
Privacy Foott

The document discusses jurisprudential dimensions of data protection under Indian law. It outlines key principles of privacy from international conventions and Indian Supreme Court judgments. It analyzes data protection under the Information Technology Act and Aadhaar Act, highlighting definitions and obligations but also loopholes in the laws.

Jurisprudential Dimensions of Data Protection

Data sharing is an intrinsic part of the right to privacy. Personal data such as birth date, financial
capabilities, health are all included within the ambit of privacy. Privacy is a human right enjoyed by every
human being which may extend to bodily integrity, personal autonomy, informational self-
determination, protection from state surveillance, dignity, confidentiality, compelled speech and
freedom to dissent or move or think. The right of privacy is the right to be free from unwarranted
publicity, to live a life of seclusion, and to live without unwarranted interference by the public in matters
with which the public is not necessarily concerned.[2] Semayne’s Case (1604)[3] relates to the entry
into a property by the Sheriff of London in order to execute a valid writ wherein Sir Edward Coke, while
recognising a man’s right to privacy famously said that “the house of everyone is to him as his castle and
fortress, as well for his defence against injury and violence, as for his repose”. The concept of privacy
further developed in England in the 19th century and has been well established in today’s world. In the case
of Campbell v. MGN[4], the court held that if “there is an intrusion in a situation where a person can
reasonably expect his privacy to be respected, that intrusion will be capable of giving rise to liability
unless the intrusion can be justified”.

International Conventions and Reports

Article 12 of the Universal Declaration of Human Rights states, “No one shall be subjected to arbitrary
interference with his privacy, family, home or correspondence, nor to attacks upon his honour and
reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Article 17 of the International Covenant on Civil and Political Rights states that “No one shall be
subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to
unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law
against such interference or attacks.”

Article 16 of the UNCRC states that “No child shall be subjected to arbitrary or unlawful interference
with his or her privacy, family, or correspondence, nor to unlawful attacks on his or her honour and
reputation. The child has the right to the protection of the law against such interference or attacks.”

The gathering and holding of personal information on computers, data banks, and other devices,
whether by public authorities or private individuals or bodies, must be regulated by law. Every individual
should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored
in automatic data files, and for what purposes. Every individual should also be able to ascertain which
public authorities or private individuals or bodies control or may control their files. If such files have
been collected or processed contrary to the provisions of the law, every individual should have the right
to request rectification or elimination.[5]

Indian Jurisprudence on Privacy of Data


In K. S. Puttaswamy (Retd.) v Union of India[6], the ‘Aadhaar Card Scheme’ was challenged on the
ground that collecting and compiling the demographic and biometric data of the residents of the
country to be used for various purposes is in breach of the fundamental right to privacy embodied in
Article 21 of the Constitution of India. The Hon’ble Supreme Court, by its decision pronounced on
August 24, 2017, unanimously held as under: –

The M P Sharma[7] decision, which holds that the right to privacy is not protected by the Constitution,
stands over-ruled;

The decision in Kharak Singh[8] to the extent which states that the right to privacy is not protected by
the Constitution stands over-ruled;

The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article
21 and as a part of the freedoms guaranteed by Part III of the Constitution.

Privacy is a constitutionally protected right which emerges primarily from the guarantee of life and
personal liberty in Article 21 of the Constitution. Elements of privacy also arise in varying contexts from
the other facets of freedom and dignity recognised and guaranteed by the fundamental rights contained
in Part III.

Privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage,
procreation, the home and sexual orientation. Privacy also connotes a right to be left alone. Privacy
safeguards individual autonomy and recognises the ability of the individual to control vital aspects of his
or her life. Personal choices governing a way of life are intrinsic to privacy. Privacy protects
heterogeneity and recognises the plurality and diversity of our culture. While the legitimate expectation
of privacy may vary from the intimate zone to the private zone and from the private to the public
arenas, it is important to underscore that privacy is not lost or surrendered merely because the
individual is in a public place.

