Student Disseration 1st April Final

Uploaded by

Tanul Star
Data Protection in the Digital Age: A Comparative Study of India’s legislative framework with EU and US Data Protection law


TABLE OF CONTENTS

CHAPTER NAME OF CHAPTER

1 INTRODUCTION

2 DATA PROTECTION IN EU, US

3 REGIME IN INDIAN LEGAL SYSTEM

4 COMPARATIVE STUDY OF THE DATA PROTECTION REGIME IN INDIA WITH REFERENCE TO EU, US

5 CONCLUSIONS AND SUGGESTIONS

CHAPTER 1:
INTRODUCTION

1.1. India and the Need for Data Protection

The phrase "data is the new oil" is used frequently. The importance of data has increased over

the past few decades to previously unheard-of levels in an increasingly digitalized world,

including India. The majority of cyber security incidents that have occurred in India recently

have been motivated by data theft. Health data, financial data, and other critical personal and

sensitive data have all been hacked by cybercriminals on several occasions. Due to the

absence of strict data security legislation in India, many cases of data breaches, such as the

hacking of social media accounts6, the theft of credit and debit card information, and other

privacy breaches, go undetected and latest personal information of the citizens.

The Aadhar Database, which contains the individually identifiable information of over 1.3

billion Indians, was purportedly accessible for a pitiful 500 INR7 through an explosive

allegation made in an investigative article that was published in The Tribune Newspaper in

2018. Think tanks and the international media accurately labeled the Aadhar leak as the

largest data breach in history. Furthermore, India is second only to the United States in terms

of data breaches, accounting for almost 37% of worldwide data breaches8, according to

research released by digital security company Gemalto. The numerous breaches of data in an

increasingly data-driven economy have brought to light the gap left by India's lack of a strong

data protection policy.

The purpose of this study is to identify the gaps in our data protection framework by

examining the current and forthcoming data protection legislation in India and contrasting

them with those of advanced data protection regimes. India is particularly concerned about

data privacy regulation for several reasons, chief among them being the country's enormous

population. With more than 500 million Internet users and a growth rate of more than 8%
annually, India is now the largest market in the digital economy. India's digital economy is

poised for an unparalleled expansion.

The difficulties in resolving issues brought on by extensive transactions made through digital

media may quickly materialize. The use of digital space in the finance sector has increased

recently in India as well. However, with the introduction of more sophisticated technologies

and the government's aggressive stance to support digital transactions following the

demonetization, the use of data has become even more significant and vulnerable to misuse at

the same time. The rise in the number of Indians using digital payment systems such as

Google Pay, BHIM, Paytm, and several other start-ups enabling digital transactions is

evidence that they have reached an era when these digital channels have become an essential

component of our life, therefore ensuring proper security for these transactions requires a

robust and efficient system in place.

The danger to informational privacy is now more serious than ever due to the widespread use

of high-speed Internet throughout the nation. Even though the digital economy has created a

wealth of employment opportunities in the fields of health, education, and governance, it is

now more crucial than ever to have strong laws in place to guarantee the highest level of

protection for these individuals' personally sensitive data.

1.2. Locating the Meaning of Data Protection

According to definitions, one of the legal ideas that is hardest to pin down to a single

meaning is data protection. Legal experts have stated that "data protection" is a catch-all

phrase used to describe any activity related to handling personal data. Sweden's Data Act, the

first data protection legislation ever, was approved in 1973, over 50 years ago, and went into

force the following year. It is now prohibited for any individual or organization to handle

personal data using any sort of information technology without a license, according to the
Swedish Data Protection Authority. The progressive people of that nation in Scandinavia had

grown worried in the late 1960s about the increasing usage and storage of personal data, and

to ease their anxieties, the Data Act was created.

Data protection is the term used to describe the procedures, security measures, and legally-

mandated guidelines implemented to secure your personal data and guarantee that you

maintain control over it. In a nutshell, you should be free to decide what information you

disclose, with whom, for what length of time, and for what purpose. You should also be

allowed to edit some of this information.

"Personal data" and "processing" are two components of data protection regulations that go on

to define the majority of their meaning. Due diligence is necessary because these two ideas

are important to the examination of the underlying reasoning behind the data protection laws.

Since the definition of "processing" is as broad as the data protection legislation as a whole, it

should be read broadly to increase the scope of the protections it affords. Any material

operation that directly affects data is referred to as processing. This includes gathering,

storing, erasing, using, and disseminating data.

The majority of sophisticated data protection policies advocate for interpreting the phrase as

broadly as feasible. It is inevitable that the fundamental goal of having a data protection law

would be undermined by a broadly construed definition of the term "processing." The idea of

"Personal Data" is, of course, the second facet of the Data Protection Laws. Anything that

may be used to uniquely identify a person or information that can be connected to their

identity is included in the term. In accordance with this same logic, European Union courts

have used the "personally identifiable" information test24, which establishes whether or not a

class of data qualifies as personal.


Once these tenets are clarified, it becomes easier to understand the idea behind data

protection regulations. Having said that, data protection laws may be defined as a body of

regulations that safeguard the sharing, gathering, application, deletion, storage, and

destruction of any information that could be used to identify an individual. In this case,

protection entails handling personal data with an acceptable level of fairness in accordance

with accepted standards. But the idea of informational autonomy and self-determination has

grown jurisprudentially, and data protection regulations today refer to more than just the fair

processing of personal data.

Informational self-determination is the phrase used to describe an individual's right to

determine whether or not their personal data can be exposed in the first place7.

1.3. The Right to Data Protection and Rule of Law

It is now accepted that the right to informational self-determination is a fundamental

component of the rule of law. As self-determination is a fundamental functional need of a

free democratic community, it has been suggested that inadequate autonomy in exercising

informational self-determination "would also impair the common good". This claim is based

on the observation that data protection is occasionally viewed as a subset of the right to

privacy. But most of this discussion is limited to the European Constitutional Courts, so it will

be covered in more depth at the proper time. As previously mentioned, data protection has

changed from being a tool to prevent unauthorized access to citizens' sensitive and personally

identifiable information to being a fundamental component of the social order that views the

right to informational self-determination as an essential feature of any community ruled by

the rule of law.


1.4. Right to Privacy and Its Relation with Data Protection

The normative truth that the data protection legislation and the right to privacy are

inextricably linked cannot be disputed. The relationship between the right to privacy and the

right to data protection is concrete, notwithstanding the theoretical differences between these

two hazy concepts. The right to privacy has been acknowledged as a basic right, which is the

basis for the claim that data protection regulations have evolved to be regarded as such.

Along these same lines, the Indian Supreme Court has instructed the Central government to

draft a data protection code only after determining that the right to privacy is an integral

component of the freedom and right to life as specified under Article 21 of the Indian

Constitution. That leaves no question that the purpose of data protection laws

is to safeguard the private rights of the people who are under their care. However, for the

purposes of the Data Protection laws, there must be a clear understanding of the right to

privacy in a nation like India where the body of legal precedent around this right is still

developing.

Comparable to the Data Protection Law, the right to privacy is a vague notion that has caused

much difficulty among legislators worldwide when it comes to providing a precise

definition. However, a clear and logical understanding of the right to privacy is required in

order to carry out the fundamental goal of data protection regulations. Due to the dearth of

legal precedents, it is necessary to depend on some of the established principles pertaining to

it. Additionally, and perhaps more crucially, data protection regulations themselves ought to

be sufficiently expansive to clearly define the meaning and extent of the right to privacy.

There are advantages and disadvantages to not clearly defining the right to privacy. It could

be advantageous inasmuch as the absence of a definition gives the judge plenty of leeway to

interpret it broadly. Since the world of technology is always evolving and seeming to reinvent
itself, it could be preferable for the general public, democracies, and the rule of law to

maintain as flexible an interpretation of the right to privacy as possible. What the most

accurate definition of the right to privacy is has been hotly debated. The vast body of research

on the subject of the relationship between data protection legislation and the right to privacy

argues that information control and the right to informational self-determination are related.

In the context of data protection, one of the most often cited interpretations of the right to

privacy is that "Privacy is the claim of individuals, groups, or organizations to select for

themselves when, how, and how much information is shared about them with others." The "right

to self-determination" has a powerful allure for the populace in any democratic setup, which

is the only explanation for its acceptance and popularity. Strictly speaking, no data protection

regulation can offer total informational self-determination, but what a strong law can

guarantee is a controlled determination. This is something that must be accepted.

The right to privacy has historically been understood in a more traditional and widely held

sense as the right to be left alone. This method views the right to privacy as including non-

interference as a fundamental component. According to this interpretation, "secrecy,

anonymity, and solitude" are the three pillars of the right to privacy. The foundational work

of Samuel D. Warren and Louis D. Brandeis, which established the framework for the

recognition of the right to privacy as a separate right, must always be mentioned in any

debate on the right to privacy.

“Based on these considerations, it can be concluded that the protection of ideas, feelings, and

emotions expressed through writing or the arts, to the extent that it prevents publication, is

just an example of upholding an individual's more general right to privacy. Similar rights

include the freedom from abuse or beatings, the freedom from imprisonment, the freedom

from venomous prosecution, and the freedom from defamation. These rights, like all other
legally recognized rights, are characterized by the nature of ownership or possession. Since

this is what makes property unique, it may be appropriate to discuss these rights.

The principle which protects personal writings and all other personal productions, not

against theft and physical appropriation, but against publication in any form, is in reality not

the principle of private property, but that of an inviolate personality.”

These characteristics are taken into account by several data protection standards in order to

guarantee that people receive the highest level of protection. The idea of the right to be left

alone is the origin of data protection principles including the right to erasure, the fairness of

processing principle, and the purpose restriction principle. The revelation of sensitive

material is yet another way to link data protection with the right to privacy46. Sensitive

documents are often ones that include information that might reveal a person's identity, such

as their name, sexual preferences, home address, etc.

There exists a great deal of controversy among academics regarding the efficacy of this

strategy because it is quite possible that in this Big Data era, information that would not

normally be considered sensitive could be collected and processed in a way that would render

it sensitive. The Supreme Court of India decided to embrace the informational self-

determination method while retaining the key components of these many theories about the

nature of the right to privacy:

Above all, the individual's right to privacy acknowledges an unalienable right to choose how

their freedom will be used. It is possible for someone to believe that being silent is the

greatest way to express themselves.

A space of privacy is implied by silence. Through artistic endeavors, an artist discovers a

mirror of their spirit. A writer conveys the idea that results from a mental process. A musician
muses over notes that, when played, produce silence. The inner quiet reflects on one's

capacity to communicate ideas and thoughts or engage in social interactions. These are

essential components of becoming a person. When a person has the freedom to choose what

they want, they can use their rights under Article 19. When interpreted in combination with

Article 21, liberty gives people the freedom to choose how and what they eat, how they dress,

what religion they practice, and a host of other choices and various issues where making a

decision in private of the mind is necessary for autonomy and self-determination. The

capacity to select a faith and the freedom to publicly express or not publicly express such

choices are inalienably linked to the constitutional right to freedom of religion under Article

25. These are a few examples of how privacy promotes freedom and is necessary for

exercising one's right to privacy48.

The passage demonstrates the significance that the Indian Supreme Court has placed on the

right to privacy. Whatever happens, this historic ruling will have a long-term impact on how

India's data protection rules are interpreted in the future. The Bill states that "sensitive

personal data may only be transferred outside of India for the purpose of processing" but that

"critical personal data" is exempt from this restriction. The feminist school of jurisprudence

has heavily criticized the interpretation of the right to privacy in its physical, functional, and

institutional aspects since it has long been viewed as a barrier to gender equality. The feminist

school views the right to domestic privacy as a tool to applaud the subjugation of women in

their households. This interpretation has been criticized time and time again for being used to

protect the power disparities within the families by the constitutional scheme's exclusions

under the pretense of privacy. One tool to "defend the exemption of marital rape from sexual

assault laws, and to discourage state interference with domestic violence or child abuse" is

the spatial and functional conception of the right to privacy.


Three significant elements that were absent from the Srikrishna draft version of the Personal

Data Protection Bill have also caused considerable worry among privacy experts and IT

businesses. These include provisions that will enable the Center to request the disclosure of

anonymized personal data or "other non-personal data" to any "data fiduciary or data

processor" in order to improve governance or target citizen welfare services.

The proposed Indian Data Protection Act of 2019 resembles modern international norms,

such as the right to be forgotten, at first glance. Some restrictions are more contentious and may

limit some corporate activities, like the need to keep sensitive data in systems situated

inside the subcontinent. Additionally, the draft bill says that non-personal data regulation for

the digital economy might be framed by the central government. To facilitate improved

targeting of service delivery or development of evidence-based policies by the Central

Government, it can specifically order any data processor to "provide any personal data

anonymized or other non-personal data."

India's position is somewhat reversed in the final Bill, which states that while "sensitive

personal data may be transferred outside India," it should still be kept in the nation. But it's

still unclear what the lawmakers intended to achieve when they passed a robust data privacy

legislation.

By avoiding the common traps, India might greatly benefit from the experiences of the

nations that are recognized to have robust data protection regulations in place. It is especially

crucial to address data privacy concerns that may have transnational implications in India, as

the country and the rest of the globe move toward a more digitalized and globalized society.

The researcher would consider it beneficial to discuss the accepted principles of data

protection in the developed world, particularly in the EU, as well as the legislation in these
jurisdictions in order to present a compelling case for a data protection regime that is

compatible with the entities situated abroad, and particularly in the developed world.

1.4. Principles of Data Protection

As previously said, the right to privacy is a somewhat nebulous and abstract concept, thus it

is impossible to establish a clear cut rule that would direct the courts in deciding whether or

not there has been an invasion of an individual's private space. Therefore, legislators and

courts worldwide have established a number of rules defining the right to privacy, which act

as a guide for efficient adjudication of claims of privacy infringement. The US Consumer Bill

of Rights, the GDPR51, and the OECD Principles are a few noteworthy principles.

Nevertheless, successful law cannot be achieved by a one-size-fits-all approach.

Therefore, India has to create its own national privacy principles that would be in line with

the ideals of the Indian Constitution while also incorporating the best practices from across

the globe, rather than adopting any of these principles. The goal of these guidelines must be to

ensure the security of all steps in the information gathering, processing, storage, access,

retention, and disclosure process that involve data that may be used to identify a specific

person. The Planning Commission established a committee chaired by Justice A P Shah with

the goal of creating National Privacy Principles. The committee's work resulted in the

formulation of the fundamental ideas that would serve as the foundation for future data

protection laws in India.

Under the direction of Justice AP Shah, the former Planning Committee established the

Group of Experts on Privacy in 2012 (Justice AP Shah Committee). A comprehensive

framework that considers all aspects of privacy and serves as the conceptual basis for an

Indian privacy legislation was advocated in the Justice AP Shah Committee report. Following

a thorough process of consultation and deliberation, it recommended a set of nine National


Privacy Principles that would be adhered to; they were mostly taken from the OECD

Guidelines. In order to discover the Indianized jurisprudence of the data protection law

through the principles outlined by the AP Shah Committee, the researcher will provide a brief

discussion of these principles.

