COMPENDIUM

PETITIONER
(M-38)

1
THE INFORMATION TECHNOLOGY ACT, 2000

2
3
4
5
6
7
8
9
UNIVERSAL DECLARATION OF HUMAN RIGHTS

10
International Covenant on Civil and Political Rights

The Convention on Cybercrime (Budapest Convention, ETS No. 185) and its
Protocols

PRIVACY BY DESIGN
Principle 1: Proactive not reactive; Preventative not remedial

11
A privacy-first attitude supports a preventative approach to privacy. Instead of reacting to privacy
risks or invasions when they happen, companies will actively build processes and procedures to
prevent them from occurring in the first place.

Principle 2: Privacy as the default setting

Users shouldn’t have to worry about their privacy settings when browsing a website, opening an app,
or logging into software. Privacy as Default ensures they don’t have to. It automatically sets users’
privacy to the highest level of protection, whether or not a user interacts with those settings. Such
default settings include:
 Collection limitation: You only collect the amount and types of data you’re legally allowed to.
 Data minimization: You collect only the absolute minimum amount of data necessary. You
won’t collect data just for the sake of collection or because you can.
 Use, retention & disclosure limitation: You won’t use the collected data for any other
purpose than to which the user has agreed. You won’t keep data after it’s no longer needed
for the purposes you stated to users, and you won’t disclose the data unless necessary to
achieve the purpose for which it was collected.
 Security: You implement appropriate technical and organizational measures, such as
encryption, to ensure the confidentiality, integrity, and availability of the personal data.

Principle 3: Privacy embedded into design

Protecting users’ data and privacy should now be a part of the conversation when building a website,
a mobile app, or a software application. For embedded privacy to work, it can’t just be a feature
tacked on at the end. It also can’t be obvious or awkwardly included so as to detract from the
functionality of the program you’re designing. Every decision and new process must be filtered
through a privacy-first mindset to promote both functionality and privacy protection.

Principle 4: Full functionality – Positive-sum, not zero-sum

A fatalistic attitude won’t work with Privacy by Design. Those who argue trade-offs must be made
with the user experience or with security protocols have a zero-sum attitude. Those who work to
integrate privacy into every design element seamlessly take a positive-sum approach. These
innovators will see their brands grow in a world where privacy is increasingly a market mover, not
just an issue of legal compliance.

Principle 5: End-to-end security – Lifecycle protection

From the point at which users provide personal data, to when it can be destroyed after serving its
purpose — and everything in between — Privacy by Design ensures the security of this data through
the processing lifecycle. This full lifecycle protection is where the interdisciplinary nature of Privacy
by Design shines. It leans heavily on security best practices to provide end-to-end data protection.
Security also ensures data remains confidential, true to its original form, and accessible during its
time with the company.

Principle 6: Visibility and transparency – Keep it open

Openness with users about your privacy policies and procedures builds accountability and trust.
Privacy by Design means documenting and communicating actions clearly, consistently, and
transparently. It presents a shared attitude of privacy as a duty, and one your team takes seriously.

12
That promise should be supported by an accessible and effective complaint submission and
resolution process, as well as independent verification of your policies and promises to users.

Principle 7: Respect for user privacy – Keep it user-centric

Respect for user privacy involves always having the users’ privacy interests in mind and providing the
necessary safeguards and features to protect such interests. This respect inspires every design
decision and understands that the best user experience puts privacy first. This includes putting the
power in the hands of the user to manage their own data and actively seeking their engagement in
the process.

DOCTRINE OF PROPORTIONALITY
The same was agreed to in essence by a nine-judge Bench of the Supreme Court in Justice KS
Puttaswamy v. Union of India, in which the Court upheld privacy as a fundamental right. In the
judgment authored by Justice Sanjay Kishan Kaul, proportionality can be ascertained on the basis of
the following:
(a) the action must be sanctioned by law;
(b) the proposed action must be necessary in a democratic society for a legitimate aim;
(c) the extent of such interference must be proportionate to the need for such interference;
(d) There must be procedural guarantees against abuse of such interference
Justice AK Sikri, in the majority judgment, considers the above for determining whether Aadhaar
passes the proportionality test, albeit with a more nuanced approach.
He has also considered the approach suggested by Prof David Bilchitz of the Faculty of Law at
Johannesburg University.
“Bilchitz proposes the following inquiry. First, a range of possible alternatives to the measure
employed by the Government must be identified. Secondly, the effectiveness of these measures must
be determined individually; the test here is not whether each respective measure realises the
governmental objective to the same extent, but rather whether it realises it in a ‘real and substantial
manner’. Thirdly, the impact of the respective measures on the right at stake must be determined.
Finally, an overall judgment must be made as to whether in light of the findings of the previous steps,
there exists an alternative which is preferable.”

