STATEMENT OF JURISDICTION

The petitioner humbly submits this memorandum for the petition filed before this Honourable
Court. The Honourable Court is vested with jurisdiction, to hear the present matter under Article
226 of the Constitution of India.

STATEMENT OF FACTS

For the sake of brevity and convenience of the Honourable Court the facts of the present case are
summarized as follows:

***** Be that as it may, it is a

1. Republic of Narnia is a democratic republic state, having a stable government.

2. SayPM is a Narnian electronic payment system and digital wallet company, founded by Mr.
Money Bag in January 2009. SayPM has international investors, such as Chinese e-commerce
giant, Forty-Thieves, and Japanese multinational holding cluster, HardBank. SayPM offers
online payment services such as mobile recharges, utility bill payments, flight tickets, movie
tickets, and event bookings, as well as in-store payments at various retail stores, restaurants,
parking, tolls, pharmacies and educational institutions.

3. SayPM, a diversified e-commerce company, having more than 10,00,000 registered merchants
and more than 1,00,00,000 users of , has become equivalent to a necessary public utility in
Narnia. With other options available, SayPM occupies the largest chunk in the relevant market
and there is no competitor who comes close.

...Its boom is closely linked to the ruling party's decision of demonetization that brought down
Narnia's GDP by 2.75%, whereas SayPM witnessed a 1000% increase in overall usage of its
services and 1500% growth in the value of money added to SayPM's accounts. *****Further,
SayPM congratulated PM for taking the boldest financial decision by .....displaying.... PM's
image in billboards which attracted various PILs.

4. It is contended that SayPM collects various sensitive data from its customers, such as their
bank account, credit and debit card details and uses the same to allow the customers to access its
e-payment services to run its business. It is here pertinent to mention that SayPM also tracks
customers' usage pattern to make targeted advertisements to them. In response, SayPM claims
that it follows the highest category of data security measures to protect its customer data and is in
compliance with all applicable laws. Customers of SayPM need to agree to a lengthy consent
form before they are allowed to use SayPM's services. Very often, consumers do not understand
the terms and conditions in the consent form and thus, mechanically press the “I Agree” button to
use the services.

4. AnacondaPole, a highly acclaimed Narnian non-profit news website and television production
house, famous for its investigative journalism conducted an investigation titled "Operation
Swachch Narnia" through its star journalist Mr. Narad Lal ........who posed as a representative of
a fictitious organisation Jai Narnia Samiti, and met some of SayPM's top executives. Narad Lal
informed them that he is meeting on behalf of the “Samiti” to boost the probabilities of the ruling
party in the Parliamentary elections .....slated..... to be conducted in 2019.

The investigation reported that Mrs. Money Bag, who is a director of SayPM, during the
meeting, revealed that they had some association with the ruling party of Narnia and stated
........during a drunken conversation that the e-wallet company had received a call from the Prime
Minister's Office ("PMO") demanding some user data, right before the General Elections in
Narnia. To authenticate its claims, AnacondaPole has released the transcripts and video clips of
Mrs. Money Bag on its social media profiles in Legbook and MeTube.

Mrs. Money Bag said in the sting video:

“By the way, let me show you one more thing … this is our SayPM App. Nowadays, our Prime
Minister is right here. He has written a book Chai Time Tales. We are … we are actually selling
this book on our platform... Also, for the upcoming elections, they wanted our user data
regarding the sale and popularity of the book and some other information”.

However, the video did not mention whether or not SayPM complied with the alleged demand
and whether it involved demand of information other than the book's sale and popularity.

7. After AnacondaPole released the video and transcript, SayPM, on its official social media
profile, posted that “There is absolutely NO TRUTH in the sensational headlines of a video
doing rounds on social media. Our user data is 100% secure and has never been shared with
anyone, except law enforcement agencies on request. Thank you for your continued support.”
SayPM, however, did not reveal the name of “law enforcement agencies” with whom the
company had shared its user data, if any.

10. In light of the growing controversies around its data sharing practices, SayPM revised its
privacy policy and included a new clause stating, “I understand and permit SayPM, at its sole
discretion, to share my data with any third party for any purpose linked to the business of
SayPM.”

