Memorial on behalf of the Petitioner Team Code: TN - 321 3 RD SYMBIOSIS LAW SCHOOL HYDERABAD, NATIONAL MOOT COURT COMPETITION 2018 Before, THE HON’BLE HIGH COURT OF CITY OF JOY
WRIT PETITION UNDER ARTICLE 226 OF THE CONSTITUTION OF NARNIA W.P. No. ______/2018 MR. TRUE LIES.............................................................................................................................PETITIONER V.
SAYPM AND GOVERNMENT...................................................................................................RESPONDENT
1 WRITTEN SUBMISSION ON BEHALF OF THE PETITIONER
Memorial on behalf of the Petitioner TABLE OF CONTENTS
LIST OF ABBREVIATIONS...................................................................................................IV INDEX OF AUTHORITIES.....................................................................................................V STATEMENT OF JURISDICTION........................................................................................IX STATEMENT OF FACTS.........................................................................................................X ISSUES RAISED.....................................................................................................................XI SUMMARY OF ARGUMENTS............................................................................................XII ARGUMENTS ADVANCED....................................................................................................1 1. THE PIL FILED UNDER ARTICLE 226 OF THE CONSTITUTION OF NARNIA IS MAINTAINABLE.....................................................................................................................1 [1.1] THE PETITIONER HAS A LOCUS STANDI.................................................................1 [1.2] THERE IS VIOLATION OF FUNDAMENTAL RIGHT.................................................1 [1.3] ALTERNATIVE REMEDY CANNOT BE THE GROUND FOR REJECTING PETITION..................................................................................................................................3 [1.4] SAYPM SHOULD BE ALLOWED TO BE A PARTY TO THE SAID WRIT PETITION..................................................................................................................................4 2. THE GOVT. AND SAYPM HAVE ACTED IN COLLUSION TO BREACH THE PRIVACY OF THE CITIZENS OF NARNIA...........................................................................4 [2.1] THE GOVT. AND SAYPM HAVE ACTED IN COLLUSION........................................4 [2.1.1] Banners during demonetization:.................................................................................5 [2.1.2] Sting operation video release:.....................................................................................5 [2.2] RIGHT TO PRIVACY OF CITIZENS OF NARNIA HAVE BEEN BREACHED..........6 [2.2.1] Violation of informational privacy:............................................................................7 [2.2.2] Violation of privacy of choice and personal autonomy:.............................................8 [2.3] ASKING USER DATA FROM SAYPM AND TRANSFERRING SAYMO’S USER DATA TO FOREIGN COMPANIES BY PMO IS NOT REASONABLE RISTRICTION ON RIGHT TO PRIVACY UNDER ARTCLE 21............................................................................9
2
Memorial on behalf of the Petitioner 3. THE DATA MINING BY SAYPM AND SHARING IT WITH ANY THIRD PARTY IS NOT PERMISSIBLE...............................................................................................................10 4. THE PROVISIONS OF IT ACT AND OTHER ACTS HAVE BEEN VIOLATED...........12 [4.1] IT ACT:........................................................................................................................12 Section 43A.......................................................................................................................12 Section 72A.......................................................................................................................13 Section 69.........................................................................................................................14 [4.2] Narnian Penal Code.....................................................................................................14 [4.3] Regulations by Telecom Regulatory Authority of Narnia:..........................................14 [4.4] Reserve Bank of Narnia...............................................................................................15 5. EXISTING LAWS OF NARNIA ARE NOT SUFFICIENT TO SAFEGUARD AND SECURE THE PRIVACY OF CITIZENS...............................................................................15 Retention of Data:.................................................................................................................16 Collection of Information:....................................................................................................16 Disclosure of Information:...................................................................................................17 Disclosure of Sensitive Personal Data to the Government:..................................................17 [5.1] Remedies to be requested................................................................................................18 PRAYER...............................................................................................................................XIII
3
Memorial on behalf of the Petitioner
LIST OF ABBREVIATIONS
SERIAL NO.
ABBREVIATION
EXPANSION
1
PIL
Public Interest Litigation
2
Hon’ble
Honourable
3
Art.
Article
4
SCC
Supreme Court Cases
5
AIR
All India Reporter
6
SC
Supreme Court
7
PM
Prime Minister
8
ICCPR
International Covenant on Civil and Political Rights
9
IT
Information Technology Act 2000
10
Rules 2011
Information
Technology
(Reasonable
security
practices and procedures and sensitive personal data or information) Rules 2011 11
TRAI
Telecom Regulatory Authority of India
12
NPC
Narnian Penal Code
13
Ltd.
Limited
14 15
Co. Govt.
Corporation Government
16
PMO
Prime Minister’s Office
17
UDHR
Universal Declaration of Human Rights
18
DPB
Data Protection Bill 2018
19
RBI
Reserve Bank of India
20
GDPR
General Data Protection Bill
21
SAR
System Audit Report
22
CRPC
Criminal Procedure Code
23
TRAN
Telecom Regularity Authority of Narnia
24
RBN
Reserve Bank of Narnia
25
TSP
Telecom Service Provider
4
Memorial on behalf of the Petitioner
INDEX OF AUTHORITIES
Cases State of Maharashtra v. Bharat Shanti Lal Shah, (2008) 13 SCC 5...........................................6 A. Janardhana v. Union of India, AIR 1983 SC 769..................................................................4 A.V. Venkateswaran v. R.S. Wadhwani, AIR 1961 SC 1506.....................................................3 Ahmedabad Cotton Mfg. Co. v. Union of India, AIR 1977 (Guj.) 113......................................3 Air India Statutory Corporation v. United Labour Union, AIR 1997 SC 645, 680...................3 Anuj Garg v. Hotel Association of India, (2008) 3 SCC 1.........................................................8 Balbir Singh v. F.D. Tapase, AIR 1985 P&H 244......................................................................1 Bandhua Mukti Morcha v. Union of India, AIR 1984 SC 802..................................................1 Bar Council of India v. Surjeet Singh, AIR 1980 SC 1612........................................................3 Basheshsar Nath v. Commissioner of Income Tax, AIR 1959 SC 149....................................11 District Registrar and Collector, Hyderabad v. Canara Bank, AIR 2005 SC 186......................7 General Manager v. A.V.R. Siddhanti, AIR 1974 SC 1755........................................................4 Gujarat State Financial Corporation v. Lotus Hotel, AIR 1983 SC 848....................................3 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, 127..............................2 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, 445..............................8 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, 62................................7 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, 81................................6 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1......................................2 Kharak Singh v. State of Uttar Pradesh, (1964) 1 SCR 332......................................................6 L.I.C. of India v. Consumer Education and Research Centre, (1995) 5 SCC 482.....................8 National Legal Services Authority v. Union of India, (2014) 5 SCC 438.................................6 National Legal Services Authority v. Union of India, (2014) 5 SCC 438, 449.........................7 Naz Foundation v. Government of N.C.T. of Delhi, (2009) 3 CCR 1.....................................17 Olga Tellis v. Bombay Municipal Corporation, (1985) 3 SCC 545...........................................8 People’s Union for Democratic Rights v. Union of India, (1982) 3 SCC 235...........................1 R. Rajagopal v. State of Tamil Nadu, (1994) 6 SCC 632...........................................................6 Rai Ramakrishna v. State of Bihar, AIR 1963 SC 1667.............................................................9 Rajagopal Alias Gopal v. State of Tamil Nadu, (1994) 6 SCC 632.........................................17 Ram Jethmalani v. Union of India, (2011) 8 SCC 1...................................................................2 5