As per Article 21, an invasion of privacy must be justified on the basis of a law which stipulates a
procedure which is fair, just and reasonable. An invasion of life or personal liberty must meet the three-
fold requirement of (i) legality, which postulates the existence of law; (ii) need, defined in terms of a
legitimate state aim; and (iii) proportionality which ensures a rational nexus between the objects and
the means adopted to achieve them.

Various legislative enactments in India do not confer protection of all types of data

Information and Technology Act

Section 43A of the IT Act mandates that where a body corporate possessing, dealing or handling any
sensitive personal data or information[9] in a computer resource which it owns, controls or operates, is
negligent in implementing and maintaining reasonable security practices and procedures[10] thereby
causing wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay
damages by way of compensation, which shall not exceed a sum of INR 5,00,00,000 (Rupees Five Crore).

Section 66C deals with identity theft and states that whoever fraudulently or dishonestly makes use of
the electronic signature, password or any other unique identification feature of any other person shall
be punished with imprisonment for a term which may extend up to three years and shall also be liable
to a fine of up to INR 1,00,000.

Section 72 provides that any person who has secured access to any electronic record, book, register,
correspondence, information, document or other material without the consent of the person concerned
and thereafter discloses such electronic record, book, register, correspondence, information, document
or other material to any other person shall be punished with imprisonment for a term which may extend
to two years, or with fine which may extend to INR 1,00,000 (Rupees One Lakh), or with both.

Section 72A mandates, any person, including an intermediary[11] who, while providing services under
the terms of a lawful contract, has secured access to any material containing personal information.

Loopholes

The IT Act does not contain a definition of a data breach.

The provisions of the IT Act only deal with the collection and distribution of information by a ‘body
corporate’.

The IT Act does not include the overarching stipulation that interception can only transpire in the case of
public emergency or in cases involving public safety. Additionally, section 69 of the IT Act mandates that
any person or intermediary who fails to assist the specified agency with the interception, monitoring,
decryption or provision of information stored in a computer resource shall be punished with an
imprisonment for a term which may extend to seven years, and shall be liable for a fine.

The term “consent” has not been defined under the IT Act.

The Rules and provisions of the IT Act principally sought to protect ‘personal information’ and ‘sensitive
personal data or information’, i.e. the information related to (i) password; (ii) financial information such
as bank account or credit card or debit card or other payment instrument details; (iii) physical,
physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; and
(vi) biometric information. However, the information which is freely accessible in the public domain is
not considered within the ambit of ‘sensitive personal data or information’.

Aadhaar Act, 2016

Biometric information means photograph, fingerprint, iris scan, or such other biological attributes of an
individual as may be specified by regulations.[12]

Core biometric information means fingerprint, iris scan, or such other biological attribute of an
individual as may be specified by regulations.[13]

Demographic information includes information relating to the name, date of birth, address and other
relevant information of an individual, as may be specified by regulations for the purpose of issuing an
Aadhaar number, but shall not include race, religion, caste, tribe, ethnicity, language, records of
entitlement, income or medical history.[14]

The Authority shall ensure the security of identity information and authentication records of individuals.[15]

No court shall take cognizance of any offence punishable under this Act, save on a complaint made by
the Authority or any officer or person authorised by it.[16]

Loopholes

Section 28 of the Act says that the Authority shall ensure the security of identity information and
authentication records of individuals. Section 2(e) of the Act defined ‘authority’ which refers to the
Unique Identification Authority of India established under sub-section (1) of Section 11 of the Act. It is to
be noted that Section 139AA of the Income Tax Act, 1961 provides for the linking of Aadhaar to PAN.
The provision was challenged in the Supreme Court and was subsequently upheld by a Hon’ble Division
Bench of Justices A.K. Sikri and Ashok Bhushan in the Binoy Viswam case[17]. However, when Aadhaar is
linked, the data which were collected by the UIDAI would be shared with the Income Tax Authorities.
But, the Income Tax Act doesn’t provide for any designation or any authority for the purpose of
protection of that information and data. Therefore, a major loophole remains in the decision.