Notice: The necessity of the notice to the data owner is the first and maybe most significant

of the principles outlined by the committee. The principle emphasizes the idea of data

ownership and requires that any processor of an individual's personal data provide adequate

notification to the data owner. The notification needs to be written in a way that makes it

clear enough for the data principal to comprehend what is being processed. It is

recommended that the notice should include information on the nature of the data being

collected, its intended use, and the security protocols the collector has implemented to

safeguard the obtained information.

The principle also requires that the data principal be notified periodically of modifications

made to the process's privacy policy and that prompt notification be given in the event of a

breach.

Consent: The second principle is that getting consent is a fundamental prerequisite to

processing an individual's personal data. If the consent is declined, the processor has the right

to reject services. Notwithstanding, in cases where the processing is authorized by law and

aligned with other data protection standards, the data gathered by the agencies will be

anonymized.

Collection Limitation Principle: Only that amount of data must be gathered in order to

achieve the goal for which it was originally intended to be collected.

Purpose Limitation Principle: Only those uses of data that were disclosed to the data

principal at the time of consent-obtaining may be carried out. A new consent must be

obtained by notice59 before processing data for any additional purposes.


1.5. Findings

The Chapter addresses the legality and justification for global data protection legislation. The

chapter outlines the components of an efficient data protection framework with a focus on the

necessity of providing sufficient protection for safeguarding informational privacy. The

chapter also discusses the several data protection theories that have been established globally,

critically identifying the point of genesis of the idea that data protection is a component of the

right to privacy. The study provided a comprehensive understanding of the necessity of

finding the ideal balance between achieving informational self-determination and satisfying

the demands of a world that is becoming more and more digitalized.


CHAPTER 2:

GLOBAL INSTITUTIONS AND THEIR DATA PROTECTION PRINCIPLES

2.1. Introduction

The researcher addressed some of the most prominent features of the digitalization era that

have given rise to privacy issues worldwide in the previous chapter. The talk has given a

theoretical understanding of the Principles of Data Protection, but in order to fully understand

the practical aspects of a Comprehensive Data Protection Code, it would be best to study the

ways in which the provisions related to the concept of Data Protection are implemented. As

the saying goes, "the taste of pudding lies in the eating." Additionally, the study becomes

crucial for developing a code that complies with international best practices for data

protection.

Academicians and jurists from all over the world have correctly concluded that a nation

acting alone cannot achieve data protection. Since the Internet serves as the primary source,

storage, and transmission channel for most data worldwide, national regulators are unable to

effectively address the myriad obstacles in implementing a strong data protection framework.

Since data transcends national borders, a transnational framework is required to ensure


sufficient protection for residents' personal data while permitting unlimited cross-border data

transfer.

There must be a mutually agreed upon framework to ensure the free movement of data across

borders and to enforce a certain level of security safeguards.

framework that national data protection laws should be based on80. Globally recognized data

protection principles have the potential to significantly contribute to the standardization and

coherence of data protection legislation worldwide81. There is no one-size-fits-all solution

that can effectively address the issue of data protection, as we have shown in the previous

chapter. Instead, the topic of data security is highly abstract.

This makes it necessary to establish a set of global guidelines that would act as a roadmap for

countries creating their own data protection legislation. Numerous international and regional

organizations have reached consensus on some fundamental ideas that have to be included in

national data protection legislation, all while keeping this point of view in mind.82 The

researcher would mainly concentrate on two of the most significant organizations that have a

significant impact on global data protection laws.

2.1. United Nations’ Data Protection Principles

The foundation for a strong data protection framework worldwide is laid forth by the United

Nations Personal Data Protection principles. Although the majority of global data protection

laws attest to following these guidelines, there are occasionally small departures from them.

What's important in this case is the UN's acknowledged principles' persuasive value, which
serves as a guide for governments who sincerely want to establish a strong data protection

framework in their nation. Even though these guidelines are meant to direct United Nations

System Organizations in fulfilling their mandates, they nonetheless have a great deal of

persuasive power on a worldwide scale. The 2019 Personal Data Protection Bill, the GDPR,

and many data protection laws throughout the world base their data protection framework on

these fundamental ideas. In order to help the United Nations System Organizations carry out

their mandated activities, these principles (referred to as the "Principles") lay out a basic

framework for the processing of "personal data," which is defined as information relating to

an identified or identifiable natural person (referred to as the "data subject").

FAIR AND LEGITIMATE PROCESSING PRINCIPLE

The following justifications should be used by the United Nations System Organizations to

treat personal data fairly, in compliance with their missions and governing instruments:

(i) the data subject's consent; (ii) the data subject's best interests, in accordance with the

relevant United Nations System Organization mandates; (iii) the relevant United Nations

System Organization mandates and governing instruments; or (iv) any other legal basis that

the United Nations System Organization specifically names.

PURPOSE SPECIFICATION

It is imperative that personal data be processed for specific reasons that align with the

missions of the relevant United Nations System Organization and consider the appropriate

balance of rights, freedoms, and interests. Processing personal data in a way that is

inconsistent with these goals is not appropriate.

PROPORTIONALITY AND NECESSITY


When it comes to the designated purposes of processing personal data, the processing of such

data must be relevant, restricted, and sufficient.

TRANSPARENCY

When relevant and feasible, processing personal data should be done in a way that is

transparent to the data subjects. As long as the stated purpose for which personal data is

processed is not thwarted, this should include, for instance, giving them information about

how their personal data is processed and instructions on how to request access, verification,

rectification, and/or deletion of that data.

The Accountability Principle, which states that United Nations System Organizations should

have sufficient policies and procedures in place to adhere to these Principles, is one of the

other well-known principles. Furthermore, the foundation of the Data Protection Principles is

the idea that a United Nations System Organization may transfer personal data to a third party

in the course of carrying out its mandated activities, so long as the organization is satisfied

that the third party will adequately protect the personal data under the circumstances.

2.1. The Underpinnings of Right to Privacy within the ICCPR

Rather than representing personal rights, the term "privacy" is used collectively in Article 17

of the International Covenant on Civil and Political Rights. The "internet" was still in its

infancy when it was drafted, hence the drafters' considerations and comprehension are now

mostly meaningless. Meanwhile, it is possible to ensure that people's private information is

protected while preventing the possible unlawful nature of targeting and widespread

surveillance operations by implementing specific guidelines and adopting particular actions.

This will provide the foundation for a data security solution that is actually successful in the

modern day. In general, the current system encourages data digitization, but it is illegal to
acquire, transmit, or retrieve personally identifiable information that is kept digitally unless it

is done in compliance with legal procedures. A person has the right to know why their data is

being used, where it is being stored, how long it was collected, how to get it corrected, and

other information. Additionally, this has been emphasized repeatedly throughout the remark.

The Human Rights Committee has often emphasized how important it is to gather and

manage personal data in a legal manner. "The collection and storage of personal data on

servers, databases, and other devices, by public institutions or private persons or entities,

should be regulated by law," the statement reads. While the connotation of the comment

appears to extend to the digital domain of the right to privacy, there are important gaps that

need to be addressed.

Comment 16 ought to incorporate an individual-centric definition of privacy in addition to

considering the Right to Informational Privacy from a wider angle. Countries will find great

assistance from the ECtHR precedents in amending comment 16 to expressly hold normal

public data collection procedures as grounds for violating an individual's right to privacy.

This will serve as the foundation for addressing the threat posed by mass surveillance and

expanding the scope of the provision to encompass the digital world in order to fully

recognize the range of potential risks associated with technological improvements.

Getting Rid of the 4th Amendment-based Right to Privacy

The word "home" is used expressly in Article 17 of the ICCPR, which suggests that the

convention's definition of privacy is restricted to "spatial privacy," or the privacy of one's

own personal areas. This implies that "protection from encroachment of man's own castle"

will be the extent of the covenant's security. But such a condensed interpretation of the word
"home" would be dangerous in this day and age, when the potential for private property

invasion has shifted to internet channels. Therefore, "online private spaces"—which include a

person's emails, Facebook and Twitter sites, and other social media accounts—should be

included in the new section.

Nowadays, the only ways for a person to identify themselves in the public sphere on the

internet are through social media pages and mobile phones. The idea of private space, which

dates back a century, has mostly been replaced by electronic devices and social media

accounts. This adjustment should be specifically acknowledged in Article 17. The member

nations' courts have historically defined the term "home" broadly, stating that it encompasses

"a place in which private life can evolve freely." The convention must accord the phrase

"private domain" the broadest possible meaning, encompassing all methods by which one can

access the online sphere, in order to recognize the growth of private life in the present era.

Incorporation of Metadata into the Definition of Correspondence

Article 17 of the agreement has been limited in another essential way, which is the definition

of the term "Correspondence." While letters, phone conversations, emails, and other

correspondences have previously been covered in Comment 16, the most recent dangers to

personal data from “metadata” need to be included in the context of Article 17. In essence,

the metadata are discrete sets of personal data that may be merged for information gathering

and statistical analysis. International courts have questioned the extent to which the metadata

may be utilized for mass surveillance and identity. The Supreme Court of India invalidated a

section of Section 57 of the Aadhar Act for purposeful limitation and breaking storage

regulations; however, the court overlooked the drawbacks of storing metadata. As a result, this

would make it possible for the Indian government to handle and keep personal data of people

via the reliable Aadhar platform. To avoid such careless misunderstanding of the threats that
information might pose to the right to privacy, the inclusion of metadata in the idea of

"correspondence" has become necessary.

It is important to keep in mind that the government might use metadata for a great deal of

security-related objectives. Through the use of metadata, more data

Because information about a person's eating habits, whereabouts, and behavioral patterns is

easily accessible, it is crucial to provide metadata within the parameters of Article 17 of the

convention. This would surely broaden the scope of the provision, making it essential in

addressing the issue of widespread metadata surveillance.

The United Nations Special Rapporteur on freedom of speech stated, "When gathered and

analyzed, communications metadata can create a profile of a person's life, including health

concerns, political and religious beliefs, alliances, relationships, and interests, revealing as

much information as, or even greater detail that may not be distinguishable from the content

of communications."

It is important to note that the judiciaries of other nations with sophisticated data protection

laws, as well as those in Europe, have taken action to maintain that information pertaining to

internet usage is included in Article 8 of the ECHR's definition of "correspondence." States

have a broad window of opportunity to carry out mass surveillance and profiling, however,

because metadata is not specifically included in the examination of communications.

Globally, people's right to privacy will be significantly impacted by the collection of

metadata over time.

2.1 Decoding the Unlawfulness of the Interferences with the Right to

Informational Privacy

Threats to people's privacy about their personal information as a result of growing


digitalization have become a global concern. Many internet companies rely on making money

off of the customer data they gather, both for their own use and to sell to other parties. Not all

people are privacy hawks, and millennials aren't as much as previous generations were.

However, there has been a significant increase in awareness of informational privacy

following the scandalous Cambridge Analytica Data dumps. In 2014, Nix, SCL, and

Cambridge Analytica Elections became aware of the study being conducted at Cambridge

University's Psychometrics Center. The study found that using publicly accessible Facebook

user account data, one can accurately evaluate a user's personality attributes using a

psychometric model called the "OCEAN" scale. An algorithm developed by researchers was

able to identify a person's personality based on the "likes" they had on publicly accessible

Facebook sites.

The algorithm and the ensuing data collection to train the business's model ultimately resulted

in Cambridge Analytica supporting political campaigns such as Brexit and the US elections

in 2016 and set off a global controversy. Facebook's reputation suffered once the data

harvesting was made public, and the company was hit with many fines for improper data

handling.

Over time, following the Facebook/Cambridge Analytica crisis, it became clear that, in spite

of all the government hearings, the public would need to take further steps and take particular

action to get internet corporations to realize that it was time for them to offer sincere

apologies. The GDPR was primarily passed by the European Union to regulate how these

firms may utilize personal data. Users would still not be able to completely prevent someone

from gathering their personal information.

WhatsApp-Facebook Privacy Policy Update


The problem of informational privacy violation has been increasingly obvious with the global

increase of social media users. Due to the lack of comprehensive data protection legislation,

India, a country with a high concentration of social media users, faces an increased danger of

illegal interference with users' privacy. One of these risks has emerged in the shape of the

vehement resistance to WhatsApp's recently modified privacy policy. The social networking

site updated its privacy policy in a move that has drawn significant media attention and user

anger.

The platform will share user data with its parent corporation, Facebook, in accordance with

the revised rules. According to reports, the government is looking into and assessing the most

recent privacy policy update that WhatsApp released, following a backlash against the

contentious modifications that connected user data to Facebook's other services and goods.

It's clear that, simply because of a lack of regulations in India, Indian WhatsApp

users are being treated like second-class citizens and their personal data is being

commercialized by WhatsApp without giving them a clear, concise, and unequivocal warning

before collecting their assent.

However, WhatsApp is unable to do the same for users in the European zone, where privacy

rights are still protected, due to the presence of a strong legislative framework in that region.

This facet of the business's operations clearly illustrates the necessity of a stringent legal

framework to guarantee data protection. The policy has been updated, and users are required

to approve it in order to continue using their conversations. This goes against the fundamental

principles of informational self-determination.

Furthermore, worries about privacy violations are not limited to conversations. The recently

established Atmanirbhar Digital India Foundation (ADIF), an industry group of Indian

entrepreneurs, has demanded more government monitoring after alleging that WhatsApp's
latest privacy policy amendment poses a serious risk to user payments and financial data.

Despite WhatsApp's assertion that the upgrade solely affects WhatsApp Chat, the policy may

potentially result in more data sharing between Facebook, the parent company, and

WhatsApp Payments.

The corporation had to delay the new policy's adoption for a few months due to public

criticism, but in the absence of any regulations, nothing in the law would make the company's

actions illegal. The tragedy has had several good outcomes, one of which is the increased

awareness of information privacy among the Indian populace. This may be demonstrated by

users switching to other platforms and a sharp drop in the platform's user base growth once

the new policy was announced.


GDPR and Informational Privacy

To safeguard people from arbitrary and illegal interference in their personal lives, the

GDPR's Article 17 states, "No one shall be subjected to arbitrary or unlawful interference

with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and

reputation." General Comment 16 clearly stipulates that any legitimate

governmental interventions that do not align with the principles outlined in the Covenant will

be considered illegal. Given that the convention permits "lawful" interferences with the right

to privacy, it is important to give sufficient weight to the criterion when determining whether

an act that is alleged to violate someone's privacy is lawful.

When it comes to domestic legislation, lawfulness is just another word for it. Any law that

has been duly passed by a state's authorized authority would be considered lawful

interference. Nonetheless, General Comment 16 states clearly that this kind of interference

must not be capricious and must adhere to the convention's guidelines94. Although the

committee's remark is praiseworthy, it is important to remember that these rules only apply to

those facets of life that have been determined to be part of the right to privacy. The sections

that aim to safeguard "unlawful" infringements are mostly pointless, as the convention's

existing understanding of the right to privacy is so narrow and antiquated. The Committee

has accepted the idea that a law does not make invasions of privacy acceptable merely

because it permits such violations. The committee suggests, in a sense, adding the due

process provision to justify the individuals' privacy violations.