Memorial on behalf of the Petitioner Secretory O.N.G.C. Ltd. v. V.U. Warrier, (2005) 5 SCC 245.....................................................4 State of Uttar Pradesh v. Indian Hume Pipe Co. Ltd., (1977) 2 SCC 724.................................3 Subramanium Swamy v. Director, Central Bureau of Investigation, AIR 2014 SC 2140.........6 Swayamber Prasad v. State of Rajasthan, AIR 1972 (Raj.) 69...................................................3 Vishaka v. State of Rajasthan, (1997) 6 SCC 241......................................................................2 Water Supply and Sewage Board v. Unique Erectors, AIR 1989 SC 973...............................16 Whalen v. Roe, 429 U.S. 589 (1977).........................................................................................8 Statutes Data
Protection
Act,
1998,
schedule
2,
https://www.legislation.gov.uk/ukpga/1998/29/schedule/2..................................................17 Information Technology Act, 2000, § 69, No. 21, Acts of Parliament, 2000...........................13 Information Technology Act, 2000, § 72A, No. 21, Acts of Parliament, 2000........................13 Information Technology Act, 2000, § 43A, No. 21, Acts of Parliament, 2000........................10 The Code of Criminal Procedure, 1973, § 91, No. 2, Acts of Parliament, 1974......................18 The Emblems and Names (Prevention of Improper Use) Act, 1950, § 3, No. 12, Acts of Parliament, 1950.....................................................................................................................5 The Emblems and Names (Prevention of Improper Use) Act, 1950, No. 12, Acts of Parliament, 1950.....................................................................................................................5 The Indian Penal Code, § 405, No. 45, Acts of Parliament, 1860...........................................14 Other Authorities Notification
by
Department
of
Information
Technology,
http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf..............................12 Notifications
on
Storage
of
Payment
System
Data,
https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244&Mode=0.........................15 P.R.S. Legislative Research, www.prsindia.org/......................................................................17 Recommendations on Privacy, Security and Ownership of the data in Telecom Sector, https://www.trai.gov.in/sites/default/files/RecommendationDataPrivacy16072018_0.pdf..14 Rules Information Technology (Reasonable security practices and procedures and sensitive personal data
or
information)
Rules,
2011,
http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf..............................10 6
Memorial on behalf of the Petitioner Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, rule 6 (1).........................................................................10 The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, rule 5 (7)............................................................9 The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, rule 6 (4)..........................................................16 Treatises International Covenant on Civil and Political Rights, 1966, art. 17..........................................6 Regulations E.U. Directives, art. 6...............................................................................................................16 Constitutional Provisions INDIA CONST. art. 226.............................................................................................................3 INDIA CONST. art. 51, cl. c......................................................................................................6 Books M.P. JAIN, INDIAN CONSTITUTIONAL LAW (10th ed. 2018).............................................1 S.R. BHANSALI, COMMENTARY ON THE INFORMATION TECHNOLOGY ACT 169 (2015)...................................................................................................................................13 S.R. BHANSALI, COMMENTARY ON THE INFORMATION TECHNOLOGY ACT 315 (2015)...................................................................................................................................13 Declarations of UN Universal Declaration of Human Rights, 1948, art. 12..............................................................6 Articles Apar Gupta, Comments on Draft Sensitive Personal Information Rules, India Law and Technology Blog, https://iltb.net/comments-on-draft-sensitive-personal-information-rulesda110e9c1f1c........................................................................................................................15 Francois Nawrot, Katarzyna Syska & Przemyslaw Switalski, Horizontal application of fundamental rights – Right to privacy on the internet, 9th Annual European Constitutionalism
Seminar
(May
2010),
University
of
Warsaw,
7
Memorial on behalf of the Petitioner http://en.zpc.wpia.uw.edu.pl/wpcontent/uploads/2010/04/9_Horizontal_Application_of_Fu ndamental_Rights.pdf...........................................................................................................10 India’s
telecom
regulator
recommends
stricter
data
security
rules,
Reuters,
https://www.reuters.com/article/us-trai-dataprivacy-recommendations/indias-telecomregulator-recommends-stricter-data-security-rules-idUSKBN1K61X1...............................18 Pankaj Doval, Consent must for collection, sharing of personal data: Panel, The Times of India,.....................................................................................................................................10 Prashant Iyengar, Privacy and the Information Technology Act in India, S.S.R.N.................16 Yvonne McDermott, Conceptualizing the right to data protection in an era of Big Data, 4 Big Data and Society (2017).........................................................................................................7 Reports Data Protection Committee Report, 2018................................................................................10 Data Protection Committee Report, 2018, 163........................................................................12 Data Protection Committee Report, 2018, 51..........................................................................11 X
8
Memorial on behalf of the Petitioner
9
Memorial on behalf of the Petitioner
STATEMENT OF JURISDICTION
The Counsel for the Petitioner humbly submits before the Hon’ble High Court of City of Joy, the Memorandum on behalf of the Petitioner who filed PIL by way of writ petition under Article 226 of the Constitution of Narnia.
This memorandum sets forth the facts, contentions and arguments for the petitioner in the given case.
10
Memorial on behalf of the Petitioner STATEMENT OF FACTS SayPM is an e-payment system and digital wallet company founded by Mr. Money Bag in January 2009 based outside the City of Joy in Narnia. SayPM collects various sensitive data from its customers and uses it to allow the customers to access its e-payment services. Customers need to agree to a consent form before they are allowed to use SayPM’s services. During demonetization in Narnia in November 2016, SayPM advertised with its billboards containing Prime Minister’s photograph which read “SayPM congratulates the Prime Minister of Narnia for taking the boldest financial decision in the history of Narnia”. AnacondaPole, Narnian non-profit news website and television production house, founded in 2003 by Mr. Khabri Lal conducted an investigation titled “Operation Swachch Narnia” and released the transcripts and video clips of Mrs. Money Bag (2/6 th director of SayPM) on its social media profiles in Legbook and MeTube. In the investigation, Anaconda Pole’s star journalist Mr. Narad Lal informed SayPM’s top executives that he is meeting at the behest of Jai Narnia Samiti to bolster the prospects of the ruling party in the Parliamentary elections slated to be conducted in 2019. In the sting video, Mrs. Money Bag during a drunken conversation said that the SayPM app is selling a book Chai Time Tales written by PM and the e-wallet company received a call from PMO, right before the general elections in Narnia demanding some user data regarding the sale and popularity of the book and some other information for the upcoming elections. SayPM in its response, denied these allegations. Earlier this year, allegations were imposed on SayMo and applications of opposition parties in Narnia that they have transferred user data to a few foreign companies for data analytics which was denied by the PMO. However, no investigation was conducted. SayPM revised its privacy and added a new clause stating, “I understand and permit SayPM, at its sole discretion, to share my data with any third party for any purpose linked to the business of SayPM.” Users who did not consent to the said clause were blocked from using SayPM’s application and the sum of money in the user’s wallet could neither be transferred to any third party’s bank accounts nor be used to conduct other e-transactions rather the users had the option to transfer the money in their wallet to their own bank account linked with the application by paying a minor fee. Mr. True Lies, a privacy activist, filed a public interest litigation by way of a writ petition in the High Court of City of Joy under Article 226 of the Constitution.