SayPM ensured that users who did not consent to the said new clause, were blocked from using
their application. Thus, large sum of money, which the users had in their SayPM wallet, could
neither be transferred to any third party's bank accounts nor be used to conduct other e-
transactions. The users of SayPM were highly upset. SayPM constantly countered the allegation
saying that the data was shared as per the contract entered into by the users and only for purposes
which are necessary for it to fulfil its obligations towards the users. Thus, they have already
complied with all the existing laws by entering into such contracts with the users of SayPM.
SayPM also stated that the money of the users in the wallet was not completely blocked, rather
the users have the option to transfer the amount in their wallet back to their own bank account
linked with the application by paying a minor fee, if their wallet is blocked.

9. Earlier this year......Recently...., it was alleged that the Prime Minister's own mobile
application (“SayMo”) transferred user data to a few foreign companies for data analytics. While
this was denied by the PMO, general public was quite concerned about the safety of their data.
Similar allegations were also levelled against the applications of opposition parties in Narnia.
However, no investigation was conducted.

However, Narnia's data privacy and protection laws are allegedly weak and there is no proper
law which completely addresses the concerns relating to data protection and data privacy of
Narnia's citizens. The Government has continuously said that the existing general laws, such as
the Narnian Penal Code, Information Technology Act, regulations/guidelines issued by sectoral
regulators such as the Reserve Bank of Narnia, Telecom Regulatory Authority of Narnia, etc are
all sufficient.

STATEMENT OF ISSUES

The following questions are presented before this Hon'ble Court for adjudication in the instant
manner:

ISSUE I: Whether the writ petition is maintainable before the HC in the present case?

ISSUE II: Whether right to privacy is a fundamental right guaranteed under the Constitution of
India?

ISSUE III: Whether the state is committing gross violations of the existing legal framework and
International obligations?

ISSUE IV: Whether the present laws with IT need amendments?

SUMMARY OF ARGUMENTS

I. THE WRIT PETITION BEFORE THE HIGH COURT IS MAINTAINABLE


The writ petition filed by the petitioner is maintainable. Firstly, the existence of an efficacious
alternative remedy in .....would not oust the petitioner from filing the writ petition as
fundamental rights have been infringed.

Secondly, there is abuse of power by SayPM exercising its authority beyond discretion.

Lastly, the case involves a substantial question of law of general importance as it is pertinent to
make rules under Section 87 of the Information Technology Act 2000.

The writ petition filed by the petitioner is maintainable, as it is independent of any alternative
remedy [A]. Further, there is infringement of Fundamental Rights [B] and there is abuse of
power by the ........SayPM, respondent,??? [C]

A.

1. The existence of an alternative remedy does not operate as an absolute bar on the writ
court (Shivram Poddar v. ITO, AIR 1964 SC 1095; Also see JUSTICE B L HANSARIA’S,
WRIT JURISDICTION (3 ed. 2005)) as it is a process that the court chooses to opt out of
convenience and discretion. (JUSTICE B L HANSARIA’S, WRIT JURISDICTION (3 ed.
2005); Union of India v. Hindalco Industries (2003) 5 SCC 194 (198); Union of India v. Bajaj
Tempo Ltd., (1998) 9 SCC 281.)

But to do that special circumstances must exist. When an authority has acted without jurisdiction,
the bar does not apply. (Kuntesh Gupta v Management H. K. Mahavidyalaya AIR 1987 SC
2186)

Under special circumstances the High Court may grant writ remedies to a petitioner even with
the existence of an alternative remedy. The SC held (Whirlpool Corporation v. Registrar of
Trade Marks, (1998) 8 SCC 1 (11)) that the bar would not exist in at least three contingencies, namely,

(i) where the writ petition has been filed for the enforcement of Fundamental Rights.

(ii) Where there has been a violation of the principles of natural justice or,

(iii) Where the order or proceedings are wholly without jurisdiction or the vires of an Act is
challenged.

The present case falls under category (i), the principle which was earlier also laid down in Wazir
Chand v. State of H.P., (AIR 1954 SC 415: (1955) 1 SCR 408)

B. There is infringement of Fundamental Rights under Articles 19 and 21 of the Constitution.

C.