Section 33(1) of the Act says that disclosure of information including identity information or
authentication records may be made pursuant to an order of a court not inferior to that of a District
Judge and further says that no order by the Court under the sub-section shall be made
without giving an opportunity of hearing to the UIDAI. However, it doesn’t provide for an opportunity of
hearing to the data principal, which is against the principles of natural justice and in contravention of
the observation of the Hon’ble Apex Court in Puttaswamy. Constitutional morality requires a Government
not to act in a manner which would become violative of the rule of law, and not giving an opportunity to
the affected party is against the notion of the rule of law. Hence, it is against constitutional morality.

As the centralised body for the storage and organization of information is the Central Identities Data
Repository (CIDR), there is an enormous possibility of data breach or piracy, and once the centralised
repository is hacked, it may lead to the breach of the personal data and information of millions of
people.

As per Section 47(1), a court can take cognizance of an offence punishable under the Act only if a
complaint is given by UIDAI or any officer or any other person authorised by it. Section 47 of the Act is
arbitrary, irrational and illogical as it doesn’t provide a method to individuals to seek effectual remedies
for violation of their right to privacy. Thus, it can be safely said that section 47 violates the rights of
citizens to seek remedies in case of violation of their fundamental rights.

It is a fundamental principle that ownership of an individual’s data must at all times vest with the
individual. But it is pertinent to note that the proviso to Section 28(5)[18] of the Aadhaar Act, disallows
individual access to the biometric information that forms the core of his or her unique ID and thereby
violates this fundamental principle.

As per Section 23(2)(s)[19], UIDAI, which is administering the Aadhaar project, is also accountable for
establishing a grievance redressal mechanism in order to address grievances arising from Aadhaar,
thereby massively compromising the independence of the grievance redressal body.

Section 29(4)[20] is too broad as it renders wide discretionary power to UIDAI to display, publish or post
core biometric information of any person for purposes specified by the regulations.

Non-compliance with the mandates laid down by the Supreme Court in the Aadhaar Amendment Act 2019

The Supreme Court in the Aadhaar Judgement[21] (Para 322) has held, “No doubt, the Government
cannot take umbrage under the aforesaid provision to enlarge the scope of subsidies, services and
benefits. ‘Benefits’ should be such which are in the nature of welfare schemes for which resources are
to be drawn from the Consolidated Fund of India. Therefore actions by CBSE, NEET, JEE and UGC
requirements for scholarship shall not be covered under Section 7 unless it is demonstrated that the
expenditure is incurred from Consolidated Fund of India. We are of the opinion that the respondents
shall not unreasonably expand the scope of ‘subsidies, services and benefits’ thereby widening the net
of Aadhaar, where it is not permitted.” The court went on to elaborate that Sections 24 & 25 of the
Aadhaar Amendment Act 2019 mention the use of Aadhaar by telecom service providers, banks
and financial institutions for doing reporting functions under the Prevention of Money Laundering Act
(PMLA), which have no connection with subsidies, benefits, welfare or DBT. Merely making Aadhaar
(online or hard copy) two out of four options in these sections, without mentioning the third one
(merely empowering the government to do so), and providing passport as the fourth one (which a large
majority do not possess) does not comply with the SC intent, which primarily constrained the use of
Aadhaar to “benefits” from the Consolidated Fund of India, as restrictively defined above.

Section 57 of the original act states, “Nothing contained in this act shall prevent the use of Aadhaar for
establishing the identity of an individual for any purpose whether by the State or any body, corporate or
person.” In a lengthy discussion in the Aadhaar Judgment (paras 355 to 367), Section 57 was declared
unconstitutional and struck down for being too wide. A re-embodiment of the same invalid Section 57 is
found in 5(7) of the 2019 amendment Act, where a similar provision, expressly overriding all other
provisions, allows compulsory use of Aadhaar alone if Parliament by any law (not yet specified) so
provides. Sections 24 and 25, discussed above, additionally reflect a similar reincarnation.

