96 P.R.S. Legislative Research, www.prsindia.org/.
97 Naz Foundation v. Government of N.C.T. of Delhi, (2009) 3 CCR 1.
98 Id. ¶ 40.
99 Rajagopal Alias Gopal v. State of Tamil Nadu, (1994) 6 SCC 632.
17
Law enforcement agencies requesting data from Indian online service providers primarily
rely on a legacy framework in the CrPC 1973 that was never meant to request electronic data.
An investigating officer, to obtain data from an Indian service provider for the purposes of an
investigation, usually produces a written order under Section 91 100 of the CrPC to the person
in possession of the “document or thing.” Companies have identified procedural requirements
that police agencies need to adhere to. These include the requirements for a request to come
from an authorised government email id, with the appropriate letterhead and containing the
relevant sections under which the crime is being investigated. Even for the purpose of
investigation there is a law enforcement procedure is listed in order to access data, hence
there is a definite need of law when data is being demanded for other purposes.
The European Union in May 2018 brought into effect new privacy regulations in the bloc,
forcing companies to be more attentive to how they handle customer data, while bringing
consumers new ways to control their data and tougher enforcement of existing rights.101
The Data Protection Bill 2018 has also been unable to recognise all concerns of the public. It
does not allow Indians to ask companies to completely delete data they have shared, an
accepted practice in the EU. The “right to be forgotten” suggested in the bill only allows
individuals to restrict companies from using their data. The bill fails to hold the state
accountable in any meaningful way for the processing of personal data or sensitive personal
data,” says Nayantara Ranganathan of the Internet Democracy Project. “The government has
been given some excuses to process personal data, and some of these are under weak
standards of ‘necessity’ and ‘any breakdown of public order’. While the draft bill gives
individuals greater control of their data, it still gives the government enough leeway to access
this.
Till the Data Protection Bill comes into force, there is a need of an injunction upon the clause
so that the users don’t have to compromise upon their privacy of data. Also, there is a dire
need for new laws and regulations to be formed and implemented under section 87 102 of the
IT Act so that our laws can be at par with other countries and secure our users’ rights.
100 The Code of Criminal Procedure, 1973, § 91, No. 2, Acts of Parliament, 1974.
101 India’s telecom regulator recommends stricter data security rules, Reuters,
https://www.reuters.com/article/us-trai-dataprivacy-recommendations/indias-telecom-regulator-recommends-
stricter-data-security-rules-idUSKBN1K61X1.
102 Information Technology Act, 2000, § 87, No. 21, Acts of Parliament, 2000.
18
PRAYER
Wherefore in the light of the facts of the case, issues raised, arguments advanced and
authorities cited, may this Hon’ble court may be pleased to adjudge and declare that:
1. The PIL by the way of writ petition under article 226 is maintainable.
2. The right to privacy under article 21 of the citizens of Narnia have been breached.
3. The provisions of IT Act 2000 have been breached.
4. Issue a writ of mandamus so as to:
 Direct the govt. to frame or amend rules for the protection of privacy rights.
 Direct CIA to investigate any nexus between the Govt. and SayPM.
 Pass an injunction for the new clause added by SayPM until new Data
Protection laws are implemented.
 Direct govt. to make new rules under section 87 of the IT Act, 2000.
And pass any other order in favour of the petitioners that it may deem fit in the interest of
justice, equity and good conscience.
SD/-
Counsel for Petitioner.
13

PETITIONER

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

PETITIONER

Încărcat de

Drepturi de autor:

Formate disponibile

Memorial on behalf of the Petitioner

Team Code: TN - 321

3 RD SYMBIOSIS LAW SCHOOL HYDERABAD, NATIONAL MOOT COURT COMPETITION -

THE HON’BLE HIGH COURT OF CITY OF JOY

WRIT PETITION UNDER ARTICLE 226 OF THE CONSTITUTION OF NARNIA

W.P. No. ______/2018

MR. TRUE LIES.............................................................................................................................PETITIONER

SAYPM AND GOVERNMENT...................................................................................................RESPONDENT