The SC (Comptroller and Auditor General of India v K S Jagannathan, AIR 1987 SC 537;
(1986) 2 SCWR 35) has observed that the High Courts exercising their jurisdiction under Art. 226
have the power to issue a writ of mandamus ........or pass orders or give necessary directions
when the Government or a public authority...... has failed to exercise or wrongly exercised the
discretion conferred upon it by a statute or has exercised such discretion mala fide or on irrelevant
considerations in such a manner as to frustrate the object of conferring such discretion.

The principle has been well stressed in the leading English case of Sydney Municipal Council v.
Campbell. (1925 AC 338: (1924) AllER Ext 930: 94 LJPC 65: 133 LT 63) where it has been
held that the writ can be issued for a purpose which was beyond the object of the statute.

II. RIGHT TO PRIVACY IS A FUNDAMENTAL RIGHT GUARANTEED UNDER THE
CONSTITUTION OF INDIA

It is humbly submitted before this Court that Articles 19 and 21 have been violated on account of
arbitrary action of the respondent. Right to freedom of speech and expression under Art 19 (1)(a)
and have been violated on account of sharing of user's data with third party without permission.
Further, there is breach of confidentiality and privacy on part of the respondent.

1. Right to privacy under Article 21:

Article 21 of the Constitution envisages right to life and personal liberty of a person. The word
"Life" under Art 21 means a quality of life(*****Francis Coralie v. Union Territory of Delhi,
AIR 1994 SC 1844.), which includes........right to privacy....

Though the Constitution of India has not guaranteed the right to privacy as a fundamental right to
the citizens but nevertheless, the Supreme Court has come to the rescue of common citizen, time
and again by construing "right to privacy" as a part of the right to "protection of life and personal
liberty".

In the context of personal liberty, the Supreme Court has observed(Ram Narain v. State of
Bombay, 1952 SCR 652) that "those who feel called upon to deprive other persons of their
personal liberty in the discharge of what they conceive to be their duty must strictly and
scrupulously observe the forms and rules of the law."

Further, in R. Rajagopal v. State of Tamil Nadu, Justice B.P. Jeevan Reddy observed that:

the right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this
country by article 21. It is a "right to be let alone".(Olmstead v. US)

In Maneka Gandhi v. Union of India, in a seven- judge bench decision, Justice P N Bhagwati
held that the expression "personal liberty" in Art. 21 is of the widest amplitude and covers a
variety of rights which constitute the personal liberty of man.

III. THE STATE IS COMMITTING GROSS VIOLATIONS OF EXISTING LEGAL
FRAMEWORK AND INTERNATIONAL OBLIGATIONS

An obligation of confidence gives the data subject the right not to have his information used for
other purposes or disclosed without his permission unless there are other overriding reasons in
the public interest for this to happen. That is, where an obligation of confidence arises, it is
unlawful for a data user to use the information for a purpose other than that for which it was
provided.

Also, the ICCPR, UDHR and ICESCR recognize the right to life and personal liberty of a person.

The first pronouncement on the right to respect for privacy and family is set out in the Universal
Declaration stipulating that ‘no-one shall be subjected to arbitrary interference with his privacy, family,
home or correspondence’ and that ‘the family is the fundamental group unit of society entitled to
protection by society and the state’.

P: The right to privacy is the right to individual autonomy that is violated when states interfere with,
penalise, or prohibit actions that essentially only concern the individual, such as not wearing safety
equipment at work or committing suicide.

UDHR
Article 12:

"No one shall be subjected to arbitrary interference with his privacy, family, home or
correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the
protection of the law against such interference or attacks."
Article 19:

"Everyone has the right to freedom of opinion and expression; this right includes freedom to hold
opinions without interference and to seek, receive and impart information and ideas through any media
and regardless of frontiers."

ICCPR

In the context of privacy, particularly General comment no. 16 on the right to privacy, family, home and
correspondence, and protection of honour and reputation (Art. 17) of 1988 and General comment no. 19
on the insurance of the family, the right to marriage and equality of spouses (Art. 23) of 1990 are of
immense importance.

Article 17

1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or
correspondence, nor to unlawful attacks on his honour and reputation.