The Supreme Court in the Aadhaar Judgement (Para 349), while upholding Section 33, which dealt with
compulsory disclosure in the interests of national security, altered the decision-maker from Joint Secretary
to a higher level and significantly added, “There has to be a higher ranking officer along with,
preferably, a judicial officer.”

In the 2019 Aadhaar Amendment Act, though a Secretary level officer has been designated, no judicial
element has been provided alongside, thereby palpably violating the mandate laid down by the Supreme
Court.

Critical Analysis of Personal Data Protection Bill, 2018

It is pertinent to note here that there is no specific legislation for the protection of data in India. In 2006,
the Personal Data Protection Bill, 2006 was introduced in the Rajya Sabha with a vision of providing
protection to personal data and information of an individual collected for a particular purpose by an
organisation and to prevent its usage by other organisations for commercial or other purposes.
Subsequently in the wake of the decision of the Apex Court in Justice (Retd.) K.S. Puttaswamy v. Union of
India (Right to Privacy matter), right to privacy being declared as a fundamental right, it was felt that it is
essential to protect personal data as a facet of informational privacy. Hence, the Personal Data
Protection Bill, 2018 was introduced in the Parliament with provisions covering aspects of protection of
data.

Loopholes

Though the bill provides a skeletal framework of a data protection law and attempts at covering some
aspects of data protection yet it suffers from major loopholes.

1. Absence of guidelines for fair and reasonable data processing

As per the recommendations of the Justice Srikrishna Committee, courts of law and regulatory authorities
should be allowed to develop principles of fair and reasonable data processing. The Bill places the
obligation on data fiduciaries to collect data in a fair and reasonable manner that respects the privacy of
the individual but does not explicitly specify what a fair and reasonable manner of personal data
processing is. This could result in the principles of fairness and reasonableness varying across fiduciaries
processing similar types of data, and fiduciaries in the same business may evolve and follow different
standards.

2. Proposal for data localization is quite concerning

Data localization could have an adverse impact on smaller data fiduciaries who resort to alternative
cheaper storage mechanisms, through compliance burden and raised costs. Some of them may be
dissuaded from investing in India as a market because of the extra costs arising from putting up duplicate
servers, as a result of which consumers may not have the choice of availing the services of all data
fiduciaries. In some cases where the data fiduciary is registered as an entity in a foreign country, law
enforcement may not necessarily be expedited. Furthermore, India needs to invest in and enhance data
centre infrastructure and grid capacity before mandating data localization.

3. Functions of the legislature for non-consensual processing of data are uncertain

Personal data may be processed if such processing is necessary for any function of Parliament or any
State Legislature.[22] The Bill allows for processing of an individual’s personal data without their consent
if it is necessary for any function of the Parliament or state legislature, which is irrational, and it is quite
difficult to predict the possible requirement of the Parliament or State Legislature to access any
personal data without the consent of the individual.

4. Certain types of data are exempted which may not satisfy test of proportionality

The State can process data for the purposes of (i) national security, (ii) prevention, investigation and
prosecution of violations of law, (iii) legal proceedings, (iv) personal or domestic purposes, and (v)
research and journalistic purposes. A vital question is whether all exceptions provided in the Bill are
justified. The Supreme Court, in Puttaswamy vs Union of India, allowed exceptions to the right to privacy
of an individual only in cases where a larger public purpose backed by law is satisfied by the
infringement of privacy of an individual and highlighted that the exemption must be necessary for and
proportionate to achieving the purpose. Thus it is apparent that an exception for national security,
pursuant to a law, may be justified. But, it is uncertain if exceptions for legal proceedings, or for
research and journalistic purposes meet the requisites of necessity and proportionality.