WRITTEN SUBMISSION ON BEHALF OF THE PETITIONER

1. THE PIL FILED UNDER ARTICLE 226 OF THE CONSTITUTION OF NARNIA IS

[1.1] THE PETITIONER HAS A LOCUS STANDI.................................................................1

[1.2] THERE IS VIOLATION OF FUNDAMENTAL RIGHT.................................................1

[1.3] ALTERNATIVE REMEDY CANNOT BE THE GROUND FOR REJECTING

[1.4] SAYPM SHOULD BE ALLOWED TO BE A PARTY TO THE SAID WRIT

2. THE GOVT. AND SAYPM HAVE ACTED IN COLLUSION TO BREACH THE

[2.1] THE GOVT. AND SAYPM HAVE ACTED IN COLLUSION........................................4

[2.1.1] Banners during demonetization:.................................................................................5

[2.1.2] Sting operation video release:.....................................................................................5

[2.2] RIGHT TO PRIVACY OF CITIZENS OF NARNIA HAVE BEEN BREACHED..........6

[2.2.1] Violation of informational privacy:............................................................................7

[2.2.2] Violation of privacy of choice and personal autonomy:.............................................8

4. THE PROVISIONS OF IT ACT AND OTHER ACTS HAVE BEEN VIOLATED...........12

[4.2] Narnian Penal Code.....................................................................................................14

[4.3] Regulations by Telecom Regulatory Authority of Narnia:..........................................14

[4.4] Reserve Bank of Narnia...............................................................................................15

5. EXISTING LAWS OF NARNIA ARE NOT SUFFICIENT TO SAFEGUARD AND

Disclosure of Sensitive Personal Data to the Government:..................................................17

[5.1] Remedies to be requested................................................................................................18

SERIAL NO. ABBREVIATION EXPANSION

State of Maharashtra v. Bharat Shanti Lal Shah, (2008) 13 SCC 5...........................................6

Secretory O.N.G.C. Ltd. v. V.U. Warrier, (2005) 5 SCC 245.....................................................4

Data Protection Act, 1998, schedule 2,

Notification by Department of Information Technology,

International Covenant on Civil and Political Rights, 1966, art. 17..........................................6

E.U. Directives, art. 6...............................................................................................................16

INDIA CONST. art. 226.............................................................................................................3

M.P. JAIN, INDIAN CONSTITUTIONAL LAW (10th ed. 2018).............................................1

Universal Declaration of Human Rights, 1948, art. 12..............................................................6

Data Protection Committee Report, 2018................................................................................10

I. WHETHER THE PIL FILED BY THE WAY OF WRIT PETITION UNDER

II. THE GOVERNMENT AND SAYPM HAVE ACTED IN COLLUSION AND

V. EXISTING LAWS OF NARNIA ARE NOT SUFFICIENT TO SAFEGUARD AND

1. THE PIL FILED UNDER ARTICLE 226 OF THE CONSTITUTION OF NARNIA IS

[1.1] THE PETITIONER HAS A LOCUS STANDI.

[1.2] THERE IS VIOLATION OF FUNDAMENTAL RIGHT.

[1.3] ALTERNATIVE REMEDY CANNOT BE THE GROUND FOR REJECTING

[1.4] SAYPM SHOULD BE ALLOWED TO BE A PARTY TO THE SAID WRIT

15 A.V. Venkateswaran v. R.S. Wadhwani, AIR 1961 SC 1506.

2. THE GOVT. AND SAYPM HAVE ACTED IN COLLUSION TO BREACH THE

[2.1] THE GOVT. AND SAYPM HAVE ACTED IN COLLUSION.

[2.1.1] Banners during demonetization: During demonetization, SayPM advertised heavily by

20 A. Janardhana v. Union of India, AIR 1983 SC 769.

[2.1.2]Sting operation video release: A non-profit news website AnacondaPole in its

[2.2] RIGHT TO PRIVACY OF CITIZENS OF NARNIA HAVE BEEN BREACHED.

The recognition of privacy as a fundamental constitutional value is a part of Narnia’s

53 Rai Ramakrishna v. State of Bihar, AIR 1963 SC 1667.

In Justice Puttaswamy (Retd.) v. Union of India57, it is held that every transaction of an

66 Basheshsar Nath v. Commissioner of Income Tax, AIR 1959 SC 149.

4. THE PROVISIONS OF IT ACT AND OTHER ACTS HAVE BEEN VIOLATED.

75 Data Protection Committee Report, 2018, 163,

79 S.R. BHANSALI, COMMENTARY ON THE INFORMATION TECHNOLOGY ACT 16 (2015).

5. EXISTING LAWS OF NARNIA ARE NOT SUFFICIENT TO SAFEGUARD AND

85 Notifications on Storage of Payment System Data, https://www.rbi.org.in/scripts/NotificationUser.aspx?