11
Memorial on behalf of the Petitioner
ISSUES RAISED
I.
WHETHER THE PIL FILED BY THE WAY OF WRIT PETITION UNDER
II.
ARTICLE 226 OF THE CONSTITUTION OF NARNIA IS MAINTAINABLE? WHETHER THE GOVERNMENT AND SAYPM HAVE ACTED IN COLLUSION AND THEREBY BREACHED THE PRIVACY OF THE
III.
CITIZENS OF NARNIA? WHETHER DATA MINING BY SAYPM AND SHARING IT WITH ANY
IV.
THIRD PARTY IS PERMISSIBLE? WHETHER THE PROVISIONS OF IT ACT AND OTHER ACTS HAVE BEEN
V.
VIOLATED? WHETHER THE EXISTING LAWS OF NARNIA ARE SUFFICIENT TO SAFEGUARD AND SECURE THE PRIVACY OF ITS CITIZENS?
12
Memorial on behalf of the Petitioner
SUMMARY OF ARGUMENTS I. THE PIL FILED BY THE WAY OF WRIT PETITION UNDER ARTICLE 226 OF THE CONSTITUTION OF NARNIA IS MAINTAINABLE. Petitioner has a locus standi, fundamental right to privacy has been violated and the alternate remedy which is available is not adequate, therefore the jurisdiction of the HC can be invoked under article 226 and the petition is maintainable. II. THE GOVERNMENT AND SAYPM HAVE ACTED IN COLLUSION AND THEREBY BREACHED THE PRIVACY OF THE CITIZENS OF NARNIA. There are several instances to show that the govt. and SayPM have acted in collusion. PMO asked for user data from SayPM for the elections and SayPM introduced arbitrary clause to share user data with any third party which breaches the privacy of the citizens of Narnia. III. THE DATA MINING BY SAYPM AND SHARING IT WITH ANY THIRD PARTY IS NOT PERMISSIBLE. SayPM violates Rule 5(7) and Rule 6(1) of the IT Rules, 2011 and does not follow the suggestions of Data Protection Committee Report. The new clause which is added in SayPM’s revised privacy policy does not provide for any opt-out option neither does it takes free consent from the users to share user data. Moreover, the new clause is arbitrary for the new customers of SayPM and amounts to material alteration for the existing customers. IV. THE PROVISIONS OF IT ACT AND OTHER ACTS HAVE BEEN VIOLATED. The provisions of IT Act namely Section 43A, Section 72A and Section 69 of the IT Act have been violated by the misdeeds of the SayPM, their act is also punishable under Section 405 of NPC. The company has failed to follow the regulations of TRAN and RBN which have been issued for customer’s interest, thereby threatening the rights of the users. V. EXISTING LAWS OF NARNIA ARE NOT SUFFICIENT TO SAFEGUARD AND SECURE THE PRIVACY OF CITIZENS. The IT Act is having so many terms that have been loosely defined. There are no Penal laws so as to control company’s activities. The Data Protection Bill 2018 has also missed on few important dimensions of data privacy. There is a dire need of stricter laws and regulations under section 87 of the IT Act, 2000. 13
Memorial on behalf of the Petitioner
ARGUMENTS ADVANCED
1. THE PIL FILED UNDER ARTICLE 226 OF THE CONSTITUTION OF NARNIA IS MAINTAINABLE. The council humbly submits that the PIL filed by way of writ petition under article 226 of the Constitution of the Narnia is maintainable because there is violation of fundamental right of public at large and the petitioner has a locus standi to file it. [1.1] THE PETITIONER HAS A LOCUS STANDI. In People’s Union For Democratic Rights & Others v. Union of India & Others 1, the Hon’ble Court defined Pubic Interest Litigation and observed that, “Public Interest Litigation is a cooperative or collaborative effort by the petitioner, the State of public authority and the judiciary to secure observance of constitutional or basic human rights, benefits and privileges upon poor, downtrodden and vulnerable sections of the society.” If the matter to be reviewed is one which affects the public at large 2, any member of public or organisation may bring it for scrutiny. 3The expression “public interest litigation” means a legal action initiated in a Court for enforcement of public interest.4 In case of an injury affecting the public, a public man having some interest can maintain an action challenging the action of the government.5 In the present case, the petitioner is a privacy activist and he filed this petition in order to protect the fundamental rights of common people of the country thus the present petition is in public interest and the petitioner has the locus standi to file this petition under article 226 of the Narnian Constitution. [1.2] THERE IS VIOLATION OF FUNDAMENTAL RIGHT. Article 21 states that, “No person shall be deprived of his life or personal liberty except according to procedure established by law.” Life and Personal Liberty in this article has a very wide ambit and Supreme Court defines it time and again in its judgements. In the recent judgement of Justice K.S. Puttaswamy (Retd.) and Anr. V. Union of India and Ors. 6, Supreme Court said that the Right to Privacy is an integral part of Right to Life and Personal Liberty. 1 People’s Union for Democratic Rights v. Union of India, (1982) 3 SCC 235. 2 Id. 3 Bandhua Mukti Morcha v. Union of India, AIR 1984 SC 802. 4 M.P. JAIN, INDIAN CONSTITUTIONAL LAW (10th ed. 2018). 5 Balbir Singh v. F.D. Tapase, AIR 1985 P&H 244. 6 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
1
Memorial on behalf of the Petitioner In the present case, Prime Minister’s mobile application SayMo transferred user data to a few foreign companies for data analytics7 and asked a private company SayPM to transfer their user data to the ruling party for the upcoming elections8 and all this was done without the prior consent of the users of the application thus breaching the Right to Privacy of the users and imposing a serious threat to the fundamental right of the general public at large. Moreover, SayPM introduced a new clause in its application which gives the company the sole rights to share user data with any third party for any purpose linked to its business which is arbitrary and violates the rights of more than 1,00,00,000 users of SayPM across the country. In the landmark Vishaka v State of Rajasthan 9, the Supreme Court issued detailed guidelines for the protection of the fundamental rights of working women under Articles 14, 19 and 21. These guidelines were issued for mandatory adoption by all workplaces, which include both State and non-State actors. This case indicates that the Supreme Court has not restricted the issuance of writs and enforcement of fundamental rights against the State only. There thus exists the possibility of enforceability of fundamental rights against private bodies as well. In Ram Jethmalani v. Union of India10 , the court observed that the notion of fundamental rights, such as a right to privacy as part of right to life, is not merely that the State is enjoined from derogating from them. It also includes the responsibility of the State to uphold them against the actions of others in the society, even in the context of exercise of fundamental rights by those others.11The ICCPR casts an obligation on states to respect, protect and fulfil its norms. The duty to protect mandates that the government must protect it against interference by private parties.12 [1.3] ALTERNATIVE REMEDY CANNOT BE THE GROUND FOR REJECTING PETITION. Objective of Article 22613 is to rectify an instance of grave injustice. The fact that aggrieved party has another adequate remedy may be taken into consideration but it is not the rule of law. It is a rule of policy, convenience and discretion. 14 It is again held in the case of A.V 7 Moot Proposition, ¶ 9. 8 Moot Proposition, ¶ 6. 9 Vishaka v. State of Rajasthan, (1997) 6 SCC 241. 10 Ram Jethmalani v. Union of India, (2011) 8 SCC 1. 11 Id. 35, 36. 12 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, 127. 13 INDIA CONST. art. 226. 14 State of Uttar Pradesh v. Mohd. Nooh, AIR 1958 SC 86.