2. Everyone has the right to the protection of the law against such interference or attacks.

General Comment No. 16 to Article 17

Right to Privacy in the International Covenant on Civil and Political Rights (ICCPR) to which India
is a signatory State Party emphasized that:

"The gathering and holding of personal information on computers, data banks and other devices, whether
by public authorities or private individuals or bodies, must be regulated by law. Effective measures have
to be taken by States to ensure that information concerning a person's private life does not reach the hands
of persons who are not authorized by law to receive, process and use it, and is never used for purposes
incompatible with the Covenant. In order to have the most effective protection of his private life, every
individual should have the right to ascertain in an intelligible form, whether, and if so, what personal
data is stored in automatic data files, and for what purposes. Every individual should also be able to
ascertain which public authorities or private individuals or bodies control or may control their files. If
such files contain incorrect personal data or have been collected or processed contrary to the provisions of
the law, every individual should have the right to request rectification or elimination."

***************************************************************************

Article 8 ECHR (European Convention on Human Rights) sets out the right to respect for private and
family life, home and correspondence, as well as a number of possible limitations. Authorities may not
interfere with this right except as is ‘in accordance with law and is necessary in the interests of a
democratic society, in the interests of national security, public safety or the economic well-being of the
country, for the prevention of disorder or crime, for the protection of health and morals, or for the
protection of the rights and freedoms of others.’

The European Court has made it clear that a state has a duty not to interfere with its subjects’ privacy,
except under the strictly limited circumstances prescribed in Article 8 ECHR; i.e., only if prescribed by
law, in the public interest and necessary in a democratic society. The Court has ruled that a person’s
private life extends to moral and physical integrity, including sex life, and it has found that in certain
circumstances a state has a duty to act to ensure that the right to privacy can be enjoyed.

Article 11 ACHR (American Convention on Human Rights) sets out the right to privacy, honour and
dignity, and prohibits arbitrary interference with the right to privacy and stipulates that everyone has the
right to protection of the law against attacks or interferences with the right.

The ACHPR does not explicitly set out the right to privacy, but Article 18 attaches particular importance
to the state’s duty to protect the family.

HUMAN RIGHTS LAW 1998

The Human Rights Act 1998 sets out the fundamental rights and freedoms that everyone in the UK is
entitled to. It incorporates the rights set out in the European Convention on Human Rights (ECHR) into
domestic British law. The Human Rights Act came into force in the UK in October 2000.

What the law says

Article 8: Right to privacy

Everyone has the right to respect for his private and family life, his home and his correspondence.

There shall be no interference by a public authority with the exercise of this right except such as is in
accordance with the law and is necessary in a democratic society in the interests of national security,
public safety or the economic well-being of the country, for the prevention of disorder or crime, for the
protection of health or morals, or for the protection of the rights and freedoms of others.

Example case - Goodwin & I v United Kingdom [2002]

This case heard in the European Court of Human Rights explored issues for transsexual people in relation
to their rights to private life and to marry. The judgment was a landmark decision for the treatment of
transsexual people, a group which had not been recognised in UK law as:

their acquired gender

able to hold a birth certificate showing their acquired gender, and

able to marry someone of the opposite gender.

The Court ruled that this treatment violated both the right to private life and the right to marry. The UK
Government later introduced the Gender Recognition Act 2004, creating a mechanism to enable all these
things.

............................................................

See the publication ‘Human rights, human lives: a guide to the Human Rights Act for public authorities’
for more examples and legal case studies that show how human rights work in practice.

CYBER REGULATION APPELLATE TRIBUNAL

CHAPTER XI OFFENCES

7. Penalty for breach of confidentiality and privacy

Save as otherwise provided in this Act or any other law for the time being in force, any person who, in
pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured
access to any electronic record, book, register, correspondence, information, document or other material
without the consent of the person concerned discloses such material to any other person shall be punished
with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh
rupees, or with both.

Report Summary- Data Protection Expert Committee White.pdf

The Committee of Experts on a Data Protection Framework for India (Chair: Justice B. N. Srikrishna)
released a white paper on November 27, 2017. The Committee was constituted in August 2017 to
examine issues related to data protection, recommend methods to address them, and draft a data
protection law. The objective was to ensure growth of the digital economy while keeping personal data of
citizens secure and protected. The Committee sought comments on certain questions raised by it till
December 31, 2017. It will draft a law for data protection in India based on the feedback it receives.