5. Data processing for providing all services of the state without consent is unjustified

Personal data may be processed if such processing is necessary for the exercise of any function of the
State authorised by law for (a) the provision of any service or benefit to the data principal from the
State; or (b) the issuance of any certification, license or permit for any action or activity of the data
principal by the State.[23] The recommendations of the Srikrishna Committee state that only those
government entities which are exercising functions directly related to the provision of welfare should be
allowed non-consensual processing of data and acknowledge that non-consensual processing by
government entities for all types of public functions may be too broad an exception to consent. But
the Bill utterly disregards the recommendation and allows non-consensual data processing for all
services of the State.

6. A complaint may be filed only in case of possibility of harm

A data principal may raise a grievance in case of a violation of any of the provisions of this Act, or rules
prescribed, or regulations specified thereunder, which has caused or is likely to cause harm to such data
principal, to— (a) the data protection officer, in case of a significant data fiduciary; or (b) an officer
designated for this purpose, in case of any other data fiduciary.[24] It is questionable as to why the
sheer violation of the rights of the principal isn’t sufficient to file a complaint. Nothing contained in sub-
section (1) shall render any such person liable to any punishment provided in this Act if she proves that
the offence was committed without her knowledge or that she had exercised all due diligence to
prevent the commission of such offence. [25] The data principal also has to exhibit and prove that harm
has been caused to them as a result of unlawful data processing thereby placing an unnecessary burden
on the data principal.

7. No stipulated time limit for reporting data breach

If we take into consideration notifications of data breaches, the bill states that the data breach
notifications are to be made by the data fiduciary to the Data Protection Authority For India (DPAI) “as
soon as possible”, in case they pose potential “harm” to data principals.[26] However, there is ambiguity
in this provision as it does not explicitly mention how soon and within what stipulated time the breach is
to be notified.

8. Discretionary reporting of data breaches could result in clash of interests

The Bill states that the fiduciary shall inform the DPA in the event of a data breach (i.e., accidental or
unauthorised use or disclosure of data) only if such a breach is likely to cause harm to any data
principal.[27] The question which remains unanswered is whether the fiduciary should have the discretion to
determine whether a data breach needs to be reported to the DPA. From a plain reading, we can
interpret that the fiduciary has the discretion to determine if the data breach has caused the data principal
any harm. This could result in selective reporting of data breaches, which on the one hand will keep the DPA
from being loaded with a high volume of low-impact data breach reports and on the other will not
burden the fiduciary with the duty of reporting. Conversely, there may be a conflict of interest
while deciding whether a breach is to be reported, as the fiduciary is regulated by the DPA and cases of
breaches and promptness of notification are evaluated in independent data audits ordered by the DPA,
whose results are summarised into a score, made public, and influence the perception of a fiduciary’s
trustworthiness.

9. Arrest, Detention, Attachment of Properties in the form of compensation can be made by DPA
without court order

The Recovery Officer, per the orders of the Data Protection Authority, may conduct several enforcement
actions against a person including (i) attachment and sale of the person’s movable property; (ii)
attachment of the person’s bank accounts; (iii) attachment and sale of the person’s immovable property;
(iv) arrest and detention of the person in prison; (v) appointing a receiver for the management of the
person’s movable and immovable properties.[28] The Bill vests unfettered power in the Recovery Officer
to act in pursuance of the orders of the Data Protection Authority and does not stipulate approval by a
court order for the above enforcement actions, unlike the RBI[29] or the IRDA.[30]

10. The definitions of ‘Serving copy’ and ‘Critical personal data’ are not provided

It is uncertain what is meant by a ‘serving copy’ of data. It might be a live, real-time replication of
data on a server within India, or it might be a backup at a particular frequency. An explicit definition
needs to be provided, as expenses, implications and execution timelines for fiduciaries would differ
substantially with the exact nature of a ‘serving copy’. Furthermore, what falls within the ambit of ‘critical
personal data’ needs to be explicitly mentioned, as it is an indispensable prerequisite for fiduciaries to
prepare for storing this data solely in India.