The United Nations (Office of the High Commissioner for Human Rights) Committee and the

Inter-Parliamentary Union have worked hard to define the standards that will be used to

determine whether the law that is being used to violate privacy is legal. The committee

established a four-point criteria to evaluate the legitimacy of the methods used to try to

restrict an individual's privacy:

1. The legislation must be available to the public, which means that no provision that tries to

invade someone's private space may be coupled with a confidentiality clause. This test

ensures that people are aware of the legal framework that governs

the invasion of their privacy.

2. The second test establishes that the data can only be handled for purposes that are lawful

and combines the purpose limitation and fairness principles.

3. The third criterion offers the fundamental notion of certainty, which is that the legislation

needs to sufficiently define the subtleties of interference. The legislation should establish an

objective standard to identify the categories of individuals whose privacy may be violated,

the goal that the violation of privacy is intended to accomplish, and the specific process by

which the violation of privacy may be authorized. The legislation should also specify exactly

how long such data processing must be permitted for as well as how to store and remove such

data.

2.4.1 The need for sufficient safeguards

The third criterion, which states that the regulations must sufficiently explain the subtleties

of interference, provides the fundamental notion of clarity. A fair standard should be set by

the law to determine which individuals are most vulnerable to privacy violations, what kinds

of violations occur, and which specific procedures may allow them. The length of time that

such data processing may be permitted, as well as how to store and destroy such data, should

be specified in the legislation.

The regulatory framework should have enough judicial scrutiny to guarantee the process's

openness and lack of arbitrariness. It is argued that the absence of these protections will

eventually open the door for illegal incursions into persons' private lives.

The necessity of establishing a structure that would provide effective measures that would

increase openness and foster accountability within the state's surveillance system has been

highlighted repeatedly in the UN's subsequent resolutions.

Adequate protections are vital to minimize and completely eradicate the potential for

arbitrary interference with an individual's right to privacy, but having strong redressal

processes in place is just as crucial. It is imperative to provide sufficient publicity of the

procedures for lodging complaints against violations of the rights enshrined in Article 17. In

order to guarantee that the system has the necessary components to address the violations of

informational privacy, the OHCHR has defined a few requirements.

The first condition is notice, which is predicated on the idea that it is the state's responsibility

to guarantee that the public is informed about the specifics of the interference and their right

to file a lawsuit against the infringement. The necessity of an expeditious, efficient, and

unbiased inquiry of the claimed violations by the state comes next.

A fundamental need for any legislation aiming to violate an individual's privacy is that it

must be fair and non-arbitrary.

The Human Rights Committee has often argued that having laws that are strictly in line with

the goals and objectives of the covenant is necessary to ensure that the law is not arbitrarily

applied. The qualities of need, proportionality, and validity are also embraced by the criteria

of non-arbitrariness. To legitimize the state's invasion of people's private rights, it just needs

to "show in precise and tailored

provide a clear and direct link between the [limited right] and the danger in order to illustrate

the precise nature of the threat and the necessity and proportionality of the particular measure

taken. The member governments have often opted to interpret Article 17 in the broadest sense

possible, assuming that it is sufficiently flexible to include inherent restrictions with regard to

issues of national security and counterterrorism.

It is well known that states frequently cite concerns about public interest and national

security as reasons for violating an individual's right to privacy. While preventing terrorism
and safeguarding national security are legitimate concerns, it is important to outline the

bounds around these matters to keep them from serving as a means of facilitating widespread

monitoring.

2.5. Findings

In essence, the chapter chronicles the origins of the data protection regime and examines the

many data protection principles that are accepted by international organizations worldwide.

The conducted study gives the researcher insight into the essential components of a strong

data protection policy in a democracy. In the next chapters, the researcher attempts to develop

the best possible data protection model for the Indian scheme, paying particular attention to

the OECD Principles. The study has made it possible for the researcher to pinpoint the

essential components of a strong data protection policy.

The preceding chapters have extensively covered the jurisprudential concerns surrounding

the notion of data protection worldwide. Nevertheless, each sovereign state has the freedom

to craft national laws that best suit its own needs, so it would be appropriate to talk about

some of the jurisdictions' approaches to data protection and how they have incorporated the

ideas covered in earlier chapters.

Numerous precautions are enforced by Big Data to guarantee the protection of personal

information belonging to people worldwide. The Internet of Things will make it simpler

to consume large volumes of data, which will raise the danger of personal data being

threatened. Personal data makes up a significant portion of the data involved in the process

and may include personally identifiable information about the data subjects.

CHAPTER 3:

DATA PROTECTION IN EU, US

3.1. Introduction

Big data is the deliberate and focused use of information for purposes other than the ones for

which it was initially collected.136 Offering specialist services may require data processing,

analysis, and assessment. For instance, personalized advertisements for internet users may be

displayed by analyzing the purchase patterns of individuals in a certain area. The

consolidation and revaluation of this data can be advantageous for financial transactions,

creditworthiness, healthcare, personal consumption, professional activity, monitoring and

route taking, internet usage, electronic cards and telephones, and video or communication

surveillance.

While there are clearly many scientific benefits to big data, managing it still carries a certain

level of risk. Artificial intelligence-based car information may also be falsified, and

employing these data further restricts the length of time that people may participate. This

implies that other important rights, including the right to object, that are recognized by

complex data protection legislation are nullified. This has led to the processing and

interpretation of massive amounts of data becoming a new challenge to the worldwide data

protection policy. Given massive data, the GDPR recognizes the impending challenges with

data protection. However, a number of serious issues relating to the remedy and the right

have emerged as a result of the lack of human connection. In the next section, we'll discuss

some of the impending problems that big data will provide for the data protection framework.

A portion of the stance taken by the GDPR appears to be reflected in and endorsed by the

Indian law. The federal data privacy rules in the United States have so far taken a

significantly more laissez-faire approach to data regulation as compared to the GDPR of the
EU. This might be an indication of a fundamentally different understanding of how online

speech protection, data privacy, and human rights relate to one another. In general,

Americans feel that the government has less responsibility for securing internet data and

information than many of its European Union counterparts. What does the law mean for

India's engagement in the international data discourse? India is a major player in the realm of

global internet governance.

The Indian government has done a fantastic job of establishing itself as a global leader in the

regulation of democratic data. India has been praised by commentators for its ability to

influence foreign policy and for its high level of participation in the UN General Assembly

and other forums on internet policy. The specific institutional choices India makes on data

privacy would most likely have a significant impact on the national economy. These

consequences might be direct (like increased compliance costs) or indirect (such as potential

stifling of innovation and overall productivity losses). The given numerical statistics show the

many ways in which different sectors of the Indian economy might be impacted by a data

privacy law modeled after GDPR, even if they might not apply to India.

The literature on the GDPR that is now being published suggests that there will be significant

economic consequences for the European Union (EU), which might impact labor markets,

SMEs, international trade, and economic growth overall. After a careful analysis of the

literature assessing the GDPR's impacts, it is clear that there may be disadvantages for India

in implementing a data privacy law modeled after the GDPR and that similar studies must be

conducted there prior to the bill's implementation. Given that the DPC's proposed bill will

significantly impact significant sections of India's economy, it must be carefully and critically

evaluated in the context of the US and EU's data protection legislation.

The right to personal data protection bears close resemblance to the right to respect for

private life. The two rights are closely related, and both are predicated on the idea that

everyone has the right to live their life with dignity and, as such, needs a personal space

free from outside interference. The right to respect for private life is, however, the far

larger notion: the right to fundamental freedoms, the right to life, and other rights are

included within it. In contrast, the right to protection of personal data is an organic

concept that encapsulates a mechanism that protects individuals' personal information

through systematic regulations for data processing, storage, and security.

In addition to reaffirming the right to personal data protection, Article 8 of the EU Charter of

Fundamental Rights (the Charter) outlines the fundamental principles that underpin this right.

It stipulates that the processing of personal data must be reasonable, done so for defined

objectives, and supported by either the subject's permission or a legally permissible basis.

Every time an individual's data is processed, they are guaranteed the right to have their data

protected, even if such processing has no bearing on the subject's right to privacy. Even in

situations when such processing has no influence on the right to privacy, it may still violate

that right.

This gives rise to the right to data protection. The European Court of Justice has given the

term "privacy" an extremely broad interpretation, holding that the mere act of collecting an

individual's data may violate that right if it is unintentionally disclosed to third parties.

3.2. Role of ECHR In Developing Data Protection Jurisprudence In EU

Everyone has the right to respect for their home, communications, and private and family life,

according to the European Convention on Human Rights. Restricting the involvement of

public authorities in an individual's private life is the central subject of the European data
protection policy. A fundamental principle of a life based on dignity is the right to privacy,

with the exception of situations involving genuine public interests. The nations realized the

growing threat of privacy breaches with the advent of revolutionary technical innovations,

which led to a much broader understanding of the right to be left alone and accelerated the

development of notions such as informational self-determination.1

Early in the 1970s, a number of states passed laws governing the processing and storage of

people's personal data in response to the rising demand for data regulation.

Intimate situations, sensitive or confidential information, information that could sway the

public's opinion of an individual, and even elements of one's professional life and public

behavior are all covered by the European courts' extremely strict stance on data protection

and liberal interpretation of the right to privacy. It may be deduced that the broad definition

of privacy is meant to cover up any ambiguities in the meaning that would compromise

someone's right to privacy.

When considered collectively, the personal data retained under the directive, which could be

accessed by competent authorities, could allow "very precise conclusions to be drawn

concerning the private lives of the persons whose data has been retained, such as the habits of

everyday life, permanent or temporary places of residence, daily or other movements, the

activities carried out, the social relationships of those persons and the social environments

frequented by them." This ruling was made by the CJEU in Digital Rights Ireland142, during

its examination of the validity of Directive 2006/24/EC regarding the fundamental rights to

personal data protection and respect for private life.

A vital component of any sound data protection regime is the range of rights that its citizens

are granted. A strong data protection system that aims to preserve the integrity of all valued

rights in all of its manifestations must fundamentally include the explicit acknowledgment of
certain of the rights that are seen to be the parameters of the right to privacy. It is thus thought

to be best to examine some of the most important rights in this area that are recognized by EU

law.

3.3. Right to Religion

Nowadays, a person's religion, beliefs, and mode of worship may have a significant influence

on how the rest of society perceives them. For this reason, safeguarding information about

one's religious beliefs is seen as a crucial aspect of one's right to privacy.

According to the EU Charter of Fundamental Rights, any individual's private religious,

spiritual, or philosophical information is regarded as sensitive information. The freedom of

thought, religion, and conscience are guaranteed by Article 9 of the Charter, and any

violation of this information is deemed to jeopardize these rights. The petitioner in Sinan Işık

v. Turkey had challenged a law on the grounds that the identity card's religious name was

incorrect. The European Court of Human Rights (ECtHR) declared the regulation to be

unlawful, stating that religious freedom includes the ability to practice one's religion alone or

in private as well as in public and with other people who share the same beliefs.

The domestic laws in effect at the time required people to carry identification cards, which

were documents proving one's faith that had to be produced upon request to any

governmental agency or private company. Such a duty overlooked the fact that the freedom

to express one's faith also granted the freedom from having to reveal one's views.

Notably, the government said that people no longer had to include their religion on their

identity card and could choose to leave it blank if they so desired. The court dismissed the

argument, stating that such a recusal would place the relevant parties in an awkward situation.

As a result, the disputed law was ruled to violate Article 9 of the ECHR.

Certain analysts contend that churches that keep track of visitor information should have been

required under GDPR Article 91 to create internal data processing policies that adhere to the

requirements.

3.4. Financial Interests

The global corporate landscape has undergone a radical transformation with the arrival of the

digital era. Data has never been more important, and rightfully so; many economists concur

that data is the new oil. Data processing is a key component of many businesses worldwide,

and concerns over the financial effects of stringent compliance guidelines for the protection

of personal data are frequently voiced by both data controllers and data subjects. In the

historic Google Spain case, it was questioned whether financial interests might be considered

a legitimate basis for restricting the processing of data. The court determined that because

search engines hold a significant quantity of personally identifiable information, the data they

have gathered might pose a severe danger to privacy.146 The court concluded that, in

addressing the contention regarding the underlying economic interest in this type of data

processing, a just balance should be struck between that interest and the fundamental rights of

the data subject, particularly the right to privacy and the right to have personal data protected.

Therefore, it was decided that the underlying economic and other interests are subordinated to

the right to privacy and the right to personal data. The Court additionally notes that a great

deal of his personal life may be covered by this information, and that without the search

engine, it would have been extremely difficult or impossible to link the information.

Thus, internet users might create a more or a less thorough profile of the individual being

looked up. Furthermore, because search engines and the internet play such a significant part

in modern society and make the information found in these lists of results widely available,
the impact of the interference with an individual's rights is amplified. The Court holds that

the engine operator's financial interest in the data processing is insufficient justification for

such intervention given its potential significance.

The ECtHR has taken the stance of weighing the relevant interests in each instance against

the data protection regulations. Sometimes, when there isn't the The right to have data erased

has been rejected by the court. The question before the court in Camera di Commercio,

Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni147 was whether petitioner

Mr. Salvatore Manni could assert a claim for the erasure of personal data (relating to the

bankruptcy of a business he headed a few years ago) in order to protect their financial

interests. The court held that the fundamental records of the relevant firm should be released

first, even though it acknowledged that the petitioners' prospective clients had a right to see

the information, so that their contents and other information about the firm, including the

specifics of the individuals who have the authority to bind the company, may be accessible to

third parties148. Therefore, the learned court noted that the disclosure's goal of furthering the

genuine public interest made the interference with the petitioner's personal data

justifiable.149 The court did note, however, that in some circumstances, people may be able

to object to the processing of their personal data even in cases where there are unusually

special circumstances and legitimate general interests. The court has underlined time and

again that a valid public interest exists when all the facts surrounding a case are taken into

account.

3.4. Freedom of the arts and sciences

The case Vereinigung bildender Künstler v. Austria151 dealt with a disagreement about a

painting that depicted nudity and included a politician who had properly requested an

injunction from the domestic court due to privacy invasion. The European Court of Human
Rights (ECtHR) noted that, rather than addressing specifics of [the portrayed's] personal life,

the painting was more likely to refer to his public position as a politician and the need for [the

depicted] to show a greater degree of tolerance toward criticism in this role.

3.4.1. Freedom of Expression

The GDPR's Article 85 regulates how the freedom of speech and the right to privacy interact.

In order to do this, the Article requires the states to balance the two rights and provides a

number of exemptions and derogations from certain chapters. The link between the two rights

was controlled by Article 9 of the directive before the GDPR was passed. Nevertheless, it is

important to acknowledge that there have been many instances where the rights to data

protection and the freedom of speech and expression have clashed. In Tietosuojavaltuutettu v.