Principles: The Committee suggested that a framework to protect data in the country should be based on
seven principles: (i) law should be flexible to take into account changing technologies, (ii) law must apply
to both government and private sector entities, (iii) consent should be genuine, informed, and meaningful,
(iv) processing of data should be minimal and only for the purpose for which it is sought, (v) entities
controlling the data should be accountable for any data processing, (vi) enforcement of the data protection
framework should be by a high-powered statutory authority, and (vii) penalties should be adequate to
discourage any wrongful acts.

Scope and exemptions under the framework


Applicability: The Committee observed that countries can enforce laws within their jurisdiction.
However, a single act of data processing could take place across different countries and jurisdictions.
Some of the questions asked by the Committee relate to: (i) territorial applicability of the law, (ii) extent
to which the law should apply outside India, and (iii) measures that should be included in the law to
ensure compliance by foreign entities.

Definition of personal data: The Committee noted that it is important to define what constitutes
personal information. This is critical to determine the extent to which privacy of information will be
guaranteed under a data protection law. It sought comments on some questions which relate to: (i) what
kind of information qualifies as personal data, (ii) should the definition focus on whether a person can be
identified based on the data, and (iii) treatment of sensitive personal data. Sensitive data is related to
intimate matters where there is a higher expectation of privacy (e.g., caste, religion, and sexual
orientation).

Exemptions: The Committee noted that entities under the data protection framework may be exempt
from certain obligations (e.g., certain actions taken by the state). It sought comments on the categories of
exemptions that should be included under the law, and the basic safeguards that should be ensured when
processing data in these categories.

Grounds for data processing, obligation on entities and rights of individuals

Consent: The Committee noted that consent is treated as one of the grounds for processing personal
data. However, consent is often not informed or meaningful. In this context, it sought comments on the
conditions that determine valid consent. Further, it noted that one in three internet users across the world
is a child under the age of 18. A data protection law must sufficiently protect their interests, while
considering their vulnerability, and exposure to risks online.

Purpose of collection: The Committee discussed the principle where personal data must be collected for
a specified purpose, and such data should not be processed for any other purpose. Further, a related
principle requires that personal data be erased once the purpose for collecting it has been met.

Participation rights: The Committee noted that one of the principles of data protection is that a person
whose data is being processed should be able to influence the processing. This includes the right to
confirm, access, and rectify the data. The Committee observed that regulations of the European Union
have recognised other rights such as the right to object to data processing. Incorporation of such rights in
the Indian law requires further assessment. It also noted that the right to be forgotten has emerged as a
contentious issue in data protection laws.

Regulation and enforcement

Enforcement models: The Committee noted that once the provisions of the law are formalised,
enforcement mechanisms must be structured to ensure compliance. In this context, it sought comments
on the enforcement tools to be used for: (i) code of conduct, (ii) breach of personal data, (iii)
categorisation of different data controllers, and (iv) creation of a separate data protection authority. The
authority may be responsible for: (i) monitoring, enforcement and investigation, (ii) setting standards, and
(iii) generating awareness.

Penalty and compensation: The Committee discussed penalties for offences under the proposed law,
and the authority which should have the power to hear and adjudicate complaints. Further, it noted that
awarding compensation to an individual who has incurred a loss or damage due to the data controller’s
failure is an important remedy to be specified under the law.

IV. THE PRESENT LAWS WITH IT NEED AMENDMENTS

In today's global economy, and particularly for India, the importance of strong, enforceable, and
internationally interoperable data protection standards cannot be underestimated. While India has
adopted various sectoral laws and policies for securing data protection, most significantly the IT
Act and the Rules thereunder, a holistic national legislation on privacy rights is absent. (paper1).

The ITA was ratified by the Indian Parliament in 2000 and was enacted following the adoption of
the UNCITRAL Model Law on E-Commerce 1996 (17) and the passing of a resolution by the
United Nations General Assembly supporting member states to consider and incorporate the
Model Law on E-commerce when enacting or amending national laws. It is to be realised that
the Information Technology Act which was passed in 2000 was last amended 10 years ago, that
too was controversial, as it was passed by Parliament without debate(21) and needs to be
amended in many respects due to advancement in technology.