Comparative Study of the European Union’s General Data Protection Regulation (GDPR) and the
Personal Data Protection Bill, 2018

However, Section 27(1) says that the data principal shall have the right to restrict or prevent
continuing disclosure of personal data by a data fiduciary related to the data principal where such
disclosure (a) has served the purpose for which it was made or is no longer necessary; (b) was made on
the basis of consent. The major difference is that in India, a citizen has not been granted the right to
demand that his/her data be erased. Data erasure, which is an article in itself in GDPR, does not even find
a mention in the Indian draft bill.

Sharing of source of personal data to data principal

The data fiduciary does not need to share the source of the personal data with the data principal in case
the data has not been collected from him/her as per PDPB, which is an explicit requirement in GDPR.

As per the Personal Data Protection Bill, notifications of data breaches are to be made by the data
fiduciary to the Data Protection Authority For India (DPAI) “as soon as possible”, in case they pose
potential “harm” to data principals, but the Bill does not explicitly mention how soon and within what
stipulated time the breach is to be notified, in contrast to GDPR, which has a time limit of 72 hours.

Breach notification to data subject is required in GDPR whereas in PDPB it depends upon discretion of
DPA

In case of a breach, there’s no requirement by Indian draft bill to share it with the data principal; rather,
the data protection authority shall determine whether such breach should be reported to the data
principal. This is also in contrast to GDPR provisions.

Accountability

GDPR places more emphasis on explicit accountability for data protection thereby putting a straight
responsibility on companies to prove that they comply with the principles of the regulation, rather than
the hands-off approach of the Data Protection Act which means firms will have to perform mandatory
activities such as staff training, internal data audits and keeping detailed documentation if they wish to
avoid falling foul of the GDPR rules.

GDPR explicitly requires data principal to be provided a copy of data processing whereas PDPB vaguely
mentions summary of data to be provided

GDPR requires that the data subject (data principal) is provided with a copy of data undergoing
processing. The Indian legislation mandates a summary of that data to be shared, with no definition of
what that summary is.

Obligation on data fiduciary

There is no obligation on the data fiduciary in the Bill to share with the data principal, while collecting
or at any time, how long the data will be stored, as GDPR mandates.

The Data Protection Bill does not mandate the data fiduciary to share the names and categories of
other recipients of the personal data with the data principal, unlike GDPR.

Consent policies

Under the PDPB, data collection does not necessarily mandate an opt-in, whereas under GDPR clear
privacy notices are provided to consumers, allowing them to make a well-informed decision on whether
they should consent to allow their data to be stored and used, and the consent can be withdrawn at any
time.

Recommendations

The PDPB should explicitly mention rules and guidelines for the fair and reasonable principles of data
processing by data fiduciaries because the provisions of Section 4 of the Bill mandate that the data
fiduciary should collect data in a logical and fair method.

The Data Protection Bill should authorize the Data Protection Authority to issue templates for
various forms of consent, and the relevant businesses should comply with these templates.

The mention of incidental purposes and the ambiguous language of Section 5(2) of the Bill should be
abrogated in order to avoid misinterpretation.

Section 32 of the Personal Data Protection Bill should incorporate a specific time limit to report the
breach of data by the data fiduciary to the data processor instead of using a vague term like “as soon as
possible”.

The provisions of Section 13 are very wide and there is a possibility that this provision might be
arbitrarily used under the blanket of state functions and therefore this provision must define in a more
elaborate and detailed manner the realm of necessary data.

Data fiduciaries might be required to supply information about any data breaches on their website to
ensure transparency.

Insertion of a qualified right to erasure in the Bill as mandated in the GDPR will be of significant
importance to the privacy rights of the people.

In case there is a breach of data, the Data Protection Authority, in order to maintain
transparency, could make the data protection impact assessments and data audits available publicly.

Though the bill prescribes broad principles, more work needs to be done in order to make consent work
in practice.