2
Memorial on behalf of the Petitioner Venkateswaran v R.S. Wadhwani that “The rule that when there is an adequate alternative remedy, the High Court will not interfere under Article 226 is only a rule of discretion and not a rule of law.”15 But where the alternative remedy is not appropriate and where the remedy is not fully covered to challenge the election, a writ petition is maintainable. 16 The Court observed that the rule of exhaustion of an alternative remedy is not one that bars the jurisdiction of court, but it is a rule which courts have laid down for the exercise of their discretion.17 To be an alternative remedy, it must be equally adequate or efficacious so that qualitatively and quantitatively the same relief would be given to redress the injury of petitioner.18 In the present case, fundamental right of privacy of the citizens of Narnia is at stake and there is no sufficient alternative remedy available. There is no dedicated law to completely address the issue of data protection and data privacy and laws which are claimed by the govt. to safeguard the privacy of the citizens such as IT Act 2000, TRAI, Narnian Penal Code are not sufficient to enforce the fundamental rights of the citizens of Narnia and therefore this petition cannot be rejected on the grounds of available alternative remedy. The significant point to note is that under article 226, the power of a High Court is not confined only to issue of writs; it is broader than that for a High Court can also issue any directions to enforce any of the Fundamental Rights or “for any other purpose”. In a number of cases, courts have issue directions rather than writs.19 [1.4] SAYPM SHOULD BE ALLOWED TO BE A PARTY TO THE SAID WRIT PETITION. In the present case, the government asked for the user data from the private company of SayPM and the nexus between the two resulting in compromise of any citizen’s personal data needs to be scrutinised. Thus making SayPM a necessary party in this writ petition for which SayPM should be allowed to be a party to the said writ petition. The SC held in one of its judgement that a necessary party is one without whom no effective order can be made. The question is whether the presence of a particular party is necessary in order to enable the Court effectively and completely to adjudicate upon and settle all the 15 A.V. Venkateswaran v. R.S. Wadhwani, AIR 1961 SC 1506. 16 Bar Council of India v. Surjeet Singh, AIR 1980 SC 1612. 17 State of Uttar Pradesh v. Indian Hume Pipe Co. Ltd., (1977) 2 SCC 724. 18 Ahmedabad Cotton Mfg. Co. v. Union of India, AIR 1977 (Guj.) 113. 19 Swayamber Prasad v. State of Rajasthan, AIR 1972 (Raj.) 69; Gujarat State Financial Corporation v. Lotus Hotel, AIR 1983 SC 848; Air India Statutory Corporation v. United Labour Union, AIR 1997 SC 645, 680.
3
Memorial on behalf of the Petitioner questions which are involved in the writ petition.20 In another judgement, the apex court held that a proper party is one, in whose absence, an effective order can be made but whose presence is considered proper for a complete and final decision on the question involved in the proceeding.21 Power under article 226 can be exercised by the High Courts to reach injustice wherever it is found.22 The relief claimed by the petitioner is not a relief claimed against a private party only. He is aggrieved by inadequacy of law laid down by the Parliament and ineffectiveness of the machinery for enforcement of such laws in the circumstances of the present case as the law and machinery are not ensuring protection of fundamental right of privacy of the citizens of Narnia as submitted in foregoing paragraph. He has a grievance against the Parliament and the Central govt. and both these institutions are ‘state’ within the meaning of Art. 12 of the Constitution. 2. THE GOVT. AND SAYPM HAVE ACTED IN COLLUSION TO BREACH THE PRIVACY OF THE CITIZENS OF NARNIA. It is humbly submitted before the Hon’ble Court that the SayPM and Govt. of India have acted in collusion in several instances and thereby breached the privacy of the citizens of Narnia. [2.1] THE GOVT. AND SAYPM HAVE ACTED IN COLLUSION. In the present case, there has been many instances which show that Govt. and SayPM have nexus and thus acted in collusion. [2.1.1] Banners during demonetization: During demonetization, SayPM advertised heavily by putting billboards and print adverts containing the Prime Minister’s photograph which read “SayPM congratulates the Prime Minister of Narnia for taking the boldest financial decision in the history of independent Narnia”.23 The Section 324 of the Emblems and Names (Prevention of Improper Use) Act 251950 clearly provides that no person shall use or continue to use any name or emblem for the purpose of any trade, business, calling or profession without the previous permission of the central 20 A. Janardhana v. Union of India, AIR 1983 SC 769. 21 General Manager v. A.V.R. Siddhanti, AIR 1974 SC 1755; A. Janardhana v. Union of India, AIR 1983 SC 769. 22 Secretory O.N.G.C. Ltd. v. V.U. Warrier, (2005) 5 SCC 245. 23 Moot Proposition, ¶ 2. 24 The Emblems and Names (Prevention of Improper Use) Act, 1950, § 3, No. 12, Acts of Parliament, 1950. 25 The Emblems and Names (Prevention of Improper Use) Act, 1950, No. 12, Acts of Parliament, 1950.
4
Memorial on behalf of the Petitioner government. This law suggests that written permission is required. The law provides that “any person who contravenes the provisions of Section 3 shall be punishable with fine, which may exceed to Rs 500”. It is highly unlikely that this brand campaign would have occurred without some sort of informal agreement or at the very least prior intimation on the part of SayPM. Despite of the law, the Govt. didn’t issue any notice to SayPM under the Emblems and Names (Prevention of Improper Use) Act 26 of 1950, which bars use of Prime Minister’s name and picture for commercial use and no fine was imposed. The government’s decision benefitted digital wallet company like SayPM and its image and services were also boosted by the government’s direct campaign to promote cashless transactions and therefore SayPM’s action of advertising with PM’s photograph was more like a thanksgiving gesture and not something done to boost nationalist feeling as claimed by SayPM. 27 Govt.’s non-action for this act of SayPM only indicates towards their collusion. [2.1.2]Sting operation video release: A non-profit news website AnacondaPole in its investigation arranged a meeting with SayPM’s 2/6 director, Mrs. Money Bag who’s also the wife of the founder of SayPM. Mrs. Money Bag, during the meeting, revealed that the company had some association with the ruling party of Narnia 28. AnacondaPole released the transcripts and video clips of Mrs. Money Bag in which she is clearly stating that the e-wallet company received a call from the PMO demanding some user data, right before general elections in Narnia.29 She told that Prime Minister’s book Chai Time Tales is being sold on their platform and for the upcoming elections, they wanted information regarding the sale and popularity of the book with some other information also.30 SayPM responding to this claim posted on its official social media profile that “There is absolutely NO TRUTH in the sensational headlines of a video doing rounds on social media. Our user data is 100% secure and had never been shared with anyone, except law enforcement agencies on request.” 31 The point of contention is that SayPM never challenged the authenticity of the video itself, only the claim. And it has also not explicitly commented on the alleged request from the PMO. All these instances clearly indicates towards the collusion of Govt. and SayPM, and imposes imminent threat on the infringement of right to privacy of citizens of Narnia.
