
PRIVACY IN CYBERSPACE

‘Privacy’ is defined as an individual requisite of life characterized by exclusion from
publicity. Privacy is regarded as a natural right which provides the foundation for the
legal right and therefore the right to privacy is protected under private law. Privacy is an
important right because it is a necessary condition for other rights such as freedom and
personal autonomy to exist. Hence there is a strong bond between privacy, freedom and
human dignity. The right to privacy is now recognized internationally as a basic human
right, and several international treaties and agreements create an obligation to protect the
privacy of individuals. One such instrument, the Universal Declaration of Human
Rights (UDHR), was adopted by the United Nations (UN) in 1948, and represents the
first comprehensive agreement between nations on the specific rights and freedoms of all
human beings. India voted in favour of Article 12 of the UDHR, which provides for the
right to privacy in stating that an individual would have the right to protection of the law
against any arbitrary interference.

In 1979, India ratified the International Covenant on Civil and Political Rights
(ICCPR). Article 17 of the ICCPR states that:
1. “no one shall be subjected to arbitrary or unlawful interference with his privacy,
family, home, correspondence, nor to unlawful attacks on his honor and reputation,”
and:
2. that “everyone has the right to protection of the law against such interference or
attacks.”
However, India has not signed the First Optional Protocol to the ICCPR, and therefore
it is not possible for Indian citizens to make a complaint or “communication” to the UN
based on a failure by India to fully implement Article 17 of the ICCPR.

I. THE RIGHT TO PRIVACY IN INDIA

In the Indian domestic context, the right to privacy is not specifically provided for or
defined in the Constitution of India. Rather, the right has been read into and built on the
foundation of Article 21 of the Constitution of India 1950, which provides that “no
person shall be deprived of his life or personal liberty except according to a procedure
established by law.”

Amongst its earliest Article 21 jurisprudence, the Supreme Court was called upon to
determine whether certain Regulations that granted the police wide discretion to carry out
surveillance infringed individuals’ constitutional right to life and personal liberty. Two
such measures were the powers (i) to carry out periodical inquiries and reporting of
movements of a suspect from his home, and (ii) to carry out domiciliary visits at night.
The Supreme Court observed that Article 21 is based on the Fifth and Fourteenth
Amendments to the U.S. Constitution, which read “no person …shall be deprived of
life, liberty or property without due process of law,” but noted that the scope of protection
granted by Article 21 may be narrower than that guaranteed by its United States
counterparts, because the word “liberty” was qualified by using the word “personal.”
Nevertheless, the Court refused to adopt an excessively narrow interpretation of the right
to privacy under Article 21, and came to the conclusion that “personal liberty” is a
compendious term which includes all the varieties of rights which make up the “personal
liberties” of man other than the “freedom” guaranteed under Article 19(1) of the
Constitution. In other words, Article 19(1) of the Constitution deals with particular
species or attributes of freedom, whereas Article 21 covers residual rights that serve to
more fully ensure the “freedom” of citizens.

The Supreme Court opined that the term “personal liberty” must be construed in light of
the goal of furthering the dignity of the individual, a phrase that is found in the Preamble
to the Constitution of India. Therefore, even though the Constitution of India does not
contain language akin to the Fourth Amendment of the U.S. Constitution. Drawing
inspiration from J. Subba Rao’s dissenting opinion in Kharak Singh’s case, the Supreme
Court held that the right to privacy encompassed and protected the personal intimacies of
the home, family, marriage, motherhood, procreation, and child rearing. This holding was
based on the conclusion that the rights and freedoms of citizens set forth in the
Constitution guarantee that the individual, his personality, and the things stamped with his
personality shall be free from official interference except where a reasonable basis for
intrusion exists. However, the Supreme Court also held that the right to privacy must be
viewed in the context of other rights and values, and also that the right to privacy may be
denied if a countervailing State interest of paramount importance can be demonstrated.
Consequently, the Court held that the right to privacy is not an absolute right, and the
scope of the right would have to be determined on a case-by-case basis.

In R. Rajagopal v. State of Tamil Nadu & Ors., (1994) 6 SCC 632, while reaffirming the
view that the right to privacy is implicit in the right to life and liberty guaranteed by
Article 21, the Court held that a third party who published material based on information
that fell within the scope of another individual’s right to privacy would be liable in an
action for damages. However, in balancing the right to privacy with the freedom of the
press, the Supreme Court held that the right to privacy did not apply once a matter
became a part of the public record, and it instead became a legitimate subject for
comment by the press and media, among others.

In People’s Union for Civil Liberties (PUCL) v. Union of India & Anr., the Supreme
Court was faced with a challenge to the constitutionality of Section 5(2) of the Indian
Telegraph Act 1885, which vests the Government with the power to carry out telephone-
tapping of any person or class of persons in the interest of public safety or in the event of
a public emergency. In the alternative, it was argued that the provision should be read to
include procedural safeguards to rule out arbitrariness and to prevent indiscriminate
telephone-tapping. From the outset, the Court recognized that the right to hold a telephone
conversation in the privacy of one’s home or office without interference can be claimed
as within the “right to privacy,” and held that telephone-tapping would infringe Article 21
of the Constitution unless it was permitted under a procedure established by law.

In Mr. X v. Hospital Z, the Supreme Court held that the disclosure of Mr. X having AIDS
by his doctor to Mr. X’s fiancée, which led to their marriage being called off, was not a
violation of Mr. X’s right to privacy. The Court recognized that public disclosure of true
but private facts may amount to an invasion of the right to privacy, since “disclosure of
even true private facts has the tendency to disturb a person’s tranquility. It may generate
many complexes in him and may even lead to psychological problems. He may,
thereafter, have a disturbed life all through.” However, the case presented the Court with
a tension between fundamental rights: a person’s right to privacy or “right to be let alone”
on the one hand, and another’s right to life and health on the other. The Court held that
such a conflict must be resolved by enforcing the right that would best advance the public
morality or public interest in the specific case. Crucially, the Court noted that “moral
considerations cannot be kept at bay and the Judges are not expected to sit as mute
structures of clay in the hall known as the courtroom, but have to be sensitive, ‘in the
sense that they must keep their fingers firmly upon the pulse of the accepted morality of
the day.’” This judgment is noteworthy due to its examination of the impact of the right to
privacy between private parties, in contrast to the cases involving Government
infringement discussed previously. However, the Court did not significantly analyze the
enforceability of the right to privacy in such a private context, having held that the right to
privacy must give way to another’s right to life.

However, the scope of the right to privacy in India was at issue before the Supreme Court
in 2015, in K.S. Puttaswamy (Retired) & Anr. v. Union of India & Ors., (2015) 8 SCC
735, when the Government sought to implement the “Aadhaar Card Scheme,” which
would include the issuing of a “multi-purpose national identity card” to every citizen.
This system would operate by collecting demographic and biometric data from
individuals that would be used for a number of purposes, including facilitating a Public
Distribution System. It was argued that the collection of such data was a violation of
individuals’ right to privacy, and the legislation establishing this system has been severely
criticized for lacking any procedures for establishing proper safeguards. This case is the
cornerstone of the ‘Right to Privacy’ jurisprudence in India. The nine Judge Bench
in this case unanimously reaffirmed the right to privacy as a fundamental right
under the Constitution of India. The Court held that the right to privacy was
integral to freedoms guaranteed across fundamental rights, and was an intrinsic
aspect of dignity, autonomy and liberty.

SUMMARY OF K S PUTTASWAMY CASE –

Facts of the case-

This case was initiated through a petition filed by Justice K.S. Puttaswamy, a retired judge
of the Karnataka High Court in relation to the Aadhaar Project, which was spearheaded
by the Unique Identification Authority of India (UIDAI). The Aadhaar number was a 12-
digit identification number issued by the UIDAI to the residents of India. The Aadhaar
project was linked with several welfare schemes, with a view to streamline the process of
service delivery and remove false beneficiaries. The petition filed by Justice Puttaswamy
was a case which sought to challenge the constitutional validity of the Aadhaar card scheme.
Over time, other petitions challenging different aspects of Aadhaar were also referred to the
Supreme Court.

In 2015, before a three Judge Bench of the Court, the norms for, and compilation of,
demographic biometric data by the government were questioned on the grounds of violation
of the right to privacy. The Attorney General of India argued against the existence of the
fundamental right to privacy based on the judgments in M.P. Sharma and Kharak Singh
case. While addressing these challenges, the three Judge Bench took note of several
decisions of the Supreme Court in which the right to privacy had been held to be a
constitutionally protected fundamental right. However, these subsequent decisions which
affirmed the existence of a constitutionally protected right of privacy, were rendered by
benches of a strength smaller than those in M.P. Sharma and Kharak Singh. The case was
referred to a Constitution Bench to scrutinize the precedents laid down in M.P.
Sharma and Kharak Singh and the correctness of the subsequent decisions. On 18 July 2017,
a Constitution Bench considered it appropriate that the issue be resolved by a bench of nine
judges.

Issue:

A. Whether the right to privacy was a fundamental right under Part III of the Constitution of
India.

Arguments advanced:

The Respondents mainly relied upon the judgments in the cases of M.P. Sharma, as well as
the case of Kharak Singh, which had observed that the Constitution did not specifically
protect the right to privacy. The judgments were pronounced by an eight Judge and a six
Judge Bench respectively, and the Respondents argued that they would therefore be binding
over the judgments of smaller benches given subsequently. The Respondents further argued
that the makers of the Constitution did not intend to make the right to privacy a fundamental
right.

On the other hand, the submission of the Petitioners was that M.P. Sharma and Kharak
Singh were founded on principles expounded in A.K. Gopalan vs. State of Madras (1950
SCR 88). The Petitioners argued that A.K. Gopalan, which construed each provision
contained in the Chapter on fundamental rights as embodying a distinct protection, was held
not to be good law by an eleven Judge Bench in Rustom Cavasji Cooper vs. Union of India
((1970) 1 SCC 248). Hence, the Petitioners submitted that the basis of the two earlier
decisions was not valid. It was also urged that in the seven Judge Bench decision in Maneka
Gandhi vs. Union of India ((1978) 1 SCC 248), the minority judgment of Justice Subba
Rao in Kharak Singh was specifically approved while the decision of the majority was
overruled.

In addition to this, other arguments made during the hearing dealt with the scope of the right
to privacy. The Petitioners argued for a multi-dimensional model of privacy as a
fundamental right, while the Respondents stated that the right to privacy was an ambiguous
concept and could only be crystallized as a statutory and common law right.

The Petitioners argued that the Constitution would have to be read in line with the Preamble,
while keeping in mind that privacy was a natural right, and an international human right.
The Respondents advocated for a narrow approach which focused on the Constitution as the
repository of fundamental rights and the Parliament as the only body which had the powers
to modify the same.

Decision:

The Supreme Court, through six separate opinions, pronounced privacy to be a distinct
and independent fundamental right under Article 21 of the Constitution. The crux of
the decision spelled out an expansive interpretation of the right to privacy - it was not a
narrow right against physical invasion, or a derivative right under Article 21, but one that
covered the body and mind, including decisions, choices, information and freedom. Privacy
was held to be an overarching right of Part III of the Constitution which was enforceable
and multifaceted. Details regarding the scope of the right were discussed in the multiple
opinions.

The Court overruled the judgments in M.P. Sharma, and Kharak Singh, in so far as the latter
held that the right to privacy was not a fundamental right. With respect to M.P. Sharma, the
Court held that the judgment was valid for maintaining that the Indian Constitution did not
contain any limit to the laws on search and seizure analogous to the Fourth Amendment in
the United States Constitution. However, the Court held that the Fourth Amendment was not
an exhaustive concept of privacy and an absence of a comparable protection in the
Constitution did not imply that there was no inherent right to privacy in India at all – and
therefore the conclusion in M.P. Sharma was overruled. The Court rejected the insular view
of personal liberty (“ordered liberty”) adopted by Kharak Singh, which Justice D.Y.
Chandrachud referred to as the “silos” approach borrowed from A.K. Gopalan. The Court
observed that this approach of viewing fundamental rights in water-tight compartments was
abrogated after Maneka Gandhi. The Court further observed that the majority opinion
in Kharak Singh suffered from an internal contradiction, as there was no legal basis to have
struck down domiciliary visits and police surveillance on any ground other than privacy – a
right which they referred to in theory but held not to be a part of the Constitution. The Court
also held that the decisions subsequent to Kharak Singh upholding the right to privacy were
to be read subject to the principles laid down in the judgment.

The Court also analysed the affirmative case for whether the right to privacy was protected
under the right to life, personal liberty and the freedoms guaranteed under Part III of the
Constitution. The Bench established that privacy was “not an elitist construct”. It rejected
the argument of the Attorney General that the right to privacy must be forsaken in the
interest of welfare entitlements provided by the state.

Significantly, while holding that the right to privacy was not absolute in nature, the
judgment also gave an overview of the standard of judicial review that must be applied in
cases of intrusion by the State in the privacy of an individual. It held that the right to privacy
may be restricted where such invasion meets the three-fold requirement of:

A. legality, which postulates the existence of law;
B. need, defined in terms of a legitimate state aim; and
C. proportionality, which ensures a rational nexus between the objects and the means adopted to
achieve them.

Justice S.K. Kaul added a fourth prong to this test which mandated “procedural guarantees
against abuse of such interference”. At the same time, Justice J. Chelameswar held that the
standard of “compelling state interest” was only to be used in privacy claims which deserve
“strict scrutiny”. As for other privacy claims, he held that the just, fair and reasonable
standard under Article 21 would apply. According to his judgment, the application of the
“compelling state interest” standard would depend on the context of the case.

The Court also emphasised the fact that sexual orientation was an essential facet of privacy.
It further discussed the negative and positive content of the right to privacy, where the State
was not only restrained from committing an intrusion upon the right but was also obligated
to take necessary measures to protect the privacy of an individual.

The judgment held informational privacy to be a part of the right to privacy. The Court
while noting the need for a data protection law left it in the domain of Parliament to legislate
on the subject.

II. ACTIVITIES ON INTERNET WHICH CAN AFFECT PRIVACY

What is internet privacy: The ability of an individual to interact online without losing
their personal privacy is a significant part of the internet’s value and is intimately
related to its trustworthiness. As ecommerce has continued to grow and gain traction
online, internet privacy has become vital for business owners and managed IT
service providers. Internet privacy, or online privacy, is a serious concern for internet
users who visit social networking sites, make online purchases, or participate in
online games, as they wish for their privacy to be protected. Businesses and users are
concerned about privacy threats and violations, as the risk of information making its way
into cybercriminals’ hands is greater than ever before.

Risks of Internet Privacy: In the digital world we are trapped in a system in which
whatever we do is monitored and logged, which has made privacy a thing of the past.
Whatever we do using modern communications equipment leaves a digital trail that is
followed assiduously by giant corporations, governments and their security services.
Things to be considered when using modern technology are:
1. Spyware: An application that gathers all data without the user’s consent when offline
and sends the data to the spyware source when online.
2. Malware: An application that harms both offline and online computer users via
viruses, Trojans and spyware.
3. Web bugs: Objects that can be embedded into an email or web page to check if a user
has read a specific email or has visited a certain website which is usually unknown to
the user.
4. Phishing: A tactic used to steal secure user data including credit card numbers,
usernames, passwords, security PINs or bank account numbers through someone
disguised as a trustworthy person by means of some form of electronic
communication.
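The web bug described in item 3 can be spotted in a saved HTML message before any image is loaded. The following is an added example, not part of the original notes: it flags invisible remote images and lists the query parameters that would identify the reader. The sample message, host names and parameter names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


def leading_int(value):
    """Return the leading integer of an attribute such as '1' or '1px', else None."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def is_invisible(attrs):
    """True when the image is at most 1x1 or is hidden with inline CSS."""
    width = leading_int(attrs.get("width"))
    height = leading_int(attrs.get("height"))
    if width is not None and height is not None and width <= 1 and height <= 1:
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class WebBugFinder(HTMLParser):
    """Collects <img> tags that fetch a remote URL but show nothing to the user."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = dict(attrs)
        url = urlsplit(attr.get("src") or "")
        # Only http(s) sources cause a network request that reveals the open;
        # embedded images (cid:, data:) do not contact a server.
        if url.scheme not in ("http", "https"):
            return
        if is_invisible(attr):
            self.findings.append({
                "host": url.hostname,
                # Parameter names only: these usually carry the per-recipient ID.
                "params": sorted(parse_qs(url.query)),
            })


def find_web_bugs(html):
    finder = WebBugFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample message (not real traffic).
SAMPLE_EMAIL = """
<html><body>
<p>Your invoice is attached.</p>
<img src="https://static.shop.example/logo.png" width="180" height="40" alt="Shop">
<img src="https://mail.tracker.example/o.gif?rcpt=u-1842&amp;msg=c-77" width="1" height="1" alt="">
<img src="cid:footer-image" width="1" height="1">
<img src="http://beacon.tracker.example/t?e=abc" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_EMAIL):
        print(bug)
```

A mail client that does not load remote images by default never makes these requests, so the sender does not learn that the message was opened.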

Preventive Measures: Doing the following can help to overcome the risks of internet
privacy to some extent:
1. Avoid exposing personal data on websites with less security.
2. Make sure that websites are secure and verify if “https” is used instead of “http.”
3. Use complicated passwords consisting of numerals, letters and special characters.
4. Clear the history of your browser and cache regularly to ensure the browser is clear.
Avoid shopping on websites that are not reliable.
5. Use software applications such as anti-malware, anti-spam, anti-virus and firewalls
for protection.

Issues with Privacy on internet:

1. Email- Most email services (Gmail etc.) are susceptible because the real
difficulty with email is securing the metadata. While there are ways of keeping the
content of messages private, the "metadata" that is sent along with the message can
be very revealing, and it cannot be encrypted because it is needed by the internet
routing system; hence it is available to most security services without a warrant.
2. Encryption- Encryption used to be the sole province of mathematicians, but this has
changed in recent years, since various publicly available tools have taken the rocket
science out of encrypting (and decrypting) email and files. These tools scramble the data,
but do not protect one from government authorities who demand the encryption key under
the Regulation of Investigatory Powers Act (2000).
3. Web browsing- Web browsing is the fundamental use of the internet, since it is what
internet users do most; hence it's worth taking browser security and privacy seriously.
Configuring the browser is one of the ways to protect against tracking of online
behavior.
4. Cloud services- The working assumption is that anything stored on such systems is
potentially accessible by others. Therefore if you must entrust data to them, make sure
it is encrypted.
5. Social media networking- In social networks such as Facebook, no matter what your
privacy settings, you don't have control over information about you that is posted by
your friends.
6. Location data- Avoid using services that require location information.
7. Wireless services- Switch off Bluetooth by default on mobile devices and switch it
on only when in use. Avoid using open wifi in public places and always secure your
personal wifi connection using a password.
8. Search engines- Most search engines track search history and build profiles
based on it to serve personalized results. So it is better to switch to a search engine
that does not track your search history, thus escaping from the "filter bubble". One of
the most obvious and effective such search engines is DuckDuckGo.
9. Online Tracking- One might notice that many of the advertisements one sees online
match one's tastes and interests. The reason is that almost every major website one
visits tracks one's online activity, following the user from site to site, and compiles
all the gathered information into a database. Almost all
browsers give the user some control over how much information is revealed, kept
and stored. Therefore the settings to restrict cookies should be set, thus enhancing one’s
privacy. Some of the tools used to track one online include cookies, flash cookies,
fingerprinting and cross-device tracking.
10. Cookies- Cookies are defined as the pieces of information on your hard drive sent by
a web server to a user's browser, gathered while visiting different websites. Cookies
encompass information such as login identification, user preferences, online shopping
cart information etc. The web server makes use of the cookies to customize the
display it sends to the user by keeping track of the various pages within the site that the
user accesses. For example, when we use the internet to complete an online registration
card for a product such as a computer or refrigerator, we
generally provide our name and address, which may then be stored in a cookie.
There are three types of cookies, namely first-party, third-party and flash cookies. First-party
cookies are used by legitimate websites to make special offers to returning
users and to track the results of their advertising. Third-party cookies are those which
communicate data about users to an advertising clearinghouse, which in turn shares
that data with other online marketers, using the user’s online history to deliver other
ads. The browser and some software products enable us to detect and delete all types
of cookies. Flash cookies, also called super cookies, are more persistent than a
regular cookie and are utilized by many websites. Erasing standard cookies, clearing
history, or clearing data within the browser will not affect flash cookies, since they persist
despite user efforts to delete all cookies. Flash cookies cannot be deleted by any
commercially available anti-spyware or adware removal program; in the
Firefox browser, however, there is an add-on called Better Privacy which assists in the deletion
of flash cookies.
11. Fingerprinting- A device fingerprint, also known as a machine fingerprint, is a
concise form of the software and hardware settings collected from a computer;
each device has different clock settings, fonts and software, which make it unique. When
one goes online, the corresponding device broadcasts these details, which are
collected and combined together to form a unique fingerprint for that particular
device. The fingerprint is then assigned an identifying number and used for purposes
similar to those of a cookie. Tracking companies are embracing fingerprinting, which is now replacing
cookies because it is tougher to block than cookies. Unlike cookies, which are
subject to deletion and expiration and are of no use if a user decides to switch to a new
browser, fingerprinting leaves no evidence on a user's computer from which to realize
that one is being tracked. Since fingerprinting is generally invisible and difficult to
prevent, it is not easy to delete fingerprints that have been collected. One of the ways
to prevent fingerprinting is to block JavaScript on one's computer, but some parts of a
website may then not load, resulting in a blank space on the webpage.
12. Cross-device tracking- Cross-device tracking enables companies to link a
consumer’s behavior across all of their devices such as smart phones, tablets, desktop
computers and other connected devices. Although this information serves many
purposes, it is specifically valuable to advertisers for marketing purposes. Both
“deterministic” and “probabilistic” techniques are used by companies to engage in
cross-device tracking. The deterministic techniques are used to track characteristics
such as a login while the probabilistic techniques are used to infer which consumer is
using a device, even when a consumer has not logged into a service. Most browsers
give access to a Do Not Track (DNT) setting to keep your online activity from being
followed across the Internet by advertisers, analytics companies and social media
sites.
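The first-party versus third-party distinction in item 10 can be checked from the `Set-Cookie` headers a page load produces. The following is an added example, not part of the original notes: it labels each cookie by party and persistence and marks persistent third-party cookies as tracking candidates. The URLs and cookie values are constructed, and the "site" of a host is approximated by its last two labels, which is an assumption (browsers use the Public Suffix List).

```python
from urllib.parse import urlsplit


def site_of(host):
    """Approximate the 'site' of a host as its last two DNS labels.

    Assumption for this example: real browsers consult the Public Suffix
    List, so a host under a suffix such as co.in needs three labels.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def audit_cookies(page_url, responses):
    """Classify cookies set while loading page_url.

    responses is a list of (request_url, set_cookie_header_value) pairs.
    """
    page_site = site_of(urlsplit(page_url).hostname)
    report = []
    for request_url, header in responses:
        name, _value, attrs = parse_set_cookie(header)
        request_host = urlsplit(request_url).hostname
        party = "first" if site_of(request_host) == page_site else "third"
        # Without Max-Age or Expires the cookie ends with the browser session.
        persistent = "max-age" in attrs or "expires" in attrs
        # SameSite=None explicitly allows the cookie on cross-site requests.
        cross_site = attrs.get("samesite", "").lower() == "none"
        report.append({
            "name": name,
            "set_by": request_host,
            "party": party,
            "persistent": persistent,
            "sent_cross_site": cross_site,
            "tracking_candidate": party == "third" and persistent,
        })
    return report


# Constructed sample: one page load and the cookies its requests set.
PAGE = "https://shop.example/cart"
RESPONSES = [
    ("https://shop.example/cart",
     "session=abc; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("https://cdn.shop.example/app.js",
     "prefs=lang-en; Max-Age=2592000"),
    ("https://ads.tracker.example/pixel.gif?id=1",
     "uid=7f3a; Domain=tracker.example; Max-Age=31536000; Secure; SameSite=None"),
]

if __name__ == "__main__":
    for row in audit_cookies(PAGE, RESPONSES):
        print(row)
```

Only the `uid` cookie is both third-party and persistent, which is the kind a browser's third-party cookie blocking setting targets.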

Current policy for Internet Privacy in India- Currently, India's most comprehensive
legal provisions related to privacy on the internet can be found in the Information
Technology Act (ITA) 2000. The ITA contains a number of provisions to safeguard
online privacy, which encompass penalizing child pornography, hacking and fraud and
defining data protection standards for bodies corporate. The ITA does not address issues and
circumstances like the evidentiary status of social media content in India, merging and
sharing of data across databases, the use of electronic personal identifiers across databases,
and whether individuals have the right to request service providers to take down and delete their
personal content.

Future frameworks for internet privacy in India- Future frameworks for
internet privacy in India would apply to all data controllers both in the private sector and
the public sector to ensure that businesses and governments are held accountable for
protecting privacy and that legislation and practices found across sectors,
states/governments, organizations, and governmental bodies are harmonized. The privacy
principles include: notice, choice & consent, collection limitation, purpose limitation,
access and correction, accountability, openness, disclosure of information, and security.
The framework also envisions a system of co-regulation, in which the National Privacy Principles will be
binding for every data controller. However, self-regulatory organizations at the industry
level will have the option of developing principles for that specific sector, which have to be
approved by the privacy commissioner and be in compliance with the National Privacy
Principles. In addition to defining principles, the establishment of a privacy commissioner
for overseeing the implementation of the right to privacy in India is recommended.

A Privacy Legislation for India- Since 2010, there has been a strong public discourse around
the need for a privacy legislation in India and in 2011, the Department of Personnel and
Training released a draft privacy bill that defined a privacy regime for data protection,
surveillance, mass marketing and recognized privacy as a fundamental right.

Digital Personal Data Protection Act 2023 (DPDP)

The DPDP Act is India’s comprehensive legislation for personal data protection. The Act
came into effect on September 1, 2023, and it applies to all organizations that process
personal data of individuals in India. It regulates the processing of personal data and
establishes the rights of individuals over their data. Its key features include:

1. Scope:
o Applies to organizations processing personal data of individuals in India.
o Applicable to entities both within and outside India, if they process data of individuals in
India.
2. Consent:
o Allows data processing without explicit consent in specific cases, such as contractual
obligations or public interest.
o Emphasizes the right to be forgotten and the right to erasure.
3. Data Localization:
o Does not mandate the storage of personal data within India.
o Provides for the cross-border transfer of data, subject to certain conditions.
4. Data Breaches:
o Requires organizations to notify the Data Protection Board and affected individuals within
72 hours of becoming aware of a data breach.
o Establishes obligations for data fiduciaries to implement security safeguards.
5. Penalties:
o Imposes fines up to INR 250 crores for violations.
o Includes penalties for failure to conduct a data impact assessment or follow breach
notification procedures.

6. What is personal data?

Personal data is defined under the DPDPA as "any data that relates to a natural person
who can be identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, or an online identifier." This
broad definition encompasses a wide range of information, including but not limited
to:

• Name, address, and contact information
• Date of birth and gender
• Financial information, such as bank account numbers and credit card details
• Online browsing history and search queries
• Social media posts and messages
• Location data, such as GPS coordinates

7. What data is protected by the DPDPA?

The DPDPA protects personal data that is processed in India, regardless of whether
the data was originally collected in India or elsewhere. The Act also applies to the
processing of personal data of Indian citizens, even if the data is processed outside of
India. The DPDPA does not apply to personal data that is:

• Processed for law enforcement or national security purposes
• Processed for the purpose of journalism or artistic expression
• Processed for personal or family purposes

Key principles of the DPDPA:

The DPDPA is based on six key principles:

1. Lawfulness: Personal data must be processed lawfully, fairly, and transparently.
2. Purpose Limitation: Personal data must be collected for specified, explicit, and
legitimate purposes and not further processed in a manner that is incompatible with
those purposes.
3. Data Minimization: Personal data must be adequate, relevant, and limited to what is
necessary in relation to the purposes for which they are processed.
4. Accuracy: Personal data must be accurate and, where necessary, kept up to date.
5. Storage Limitation: Personal data must be kept in a form which permits
identification of data subjects for no longer than is necessary for the purposes for
which the personal data are processed.
6. Integrity and Confidentiality: Personal data must be processed in a manner that
ensures appropriate security of the personal data, including protection against
unauthorized or unlawful processing and against accidental loss, destruction, or
damage, using appropriate technical or organizational measures.

Rights of data principals:

The DPDPA grants individuals several rights with respect to their personal data,
including:

• The right to access their personal data
• The right to rectification of inaccurate personal data
• The right to erasure of their personal data
• The right to restrict the processing of their personal data
• The right to data portability
• The right to object to the processing of their personal data

Enforcement of the DPDPA:

The DPDPA is enforced by the Data Protection Authority of India (DPA), which is
an independent body responsible for overseeing the implementation of the Act. The
DPA has the power to investigate complaints, issue fines, and order organizations
to comply with the Act.

General Data Protection Regulation (GDPR):

GDPR is the European Union’s data protection regulation implemented in 2018. It sets
out rules for the processing of personal data and the rights of individuals. Key aspects
include:

1. Scope:
o Applies to organizations processing personal data of individuals in the European Union.
o Extraterritorial application, impacting organizations worldwide.
2. Consent:
o Requires explicit consent for processing personal data.
o Individuals have the right to withdraw consent.
3. Data Localization:
o Generally requires the storage of personal data within the EU.
o Permits data transfers based on adequacy decisions, binding corporate rules, or standard
contractual clauses.
4. Data Breaches:
o Mandates notifying the relevant data protection authority within 72 hours of a data breach.
o Emphasizes the principles of data protection by design and by default.
5. Penalties:
o Imposes fines up to €20 million or 4% of the global annual turnover for serious violations.
o Focuses on accountability, transparency, and data protection impact assessments.

Both DPDP and GDPR aim to safeguard individuals’ privacy but differ in certain
approaches, such as consent requirements, data localization, and penalty structures.

III. INTERMEDIARY LIABILITY IN INDIA

In India, the term ‘intermediary’, with respect to an electronic record, is defined in Section
2(1)(w) of the Information Technology Act, 2000 as “any person who on behalf of another
person receives, stores or transmits that record or provides any service with respect to that
record”; this includes internet service providers, network service providers, telecom service
providers, online marketplaces and cyber cafés. The definition of intermediary is satisfied
only if there is an exchange of data, information, goods and services through the internet on
the social media platform. The provisions in the IT Act 2000, which deal with the primary
liability of a body corporate or an individual that collects and handles data, may be viewed
under two heads:

1. Liability which arises out of negligence in maintaining reasonable security
practices and procedures to safeguard data, where such negligence results in
wrongful loss to any person.

In this regard, Section 43A of the IT Act 2000 requires that intermediaries maintain
reasonable security practices and procedures, and failure to do so which results in
wrongful loss or gain to any person will render such body corporate liable to the injured
person for damages. Therefore, it appears that the standard applied to a body corporate
that handles and collects data is not one of strict liability, but rather one of taking
reasonable care to ensure that it maintains reasonable security practices and procedures.
The Section goes on to explain that “reasonable security practices and procedures”
means security practices and procedures designed to protect such information from
unauthorized access, damage, use, modification, disclosure, or impairment, as may be
specified in any law, agreement between the parties, or prescribed by the Central
Government.

2. Liability which arises out of the intentional disclosure of any personal
information that is capable of identifying such person.

In this regard, Section 72A of the IT Act 2000 provides for criminal liability on any
person (including an intermediary) who discloses the personal information of another
person to any other person without the consent of the person concerned or in breach of a
lawful contract, with intent to cause or knowing that he is likely to cause a wrongful loss
or gain.

Therefore, under the IT Act 2000, a person who has suffered a breach of personal data
may seek a remedy under either Section 43A, which grants compensation for failure to
implement reasonable security procedures, or under Section 72A, which provides for
criminal liability for the defendant in cases where an intermediary secures personal
information and discloses it without consent or in breach of contract, with the intent of
causing wrongful loss or gain. Apart from these provisions, Section 45 provides for a
residuary penalty of Rs. 25,000 for non-compliance with the provisions of the Act where
no specific penalty has been defined.

“Safe Harbour”

The other approach is the “safe harbour” model, which provides immunity to
intermediaries if they comply with certain requirements. Under this model, the liability of
an intermediary with respect to illegal or offensive content hosted by it is dependent upon
the role played by the intermediary in distributing such content (e.g., whether it is active or
passive). An intermediary that is aware of the content made available by it, and which
exercises control over such content by editing it, is much more likely to be held liable for
such content.
In the United States, the safe harbour model is primarily applied to intermediaries with
respect to copyright issues. However, a different approach is used for defamatory or
offensive content, thereby preventing online intermediaries from being treated as the
publisher of user content that gives rise to claims of defamation, invasion of privacy,
tortious interference, and general negligence.

India adopted the conditional “safe harbour” approach in 2008 by amending the
Information Technology Act 2000 to modify the safe harbour provision contained in
Section 79. Under the amended statute, an intermediary is only liable for infringing or
offensive content if it is established that the intermediary was notified of the content and
subsequently failed to take steps to take it down. If an intermediary does not fall within the
safe harbour, it may incur civil or criminal liability for defamation, obscenity, sedition, or
other actions.

Section 79 of the IT Act 2000 provides that “an intermediary shall not be liable for any
third party information, data, or communication link made available or hosted by him.”
This protection from liability is not absolute, and is subject to the conditions laid down in
Sub-Section (2) of Section 79:
• The function of the intermediary is limited to providing access to a communication
system over which information made available by third parties is transmitted or
temporarily stored or hosted;
• the intermediary does not initiate the transmission, select the receiver of the
transmission, or select or modify the information contained in the transmission; and
• the intermediary observes due diligence while discharging its duties under the Act, and
observes the guidelines prescribed by the Central Government in this respect.

Furthermore, Subsection (3) provides for two exceptional situations in which the safe
harbour provision under Section 79(1) will not apply:
• The first exception, under Section 79(3)(a), is for cases where the intermediary has
conspired, abetted, aided, or induced the commission of the unlawful act.
• The second exception, contained in Section 79(3)(b), is an incorporation of the
“notice and takedown” approach. It provides that the safe harbour provision shall
not apply if, “upon receiving actual knowledge, or on being notified by the
appropriate Government or its agency that any information, data or
communication link residing in or connected to a computer resource controlled by
the intermediary is being used to commit the unlawful act, the intermediary fails
to expeditiously remove or disable access to that material on that resource without
vitiating the evidence in any manner.”

The modalities of the “notice and takedown” regime are provided in the Information
Technology (Intermediaries Guidelines) Rules 2011, Rule 3 of which provides that an
intermediary “shall not knowingly host or publish any information or shall not initiate the
transmission, select the receiver of the transmission, and select or modify the
information,” and casts an obligation on the intermediary to disable such information
within 36 hours of it being brought to the intermediary’s attention by any affected person.

In Shreya Singhal v. Union of India, the landmark case that dealt with the State’s power
to regulate content on the internet, one of the challenges was against Section 79(3)(b) of
the IT Act 2000, on the ground that it requires the intermediary to exercise its own
judgment upon receiving actual knowledge that any information is being used to commit
unlawful acts. Furthermore, it was argued that any restrictions on the ability of
intermediaries to host content would have an immediate, direct, and adverse bearing on
internet users’ freedoms under Article 19(1)(a). While the Supreme Court refused to
strike down the provision altogether, the Court read it down to mean that the intermediary
will be liable if “upon receiving actual knowledge that a court order has been passed
asking it to expeditiously remove or disable access to certain material must then fail to
expeditiously remove or disable access to that material … otherwise it would be very
difficult for intermediaries like Google, Facebook, etc. to act when millions of requests
are made and the intermediary is then to judge as to which of such requests are legitimate
and which are not.”

Power of the Government: The IT Act 2000 contains provisions which vest in the
Government the power to issue directions to intercept, monitor, and collect information
that flows through “computer resources.”
1. Section 69 empowers the Government to “direct any agency of the appropriate
Government to intercept, monitor, or decrypt or cause to be intercepted or monitored
or decrypted any information generated, transmitted, received or stored in any
computer resource,” if it finds that it is necessary or expedient to do so in the interest
of “the sovereignty or integrity of India, defence of India, security of the State,
friendly relations with foreign States or public order or for preventing incitement to
the commission of any cognizable offence relating to above or for investigation of any
offence.”
2. Section 69A provides the government with the power to issue
directions for blocking for public access of any information through any computer
resource. This power can be exercised in the interest of the sovereignty or integrity of
India, defence of India, the security of the state, friendly relations with foreign states,
public order, and for investigating any offence. This provision enables the government
to ask any agency of the government, or any intermediary, to block access to the public
of any information generated, transmitted, received or stored or hosted on any
computer resource.
3. In addition, Section 69B empowers the Government to “monitor and collect traffic
data or information generated, transmitted, received or stored in any computer
resource,” in order to “enhance cyber security and for identification, analysis and
prevention of intrusion or spread of computer contaminant in the country.” “Traffic
data” has been defined in Explanation (ii) to Section 69B as “any data identifying or
purporting to identify any person, computer system or computer network or any
location to or from which communication is or may be transmitted.”

Case Laws on Intermediary Liability:

In Sanjay Kumar Kedia v. Narcotics Control Bureau, the petitioner’s plea to escape liability
under the old Section 79 was rejected by the court, as the petitioner’s company had actual
knowledge of the mala fide sale of ‘psychotropic substances’ through its website,
which violated the Narcotic Drugs and Psychotropic Substances Act, 1985. On this ground the
company was not considered to fall within the immunity provided under Section 79 of the
I.T. Act, 2000.

Obscene video on Intermediary website: In Avnish Bajaj v. State, the CEO of
Bazee.com failed to prove lack of knowledge and adoption of due diligence when a third
party uploaded an MMS of two students of a school on its auction site. The FIR against the
Director was not quashed, as Section 85 of the I.T. Act, 2000 made a Director vicariously
liable for acts committed by the company, the Director being in charge of the conduct of the
business of the company when such contravention was made.

The court held that under Section 272 of the Indian Penal Code there is no automatic liability
of a Director for publishing obscene material by a third party in the absence of mens rea. The
FIR was quashed against the Director, but vicarious liability existed due to the deeming
provision of Section 85 of the I.T. Act, 2000 read with Section 67 of the I.T. Act, 2000, which
provides that publication of obscene content is an offence. According to Section 85 of the
I.T. Act, 2000, where an offence is committed by a company, every person who at that time was
responsible for the conduct of the business of the company shall be liable to be prosecuted
and punished unless the Director proves lack of knowledge and compliance with due
diligence. Section 85 of the IT Act, 2000 does not specify whether the knowledge should be
constructive or actual. However, it is clear that if a contravention is made with the
consent or connivance of a Director, such person may be liable. Hence, the FIR was not
quashed, as despite actual notice the illegal material (MMS clip) was not removed for two
days and the filtering mechanism failed to block publication of such content. Later this
decision was overruled in Aneeta Hada v. Godfather Travels and Tours (P) Ltd., wherein
the Hon’ble Supreme Court considered the case of Avnish Bajaj v. State, popularly known
as the Bazee.com case, along with the other Criminal Appeals to decide the question of
liability. The Court considered the material question whether a Director shall be liable
where a company is not arraigned as an accused in the complaint. The court held that under
Section 85 of the I.T. Act, which provides for deemed liability of the Directors where an
offence is committed by a company, a Director shall not be liable when the complainant has
not made the company an accused. On this reasoning, the court quashed the proceedings
against the Director, as the company was not arraigned as an accused in the complaint.

After the amendment of Section 79 of the I.T. Act, 2000, the liability of an Intermediary has
been clarified to some extent. The current law states that an Intermediary is not liable unless
the Intermediary has actual knowledge, or modifies/selects third party content and publishes
it (provided it observes due diligence requirements and other conditions mentioned in
Section 79 of the IT Act, 2000), or is proved to have conspired/abetted in the commission of
the unlawful act by threats or promise.

Defamatory material on Intermediary website: In the case of Nirmaljeet Singh Narula v.
Yashwant Sinha, the Plaintiff filed a suit for permanent injunction and damages against
Bhadas4media.com, a news portal. The Plaintiff filed an application for interim relief of
temporary injunction against the Defendants on the ground that the Defendants had published
false and mala fide allegations against the Plaintiff which were defamatory in nature. It was
alleged that the freedom of the press was being misused by the Defendants, as their sole
agenda was to defame the Plaintiff. The court granted a conditional injunction restraining
the Defendants from licensing, writing, publishing, hosting, or advertising defamatory
material against the Plaintiff through their website or other media. In defamation cases, a
party may ask for compensation and/or prosecute the accused under Section 500 of the Indian
Penal Code, 1860, which prescribes punishment of imprisonment of up to 2 years, or fine, or
both.

In another case, Vyakti Vikas Kendra v. Jitender Bagga, the Delhi High Court granted an
interim injunction against the Defendant, restraining them from publishing defamatory
materials about the founder of the Art of Living Foundation on www.blogger.com. The court
held that Defendant No.2 was an Intermediary within the definition of Section 2(1)(w) and
Section 79 of the I.T. Act, 2000. On receiving actual notice, the Defendant ought to remove
such defamatory content within 36 hours. By virtue of this order, Defendant No.1 was
injuncted from sending any email or posting any materials defamatory to the Plaintiff.

Infringing material in intermediary account: In Olive e-business Pvt Ltd v. Kirti
Dhanawat (CS(OS) 2393/2011), the Hon’ble High Court of Delhi directed Google India to
freeze the email accounts of defendants who had allegedly stolen data of their ex-employer
and whose account contained infringing material. Thus, an intermediary could be directed by
courts to suspend/freeze email accounts if the plaintiff seeks an injunction restraining
defendants from using the email account. However, the Intermediary would not be liable, as it
is only a carrier or provider of service and has no knowledge of the contents being
transmitted through its service, nor does it select the sender or receiver of emails.

In the case of Super Cassettes Industries v. My Space Inc, the Plaintiff filed a suit for
permanent injunction restraining copyright infringement and a claim for damages against
Defendant No.1, a social networking website on which users could share pirated
copyrighted materials, images and videos, at its location in the United States of America.
The Plaintiff contended that the Defendant made available not only infringing songs and
pictures that users copy and share over the Internet but also material which has not yet been
released officially on other authorized channels. The Defendant claimed exclusion under
Section 79 of the I.T. Act as an Intermediary, on the ground that it had no knowledge of or
control over third party materials posted on its website and had exercised due diligence. The
court held that the requirements of Section 79(2)(a) of the IT Act were not satisfied, as the
Defendant not only provided access to a communication system where third party information
is stored, transmitted or hosted but also added advertisements to the said information,
thereby modifying the work, which means it offered its platform as a place for profit with
knowledge. The court took the view that the Defendants’ action did not satisfy the due
diligence requirement and the criterion of no modification of information needed to claim
exclusion of liability. The court observed that the Defendants took a limited license from
their users to amend their content and that the Defendants thus had “the chance to keep a
check on the works”. The court further held as follows:

“The defendants have sufficient means to modify the work by taking licenses from the users,
adding advertisements to the works of the plaintiff. Consequently, the effective means for
pre infringement enquires are also necessarily have to be performed by the defendants only.
If the defendants state that there no means to do so due to some impossibilities, the
defendants must take preliminary measures at the time of modification of the works and
prior to making them available to the public so as to ensure that the same does not infringe
any one’s copyright.”

In other words, the court was of the view that the defendants had the ability to control and
had reserved rights to control, and did in fact monitor content, so they should filter
infringing materials as a matter of pre-infringement due diligence and not later when they
receive actual notice. This situation is different from that of networks which do not modify
any third party content and simply provide access to the internet or other services.

In the landmark Napster case, Napster introduced software that enabled Peer to Peer (P2P)
sharing of music MP3 files on the internet which were stored on the hard disks of its members.
In a claim for copyright infringement, Napster contended that it could not be liable for
copyright infringement as it was only a carrier of service. The court rejected the contention,
holding Napster liable for copyright infringement, as Napster was doing more than just being
an internet service provider by enabling its members to share pirated music files in a P2P
model. Whereas in Napster users downloaded files through Napster’s server, in the case of
‘Gnutella’ there was no central server. Gnutella was open source software to exchange
messages. Grokster, which used MP3 and other file formats, also faced an action for
copyright infringement, which was dismissed by the Ninth Circuit Court of Appeals, but the
Supreme Court of the U.S. later held that P2P file sharing companies like Grokster could be
sued for inducing copyright infringement for acts taken in the course of marketing file
sharing software. The Ninth Circuit Court of Appeals had held that Grokster was liable neither
for vicarious copyright infringement nor for contributory infringement, as it had no central
server and the software would only be providing some method of cataloguing the available
information. Grokster was not imputed constructive knowledge of infringement, as the software
could also be used for non-infringing activities. However, the Supreme Court of the U.S.
overruled the decision and held that they could be sued for inducing copyright infringement
for acts taken in the course of marketing file sharing software.