Conclusion

Though the existing laws in India do not confer the necessary data protection, India is on the way to
drafting a legislative enactment for data protection. A deep insight into the above loopholes and further
debates and discussions in the Parliament to provide necessary recommendations to eradicate the same
would pave the way for creating a strong data protection law in India.

Endnotes

[1] W. Boni and G.L. Kovacich, Netspionage: Global Threat to Information, 147 (1st ed., 2000)

[2] Strutner v Dispatch Printing Co., 2 Ohio App. 3d 377 (Ohio Ct. App., Franklin County 1982).

[3] Peter Semayne v Richard Gresham, 77 ER 194.

[4] 2004 UKHL 22.

[5] UN Doc. HRI/GEN/1/Rev.9, General Comment No. 16: Article 17, para 10.

[6] (2015) 8 SCC 735.

[7] M. P. Sharma and Ors. v Satish Chandra, District Magistrate, Delhi and Ors 1954 SCR 1077

[8] Kharak Singh v State of Uttar Pradesh and Ors, (1964) 1 SCR 334

[9] The term “sensitive personal data or information” of a person is defined to mean such personal
information which consists of information relating to— (i) password; (ii) financial information such as
Bank account or credit card or debit card or other payment instrument details; (iii) physical,
physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi)
biometric information; (vii) any detail relating to the above clauses as provided to body corporate for
providing service; and (viii) any of the information received under above clauses by body corporate for
processing, stored or processed under lawful contract or otherwise: provided that, any information that
is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or
any other law for the time being in force shall not be regarded as sensitive personal data or information
for the purposes of these regulations.

[10] The term “reasonable security practices and procedures” has been defined to mean security
practices and procedures designed to protect such information from unauthorised access, damage, use,
modification, disclosure or impairment, as may be specified in an agreement between the parties or as
may be specified in any law for the time being in force and in the absence of such agreement or any law,
such reasonable security practices and procedures, as may be prescribed by the Central Government in
consultation with such professional bodies or associations as it may deem fit.

[11] The term “intermediary” with respect to any particular electronic records, has been defined to
mean any person who on behalf of another person receives, stores or transmits that record or provides
any service with respect to that record and includes telecom service providers, network service
providers, internet service providers, web hosting service providers, search engines, online payment
sites, online auction sites, online market places and cyber cafes.

[12] S.2(g), The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,
2016

[13] S.2(j), The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,
2016

[14] S.2(k), The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,
2016

[15] S.28, The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,
2016

[16] S.47, The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,
2016

[17] Binoy Viswam v. Union of India and Ors (2017) 7 SCC 59

[18] Notwithstanding anything contained in any other law for the time being in force, and save as
otherwise provided in this Act, the Authority or any of its officers or other employees or any agency that
maintains the Central Identities Data Repository shall not, whether during his service or thereafter,
reveal any information stored in the Central Identities Data Repository or authentication record to
anyone: Provided that an Aadhaar number holder may request the Authority to provide access to his
identity information excluding his core biometric information in such manner as may be specified by
regulations.

[19] Section 23(2)(s) states, "Without prejudice to sub-section (1), the powers and functions of the
Authority, inter alia, include— (s) setting up facilitation centres and grievance redressal mechanism for
redressal of grievances of individuals, Registrars, enrolling agencies and other service providers;"

[20] Section 29(4) states that "No Aadhaar number or core biometric information collected or created
under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly,
except for the purposes as may be specified by regulations."

[21] K.S. Puttaswamy v. Union of India

[22] S.13(1), Personal Data Protection Bill 2018

[23] S.13(2), Personal Data Protection Bill, 2018

[24] S.39(2), The Personal Data Protection Bill, 2018

[25] S.96(2), The Personal Data Protection Bill, 2018

[26] S.32(3), The Personal Data Protection Bill, 2018

[27] Ibid

[28] S.78, The Personal Data Protection Bill, 2018

[29] Reserve Bank of India

[30] Insurance Regulatory and Development Authority