26 Id. 27 Moot Proposition, ¶ 2. 28 Moot Proposition, ¶ 6. 29 Moot Proposition, ¶ 5. 30 Moot Proposition, ¶ 6. 31 Moot Proposition, ¶ 7.
5
Memorial on behalf of the Petitioner [2.2] RIGHT TO PRIVACY OF CITIZENS OF NARNIA HAVE BEEN BREACHED. It is humbly submitted before the Hon’ble Court that the Right to Privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution, as held by the Supreme Court in the recent case of Justice K.S Puttaswamy (Retd.) v. Union of India 32 and hereby govt. asking SayPM for user data right before general elections, SayMo sharing its user data with foreign companies for data analytics and SayPM’s revised privacy policy’s new clause is in violation of this fundamental right. The recognition of privacy as a fundamental constitutional value is a part of Narnia’s commitment to a global human rights regime. The state is required to endeavour to “foster respect for international law and treaty obligations in the dealings of organized peoples with one another”33. In pursuance of this, many cases 34 have adverted to international conventions like UDHR35 and ICCPR36 which establish privacy as an inherent and universal right and confer “protection against arbitrary and unlawful interference with a person’s privacy, family and home’, in a manner which harmonizes the fundamental rights contained in Articles 14, 19 and 21 with Narnia’s international obligations.” In the Puttaswamy case, Justice Nariman linked the three aspects of privacy (informational privacy, privacy of choice, and bodily integrity)37 with the preamble (which guarantees dignity, fraternity, and democracy)38. Hence, it is humbly submitted before the Hon’ble Court that the SayPM sharing its user data with PMO right before the general elections, SayMo sharing its user data with foreign companies for data analytics and inclusion of the new clause in SayPM’s revised privacy policy leads to a violation of these three aspects of privacy- informational privacy including right to be let alone, right to bodily integrity and dignity, and privacy of choice and personal autonomy. [2.2.1] Violation of informational privacy: Informational privacy does not deal with a person’s body but deals with a person’s mind, and therefore recognizes that an individual may 32 Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1; R. Rajagopal v. State of Tamil Nadu, (1994) 6 SCC 632; People's Union for Civil Liberties v. Union of India, (1997) 1 SCC 301; State of Maharashtra v. Bharat Shanti Lal Shah, (2008) 13 SCC 5; Kharak Singh v. State of Uttar Pradesh, (1964) 1 SCR 332 (Minority judgement by Subba Rao). 33 INDIA CONST. art. 51, cl. c. 34 National Legal Services Authority v. Union of India, (2014) 5 SCC 438; Subramanium Swamy v. Director, Central Bureau of Investigation, AIR 2014 SC 2140. 35 Universal Declaration of Human Rights, 1948, art. 12. 36 International Covenant on Civil and Political Rights, 1966, art. 17. 37 Supra note 6. 38 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, 81.
6
Memorial on behalf of the Petitioner have control over the dissemination of material that is personal to him. Unauthorized use of such information may, therefore lead to infringement of this right.39 In the instant case, SayPM shares its customers’ user data with PMO without informing the users and includes a new clause in its privacy policy which compels its customers to agree to the term of SayPM sharing their data on its sole discretion with any third party in order to avail its services. This leads to an infringement of right to have control over dissemination of personal data of the Narnians. SayMo, the Prime Minister’s own mobile application transferred user data to few foreign companies for data analytics.40 The new clause41 of SayPM’s privacy policy reflects its mandatory nature which makes informed consent illusory. Moreover, the new clause allows SayPM to share the various sensitive data42 it collects from its customers for any purpose linked to the business of SayPM with any third party, which is unjust, unfair and unreasonable. Further, blocking the account of those who did not consent to the said new clause and not providing them the option to optout from its services reflects the arbitrary approach. Moreover, a solely consent-based model does not entirely ensure the protection of one’s data, especially when data collected for one purpose can be repurposed for another.43 In the SC case of Canara Bank 44 , in the view of the Court, even if the documents cease to be at a place other than in the custody and control of the customer, privacy attaches to persons and not places and hence the protection of privacy is not diluted45. The decision in Canara Bank has thus important consequences for recognising informational privacy.46 As legal rights were broadened, the right to life had “come to mean the right to enjoy life – the right to be let alone”47. In R. Rajagopal v. State of Tamil Nadu 48 , the Court observed that-
39 National Legal Services Authority v. Union of India, (2014) 5 SCC 438, 449; District Registrar and Collector, Hyderabad v. Canara Bank, AIR 2005 SC 186. 40 Moot Proposition, ¶ 9. 41 Moot Proposition, ¶ 10. 42 Moot Proposition, ¶ 3. 43 Yvonne McDermott, Conceptualizing the right to data protection in an era of Big Data, 4 Big Data and Society (2017). 44 District Registrar and Collector v. Canara Bank, (2005) 1 SCC 496. 45 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, 62. 46 Id. 67. 47 Supra note 6. 48 R. Rajagopal v. State of Tamil Nadu, (1994) 6 SCC 632; Whalen v. Roe, 429 U.S. 589 (1977); Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, 445.
7
Memorial on behalf of the Petitioner “...the right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by article 21. It is alright to be let alone.” Therefore, SayMo transferring user data with foreign companies for data analytics, SayPM sharing user data with PMO without informing users and further including a new clause to deal with growing controversies around its data sharing policy specifically violates the right to informational privacy i.e., an aspect of right to be let alone of the people of Narnia, owing to its mandatory and arbitrary approach. [2.2.2] Violation of privacy of choice and personal autonomy: SayPM is now a diversified ecommerce company with more than 10, 00,000 registered merchants and more than 1, 00, 00,000 users across the country making it indispensable for Narnia’s shoppers. It has become akin to a necessary public utility in Narnia. The choice between accessing benefits and losing privacy is a false choice, because it requires them to choose between a privilege that is essential for their livelihood, and a fundamental right. The Preamble chapter on Fundamental Rights and Directive Principles accords right to livelihood contained within the meaning of right to life as a meaningful life, social security and disablement benefits are integral schemes of socio-economic justice to the people.49 Article 21 guarantees the protection of “personal autonomy”50 and hence the ability of an individual to make choices lies at the core of the human personality. 51 By depriving the people of their ability to choose, the government of Narnia and SayPM are severely infringing on the right to life of their people. PMO asking SayPM for user data and transferring PM’s own mobile application SayMo’s user data to foreign companies for data analytics does not provide a choice to the users nor they are informed before sharing such data. Blocking of the user account on not consenting to the new clause without deleting the information of such users is also arbitrary. This means once an individual open an account in SayPM, his/her private information remains in the database for life and he/she does not have a choice and the right to opt out even if there is no desire to have their information stored, violating right to choose and personal autonomy of Narnians. Further, Rule 5(7)52 of the IT Act requires that the individual must be provided with 49 L.I.C. of India v. Consumer Education and Research Centre, (1995) 5 SCC 482; Olga Tellis v. Bombay Municipal Corporation, (1985) 3 SCC 545. 50 Anuj Garg v. Hotel Association of India, (2008) 3 SCC 1. 51 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1. 52 The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, rule 5 (7).