Satakunnan Markkinapörssi Oy and Satamedia, the CJEU used the chance to clarify the link

between the two rights, ruling that a balance between the two rights is necessary. Furthermore,

while the right to free speech and expression is an essential component of any democratic

society, the restrictions and limitations on the right to data protection must only be applied

when absolutely required in order to strike a balance. The court ruled that while political

discourse is a necessary component of any organic democracy and that discussions about

matters of public interest cannot be legitimately restricted, editorial gossip intended to pique

the interest of certain readers does not advance the conversation or serve any fundamental

public interest. Under such circumstances, the right to data protection cannot be superseded

by the expansion of the freedom of speech.

An injunction order against a publishing business that forbade the reporting of the arrest of a

well-known German actor was contested before the ECtHR in Axel Springer AG v.

Germany, on the grounds that the order violated Article 10 of the ECHR. Applying the

margin of appreciation concept, the court considered the fundamental question and
established a comprehensive set of standards for balancing the rights to privacy and freedom

of speech and expression: whether the article advances a topic of public interest; the extent

of the subject's notoriety and the topic of the report; the subject's past behavior; the source of

the information and its accuracy; the kind, structure, and implications of the publication; as

well as the harshness of the penalty applied.

Given the case's circumstances, it was determined that the injunction constituted excessive

limitations because the actor was well-known to the public and his detention affected public

interest. As a result, it was determined that the order in question breached Article 10 of the

ECHR.

3.4.2. Professional Secrecy

The idea of professional secrecy has strong roots in the moral standards of all professions,

while not being a basic right. Confidentiality is a crucial component in professions that rely

on trust, such as client-lawyer and doctor-patient relationships. The European Court of

Human Rights (ECtHR) has decided that, in order to safeguard the basic right of an

undertaking to respect for its private life as guaranteed by Article 8 ECHR and Article 7 of

the Charter, it may be essential to forbid the revelation of some information that is deemed

secret. The necessity to preserve a balance between the rights of data subjects and the

underlying legitimate interests has been highlighted by the courts.

3.5. Important Definitions under GDPR

It would be best to take a quick look at some of the GDPR's pertinent definitions before

delving into the specifics of the European Union's data protection rules, since they have

played a significant role in their development.

3.5.1. Personal Data

The most essential component of the data protection system is, of course,

the personal data. According to the GDPR, any information that may be used to identify a

specific person or be linked to them is deemed personal data159. According to the GDPR,

data controllers must take all reasonable steps to determine the type of information they have

collected160. Furthermore, the individual whose information is being processed—the data

subject—is the most significant stakeholder in the data.

3.5.2. Data Subject

Any identified natural person whose personal information is being processed is referred to as

a data subject. Legal entities may, however, only assert their claim to the protection of

Articles 7 and 8 of the Charter with respect to this identification to the extent that the legal

entity's official title names one or more natural people. Articles 7 and 8 of the Charter

recognize the right to respect for private life with relation to the processing of personal data.

This right pertains to any information that may be used to identify a specific

person.

3.6. Principles of EU Data Protection Regime

The European Courts have established a strong foundation of legal reasoning in their quest to

grant the right to data protection to the fullest degree feasible, much like any other developed

jurisdiction. These guidelines provide a framework for evaluating instances in which data

subjects' rights to data protection have been violated. Notably, all of these guidelines are still

in place under the GDPR to guarantee the highest level of security and data subjects' control.

3.6.1. Data Accountability Principle


The controller bears the responsibility of adhering to the principles of personal data

processing and must be able to provide evidence of compliance. Additionally, the controller

should be capable of guaranteeing compliance with the principles of data protection. This

concept rests on the idea that when breaches occur, the data controllers should be held

responsible.

3.6.2. Data security principle

The foundation of the European data protection legislation is the idea of providing data

subjects with appropriate security and confidentiality. It includes the notion of a system that

guarantees the implementation of suitable organizational or technological safeguards

throughout the processing of personal data to guard against unintentional, unauthorized, or

illegal access, use, alteration, disclosure, loss, destruction, or damage.

In order to safeguard individuals' rights to data protection, the GDPR also mandates that data

controllers take into account the state of the art, implementation costs, and the type, extent,

context, and goal of processing, in addition to the risk of varying likelihood and severity for

natural persons' rights and freedoms. Pseudonymization and encryption are specifically mentioned

in the GDPR as ways to increase security. Additionally, as was previously mentioned, the

GDPR requires controllers to notify data subjects of any potential data breaches within a

certain amount of time.

3.6.3. The Storage Limitation Principle

The principles of maximizing data security also form the foundation of the Storage

Limitation Principle. In order to eliminate the possibility of any breaches, it stipulates that

data must only be kept on file for as long as is strictly required. This idea is appropriately

included by the GDPR, which states that data must be retained in a format that allows data

subjects to be identified for no longer than is required to fulfill the purposes for which it was

gathered. Furthermore, it stipulates that the controller must set deadlines for deletion or

frequent reviews.

The European Court of Human Rights (ECtHR) noted in S. and Marper that keeping personal

data for an excessively long period of time is not characteristic of a democratic society run by

the rule of law. The case involved the two applicants' fingerprints, cell samples, and DNA

profiles being kept on file indefinitely even after they were found not guilty. These rulings

serve to illustrate the concerns that data storage poses to people's right to privacy and the

inherent hazards associated with it for European courts. By destroying any data that is no

longer absolutely essential for the reason for which it was gathered, the idea seeks to reduce

the amount of data stored.

The courts have acknowledged a broad variety of exceptions to the storage principle, though,

and data may be kept for extended lengths of time if it is needed for statistical analysis, public

interest, scientific research, or historical purposes—as long as it is used exclusively for these

purposes. The CJEU clarified the necessity of an objective standard for issuing data retention

directives169 in the Digital Rights Ireland case. The observation was founded on the idea

that information shouldn't be kept around longer than is absolutely required.

3.6.4. Data Minimization Principle

According to GDPR, processed data must be sufficient, pertinent, and not excessive for the

purposes for which it is gathered and/or processed further. The European Court of Human

Rights (ECHR) invalidated a data retention regulation clause in the Digital Rights Ireland

case, citing the significance of data minimization and the broad reach of data processing

through the use of a generic language. In order to combat severe crime, the directive

stipulated that all people, all electronic communication devices, and all traffic data must be

treated equally and without distinction, restriction, or exception.

The court reaffirmed its support of the principle by noting that the directive contradicts the

principle prohibiting the excessive processing of data and that personal data that is

appropriate and pertinent but would cause an undue interference with the fundamental

freedoms and rights at issue should be deemed excessive.

3.7. Purpose Limitation Principle

When the aim of processing is adequately defined and unambiguous, people are better

informed about what to expect, and legal certainty and transparency are improved. However,

it's crucial to define the aim precisely so that data subjects may use it to properly exercise

their rights, such as the right to object to processing. The cornerstone of European Courts' law

regarding the right to data protection has been the idea of purpose limitation. The requirement that

personal data be acquired for specific, explicit, and legal reasons and not subsequently

processed in a way that is incompatible with those goals has caused commentators to

frequently herald this principle as a guarantee of transparency and user control.

The tightly worded clause prohibits the gathering and use of data for ambiguous, future

purposes by stating that a separate legal basis must exist even for uses that are related to the

original goal of the data acquisition. The foundation of the purpose limitation principle is the

idea that processing data cannot be done in a way that is surprising, improper, or offensive to

the data subject. The data may be processed further only if it serves the original purpose and

only for those purposes. Among the list of acceptable uses are further processing for public

interest archiving, scientific or historical research, or statistical reasons.

This implies that the data controller will be permitted to treat the data in these

circumstances, even if the data collected by the subject fails the compatibility test. The law,

however, is well-established regarding what types of data are compatible, and the data

controller is required to take into account the following factors: any connection between

those purposes and the intended further processing purposes; the context in which the

personal data were collected, especially with regard to the reasonable expectations of data

subjects based on their relationship with the controller regarding its further use; the nature of

the personal data and the implications of the intended further processing for data subjects;

and the presence of suitable safeguards in the proposed additional processing procedure as

well as the initial one. In accordance with the principle, data subjects also have the right to

object to data collection and to know the reasons why their data is being collected.

3.8. Fairness Principle

Ensuring data subjects that their information will be treated in a transparent and lawful

manner is the motivation behind the fairness principle. According to the concept, data

controllers must demonstrate their compliance procedures and alert data subjects to any possible

risks. Additionally, where a data subject's permission serves as the legal foundation for data

processing, the controllers are required to abide by the subject's requests. The hospital in

K.H. and Others v. Slovakia refused to provide the petitioners access to their own medical

reports because of the possibility of data misuse. According to the European Court of Human

Rights, the state had not demonstrated that there were adequate and convincing grounds to

prevent the applicants from having effective access to information about their health. It was

decided that data subjects could not be denied the ability to access their data unless there

were very strong grounds for doing so.

Nothing has a more significant place in the EU's whole data protection framework than the

transparency aspect. Data processing must be transparent with regard to the data subject, as
required by the GDPR. The term "transparency" has been used broadly to refer to a variety of

informational materials, such as those provided to individuals prior to the commencement of

processing, those that should be easily accessible to data subjects during processing, and

those that are provided to data subjects upon request for access to their own data. One of the

important instances where the right to data accessibility was emphasized was Haralambie v.

Romania. The ECtHR concluded that those who were the subject of personal data stored by public

authorities had a critical interest in being able to access them, even if it noted that Article 8

had been breached. The petitioner was eventually allowed access to the material held about

him after a grueling five years. It was the responsibility of the government to provide a

reliable process for gaining access to this kind of data.181 Additionally, it was decided that

delays in granting data subjects access to their information could not be justified by flaws in

the archive section.

Additionally, Recital 39 of the GDPR states explicitly that data subjects must be informed

about the processing activities in an understandable manner so that they are aware of what

will happen to their data. This implies that the data subject must be aware of the precise

reason for processing their personal data at the time the information is collected. The

effectuation is a crucial subject that unites these ideas.

3.9. Rights of Data Subjects under GDPR

The right of data subjects to access their own data is recognized under EU law. The EU Charter

of Fundamental Rights clearly recognizes the right of

individuals to have access to their data and request corrections as required. The GDPR

establishes extensive right-based regulations to provide individuals with the highest level of

data control. A wide variety of rights that persons have with regard to their data are mandated
by Article 8 in order to advance this goal. Establishing procedures that allow data subjects to

contest infringements of their rights, hold controllers accountable, and seek compensation is

just as crucial as giving them rights.

3.10. Right to Rectification

The GDPR envisions a legislative framework that aims to provide data subjects with the

greatest amount of control over their data, keeping in mind the significance of protecting

personal information. The right to request the correction of erroneous personal data

pertaining to oneself from the controller without undue delay is granted to the data subject.

The data subject must have the right to have incomplete personal data filled, including by

supplying a supplementary statement, in light of the processing's goals.

In Ciubotaru v. Moldova, despite the existence of factual proof supporting his argument, the

petitioner was not allowed to have his ethnicity's name corrected.

The State had not complied with its affirmative commitment to ensure to the applicant

effective respect for his private life, the court observed, by preventing the applicant from

having his claim reviewed in light of objectively verifiable facts. Data controllers are required

to promptly provide data subjects with the opportunity to update their stored information. The

police information report, according to the court in Cemalettin Canli v. Turkey, is a

methodically gathered public record that is kept in files owned by the government and may

also be considered private life.

3.11. Right to Data Portability

Only when data is submitted in accordance with contractual requirements or is based on

permission are data subjects guaranteed the right to data portability. Under the EU data

protection law, cases where the data was collected legally do not have this privilege. It is

necessary for the data controller to provide systems that enable data to be transferred between

controllers in accordance with the wishes of the data subjects. The GDPR places a strong

emphasis on the necessity of creating interoperable formats to provide increased data

portability.

It should be mentioned that, in terms of data portability, the legislation does not place undue

burden on data controllers. The GDPR aims to strike a balance between the interests of data

controllers and data subjects by permitting data to be maintained on the basis of legitimate

public interest or in support of legal operations. Nevertheless, the right to data portability

cannot be restricted outside of these two exceptional situations. It is also clear that giving data

subjects authority over their own personal data is the only goal of the recognition of the right,

which is to guarantee user choice, control, and empowerment.

3.12. Findings

An examination of a few significant pieces of US legislation pertaining to data protection

does suggest that these rules may be used as a means of defending people's rights to total

control over their personal information. But some significant gaps that have surfaced are as

follows.

• The US has an excessive number of data protection laws, each with a narrow reach, in

contrast to the European Union, which has a comprehensive rule in the shape of the General

Data Protection Regulation. Consequently, the nation's data protection structure is extensive,

intricate, and technically advanced. Additionally, there are several federal and state laws

covering the same topic, which causes needless complexity.


• The bulk of the regulations (or at least most of them) were passed more than two or three

decades ago, and many of these rules find it difficult to deal with the issues raised in the

contemporary period. Therefore, it is imperative that technology advancements be taken into

account in order to fulfill the goal of protecting residents' private information.

• In spite of these drawbacks, it is undeniable that the US has a strong and efficient structure in

place to safeguard citizens' rights to data protection. But as compared to the US, the EU has a

far more sophisticated, advanced, comprehensive, and contemporary data protection system.

• The following two factors provide the European Union a slight advantage in the area of data

protection. First, unlike the EU, which has what is perhaps the most individual-centric data

protection regulation in the world, the US lacks a comprehensive federal law governing the

processing of data. The second explanation has to do with the European Courts' permissive

view of data privacy problems.

• In order to successfully address the issues of the current period, the United States must also

have a comprehensive federal regulation along the lines of the General Data Protection

Regulation. India has frequently been referred to as the most significant offshore business

destination in the world. The growing network of Indian data outsourcing enterprises was the

first to raise worries about possible data breaches in India. It is sometimes asserted that India

would never have needed a data protection legislation at all if not for the concerns of

informational privacy breaches brought on by data offshore corporations.

There was no legislative structure in place to control the data outsourcing process in India,

which led to several cases of data theft and informational privacy violations by these

offshoring businesses. Naturally, the world press took notice of these instances and finally

pressured the Indian government to pass a data protection law.


• The researcher's identification of the essential elements of a strong data protection regime in

nations with sophisticated data protection legal frameworks has created the ideal foundation

for a detailed examination of the current data protection legislation in India. To date, the

researcher has identified the best practices used by various jurisdictions to provide citizens'

personal data with a fair degree of protection as well as the difficulties governments face in

effectively addressing privacy issues related to technological advancements.

• The chapter's conclusion has allowed the author to also pinpoint the level of protection that,

in terms of informational privacy, a digitalized society has grown to demand. Therefore, the

goal of the upcoming chapter is to get a thorough understanding of India's current Data

Protection laws.

CHAPTER 4:

DATA PROTECTION REGIME IN INDIAN LEGAL SYSTEM

4.1. Introduction

The researcher now has a fairly comprehensive grasp of the various approaches to personal data

protection that the United States, the United Kingdom, and the European Union have taken

thanks to the previous chapter. It would be important to do a comprehensive analysis of

India's current data protection laws before delving into discussions on the viability of a certain data

protection model. This chapter's discussions aim only to provide readers with the most

comprehensive knowledge of India's current situation of data protection. Every day, the globe

gets more and more digitalized, and India is not an exception to this phenomenon.