Current realities, challenges and the policy aspects of cyber space have not been addressed.
There are no provisions, for instance, for mandatory reporting of cyber crime and cyber security
breaches.

The IT laws have for a long time been outdated and way behind their counterparts in other parts of the
world. The Act needs more teeth to handle the dark web.

The RSPP Rules lay out a number of requirements that a body corporate must implement and
comply with but are silent as to whether body corporate needs to provide notice of changes in its
privacy policy. (paper 1) For example, it states that prior to collection, a body corporate must provide
the individual with the option of not disclosing information, including sensitive personal data or
information. The individual also has a right to withdraw consent. (44) It is not clear, however, if
the body corporate has an obligation to delete information if consent is withdrawn.

Attention has been drawn to the failure of the proposed law in safeguarding individuals’ personal
data from the excessive collection by the State for the purposes of national security.

The questions have been raised whether the Act has sufficient 'byte' to become an effective
legislation. Then there are so-called concerns over certain grey areas within the Act...lack of
confidence building measures, consumer protection,...draconian power to the police...silent on
intellectual property rights, taxation...the list is endless. In short, the question is of legislative
competence in framing the Act.

What we need is continued legislative activities and it is time to amend other enactments, like the
Indian Telegraph Act of 1885, The Indian Post Office Act of 1888 and The Indian Wireless
Telegraphy Act of 1993 to bring them at par with the new technological developments. This new
medium requires new laws.

Thus, the Supreme Court also approves the principle of updating construction, i.e., law must
constantly be on the move adapting itself to the fast changing society and not lag behind. (State
of Maharashtra v. Dr. Praful B. Desai, (2003) 4 SCC 601)

It is also pertinent to note here, that the absence of a specific privacy law in India has resulted in a
loss of substantial foreign investment and other business opportunities. This deficiency has also
served as an obstacle to the real growth of electronic commerce. Thus, a statute addressing
various issues related to privacy is of utmost importance today, if not an entire act can be brought
into force, then at least specific provisions relating to privacy and data protection be incorporated
into the Act.

Suggestions for Improvement

The IT (Amendment) Act, 2008, reduced the quantum of punishment for a majority of cyber
crimes. This needs to be rectified.

The majority of cyber crimes need to be made non-bailable offences.

The IT Act does not cover a majority of crimes committed through mobiles. This needs to be
rectified.

A comprehensive data protection regime needs to be incorporated in the law to make it more
effective.

Detailed legal regime needed to protect privacy of individuals and institutions.

Cyber war as an offence needs to be covered under the IT Act.

Parts of Section 66A of the IT Act are beyond the reasonable restrictions on freedom of speech
and expression under the Constitution of India. These need to be removed to make the provisions
legally sustainable.

The Information Technology (Amendment) Act, 2008 serves as a suitable case study for an
analysis of the legislative exercise of law and policy formulation in the field of cyber crime
legislation, revealing quite emphatically the need for carefully worded provisions, foresight in
the drafting process and imagination with respect to explanations to particular sections. The
inadequacies of the legislation and the resultant realistically anticipated problems reinforce the
notion that criminal legislations cannot be left open to broad interpretations, especially with
regard to internet regulations, considering the fact that cyberspace provides certain liberties in
action that make it easier to transgress laws, and with such characteristics inherent to the
environment, any regulatory mechanism or legislative measure must seek to be comprehensive,
clear and narrow in interpretive scope.

While the purpose of the Information Technology (Amendment) Act was to address increasing
trends of cyber crime and in effect, make it difficult to be a cyber criminal, the irony rests in the
fact that what the Amendment Act eventually has created is a situation wherein it perhaps, isn’t
‘easier to be a criminal’, but rather, ‘easier to be classified as a criminal’. The danger, in both
cases, cannot be overemphasised.

Guidelines for the Regulation of Computerized Personal Data Files

On December 14, 1990, the United Nations adopted General Assembly Resolution 45/95. The resolution,
Guidelines for the Regulation of Computerized Personal Data Files, set out Fair Information Practices for
the use of personal data. The United Nations General Assembly recommended that governments
incorporate the privacy guidelines into legislation and administrative regulations. The guidelines lay out
the following ten principles to provide minimum guarantees of privacy protection for personal data.