8
Memorial on behalf of the Petitioner the option of ‘opting out’ of providing data or information sought by the body corporate and must have the right to withdraw consent at any point of time. Whereas in the present, SayPM and SayMo does not provide an opt-out provision and also does not provide an option to withdraw consent at any point of time. Therefore, it is most humbly submitted that SayPM and SayMo are devoid of an option to opt-in or opt-out which violates the right to choose and personal autonomy under Article 21, of the people of Narnia. [2.3] ASKING USER DATA FROM SAYPM AND TRANSFERRING SAYMO’S USER DATA TO FOREIGN COMPANIES BY PMO IS NOT REASONABLE RISTRICTION ON RIGHT TO PRIVACY UNDER ARTCLE 21. In the context of Article 21, an invasion of privacy must be justified on the basis of a
law
which stipulates a procedure which is fair, just and reasonable. The law must also be valid with reference to the encroachment on ‘life and personal liberty under Article 21’. A restriction on life and personal liberty must meet the three-fold requirement as laid down by Justice Chandrachud53: (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate state aim and; (iii) proportionality, which ensures a rational nexus between the objects and the means adopted to achieve them. In this case, SayMo’s data transferring to foreign companies for data analytics and PMO asking for user data from SayPM neither has any legitimate state aim nor is it proportional which clears the fact that these acts does not fall into reasonable restrictions which can be imposed on the fundamental right to privacy under art. 21 of the Narnian Constitution. 3. THE DATA MINING BY SAYPM AND SHARING IT WITH ANY THIRD PARTY IS NOT PERMISSIBLE. It is humbly submitted before the Hon’ble High Court that data mining by SayPM and sharing it with any third party, PMO or any third party as mentioned in the new clause, is not in compliance with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 54, Information Technology Act 200055 and the Data Protection Bill 201856, and thus is not permissible. 53 Rai Ramakrishna v. State of Bihar, AIR 1963 SC 1667. 54 Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf. 55 Information Technology Act, 2000, No. 21, Acts of Parliament, 2000. 56 Data Protection Committee Report, 2018, http://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.
9
Memorial on behalf of the Petitioner In Justice Puttaswamy (Retd.) v. Union of India57, it is held that every transaction of an individual user and every site that she visits, leaves electronic tracks generally without her knowledge. These electronic tracks contain powerful means of information which provide knowledge of the sort of person that the user is and her interests.58 Data mining is sorting through large data amounts for useful information and it can generate information other than that was provided. The Telecom Regulatory Authority of India (TRAI) in its recent recommendations, had stated that each user owns his data and the entities processing such data are mere custodians.59 The IT Rules, 201160 only deals with protection of "Sensitive personal data or information of a person", which includes such personal information which consists of information relating to:- Passwords; Financial information such as bank account or credit card or debit card or other payment instrument details; Physical, physiological and mental health condition; Sexual orientation; Medical records and history; Biometric information. 61 These rules62will apply in the instant case because SayPM collects various sensitive data from its customers, such as their bank account credit and debit card details and it also tracks customers’ usage pattern to make targeted advertisements to them.63 Rule 6(1)64 of IT Rules, 2011 states that disclosure of information by body corporate to any third party shall require prior permission from the provider of the information unless such disclosure has been agreed to in the contract between the body corporate and the provider of the information. And in the present case, SayPM did not take prior permission when call from PMO came. Rule 5(7)65 of IT Rules, 2011 states that the provider of information shall, at any time while availing the services or otherwise, also have an option to withdraw its consent given earlier to the body corporate. SayPM while introducing the new clause in its revised 57 Supra note 6. 58 Francois Nawrot, Katarzyna Syska & Przemyslaw Switalski, Horizontal application of fundamental rights – Right to privacy on the internet, 9th Annual European Constitutionalism Seminar (May 2010), University of Warsaw, http://en.zpc.wpia.uw.edu.pl/wpcontent/uploads/2010/04/9_Horizontal_Application_of_Fundamental_Rights.pd f. 59 Pankaj Doval, Consent must for collection, sharing of personal data: Panel, The Times of India, http://timesofindia.indiatimes.com/articleshow/65171122.cms? utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst. 60 Supra note 54. 61 Id. Rule 3. 62 Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. 63 Moot Proposition, ¶ 3. 64 Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, rule 6 (1). 65 Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, rule 5 (7).
10
Memorial on behalf of the Petitioner privacy policy nowhere provided to its customers the opt-out option or any revocation of consent option which is again is in non-compliance with the law of the land. Even if the customers agree to the new clause, it would amount to waiver of their fundamental right to privacy which is not permissible. Justice NH Bhagwati and Justice Subba Rao expressed their views in Basheshsar Nath v. CIT66 that the fundamental rights enshrined in Part-III of the Constitution are absolutely inviolable and cannot be waived by a citizen. 67 Moreover, the new clause amounts to material alteration for the existing customers. The proposed Data Protection Bill 201868 essentially makes individual consent central to data sharing.69Unless you have given your explicit consent, your personal data cannot be shared or processed. Consent needs to be informed, consent needs to be specific, consent must be clear, and consent needs to be capable to being withdrawn as easily as it was given. 70 SayPM, however took consent in its revised privacy policy by introducing the new clause but the consent was not free but only illusory because the customers had no other option then agreeing to the clause in order to continue using SayPM. Since SayPM occupied the largest chunk in the market, it became akin to a necessary public utility in Narnia 71 and not agreeing to the new clause would be a great loss for the existing customers as they would be barred from using the application and their money will also be blocked. 72 Next, the draft bill also states that any person processing your personal data is obligated to do so in a fair and reasonable manner.73 In other words, your data should be processed only for the purposes it was intended for in the first place. And the clause added by SayPM states that the data will be used for any purpose linked to the business of SayPM which makes it ambiguous. The committee has also laid down steps that guard against personal profiling of individuals and uninformed harvesting of data by third-party applications, something that occurred in the data leak case involving facebook and Cambridge analytica.74
66 Basheshsar Nath v. Commissioner of Income Tax, AIR 1959 SC 149. 67 Id. ¶ 12. 68 Data Protection Committee Report, 2018, http://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf. 69 Id. 32. 70 Id. 36. 71 Moot Proposition, ¶ 8. 72 Moot Proposition, ¶ 10. 73 Data Protection Committee Report, 2018, 51. 74 Supra note 69.
11
Memorial on behalf of the Petitioner There are provisions for penalties for non-compliance with the rules and the law in Data Protection Bill75 as well as IT Act 200076. In light of the above arguments, the counsel humbly submits that the data mining by SayPM and sharing it with any third party is not in compliance with the existing laws of Narnia and thus not permissible. 4. THE PROVISIONS OF IT ACT AND OTHER ACTS HAVE BEEN VIOLATED. It is humbly submitted that the IT Act and other acts have been violated. [4.1] IT ACT: The Information Technology (Amendment) Act, 2008 inserted Section 43A in the IT Act and the Central Government, in exercise of the powers conferred by clause (ob) of sub-section (2) of Section 87 read with Section 43A of the IT Act, 2000 notified the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 201177 (hereinafter referred to as the "2011 Rules"). Section 43A78 of the IT Act explicitly provides that whenever a corporate body possessing, dealing or handling any sensitive personal data or information which includes “Financial information such as bank account or credit card or debit card or other payment instrument details”, which it owns, controls or operates, is negligent in implementing and maintaining a reasonable security practices and procedures to protect such data or information, which thereby causes wrongful loss or wrongful gain to any person, then such body corporate shall be liable to pay damages to the person(s) so affected. The only condition is that such body corporate must be engaged in commercial or professional activities. Rule 4 of 2011 Rules provides that the body corporate shall provide privacy policy for handling the information and sensitive personnel data. Such policy shall be published on the website of the body corporate. According to Rule 5 the body corporate shall obtain consent in writing through letter etc., before collection of such information. And shall use the information for the purpose for which it has been collected. It shall keep such information secure as provided in Rule 8. Rule 6 lays down an important condition that any disclosure of information to third party shall require prior permission from any provider of such information. The government agency shall also state that the information so obtained shall not be published or shared with any other person. Rule 7 provides that a body corporate 75 Data Protection Committee Report, 2018, 163, http://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf. 76 Information Technology Act, 2000, No. 2, Acts of Parliament, 2000 (India). 77 Notification by Department of Information Technology, http://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf. 78 Information Technology Act, 2000, § 43A, No. 21, Acts of Parliament, 2000.