Many billions of people worldwide communicate with one another via digital media,

resulting in the global generation of enormous amounts of data. A sizable portion of the

population is reached via the recently discovered digital communication channels, which

include social networking sites like Facebook, Twitter, WhatsApp, and others. In India,

almost 53% of people have an online presence thanks to more affordable internet and

increased connectivity.

Additionally, the Indian economy has a significant presence of online payment programs like

Paytm and Google Pay. The vast amount of data engaged in the digital space has increased as

a result of individuals using these apps. But technological advancements have also given both

governmental and commercial sector organizations the ability to quickly access, store, and

process an individual's personal data.

An increase in internet users also suggests that these transactions often contain a large

amount of personal and financial data. India is a digital transmission hotspot due to the

enormous popularity of these apps among Indian users.

It is important to remember that these smartphone apps, which provide users with a variety

of services including online chat, digital payments, online shopping, taxi services, etc., save

and handle a significant amount of personal data about their users. The following paragraph

provides a comprehensive overview of the development of a digital economy that places data

at its centre:

Even something as basic as calling for a cab today requires using a smartphone app that

gathers and utilizes several kinds of data, including the user's financial information, her

current location, and details about her past travels. People's communication, decision-making,

and business practices are all being profoundly altered by data. Nowadays, companies are

compiling enormous databases about customer behaviour and preferences. It is now easier

than ever to compress, sort, modify, discover, and understand information, which can then be

turned into knowledge that is useful.

The majority of the time, the process includes transmitting and storing personal data in

addition to collecting and processing it. Technology has advanced to the point where

processing and storing personal data is now a very technically and financially feasible choice.

These phenomena guarantee that data aggregators not only gather but also retain personal

information about individuals, which may be utilized to create user profiles and, naturally,

improve the effectiveness of the apps.

Service providers may speed up transactions and improve service quality by creating

personalized user profiles. The things that consumers might be interested in purchasing are

suggested by internet aggregators and e-commerce corporations based on their past online

activity. Precisely said, the way things function in the digital age may be greatly influenced

by the usage of data, and all organizations, public and commercial, want to maximize the

amount of information that can be obtained from their users' data. To enhance traffic

conditions, data analysis on the positions of residents in a certain region might be employed.

The examination of the patients' medical records might assist the researchers in developing a

more accurate diagnosing process. The government may benefit much from the examination

of people's demographics and economic circumstances when formulating and implementing

socially beneficial policies. Data processing may also greatly assist law enforcement

organizations in preventing crimes and financial regulators in identifying frauds. Drone

cameras and more sophisticated surveillance techniques employing internet and advanced

technology have been increasingly popular among police enforcement agencies.

However, the preservation of people's personal data poses a serious danger to informational

privacy even as it makes things easier for consumers and promotes a safer society. A

rising number of people are using the internet, which has opened up a world of worries about

potential data breaches. Since the government is the entity that processes personal data on

individuals the most in India, it is critical that laws governing data collection, storage, and

processing be in place in order to provide the appropriate protections. Nonetheless, the

danger to informational privacy in India, like in the rest of the globe, has not suddenly

materialized; rather, the threat has only grown more significant with the onset of

digitalization.

Our ability to gather, store, process, and transfer information has significantly increased

because of the advancement of science and information and communication technologies,

which are made possible by computers and other electronic devices. However, it also leaves

us open to more widespread breaches of our privacy. This violation of privacy might also

originate from a personal relationship. It might occur in any of the following ways:

• Data on our personal computers can compromise us in ways that range from financial loss to embarrassment;

• data transmission over the Internet and mobile networks is equally at risk of being intercepted;

• in this era of cloud computing, a large portion of our data, including emails, chat logs, personal profiles, bank statements, and other data, is stored on the far-off servers of the businesses whose services we consume, and our privacy thus depends on the internal electronic security mechanisms of those servers;

• due to their increased vulnerability to exploitation, minorities, women, the elderly, and children are particularly vulnerable to privacy violations in this digital age; and

• the management of data online has given rise to new types of annoyances that might compromise anyone's privacy, such as electronic voyeurism, spam or offensive emails, 'phishing,' etc.

4.2. The Information Technology Act, 2000

In view of the need for uniformity in the law pertaining to alternatives to paper-based

methods of communication and information storage, the Indian Information Technology Act

2000 ("Act") was based on the Model Law on Electronic Commerce adopted by the United

Nations Commission on International Trade Law. It was suggested that all States intending to

enact a law for the impugned purpose give favourable consideration to the said Model Law

when they enact or revise their laws. As previously mentioned, the offshoring industry and

the information technology sector were the primary focus of India's original data protection

legislation plan 334. Due to the gaps in India's current legal system, there have been several

cases of in response to increasing international


pressure and instances of data theft, India
passed the Information Technology Act, 2000 to control the movement of data within the

nation.

The IT Act continues to be the cornerstone of the many Indian legislation intended to

safeguard a society supportive of the cause of data protection. The IT Act largely regulates

the issues mentioned above, which led to the emergence of a data-driven culture in India with

the growth of the IT sector. The Act has undergone many amendments to date in response to

the constantly changing threats that the development of technology poses to data security.

This section will address the current Act provisions in order to examine the current Indian

data protection system. Within its system, the IT Act defines "data" according to a traditional

meaning focused on e-commerce. The original legislative aim behind the clause is implied by

the focus on computer and other types of memory storage. Furthermore, it should be

mentioned that in the wake of later rules, the limited definition of the term "data" has had

significant modifications.

"(o) 'data' is a representation of knowledge, facts, concepts, or instructions that are being

prepared or have already been prepared in a formalized manner and are meant to be

processed in a computer system or computer network. They can be stored internally in the

computer's memory or printed out on a computer, as well as on magnetic or optical storage

media, punched cards, punched tapes, and computer printouts." The IT Act's purview seems

to be limited to e-commerce operations, and the Indian legal definition of data was primarily

intended to further the cause of internet regulation in the information technology industry.

This proposition may be appreciated from the fact that the concept of data protection was far

removed from the Indian conception of privacy and informational self-determination. The fact

that there is any law in existence in India can be attributed to the subsequent amendments 337

that were brought in the IT Act. The two most notable pillars of the data protection scheme in
the country are Section 43A and Section 72A of the Act.

This claim may be understood in light of the fact that the Indian conceptions of privacy and

informational self-determination differ greatly from those of data protection. The following

amendments made to the IT Act are responsible for the existence of any laws in India today.

Sections 43A and 72A of the Act are the two most significant foundations of the nation's data

protection program. The cyber contraventions and cyber offenses are the two main categories

into which the Indian data protection system may be divided. Even so, the cyber

protocols.

Cyber violation includes breaking the rules outlined in this section. The word "contravention" is

notable for being extremely narrow in its definition, encompassing any unjustified interference

into an individual's informational privacy by an unlawful breach into data held on a computer

or computer network. Chapter IX of the IT Act is the cornerstone of codified Indian data

protection legislation. The Information Technology Act of 2000's Section 43 stipulates the

data controller's obligation in the event of a breach.

(i) 43A Compensation for Data Protection Violation. -If a corporate entity owns, controls, or

operates sensitive personal data or information in a computer resource and is negligent in

putting reasonable security practices and procedures in place, causing wrongful loss or

wrongful gain to any individual, the corporate entity shall be liable to compensate the

individual in question for damages. Justification. With respect to this section, -

(ii) "body corporate" refers to any organization of people involved in business or professional

activities, including firms, sole proprietorships, and other associations; (iii) "reasonable

security practices and procedures" refers to security measures intended to guard against

unauthorized access, damage, use, alteration, disclosure, or impairment of such information,

as may be stipulated in an agreement.


(ii) reasonable security practices and procedures, as may be prescribed by the Central

Government in consultation with such professional bodies or associations as it may deem fit,

or as may be specified in any law currently in force, between the parties, or in the absence of

such an agreement or any law; (iii) "Sensitive personal data or information" refers to any

personal data that the Central Government may prescribe after consulting with any

organizations or professional bodies that it may see fit.

(iii) As implied by the language of the provision, the Section aims to penalize body

corporates that deal with, possess, and handle sensitive data but neglect to maintain and

implement reasonable security measures. Should this lead to an individual's wrongful gain or

loss, the body corporate in question will be responsible for compensating the individual for

damages. The Indian Penal Code's concept of unjust gain must be used while interpreting the

term.

(iv) From a cursory reading of the passage, it is clear that the obligations are limited to the

body corporates, which includes businesses, corporations, proprietorships, and other divisions

of groups of persons. The fact that the people are spared from the harsh penalties outlined in

the provision does indicate that the legislature's primary goal in establishing the stated section

was to target corporations that handle the processing of personal data. However, the author

believes that the provision's scope and ambit are extremely limited, and the following

prerequisites must be met in order for the criminal penalties to apply.

(v) The information in question needs to be sensitive.

(vi) A body corporate must be the owner and operator of the computer resource handling

the data.

(vii) There must be a lack of adequate security standards and the corporate body cannot

handle the data carelessly.

Above all, there must have been unjust gain or wrongful loss as a consequence of the

carelessness. In 2009, the Indian legislature amended the Information Technology Act to

include section 74 A, which protects privacy under contractual relationships, in addition to a

very restrictive provision that aims to prevent breaches of informational privacy in non-

contractual relationships.

In response to the 26/11 Mumbai assaults, India enacted the IT (Amendment) Act, 2008

(ITAA 2008), which established a robust data protection framework. It resolves data

protection issues raised by the sector and, among other things, establishes a more foreseeably

structured legislative framework with provisions for cybercrimes and data protection.

Corporate entities are expected to secure sensitive personal information of customers stored

in digital environments using acceptable security measures.

Furthermore, the ITAA 2008 mandated that they safeguard data in accordance with valid

contracts by establishing fines for privacy and confidentiality violations.

4.3. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

The Information Technology Act of 2000 implicitly states that sensitive personal data was

not defined, which left a great deal of space for misunderstandings and cases of

misinterpretation. The Ministry of Communications and Information Technology created the

"Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal

Data or Information) Rules, 2011" in 2011 as a result of using the authority granted by

section 43 A of the Act to periodically enact new regulations. It would be excellent for our

analysis to quickly review some of the rule's pertinent sections in order to have a

comprehensive understanding of India's current data protection laws.

Although the guidelines mostly preserve the definitions of the IT Act of 2000, they also close

some of the Act's main gaps, attempting to provide a viable framework for data protection

laws that would safeguard people's information privacy. The definition of "sensitive data" is

one of the most important improvements to the Rules.

The Rule is fairly broad in its wording and includes nearly any information that, in the event

of a breach, might directly affect a person's right to privacy. The rule's proviso does,

however, exclude material that is already in the public domain from the category of sensitive

data.

The need for the supplier of the sensitive data to grant their consent is embodied in the

obligation to get that consent. Additionally, the regulation stipulates that data must only be

gathered for legally authorized purposes. These regulations also acknowledge the well-

established principles of data protection, such as the rights to fairness in processing, purpose

limitation, and the . Apart from these fundamental guidelines, the regulations mandate that

corporations that gather confidential data have a strong privacy policy and implement

appropriate safeguards to ensure the security of the individuals' private information.

Nonetheless, the regulations give the government carte blanche to disregard any data privacy

norms and grant access to law enforcement and the government to individuals' sensitive

personal information without the individuals' agreement.

Furthermore, the central government appoints members of the Cyber Appellate Tribunal, the

adjudicating body. A strong data protection framework in India is still a pipe dream since

there is no independent adjudicating body in existence and no safeguard against potential

government violations of the right to privacy.


4.4. Privacy in the Health Sector

It is irrefutable that a fundamental component of the right to privacy is the information about

an individual's health and medical history. Constitutional courts in India and other countries

have consistently maintained that disclosing medical information might result in an

unjustified intrusion into an individual's personal space, severely upsetting that person's peace

of mind. In Mr. X v. Hospital Z, the Supreme Court declared the following, emphasizing the

value of informed self-determination in cases involving medical histories:

“In addition to a contract, a right to privacy may also result from a particular connection,

such as a business partnership, marriage, or even a political one. As was previously said, the

doctor-patient relationship is essentially commercial, but it is also a professional matter of

confidence. As such, doctors have an ethical and moral obligation to safeguard patient

confidentiality.

Under such circumstances, making even factual private information publicly available might

violate someone's right to privacy and can result in a conflict between one person's "right to

be let alone" and another person's right to information. Even genuine private information

disclosed has the potential to upset someone's peace of mind. It can cause him to develop a

lot of complexes and possibly develop psychiatric issues. After then, he could lead a chaotic

existence for the rest of his life.”

In the most straightforward language possible, this precedent-setting decision from the

Honorable Supreme Court establishes the prohibition on disclosing even accurate medical

history information about a patient without that patient's consent. Health-related data is even

classified as sensitive data by the SPDI Rules, 2011, which means that it cannot be shared

with a third party without authorization. On the other hand, hospitals are required under the

Clinical Establishment Rules, 2012 to keep an electronic record of their patients' medical

histories.

However, because the regulations are not applied to public entities, government-run hospitals

are free from all of them, giving them a reputation for protection against unjustified invasions

of individuals' private rights.

4.5. Existing Surveillance Regime in India

The limitations that the proposed data protection law in India aims to place on the breadth

and depth of the right to privacy are its most important feature. Since the subject of law is

still extremely young, it will take some years before the courts develop a clear methodology

for determining the boundaries of when and how the right to privacy can be used. Without a

doubt, the Puttaswamy ruling will launch a system that will significantly protect the privacy

of billions of Indians' personal information. It would be incorrect to assume that Puttaswamy

marks the end of the effort to protect citizens' private information; rather, it marks the

beginning. We are now worried about the ruling in Puttaswamy, how the court justified it,

and how this may affect India's future data protection laws.

It should be mentioned that the nature of the right to privacy was the main point of argument

in the Puttaswamy case between the petitioners and the defendants. Is there an unrestricted

right to privacy, or does it include certain built-in restrictions? What are the limitations, and

how does the court defend them if it isn't absolute? Although the legislation on the matter is

still in its infancy, Puttaswamy does offer a model to ascertain the circumstances that

warrant the state's invasion of privacy. The next portions of our debate will aim to delve more

into the subtleties of the restrictions imposed on the right to privacy by the SC. This is the

most crucial aspect of the problem as, even while the government is likely to acknowledge
that citizens have a fundamental right to privacy, it will undoubtedly hunt for other

justifications for interfering in people's private lives. The Data Protection Bill, 2019 has been

sent to a select committee, which is unlikely to change the draft bill's "exemptions" section.