Justice DY Chandrachud, in his dissenting judgment, on Aadhar Act came to an altogether different
conclusion with respect to the proportionality test. To determine the same, he used the four-fold test
laid down in Puttaswamy.
As regards the legitimacy of the State’s interference with the Right to Privacy, Chandrachud J held,
“…by collecting identity information, the Aadhaar program treats every citizen as a potential
criminal without even requiring the State to draw a reasonable belief that a citizen might be
perpetrating a crime or an identity fraud. When the State is not required to have a reasonable
belief and judicial determination to this effect, a program like Aadhaar, which infringes on the
justifiable expectations of privacy of citizens flowing from the Constitution, is completely
disproportionate to the objective sought to be achieved by the State.”
On the subject of a less restrictive but equally effective alternative, he held,
“The object of the state is to ensure that the benefits which it offers are being availed of by genuine
students who are entitled to them. This legitimate aim can be fulfilled by adopting less intrusive
measures as opposed to the mandatory enforcement of the Aadhaar scheme as the sole repository of

13
identification. The state has failed to demonstrate that a less intrusive measure other than biometric
authentication will not subserve its purposes.”
Needless to say, he was of the opinion that the Aadhaar scheme does indeed have a
disproportionate impact on the right holder [point (d), as per Sikri J’s tests for proportionality. He
also held that the existence of a legitimate aim is insufficient to uphold the validity of the law, which
must also meet the other parameters of proportionality spelt out in Puttaswamy. To put it in his
words,
“Constitutional guarantees cannot be subject to the vicissitudes of technology.”
https://www.barandbench.com/columns/legal-insights-on-cryptocurrency-restructuring-the-wazirx-
case-and-why-creditor-votes-are-key-to-successful-recovery

CHILLING EFFECT
A "chilling effect" refers to a situation where individuals or groups refrain from engaging in protected
activities, like free speech or expression, due to fear of potential negative consequences, like legal
sanctions or retaliation, even if those consequences are not guaranteed. The chilling effect is a
phenomenon where the threat of legal or social repercussions discourages people from exercising
their rights or engaging in activities, they would otherwise be free to do. Examples:
A journalist might avoid reporting on a controversial issue due to fear of legal action or reprisal.
Employees might be hesitant to speak out against workplace discrimination or harassment due to
fear of losing their jobs.
People might avoid participating in protests or expressing dissenting opinions due to fear of police
action or public condemnation. Related Concepts:
Overbreadth: A law is considered overbroad if it restricts more speech than necessary to achieve a
legitimate government purpose.
Vagueness: A law is considered vague if it is not clear what conduct is prohibited, leading to
uncertainty and a chilling effect.

BUDAPEST CONVENTION
Article 15 – Conditions and safeguards

Each Party shall ensure that the establishment, implementation and application of the powers and
procedures provided for in this Section are subject to conditions and safeguards provided for under
its domestic law, which shall provide for the adequate protection of human rights and liberties,
including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe
Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations
International Covenant on Civil and Political Rights, and other applicable international human rights
instruments, and which shall incorporate the principle of proportionality. Such conditions and
safeguards shall, as appropriate in view of the nature of the procedure or power concerned, inter
alia, include judicial or other independent supervision, grounds justifying application, and limitation
of the scope and the duration of such power or procedure. To the extent that it is consistent with the
public interest, in particular the sound administration of justice, each Party shall consider the impact
of the powers and procedures in this section upon the rights, responsibilities and legitimate interests
of third parties.
PUTTASWAMY 2017

14
15