Principle of lawfulness and fairness: Demands fairness and lawfulness in the collection and processing of
personal data.

Principle of accuracy: Puts responsibility on the persons doing the data collection to ensure the data
collected is accurate.

Principle of the purpose-specification: Requires the purpose of the data collection to be transparent in
order to ensure the data is used only for the specified purpose and that the data is only kept as long as it is
needed to achieve the stated purpose.

Principle of interested-person access: Guarantees the right to know that one’s data is being used and also
guarantees access to that data in an intelligible form. It requires appropriate remedies to rectify unlawful,
unnecessary, or inaccurate data.

Principle of non-discrimination: Forbids the collection of data "likely to give rise to unlawful or arbitrary
discrimination" save for the exceptions under Principle 6. Covered data includes "racial or ethnic origin,
colour, sex life, political opinions, religious, philosophical and other beliefs as well as membership of an
association or trade union."

Power to make exceptions: Makes exceptions to Principle 5 for that which is "necessary to protect
national security, public order, public health or morality . . . [and] the rights and freedoms of others . . ."
as well as ". . . within the limits prescribed by the International Bill of Human Rights . . ." or other similar
documents.

Principle of security: Requires protection of the data from natural disasters and human dangers like theft
or misuse.

Supervision and sanctions: Requires the designation of an authority "responsible for supervising
observance of the principles set forth above."

Transborder data flows: Allows for free circulation of data between countries when those countries have
"comparable safeguards for the protection of privacy."

Field of application: Extends the applicability of the principles "to all public and private computerized
files."

The European Union

The E.U. has a considerable collection of laws and institutions relating to Data Protection.

The Charter of Fundamental Rights of the European Union (2000)

Article 7 - Respect for private and family life

Everyone has the right to respect for his or her private and family life, home and communications.

Article 8 - Protection of personal data

Everyone has the right to the protection of personal data concerning him or her.

Such data must be processed fairly for specified purposes and on the basis of the consent of the person
concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which
has been collected concerning him or her, and the right to have it rectified.

Compliance with these rules shall be subject to control by an independent authority.

........................“There is nominally a data protection law in India in the form of the Reasonable Security
Guidelines under Section 43A of the Information Technology Act. However, it is a toothless law and is
never used. Even when data leaks such as the ones from the official Narendra Modi app or McDonald’s
McDelivery app have happened, section 43A and its rules have not proven of use,” said Pranesh Prakash,
policy director at CIS.
Some redress for misuse of personal data by commercial entities is also available under the Consumer
Protection Act enacted in 2015, according to information on the website of Privacy International, an
NGO. As per the Act, the disclosure of personal information given in confidence is an unfair trade
practice.

PRAYER

Wherefore, in the light of the facts stated, issues raised, authorities cited and arguments
advanced, it is most humbly prayed before this Honourable Court that it may be pleased to:

1. Declare that the writ filed is maintainable in the Court of law;

2. Declare that there is blatant violation of Article 21 of the Constitution;

3. Issue directions to SayPM to prevent it from sharing its users' data without the express
written consent of the data subject;

4. Issue directions to the Government to frame or amend rules/ regulations under Section 87 of
the IT Act, 2000.

AND/OR

Pass any other order that it deems fit in the interest of Justice, Equity and Good Conscience.

And for this, the appellant, as in duty bound, shall humbly pray.

COUNSELS ON BEHALF OF APPELLANT

Sd/

Many of the changes proposed might not be acceptable to the legal fraternity. But I feel that these
changes will be strongly felt in the near future. I feel that this legislation overall is a masterpiece. The
lacuna it has is only due to the lack of technical skill while drafting. I would again insist on these
proposed changes to realize in toto the purpose for enactment of this statute.

At this point it would be too early to predict as to what kind of legislation it will turn out to be.
But undoubtedly the most important distinguishing characteristic of this Act is that it has
provided legal recognition to the virtual electronic medium.

.............

(1). Section 2 (h) - "certification practice system" means a statement issued by a Certifying
Authority to specify the practices that the Certifying Authority employs in issuing Digital
Signature Certificates.