4.6. Privacy and Surveillance

The lack of explicit or even implicit reference of privacy in the constitution's text or in the

deliberations of the Constituent Assembly is the biggest obstacle to the acceptance of the

right to privacy in the Indian constitutional structure. The Indian courts have only been able

to identify the right to privacy in the constitution by means of a functional and structural

interpretation of its provisions. It is hardly unexpected, then, that it has taken more than 60

years for Indian courts to acknowledge that an individual's private rights are fundamental to

their rights. "[i]f India wants to avoid coming out as an authoritarian state, it must be open

and honest about who will be allowed to gather data, what information will be gathered, how

it will be put to use, and how the right to privacy would be upheld." Regrettably, the impending

data protection regime unintentionally allows enforcement authorities to access individuals'

personal information, which is exactly what it should not have done.

The fact that the constituent assembly summarily rejected the inclusion of any such

protection in the Indian constitution, and this understanding of the right to privacy under the

fourth amendment served as the only source of guidance—or rather, misguidance—for the

Indian courts for years. This rejection had a significant impact on the development of the data

protection regime in India for years. M. P. Sharma and Others v. Satish Chandra was the first

case in which the Supreme Court had the opportunity to consider whether a right to privacy

existed within the context of a right to property. The SC cited many rulings from the US

Supreme Court to consider the legality of the state's intrusion and adoption under the Indian

scheme. The court determined that: Despite rejecting the acceptance of spatial privacy in the

context of governmental search and seizure

"In any system of jurisprudence, the State's power of search and seizure is paramount for

safeguarding social security, and it is inevitably subject to legal regulations. We have no

basis to import a fundamental right to privacy, which is comparable to the American Fourth

Amendment, into a completely different fundamental right through a process of strained

construction when the framers of the Constitution saw fit to exempt such regulation from

constitutional limitations."

It is evident from this that the court declined to incorporate the fourth amendment into the

constitutional framework for two reasons. First, it adopted the originalist approach and just

refused to include the fourth amendment in the Indian plan on the grounds that the

Constituent Assembly had not included it. The second rationale was more of a defense

predicated on the idea that the state could have the authority to search and seize in order to

protect social security.

This idea, however, was short-lived, since the Supreme Court quickly established a

completely different definition of the scope of the right to privacy in Kharak Singh v. State of

UP. The matter at hand related to an administrative directive that aimed to grant the authority to

search and seize property from police officers on historical sheeters' homes. The court

continued to consider the legitimacy of this restriction based on Article 21 of the Constitution

even though, as an executive order, it would not be considered a law under Article 13 of the

Constitution. Based on the preamble's use of the word "dignity," the SC observed that an

arbitrary incursion into someone's house would rob them of their dignity and mental serenity.

The court essentially acknowledged that following a person's activities did in fact breach

their right to privacy, even if it declined to interpret this as one of the core liberties protected
by the constitution. Judge Subba Rao, on the other hand, established a connection between

privacy and personal freedom and concluded that: While the right to privacy is not

specifically stated as a basic right in our Constitution, it is still a necessary component of

individual freedom. Domestic life is sacred in any democratic nation; it should provide him

with security, tranquillity, pleasure, and relaxation. When everything else fails, a person's

home, where they reside with their family, serves as their "castle" and barrier against

intrusions on their personal freedom.

It is important to highlight that Justice Subba Rao displayed remarkable judicial innovation in

his dissenting opinion by interpreting the right to privacy in both Article 19 and the right to

life and liberty. "Be free from restrictions or encroachments on his person, whether those

restrictions or encroachments are directly imposed or indirectly brought about by calculated

measures," he said, emphasizing the word freely. He rejected the idea that the right to free

speech and expression is an abstract idea without any psychological foundation, but he

refused to omit the aspect of privacy from these rights:

We have arrived at the conclusion that Art. 19 (1) (d) of the Constitution, when combined

with the freedom of speech and expression, must only apply to bodily movements.

Undoubtedly, the act of spying imposes limitations on the aforementioned freedom. It cannot

be argued that the aforementioned freedom would just uphold the procedures of speech and

expression and lack any subjective or psychological substance.

One may argue that Kharak Singh represented the hesitant acceptance of the "individual"

oriented understanding of the right to privacy. One may argue that this case did bring to light

some of the most urgent issues with India's current monitoring policy. To understand the

characteristics of the current surveillance system in India, a quick review of the cases that

followed is required before going into the difficulties that are similar in the current situation

and those that the court addressed or neglected to address in Kharak Singh.

Courts will safeguard innocent citizens' phone conversations against improper or haughty

intervention by listening in on the call. The guilty are not the ones who are protected. It

should not be interpreted as meaning that the courts will accept measures that put citizens'

safety at jeopardy in order to allow the police to act in an illegal or unusual way. There isn't

currently an illegal or unethical way to get the conversation's tape recording.

Nothing is more detrimental to a man's physical happiness and health than a calculated

intrusion into his privacy, he said, adding that while it is true that our Constitution does not

specifically declare a right to privacy as a fundamental right, the right is an essential

component of personal liberty and that, in the last resort, a person's home is his

castle. Assuming that the fundamental rights explicitly guaranteed to a citizen have penumbral

zones and that the right to privacy is itself a fundamental right, that fundamental right must

be subject to restriction on the basis of compelling public interest.

The Indian Telegraph Act's section 5(2), which has been the government's most frequently

used tool in its surveillance regime, was one of the questions under challenge in People's

Union for Civil Liberties (PUCL) v. Union of India, one of the Supreme Court's most well-

known rulings challenging the country's surveillance regime.

It should be noted that the clause fully supported the idea that even the most little information

about a person's medical history might be harmful to their dignity and thus require further

protection. At this point, the ruling in Mr. X v. Hospital Z is relevant since the SC

emphasized that the clause has been acknowledged in both text and spirit:

"Private facts may constitute an infringement on one's right to privacy, which may

occasionally result in a conflict between one person's "right to be let alone" and another

person's right to information. Even genuine private information disclosed has the potential to

upset someone's peace of mind. It might cause him to develop several complexes and

possibly even psychiatric issues."

With the post-Puttaswamy period law on phone tapping and surveillance, the Bombay High

Court was given the chance to rule in 2019 by applying the principles of the right to privacy

to section 5(2) of the IT Act. Regarding the interception issue in the Vinit Kumar Case, the

High Court decided as follows: The IT Act's section 5(2) only permits orders of

interception to be granted in "public emergency" or "public safety" situations. The

aforementioned intercepted messages must be deleted if the interception was done in

violation of Section 5(2) of the IT Act.

The BN Srikrishna committee report states that "the Puttaswamy test of necessity,

proportionality, and due process should not be passed without a degree of transparency being

followed in the surveillance process." Public information, legislative oversight, executive and

administrative supervision, and judicial oversight are just a few ways that this might manifest

itself. The investigation made clear that, when it comes to monitoring, the state must follow

the guidelines established in the Puttaswamy ruling.

We will first go into great length in this part on the guidelines established by the Indian

Supreme Court that must be adhered to when denying someone their fundamental rights. The

Puttaswamy ruling recognized the right to privacy as an integral part of the right to life and

liberty, making it a basic right. As such, the state agencies that are allowed exemptions from

these constitutional safeguards must meet the criteria outlined in the ruling.

Indian courts have customarily employed distinct standards to ascertain the boundaries within

which individuals' rights might be curtailed. The Supreme Court has developed three

standards throughout the years to determine whether the limitation of basic rights is

appropriate. We will now have a quick review of these criteria in order to assess if the current

bill's provisions, which aim to exclude the agencies from applying the Act's safeguards, can

pass muster with the standards established by legally binding judicial decisions.

In the Puttaswamy majority ruling, the proportionality test was interpreted in a way that was

specific to the Indian constitutional framework. In assessing the degree of privacy violations,

Indian courts will apply the theory of proportionality in the upcoming days, and the test will

serve as the foundation for the constitutionality of the provisions providing for

exceptions under the data protection bill. While the Puttaswamy judges' understanding of

proportionality differs from other jurisdictions around the globe, it is important to note that

the judges thoroughly examined the test's design before changing the current standards for

privacy infringement.

Germany's constitutional courts have developed a three-part test to determine whether a

privacy invasion is legitimate. The validity of the objective for which the action is being done

is the subject of the test's first component. A sensible relationship between the methods and

the desired outcome is necessary for the second component to be met. The third component,

often known as the need stage, stipulates that there must be no less restrictive option that is

equally effective in achieving the objective.

The last phase, referred to as the "balancing stage," calls for the government action to not

disproportionately affect people's rights. Citing a passage from Professor Bilchitz's thesis, the

Supreme Court has clarified that, in order to determine whether a policy is necessary, it must

first identify all potential alternatives to the government's adopted policy. Only then can it
investigate whether these measures could be a viable alternative.

The less restrictive alternative policy ought to be chosen if it can actually and significantly

accomplish the goal that the government is trying to accomplish.

4.7. Findings

This chapter's examination focused on the many aspects of India's current data protection

laws. A cursory examination of the laws now in effect and previous rulings paints an

extremely negative image of the nation's data protection framework. It must be acknowledged

that the notion of acknowledging the right to privacy as a separate right that might be linked

to dignity and the rights to life and liberty was not well received by the Indian populace as a

whole, including the constituent assembly.

In accordance with the same logic, it took the Indian Constitutional Courts more than 70

years to acknowledge that the Indian Constitution had a separate right to privacy. Regarding

data security, the Indian legislature first addressed the rising number of cases of fraud and

data theft in the rapidly expanding Indian sector of information technology. India's data

protection laws are extremely lax since the Information Technology Act, 2000 was enacted

primarily to combat the rising threat of cyber fraud rather than to address data protection

issues.

Since India does not yet have a complete data protection law, one must search for provisions

in other laws that attempt to provide individuals' personal data with sufficient security. The

Information Technology Act, 2000 and the Information Technology Rules 2011 are two

examples of laws that attempt to protect individuals' informational privacy. The researcher

has examined these laws' various provisions in order to assess how effective India's current

data protection laws are.

a) Indian data protection laws have a relatively weak stance on data protection and lack

enough safeguards to ensure that people's personal information is protected.

b) The Indian data protection regime does not incorporate the internationally recognized Data

Protection Principles.

c) Given that the State is the entity that processes data the most, the legislation needs to

provide adequate protections against the potential for the State to violate an individual's right

to data privacy. Because State actors are not covered by India's present data protection

framework, it is difficult to prevent unjustified data breaches by the government and its

agencies.

d) There is an urgent need to advance a paradigm change in the approach of the legislature to

provide the ownership of data to the data principals, since there are now insufficient

mechanisms to ensure and enforce the data protection standards.

e) To defend people's rights against data breaches, India needs to establish an impartial Data

Protection Authority. At the moment, there isn't a clause requiring the creation of a data

protection authority, and the executive staffs and oversees the whole system for resolving

data breach claims.

f) There is a need to incorporate laws controlling social media intermediaries and data

localization because the current data protection framework in India places little focus on data

security measures.

g) The Information Technology Act of 2000 is unfavorable to the rights of

data principals because it places several obstacles in the way of the implementation of the

right to compensation for data breaches.

h) The fundamental tenets of data protection, such as the right to erasure, the right to

informational self-determination, the right to informed consent, the right to be forgotten, etc.,

are absent from the current framework.

i) The current framework excludes minors from the

definition of personal data and provides no protection for their data.


j) Because the responsibilities of data processors are severely limited, it is very challenging

to get the remedies that the current laws have established.

f) The existing framework does not include the core principles of data protection, such as the

right to erasure, the right to informational self-determination, the right to informed consent,

the right to be forgotten, etc. b) Minors are not included in the definition of personal data

under the existing framework, and their data is not protected. h) Obtaining the remedies that

the existing laws have set is extremely difficult due to the severely restricted obligations of

data processors. right to privacy, the nation's top court has established the cornerstones of a

strong data protection system. The day the right to privacy was acknowledged as a basic right

protected by the Indian Constitution was more than three years ago. But there hasn't been

much progress made in India on passing a comprehensive data protection law, and the

planned Data Protection Bill, 2019 hasn't even been given the green light yet. Given that the

researcher has given careful thought to the laws pertaining to India's data protection

framework

CHAPTER 5:

COMPARATIVE STUDY OF THE DATA PROTECTION REGIME IN INDIA WITH REFERENCE TO EU, US

5.1. Introduction

n in India, allowing the researcher to develop a logical assessment of the current situation of

data protection in India. After completing most of the preliminary work, the researcher will

compare and contrast some of the most important elements of the current and planned data
protection laws in India in this chapter. This discussion's only goal is to produce workable

and useful recommendations for achieving the goal of building a strong data protection

framework in India.

The Information Technology Act of 2000, the SPDI Rules of 2011, and the Personal Data

Protection Bill of 2019 will all be examined by the researcher in order to evaluate the claim

that "India's legal framework for data protection is insufficient to protect citizens' right to

privacy."

As a result, the discussions in the following sections will only focus on analyzing the

provisions of the current and proposed data protection laws in bill and their implications for

the future data protection regime in India. We have already taken into consideration the

approach that the Indian judiciary has taken with regard to various aspects of the right to

privacy. The conclusion of the research will be determined in part by a thorough examination

of the proposed bill's main features.

Comparing India's data protection legislation with those of the European Union, the US, the

UK, and several of the BRICS nations would be the main goal of the study. In order to create

a synergy between the study effort and the practicalities, the researcher has opted to compare

the piecemeal law that now governs data protection in India with the complete text of the

proposed Indian data protection laws.

It's safe to assume that India's current data protection regime is nearing its end, and within the

next year, a completely new one may take its place. For this reason, it's critical to monitor

how the nation's data protection laws are evolving. With this normative consideration in

mind, the researcher will contrast some of the most important features of Indian data

protection regulations with those of the US, UK, and EU.

5.2. Scope of The Indian Data Protection Laws in India and Elsewhere

The goal of the GDPR's passage is outlined in over 168 recitals in its incredibly long

preamble. The recitals acknowledge the basic right to privacy in the clearest possible terms

while outlining the need of adopting the measures. Similarly, "An Act to make provision for

the regulation of the processing of information relating to individuals; to make provision in

connection with the Information Commissioner's functions under certain regulations relating

to information; to make provision for a direct marketing code of practice; and for connected

purposes" is what the preamble of the UK Data Protection Act reads.

It is said that a bill's preamble establishes the general direction and voice of the law, and that

it serves more than just as a formality. It is also a primary source used by judges to interpret

any law's requirements. Therefore, it is essential that the preamble includes a wide range of

auxiliary goals in its description without straying from the spirit and core of the law.

Nonetheless, the right to privacy is never mentioned once in the preamble of the IT Act 2000.

A comparison between the GDPR and the IT Act and the IT norms will not be fair given that

India does not currently have comprehensive data protection laws. With this normative

component of the study in mind, the researcher will consider the numerous sections of

the proposed Data Protection Bill within the framework of the Indian data protection system

for the purpose of analysis. The goal of the so-called Personal Data

Protection Bill, 2019 is to establish a strong data protection framework in the nation that

would grant citizens the right to their personal data. For this reason, it is imperative that the

law's preamble clearly state the goals for which it is being brought. Additionally, it states that

protecting personal data is required by the constitution and is "an essential facet of

informational privacy."