12
Memorial on behalf of the Petitioner or any person on its behalf may transfer information to any other body corporate or person in India or located in any other country, which ensures the same level of data protection that is adhered to by the body corporates as provided for under these rules. The transfer may be allowed only if it is necessary for the performance of the contract.79 SayPM which is an electronic payment system and digital wallet company which has access to the personal information of its users is unable to devise a proper and focused privacy policy and instead abusing them by inserting arbitrary clauses. It was also heard that the company has shared some information with the PM office. The consent should be an informed one so that customers are aware as to how their information is being used. Section 72A80 provides for the punishment for disclosure of information in breach of lawful contract and any person may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding up to five lakh rupees, or with both in case disclosure of information is made in breach of lawful contract. The two important ingredients to be fulfilled are:- (i) without the consent of the person concerned under section 72, or (ii) with the intention or knowledge of causing wrongful loss or wrongful gain in breach of contract under section 72 A.81 SayPM didn’t acquire the consent of the users as there might be a possibility that they are not aware of what they are consenting for and have mechanically pressed the “I Agree” button. After this, by inserting such an arbitrary and abusive clause they are bullying their users to give their consent which is not out of their free will but because they are left with no choice. The company will be wrongfully gaining by using their user data. Section 6982 of the IT Act states that only if “sovereignty or integrity of India, the security and defence of the State, friendly relations with foreign states or public order” is in danger “or for preventing incitement to the commission of any cognisable offence” can websites or mobile apps share details with any government agency. But, as per the section 69 of the IT Act, the reasons for sharing personal details have to be “recorded in writing, by order.” SayPM said that they shared the information with law enforcement agencies but they did not reveal the names as to whom they shared the user data information with and for what 79 S.R. BHANSALI, COMMENTARY ON THE INFORMATION TECHNOLOGY ACT 16 (2015). 80 Information Technology Act, 2000, § 72A, No. 21, Acts of Parliament, 2000. 81 S.R. BHANSALI, COMMENTARY ON THE INFORMATION TECHNOLOGY ACT 315 (2015). 82 Information Technology Act, 2000, § 69, No. 21, Acts of Parliament, 2000.
13
Memorial on behalf of the Petitioner purpose. A proper procedure has to follow when the information is shared with the third party. One cannot do that if the other party is requesting for it. The Prime Minister’s own mobile application (SayMo) transferred user data to few foreign companies for data analytics which indicate that there might be misuse of data when shared with the government. [4.2] Narnian Penal Code: Section 40583 of I.P.C. refers to “property” and not “movable property”, hence, the word “property” is not restrictive. Therefore, ‘data’ would be covered within the ambit of “property” in Section 405 of I.P.C. and thus any such act would attract a penalty of imprisonment up to 3 years, or fine, or both, under this section. This section penalizes Data Criminals from the independent contractors (Call Centers etc.) to whom Data may be entrusted in the course of business for carrying out specific tasks /assignments. [4.3] Regulations by Telecom Regulatory Authority of Narnia: A general data protection law is notified by the Government, the existing Rules/ License conditions applicable to TSPs for protection of users’ privacy be made applicable to all the entities in the digital ecosystem. Breach of any of these terms can result in the license of the TSPs being suspended or terminated. TRAN released its recommendations84 on the subject titled ‘Privacy, Security and Ownership of Data in the Telecom Sector’ which are applicable for apps, browsers, operating systems and handset makers. In its recommendations, TRAN said that individual users owned their data, or personal information, and entities such as devices were "mere custodians” and do not have primary rights over that information. Terming the existing data protection framework as inadequate, TRAN said that companies should not use meta-data to identify users and should disclose any data breaches. SayPM is the mere custodian of the information provided by the users but by inserting the clause they are absolving themselves from all the obligations as they can now act according to their discretion. [4.4] Reserve Bank of Narnia: RBN has directed all payment system operators in the country to store data within India to ensure safety and security of users' information. It is observed that not all system providers store the payments data in India. In order to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers / intermediaries/ third party vendors and 83 The Indian Penal Code, § 405, No. 45, Acts of Parliament, 1860. 84 Recommendations on Privacy, Security and Ownership of the data in Telecom Sector, https://www.trai.gov.in/sites/default/files/RecommendationDataPrivacy16072018_0.pdf.
14
Memorial on behalf of the Petitioner other entities in the payment ecosystem. It has, therefore, been decided that: All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required. System providers shall submit the System Audit Report (SAR) on completion of the above requirement.85 By inserting the clause, they want to act according to their sole discretion as to any decisions to taken for the users’ data. 5. EXISTING LAWS OF NARNIA ARE NOT SUFFICIENT TO SAFEGUARD AND SECURE THE PRIVACY OF CITIZENS. It is humbly submitted before the Hon’ble High Court that the ITR 2011 suffer from ambiguity vis-à-vis its ambit and extent as discussed infra. The main objective of these Rules was to impose restrictions on businesses with regard to handling of personal data. In order for these Rules to meet its end, the term “sensitive personal data” should have been defined more stringently. Instead, only a mere list of the constituents of the term is prescribed under Rule 3. It can be observed here that clauses (vii) and (viii) appear to be of a very broad character. The importance of a precise definition of ‘sensitive personal information’ is paramount as clauses of such broad interpretation add to the ambiguity of the scope of not only these rules but also of Section 43A. In order for this clause to be clearer, the definition could be amended to include inter alia, “information which is capable of personally identifying a person, individually or when aggregated”.86 A need for distinction between Personal Data and Sensitive Personal Data: The absence of a distinction between the two concepts seems to be an important point in illustration with respect to the difference between Indian Data Privacy Laws and its UK counterpart, the Data Protection Act, 1998. The latter makes a definite distinction between the two concepts and has prescribed separate rules for handling the two different data. The Indian Rules, on the other hand, fails to recognize different levels of stringency with regard to collection, transfer, disclosure and handling of “Personal Data” and “Sensitive Personal Data”.
85 Notifications on Storage of Payment System Data, https://www.rbi.org.in/scripts/NotificationUser.aspx? Id=11244&Mode=0. 86 Apar Gupta, Comments on Draft Sensitive Personal Information Rules, India Law and Technology Blog, https://iltb.net/comments-on-draft-sensitive-personal-information-rules-da110e9c1f1c.