It should be noted that, in contrast to the GDPR, the preamble of the proposed Indian Act

promotes digital governance and the digital economy rather than emphasizing the value of

informational privacy. It also acknowledges that data has become a vital communication tool

in the digital age and should be protected to a higher extent. However, it is concerning that

too much emphasis is placed on advancing the digital economy at the expense of

safeguarding individuals' right to privacy.

There are significant concerns regarding the efficacy of the proposed data protection regime

in India, as the Personal Data Protection Bill 2019, which is meant to be the cornerstone of

the country's upcoming data protection regime, fails to specifically acknowledge the right to

informational privacy in relation to informational self-determination.

The bill, among other things, aims to establish a comprehensive framework for the creation of

a data protection regime that does not acknowledge the data principal as the owner of their

data, but rather guarantees the implementation of structural and technical safeguards to

control the processing of personal data and prevent its unauthorized use. To achieve these

goals, the proposed bill also aims to create a data protection authority, but neglects to

emphasize the degree of autonomy provided to the authority. An ideal preamble of a data

protection law in a country like India should have been liberal in its approach towards

highlighting the importance of protecting the right to informational self-determination

because the data protection regime in that country is still in its infancy and there are no

judicial precedents (apart from Puttaswamy) that we can rely upon.

India lacks the benefit enjoyed by the European Union, where a substantial body of data

protection jurisprudence has already been produced by the judiciary. The preamble of the

proposed bill, however, makes no mention of the admirable goal of prioritizing the rights of

the data principals over any other aspect of data processing. In contrast, even the various US

laws attest to the provision of an adequate degree of protection to citizens' right to privacy.

Analysing the several other data protection laws in the US, such as the Fair Credit Reporting

Act and the Health Insurance Portability and Accountability Act of 1996, leads to a similar

conclusion.

The proposed measure prioritizes innovation and the development of a digital economy over

the preservation of individual rights. It is argued that the absence of a clear mention of

protecting data subjects' rights from state intrusion in the bill's preamble, given that the state

serves as the data controller in the vast majority of these cases, could be harmful to efforts to

establish a strong data protection framework.

In contrast to the GDPR, the measure as it stands now offers the explicit ways in which the

goal of advancing the data protection system is intended to be accomplished.

The data's economic component takes precedence over the data principals' rights. A data

protection regime that treats citizen data more as a tool of commercialization is indicated by

the preamble's disregard for the need to establish an open surveillance regime that would be

subject to the rule of law, as well as its excessive emphasis on fostering a digital economy

and "ensuring empowerment, progress, and innovation through digital governance."

It is recommended that the fundamental component of the proposed data protection regime

be the bill's inclusion of the idea that the data principal is the genuine owner of their data and

that their right to informational self-determination and decisional autonomy falls under its

purview. Although the government's strategy may be focused on developing the digital

economy and digital governance, these goals shouldn't be permitted to take precedence over

the more important goal of defending the right to privacy.

The pledge of protection against governmental intervention in an individual's private sphere

and the case for surveillance reform in India should be made clear in the preamble. When

comparing the preamble of the law to that of the GDPR, it becomes clear that there are

inherent weaknesses that have existed since the development of a strong data protection

policy in India.

5.3. Application of Act to Processing of Personal Data.

Individuals' personal information is not protected in any way by the Information Technology

Act of 2000 or the SDPI Rules of 2011 unless it is considered sensitive information.

Notably, the Telegraph Act addresses several issues of informational privacy. The Telegraph

Act and Rules include clauses that make unlawful interception of communications

punishable. Moreover, under telecom service providers' (TSPs') licenses, TSPs are required by

this Act to take precautions to protect their customers' privacy and communication

secrecy.427 Furthermore, governmental institutions are exempt from the Act's restrictions. It

is argued that the promise of data protection is rendered meaningless and ephemeral by these

exclusions. In stark contrast, the GDPR recognizes the right to personal data privacy as a

basic right and provides total protection for people's personal data.

The Act's application is both extraterritorial and territorial, and it also covers organizations

located outside of India if their processing of personal data involves any particular activity or

business conducted in India. Regarding how the act is applied, the GDPR's scope, US data

protection regulations, and the UK Data Protection Act are comparable. The following

situations will result in the Act's provisions being applicable:

• The information is handled by the State, any Indian-based business, or any other Indian legal entity;

• The information is gathered, processed, kept, or released inside the borders of India.

• The processing of data by fiduciaries or data processors who are not physically present in India, if the processing is related to business conducted there or any other particular activity.

• The processing of data involves profiling of data within the Indian Territory.

Even if the proposed law eliminates many of the significant shortcomings of the prior

application of the rules to non-sensitive personal data, there are still several gaps that make

the forthcoming data protection regime less effective than the GDPR at protecting

individuals' right to privacy. Among the strangest features of the proposed measure is that it would

exclude "non-personal" data from the Act's protections, giving the Central government the

right to refuse these data's access to the Act's safeguards. It is argued that the phrase "non-personal

data" has a very ambiguous and misleading meaning. It is argued that legislation

aimed at safeguarding citizens' personal information and establishing a robust data protection

framework should not allow for the infringement of informational privacy through the use of

provisions such as "non-personal" data and the exclusion of such data from the proposed Act's

applicability. Artificial intelligence and widespread technological advancements have made it

possible to turn data that lacks characteristics of a specific individual into personal data. It is

argued that one shouldn't completely rule out the potential of non-personal data being

misused. However, no such categorization is provided by the GDPR, the US Privacy Act, or

the UK Data Protection Act.

5.4. Personal Data, Non-Personal Data and Sensitive Data

Non-personal data is thus disqualified from the application of the proposed Act. Data without particular

individual traits may now be transformed into personal data thanks to artificial intelligence

and other technology advancements. There is a contention that non-personal data misuse

should not be entirely ruled out. Nevertheless, neither the UK Data Protection Act nor the

US Privacy Act offers any such classification.

5.4.1. Personal Data


The proposed bill and the GDPR define personal data nearly identically; however, the Indian

approach is weaker since it includes the idea of non-personal data. According to the Draft

Bill, the terms "personal data" and "non-personal data" are clearly defined, and sensitive data

is also distinguished. The definition of personal data in the proposed bill is predicated on the

same logic, as the study heavily drew from Puttaswamy's observations and argued that the

"sphere of privacy includes a right to protect one's identity." According to the bill's proposed

language:

"Personal data" is defined as information about or pertaining to an identifiable natural person,

either directly or indirectly, based on any feature of their identity, whether they are found

online or offline, or by combining those features with other information. It also includes any

conclusions that are made about them for the purpose of profiling.

The term "personal data" has been interpreted extremely broadly, encompassing any

personally identifiable information that can be used, directly or indirectly, to identify a real

person. It also includes in its purview all information that, when put together, can be linked to

any feature or attribute of a real person. The BN Srikrishna Committee report, which

recommended that a "flexible definition" of personal data be outlined in legislation, is

supported by the proposed bill. The study also made it clear that the flexible definition must

be compatible with new technological advancements that might change the data categories

while maintaining sufficient certainty.

The construction of an identifiability-centred definition of personal data necessitates a

thorough understanding of how its scope is contingent upon the context in which the pertinent

data is being processed. In light of this, we think that a wide and accommodating definition of

personal data needs to be implemented.

All of the committee's suggestions regarding the scope of the definition of personal data are

included in the proposed law, and it is important to note that the legislature has heavily

incorporated the committee's recommendations when it comes to the definition of personal

data. It is said that the GDPR and the proposed Indian law have a similar stance when it

comes to defining personal data. The United States' legal precedents appear to be going in the

same direction.

5.4.2. Sensitive Data

Only sensitive personal data is granted protection under the IT Act of 2000 and the SDPI

Rules of 2011. In Puttaswamy, the Supreme Court upheld increased protection for data that

directly affects an individual's fundamental characteristics, even as it acknowledged the

dignity inherent in the right to privacy under the constitutional framework. The BN

Srikrishna Committee report emphasized the necessity for distinct definition of specific types

of personal data, stating that they "may be likely to cause greater harm, or harm of a graver

nature."

Rama Vedashree states that the "concept of Sensitive Personal Data is primarily used for

providing higher level protection to the data subject against instances of identity-driven harm,

discrimination, and profiling." Sensitive information is defined under the proposed measure

to include genetic, biometric, and health-related data, as well as information related to caste, religious

belief, sex, sexual orientation, political affiliation, intersex status or any other officially

identifiable information.

5.4.3. Financial Data

The current regulations in India on the right to data protection classify financial data as

sensitive data, shielding it from unjustified interference. Financial data is likewise recognized

as sensitive data under the 2019 Personal Data Protection Bill. According to the Bill, financial data covers every

number or other piece of personal information used to identify an account created by, or card or payment instrument

provided by, a financial institution to a data principal, as well as any personal information pertaining to the

connection between a financial institution and a data principal, such as financial condition and credit history.

This implies that a higher degree of security will be given to the PAN, income tax information, bank information, insurance

information, and associated information since they are deemed sensitive data.

The United States' Fair Credit Reporting Act (FCRA)439 requires credit rating organizations

to ensure the confidentiality of consumer financial information while also providing a high

level of security for individuals' financial data. Additionally, as required by the Act, credit

agencies must notify clients of any data that may be used against them. “Lenders have a duty

to tell customers of any information used against them. This offers the consumers a chance to

know and, if feasible, contest the information. Additionally, the Act requires rating agencies

to notify customers about the specifics of the information. Ensuring the secrecy of the data is

one of the many ways the FCRA works to protect consumer privacy.”

5.4.5. Health Data

Individuals' personal health data is well protected by the Health Insurance Portability and

Accountability Act (HIPAA), which prohibits processing of such data without consent. Their

preservation is an essential component of the right to privacy since medical histories contain

sensitive information about a person's past health and medical conditions. The HIPAA

regulations give sufficient security for sensitive data pertaining to the right to privacy.

However, there is a discrepancy in the laws regarding the validity of the processing of health

data, as we have seen in the Medical Council of India's numerous rules, the SDPI Rules,

2011, and the IT Act 2000. Even though medical history data is classified as sensitive data by
the SDPI Rules, 2011, there is still a significant risk of privacy breach since the restrictions

are not applied to government institutions.

As we've seen in earlier chapters, the European Court of Human Rights' extensive body of

rulings has also demonstrated how crucial it is to adequately safeguard personal health

information in the EU441. The proposed bill includes a fairly thorough description of the

health data and proceeds cautiously in including all relevant information about an individual's

medical history.

According to the proposed bill, "health data" is defined as information pertaining to the

physical or mental health of the data principal, including records about the data principal's

past, present, or future health as well as information gathered during the registration process

or while providing healthcare services, as well as information linking the data principal to the

provision of particular health services. It should be noted that the clause fully supported the

idea that even the most little information about a person's medical history might be harmful to

their dignity and thus require further protection. At this point, it may be noted that the clause has

accepted, in text and spirit, the ruling in Mr. X v. Hospital Z443, in which the SC said that

"Private facts may constitute an infringement on one's right to privacy, which may

occasionally result in a conflict between one person's "right to be let alone" and another

person's right to information." Even genuine private information disclosed has the potential to

upset someone's peace of mind. It might cause him to develop a lot of complexes and

possibly even psychiatric issues.

The proposed measure provides a higher level of security for health-related data by

classifying it as sensitive data. The purpose of the bill is to address the present gap in the

security of sensitive medical data, which is now covered by IMC regulations that are

insufficient to provide effective protection and safeguards. Additionally, the current data
protection framework provides no protection at all for personal data in public sector medical

facilities. However, the Preamble of the proposed law states that this would no longer be the

case, meaning that the public sector will also be subject to similar protections.

5.5. Data Anonymization

The current Indian data protection laws provide very little guidance on the presence of an

anonymized data policy. There are no requirements for data anonymization under either the

SDPI Rules 2011 or the Information Technology Act of 2000. However, there is a wealth of

well-developed global law regarding the principles of data anonymization. The

GDPR also states that anonymized data that cannot be restored to its original form should not

be free from the regulations' obligations.

In line with the recommendations of the B N Sri Krishna committee, which suggested

adhering to the data anonymization principle in order to prevent the improper use of

personally identifiable information, the data anonymization concept is incorporated into the

proposed bills to alter the characteristics of the personal data. The Act gives data

anonymization a wide scope and stipulates that:

Although the idea of data anonymization is not unique to any one data protection legislation

in the world, the state's intricate network of betrayal in handling personal data most definitely

is. In the first place, the proposed bill makes the unscientific assumption that any processor

will be forced to share anonymized personal data in order to improve service targeting,

despite the possibility that such data may become de-anonymized in the future due to

technological advancements.

In layman's words, this means that the central government can demand that the data

fiduciaries provide the citizens' anonymized, non-personal data in order to support evidence-

based policymaking and improved service targeting. It is argued that a thorough definition of

anonymized data and non-personal data is absent from the draft statute.

Additionally, the method by which the non-personal, anonymized data might become

personally identifiable data is disregarded by the law. The ability of the central government to

force data fiduciaries to provide information in these categories for evidence-based

policymaking and more precisely targeted services is equally concerning448. Justice

Chandrachud's dissenting opinion in the Aadhar judgment had also expressed doubts over

the irreversibility of the anonymized data.

5.5.1. Points of Concern

The potential for anonymized data in particular and non-personal data in general to be

converted into personally identifiable information is the most urgent worry. Although

analysts worldwide have consistently expressed doubts regarding the irreversibility of

anonymized data, the bill introduces an additional avenue for introducing uncertainty into the

data protection regime by involving non-personal data, even as it ignores these concerns.

The researcher would want to state up front that terms such as non-personal data were not

needed at all and should not be included in a data protection framework. It is quite possible

that the Central government would use the gap to violate people's privacy about their

personal information, as will be mentioned in the upcoming chapter.

The potential for reversibility is the most serious issue raised by the so-called anonymized

data. It should be mentioned right away that the Bill's definition of anonymized data is

incorrect. The clause should clearly state that in order for data to be considered anonymized,

"all the means likely reasonably to be used" to identify a natural person must no longer be

able to be used to do so.

The laws leave it up to the Data Protection Authority to define the standards for determining

the standards of data rather than developing an impartial and healthy standard for identifying

the nature of data. Invisibility. Furthermore, there are risks involved in the anonymization

process. It should be highlighted that over time, non-personal data in the existing

environment may take on the characteristics of personal data.

Thus, it can be seen that the legislature has left open a broad loophole through which

personally identifiable information may evade the implementation of the data protection

legislation and endanger individuals' basic rights by disguising it as non-personal and

anonymized data. The ability of the federal government to designate data as sensitive data is

another unsettling feature of the law; this will be discussed in more detail later. Nonetheless,

the legislature's disregard for the dangers associated with drawing a clear distinction between

personal and anonymized data raises grave concerns over the efficacy of the proposed data

protection framework.