15
Memorial on behalf of the Petitioner Retention of Data: Rule 5 spells out that the information should not be retained for a period longer than what is required to carry out the object for which it was collected and the information should be kept secure. Although it states that the body corporate cannot retain any information for longer than is required.87 The contention of including a retention period is justified because more often than not websites hold archival data. Hence, it is imperative that the rules contain such provisions that would also include a procedure to delete and destroy the data making retrieval impossible.88 Collection of Information: Rule 5 deals with the collection of sensitive personal data or information. It states inter alia that a body corporate has to first obtain consent in writing through letter, fax or email, from the provider of such information, regarding purpose of usage, before collection of such information. The consent must be informed, explicit and freely given. In addition, Rule 5(3), falling in line with Article 6 89 of the EU directive, says that the body corporate or any person on its behalf shall take such steps “as are, in the circumstances, reasonable”90 to ensure that the person concerned is aware of the fact that the information is being collected, the purpose for which it is being collected, the recipients of such information, etc. The phrase in Rule 5(3) uses convoluted language instead of using simple phrases like “take reasonable steps”-reasonableness has generally been interpreted by courts contextually.91 The Supreme Court in Water Supply and Sewage Board v. Unique Erectors (Guj)92 has observed that “in law, prima facie meaning of reasonable in regard to those circumstances of which the actor, called upon to act reasonably, knows or ought to know”. Disclosure of Information: Rule 6 states that prior permission of the provider of information has to be obtained before disclosure is made to a third party and any third party receiving such information is not entitled to disclose it further.93 If the information of a person is being transferred to a third party for a different purpose, it looks to be right to be done only with the knowledge of the data subject. It does not suffice if the provider of information, who may be a party other than the data subject, to grant consent for the same. This may lead to a misuse of
87 The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, rule 5 (7). 88 Supra note 1. 89 E.U. Directives, art. 6. 90 Water Supply and Sewage Board v. Unique Erectors, AIR 1989 SC 973. 91 Prashant Iyengar, Privacy and the Information Technology Act in India, S.S.R.N. 92 Supra note 7. 93 The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, rule 6 (4).
16
Memorial on behalf of the Petitioner information in three party cases. The Schedule 2 of the Data Protection Act, 1998 94 specifies that the consent of the data subject is essential for the transfer of information wherein the “data subject” has been defined as ‘an individual who is the subject of personal data’. This concept must be incorporated into these Rules in question. Disclosure of Sensitive Personal Data to the Government: Rule 6 enables the government to access any sensitive personal data, maintained by the body corporates under law, for several purposes including detection and investigation of crimes, cyber incidents, prosecution, punishment for offences, etc.95 It is thus apparent that the government has the power to obtain sensitive personal information of individuals from body corporates without a warrant or the concerned person’s consent. With an enforcement of such a rule, the body corporates may willingly give away such information in order to avoid prosecution. The government has, in this regard, given itself the “master key” and there are no checks on this power despite the fact that the government has to make a written request stating the purpose for seeking such information.96 Thus, the rule raises issues of personal privacy infringement. In the Naz Foundation Case97, it was found that the State cannot invade the privacy of citizens based solely on consideration of ‘public morals’. The court also said that the “right to privacy has thus been held to protect a private space in which man may become and remain himself”.98 With respect to information in public domain, the Supreme Court, in the case of Rajagopal alias Gopal v. State of Tamil Nadu 99 held that there is no protection for personal information in public records, and protection of privacy for persons who have voluntarily placed themselves in the public eye is reduced. Vishwanathan considers that the Supreme Court ‘in Rajagopal, for the first time, articulated the twin pillars of privacy law in India’. [5.1] Remedies to be requested. The object of any statute or rule is to prevent mischief and promote the object. The virtue of a statute or rule is certainty and clarity as opposed to ambiguity and vagueness. The quality of any statute or rule has to be judged on these yardsticks.
94 Data Protection Act, 1998, schedule 2, https://www.legislation.gov.uk/ukpga/1998/29/schedule/2. 95 The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, rule 6 (1). 96 P.R.S. Legislative Research, www.prsindia.org/. 97 Naz Foundation v. Government of N.C.T. of Delhi, (2009) 3 CCR 1. 98 Id. ¶ 40. 99 Rajagopal Alias Gopal v. State of Tamil Nadu, (1994) 6 SCC 632.
17
Memorial on behalf of the Petitioner Law enforcement agencies requesting data from Indian online service providers primarily rely on a legacy framework in the CrPC 1973 that was never meant to request electronic data. An investigating officer, to obtain data from an Indian service provider for the purposes of an investigation, usually produces a written order under Section 91 100 of the CrPC to the person in possession of the “document or thing.” Companies have identified procedural requirements that police agencies need to adhere to. These include the requirements for a request to come from an authorised government email id, with the appropriate letterhead and containing the relevant sections under which the crime is being investigated. Even for the purpose of investigation there is a law enforcement procedure is listed in order to access data, hence there is a definite need of law when data is being demanded for other purposes. The European Union in May 2018 brought into effect new privacy regulations in the bloc, forcing companies to be more attentive to how they handle customer data, while bringing consumers new ways to control their data and tougher enforcement of existing rights.101 The Data Protection Bill 2018 has also been unable to recognise all concerns of the public. It does not allow Indians to ask companies to completely delete data they have shared, an accepted practice in the EU. The “right to be forgotten” suggested in the bill only allows individuals to restrict companies from using their data. The bill fails to hold the state accountable in any meaningful way for the processing of personal data or sensitive personal data,” says Nayantara Ranganathan of the Internet Democracy Project. “The government has been given some excuses to process personal data, and some of these are under weak standards of ‘necessity’ and ‘any breakdown of public order’. While the draft bill gives individuals greater control of their data, it still gives the government enough leeway to access this. Till the Data Protection Bill comes into force, there is a need of an injunction upon the clause so that the users don’t have to compromise upon their privacy of data. Also, there is a dire need for new laws and regulations to be formed and implemented under section 87 102 of the IT Act so that our laws can be at par with other countries and secure our users’ rights.
100 The Code of Criminal Procedure, 1973, § 91, No. 2, Acts of Parliament, 1974. 101 India’s telecom regulator recommends stricter data security rules, Reuters, https://www.reuters.com/article/us-trai-dataprivacy-recommendations/indias-telecom-regulator-recommendsstricter-data-security-rules-idUSKBN1K61X1. 102 Information Technology Act, 2000, § 87, No. 21, Acts of Parliament, 2000.
18
Memorial on behalf of the Petitioner
PRAYER
Wherefore in the light of the facts of the case, issues raised, arguments advanced and authorities cited, may this Hon’ble court may be pleased to adjudge and declare that: 1. 2. 3. 4.
The PIL by the way of writ petition under article 226 is maintainable. The right to privacy under article 21 of the citizens of Narnia have been breached. The provisions of IT Act 2000 have been breached. Issue a writ of mandamus so as to: Direct the govt. to frame or amend rules for the protection of privacy rights. Direct CIA to investigate any nexus between the Govt. and SayPM. Pass an injunction for the new clause added by SayPM until new Data
Protection laws are implemented. Direct govt. to make new rules under section 87 of the IT Act, 2000.
And pass any other order in favour of the petitioners that it may deem fit in the interest of justice, equity and good conscience. SD/Counsel for Petitioner.
13