Regretfully, Justice Chandrachud's objections to the biometric data's uniqueness are

disregarded by the Personal Data Protection Bill, 2019, which defines biometric data as

information that "allows or confirms the unique identification of the individual." The

proposed bill's definition stipulates that:

“Biometric data refers to any similar personal information obtained through measurements or

technical processing operations performed on the physical, physiological, or behavioural


traits of a data principal that permit or validate that natural person's unique identification; this

includes fingerprints, iris scans, and facial images;”

The underlying assumption of the proposed bill's definition of biometric data is that it only

refers to information that permits the verification of a natural person's identity. By doing this,

the proposed measure effectively opens the door for the exclusion of a significant amount of

personal data under the guise that it lacks sufficient information to establish an individual's

identity. However, the bill incorporates biometric data under the definition of sensitive data

in accordance with the committee's recommendations, which calls for a higher level of

security for such data.

5.6. Conclusion

Numerous problems that still afflict the Indian data protection framework have been brought

to light by the comparative study of the data protection regimes in India, the United States,

the United Kingdom, and several of the BRICS nations. Even the planned data protection

framework does not offer a solid firewall against the unauthorised incursion inside the

citizens' private sphere, despite the fact that the State and its agencies are totally exempt from

the present data protection law in India.

The following points summarize the primary distinction between the approaches used in the

analysis by the participating nations and India: The proposed Personal Data Protection Bill

2019 aims to narrow the current gap by implementing the fundamental data protection

principles, even if India's current data protection laws are far from meeting international best

practices.

Nevertheless, the Indian legislature has created a broad window of exemption provisions that

would allow the state agencies to violate the rights of the data owners on a variety of reasons,

despite the fact that there are clear indications of data breaches in the Aadhar program.

A significant divergence from the basic characteristics of the data protection legislation of

the nations under consideration illustrates an effort by the lawmakers to exclude the central

government's agencies from the act's requirements. The proposed Indian law contains

extensive exemption clauses, in contrast to the GDPR and the UK Data Protection Act, 2018

which grant government bodies relatively narrow grounds of exemption.

The way in which the rights granted by law are enforced is yet another noteworthy

divergence from the Indian approach to data protection. The safeguards against the state and

its agents are rendered inapplicable by the provisions of the Information Technology Act of

2000 and the Information Technology Rules of 2011. This significantly reduces the efficacy

of the Indian data protection laws.

CHAPTER 6:

CONCLUSIONS AND SUGGESTIONS

6.0. Introduction

Some of the most important problems that jeopardize India's chances of becoming a secure

jurisdiction for data protection have been brought to light by the talks in the preceding

chapter. To address the current shortcomings in the draft bill, this chapter effectively

incorporates the recommendations that might be included in the proposed Personal Data

Protection Bill, 2019.

The study's six chapters, which cover the many facets of data protection laws in India and

elsewhere, have been loosely separated. To arrive at an equitable evaluation of the study

hypothesis, the investigator allegedly categorized the chapters in a way that would facilitate

the best comprehension of the significance of a strong data protection legislation in the

nation.

The primary objective of the research was to conduct a critical analysis of the proposed data

protection bill's provisions, with the ultimate goal of addressing the thesis's hypothesis. The

researcher has concluded that the research hypothesis is answered in the affirmative

following a thorough examination of some of the most important components of the proposed

law. This result was more or less implied by the conversations in each of the chapters.

It is undeniably true that some of the most important concerns about data protection

regulations in a free and democratic society are not addressed by the Personal Data Protection

Bill, 2019. The researcher will categorically underline the elements of the proposed law in the

following sections that support the conclusions drawn by the researcher in relation to the

hypothesis.

One of the most important elements affecting how the courts will read a piece of law is its

preamble. As a result, having a preamble that is clear and forceful about its goal becomes ideal.

Ensuring the inhabitants of India have the right to privacy regarding their data and developing

a data protection framework that is attentive to even the smallest infringements on that right

should be the main goals of the Data Protection Bill.

The preamble should include a clear government pledge to prevent unauthorized access to

individuals' private information as well as a comprehensive plan for reforming surveillance.

The preamble ought to consider the urgent necessity of raising national understanding of the

parameters of the right to privacy and fostering a culture that values privacy. The following

changes are suggested to the preamble of the Data Protection Bill, 2019:

The preamble, which succinctly and substantively includes these goals, will expand the scope

of the rights stipulated in the law. It is argued that policies that promote the digital economy

and place an excessive focus on data's commercial benefits would not advance people's right

to privacy. The promotion of the digital economy should not come at the expense of

protecting people's right to privacy, even though these goals may be incidental to a strong

data protection system.

The preamble has to "call a spade a spade," acknowledge the urgent need for surveillance

reform in the nation, and put forth a plan for a system that would ultimately defend people's

right to privacy. The preamble should unequivocally support the need for the establishment of

a fully independent authority to enforce the basic right to privacy, as well as the imperative of

defending and preserving it under the constitution.

6.1. Conclusion

The chapter provides a summary of the findings from the previous chapters' analysis and

makes recommendations for a solid framework that would serve as the cornerstone of India's

future comprehensive data protection laws. The recommendations include modifying the

draft data protection law's main clauses in order to include internationally recognized data

protection concepts into India's data protection framework. The Chapter addresses the legality

and justification for global data protection legislation. The chapter outlines the components of

an efficient data protection framework with a focus on the necessity of providing sufficient

protection for safeguarding informational privacy.

The Chapter also addresses the several data protection principles that have been established

globally, discerning analytically where the idea of data protection as a component of the right

to privacy first emerged.

• The study provided a comprehensive understanding of the

necessity of finding the ideal balance between achieving informational self-determination and

catering to the demands of a world that is becoming more and more digitalized.

The chapter on "GLOBAL ORGANISATIONS AND THEIR DATA PROTECTION

PRINCIPLES" examines the many data protection principles that are accepted by

international organizations worldwide while also fundamentally outlining the regime's

origins.

The study that was conducted gives the researcher insight into the essential components of a

strong data protection policy in a democracy. In the next chapters, the researcher attempts to

develop the best possible data protection model for the Indian scheme, paying particular

attention to the OECD Principles.

• The study has made it possible for the researcher to pinpoint the essential components of a strong data protection policy.

• Numerous problems that still afflict the Indian data protection framework have been brought to light by the comparative study of the data protection regimes in India, the United States, the United Kingdom, and several of the BRICS nations.


To get insight into global best practices linked to data protection, a specialized study of the

legislation currently in place governing data protection in the United States, the United

Kingdom, and the European Union has been conducted. Because the European Union has had a data

protection regime in place for more than thirty years, it is essential to carry out a

thorough examination of its data protection architecture in order to pragmatically

expand the scope of the topic's analysis.

The evaluation of the current data protection laws in developed data protection regimes such

as the US and the EU aims to create a standard that will direct Indian policy makers regarding

the different forms of an ideal data protection regime, of course with the modifications

required to fit Indian society. The goal of the BRICS study on data protection laws was to

draw comparisons between the approaches taken by authoritarian communist regimes and

liberal democracies in this area. The study emphasized the importance of having a strong data

protection framework while also highlighting the difficulties in maintaining information

privacy and advancing global trade.

A thorough analysis of the current laws and court rulings pertaining to the right to privacy

and data protection within the Indian legal system is conducted in the Chapter on Data

Protection Regime in Indian Legal System. The analysis reveals a wide range of shortcomings

in the Indian data protection system, which makes it unable to address the threats to

informational privacy resulting from widespread digitalization. It also highlights the fact that

the nation's current laws do not include important data protection concepts.

The analysis presented in this chapter emphasizes even more how urgent it is to pass a

comprehensive data protection law that has the idea of informational self-determination at its

core. The proposed Personal Data Protection Bill 2019 aims to narrow the current gap by

implementing the fundamental data protection principles, even though India's current data

protection framework is far from the world's best practices.

Despite clear evidence of data breaches in the Aadhaar program, the Indian legislature created

a broad window of exemption provisions that allow state entities to violate the rights of data

principals for a variety of reasons. A significant divergence from the basic characteristics of

the data protection legislation of the nations under consideration illustrates an effort by the

lawmakers to exclude the central government's agencies from the act's requirements.

The protections against the state and its agents are rendered inapplicable by the provisions of

the Information Technology Act of 2000 and the Information Technology Rules of 2011.

This significantly reduces the efficacy of the Indian data protection laws. In order to predict the stance that Indian constitutional courts would adopt when interpreting the terms of the new data protection bill, the researcher has also conducted a thorough analysis of the Supreme Court of India's stance on the right to privacy.

These exemptions are quite broad in their scope and application, and the central government

shall be able to exempt any agency from the application of the Act's provisions for offenses

like "preventing incitement to the commission of any cognizable offence relating to public

order.600" The exemption clauses in the Personal Data Protection Bill, 2019 do not follow

the doctrine of proportionality while justifying the non-application of the proposed law's

provisions to any central agencies on the absolutely wide grounds of the sovereignty of India

and public order.

The chapter on the Comparative Analysis of India's Data Protection Laws makes a thorough comparison between the data protection laws of India and those of the EU, the UK, and the USA. The researcher has also incorporated the provisions of the proposed Personal Data Protection Bill, 2019 into the comparative study in order to obtain a useful analytical output.

To illustrate the fundamental distinctions in the approaches to data protection, the chapter compares and contrasts the salient features of the data protection laws of India and the three other regimes. As it tests the research premise, the study reveals significant differences between the Indian legislature and its counterparts in the study in their dedication to establishing a strong data protection framework. The goal of the study of the data protection principles of international and regional organizations was to gain an understanding of the common best practices in relation to data protection regulations.


 Preeti Mehta, Franchising Data Protection and E-Commerce in India, 3 INT’L

J. FRANCHISING L. 23, 27 (2005).

 Press Trust of India, India Recorded 37% Of Total Global Data Breaches Second Only To

The US: Report- Technology News, FIRSTPOST. (OCT 16, 2018 09:19 A.M.),

<https://www.firstpost.com/tech/news-analysis/india-recorded-37-of-total- global-data-

breaches-second-only-to-the-us-report-5384941.html>.

 PTI, Some Reforms In India Show Benefits Of Digitalisation: IMF.,

ECONOMICS TIMES, (Apr10,2019,10:33AM)

<https://economictimes.indiatimes.com/news/economy/policy/some-reforms- in-india-show-

benefits-of-digitalisation- imf/articleshow/68806028.cms?from=mdr>

 Report of the Justice AP Shah Committee, White Paper of The Committee Of Experts On A

Data Protection Framework For India, PLANNING COMMISSION (October 16, 2012),

<https://www.meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_

india_171127_final_v2.pdf>.

 Report of the United Nations High Commissioner for Human Rights Council The right to
112
privacy in the digital age, (UNGA RES 28/16), OHCR, 39TH SESSION UN DOC

A/HRC/28/16, (26 March 2015), <http://daccess-

ddsny.un.org/doc/UNDOC/LTD/N13/544/07/ PDF/N1354407/>.

 Rhonda Copelon, Unpacking Patriarchy: Reproduction, Sexuality, Originalism, and

Constitutional Change, In A Less Than Perfect Union: Alternative Perspectives on THE U.S.

CONSTITUTION 303, 314 (1988).

 Robinson, Neil, Hans Graux, Maarten Botterman, and Lorenzo Valeri, Review of the

European Data Protection Directive. Santa Monica, CA: RAND CORPORATION

(2009),

<https://www.rand.org/pubs/technical_reports/TR710.html>.

 Russell Buchan, The International Legal Regulation of State-Sponsored Cyber

Espionage, NATO CCD COE (2016),

<https://ccdcoe.org/uploads/2018/10/InternationalCyberNorms_Ch4.pdf>

 Sashidhar K J, Easing the US-India divergence on data localization, ORF DIGITAL

FRONTIERS(2019),<https://www.orfonline.org/expert- speak/easing-us-india-

divergence-data-localisation-53256/>.

 Smith, D., BRICS eye infrastructure funding through New Development Bank, THE

GUARDIAN (2013), <http://www.theguardian.com/global-

development/2013/mar/28/bricscountries-infrastructure-spendingdevelopment- bank?.

 Sohini Bagchi, Data Privacy Day: India’s PDP Bill Needs Clarification, CX TODAY (Jan.

28, 2020, 8:14 am), <https://www.cxotoday.com/news- analysis/data-privacy-day-indias-pdp-

bill-needs-clarification/>.
113
 Soldatov, A., and Borogan, I., Russia’s Surveillance State, World Policy Journal, WORLD

POLICY (2013), <http://www.worldpolicy.org/journal/ fall2013/Russia-surveillance>.

 Sreenidhi Srinivasan and Namrata Mukherjee, Building an effective data protection regime,

VIDHI CENTRE FOR LEGAL POLICY (2017),

<https://www.livemint.com/Industry/32kLqMlXEh0w4GhvLKxGkN/Indian- data-protection-

norms-insufficient-report.html>.

 Stephen Mason, Electronic Signatures in Law, School of Advanced Study, University of

London, JSTOR (2016), <www.jstor.org/stable/j.ctv5137w8.23>.

 Swathi Moorthy, Data Protection Authority Will Be A Government Stooge And Weaken

Personal Data Bill: Justice BN Srikrishna, FIRST POST (January 30, 2020,

12:18IST),<https://www.firstpost.com/tech/news-analysis/data- protection-authority-

will-be-a-government-stooge-and-weaken-personal-data- bill-justice-bn-srikrishna-

7976651.html>.

 The ET bureau,. Justice Srikrishna Committee Submits Report On Data Protection. Here're

Its Top 10 Suggestions. THE ECONOMIC TIMES (Jul 28, 2018, 04:35 PM),

<https://economictimes.indiatimes.com/news/politics-and-nation/justice-bn- srikrishna-

committee-submits-report-on-data-protection-herere-the-

highlights/articleshow/65164663.cms?from=mdr.>

 The Hindu (Staff Reporter) Experts Raise Concern Over Draft Data Protection Bill., THE

HINDU (JULY 29, 2018 23:40),

<https://www.thehindu.com/news/cities/Hyderabad/experts-raise-concern-over- draft-data-

protection-bill/article24547899.ece>.
114
 The Hindu. What Is The Right Way Of Regulating Social Media? OPINION (AUGUST 30,

2019 00:15), <\https://www.thehindu.com/opinion/op-ed/what- is-the-right-way-of-

regulating-social-media/article29291424.ece>.

 UNHR, The Right to Privacy in a Digital Age, YOUR HUMAN RIGHTS (Nov. 1, 2013),

<http://daccess-ddsny.un.org/doc/UNDOC/LTD/N13/544/07/ PDF/N1354407>.

 United Nations Conference on Trade and Development (UNCTAD), Information Economy

Study 2015-Unlocking the Potential of E-commerce for Developing countries,UNTAD

(2015), <http://unctad.org/en/PublicationsLibrary/ier2015_ en.pdf>.

 Yamini Aiyar , Shrayana Bhattacharya , Lant Pritchett,The Solutions State: Why The Digital

Needs The Human ,INDIAN EXPRESS (March 14, 2019 8:54:07 am),

<https://indianexpress.com/article/explained/the-solutions-state-why-the- digital-needs-the-

human-5625290/>.

 Yuxiao Duan Renmin, China’s Private Law Approach to Personal Data Protection

SSRN (2019),

<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3484725>.

115

You might also like