Personal Data Protection Bill, 2019 –Examined through the Prism of Fundamental Right to Privacy – A Critical Study

Bhumika Indulia

5 years ago

Right to privacy is a multidimensional concept. In the context of personal data, it refers to the specific right of an individual to control the collection, use and disclosure of his personal information. Personal information could be in the form of identity details, personal interests, habits, activities, records of family, education, communication, health, finance, etc. We are living in an era where personal information can be used innovatively for various purposes including state surveillance and revenue generation by businesses. In this context, the following words of Mr Tim Cook, Apple CEO may be noted; “Our own information is being weaponised against us with military efficiency. Every day, billions of dollars change hands and countless decisions are made on the basis of our likes and dislikes, our friends and families, our relationships and conversations, our wishes and fears, our hopes and dreams. These scraps of data, each one harmless enough on its own, are carefully assembled, synthesized, traded and sold.[1]” You may also recall the statements of Facebook CEO Mr. Mark Zuckerberg, before the United States Senate which were widely discussed across the world. In his statements, he admitted the failure of Facebook to prevent Cambridge Analytica, a data-mining firm affiliated with Donald Trump’s presidential campaign, from gathering personal information of 87 million users of Facebook to influence elections[2].

It is significant to note that there are various techniques like clustering, geotagging and geocoding which enables various other uses of available personal data of an individual without his knowledge. For example, when a picture is posted in the social media platform by an individual, various other connected information like current location, camera/phone used for the photo, service provider details etc. can be dug out from the photo by using data mining techniques. This information can be used by other businesses to send unsolicited advertisements to the person who posted the photo and he might end up buying something. This should bring the salient realisation that ‘data’ has the potential to both empower as well as to harm. It is a fact that innovative technologies make personal data easily accessible and communicable. As such, it is of utmost importance to have a robust and effective data protection regime that will strike a balance between innovation and protection of privacy.An effective data protection law should therefore primarily reconcile all the conflicting interests to information.In this regard, we must look at the following facts:-

Though Indian Constitution doesn’t explicitly guarantee ‘Right to Privacy’ as a fundamental right, the Supreme Court had ruled in August 2017[3] that right to privacy is a fundamental right under Article 21 of the Constitution.
India does not have a data protection Act or a data protection agency as of now in spite of various attempts in that direction by the Government.
India is nearing towards its first ever Data Protection enactment with introduction of the Personal Data Protection Bill in Parliament during December 2019.

This article is an attempt to examine the Personal Data Protection Bill, 2019[4] through the prism of right to privacy to study whether the Bill, in any way, dilutes the right to privacy in India.

Constitutional Jurisprudence on Right to Privacy in India

The Constitution of India does not explicitly provide right to privacy in its text. Whereas, Indian courts had considered the plea that right to privacy is a fundamental right while considering varied cases of State action against individual privacy. In M. P. Sharma v. Satish Chandra[5], an eight-Judge Bench of the Supreme Court of India while examining a question whether search warrant issued under Section 96(1) CrPC[6] is ultra vires Article 19(1)(f), held that right to privacy is not protected by the Constitution of India. Another important judgment worth discussing is the minority/dissenting judgment of the Supreme Court delivered by K. Subbarao and K.C. Shah, JJ. in Kharak Singh v. State of Uttar Pradesh[8], where they recognised the right to privacy as a fundamental right under Articles 21 and 19(1)(d) of the Constitution of India. In this matter, the Court was considering of the validity of the provisions of the U.P. Police Regulations for daily surveillance. The petitioner was accused of dacoity and was later acquitted. The majority judgment in the matter held that right to privacy do not exist under the Constitution.

When we examine various decisions of the Supreme Court over so many years after the judgment in Kharak Singh, it can be seen that judicial activism has brought right to privacy within the realm of fundamental rights by interpreting Articles 19 and 21. In this regard, it is significant to note the judgment of the Supreme Court of India in the following matters:

Govind v. State of M.P[9]– The right to privacy was declared by the Supreme Court to encompass and protect the personal intimacies of the home, the family marriage, motherhood, procreation and child rearing, subject to “compelling state interest”.
People’s Union for Civil Liberties v. Union of India[10]– Supreme Court extended the right to privacy to communications while considering the issue of telephone tapping and held that telephone tapping is a serious invasion of an individual’s privacy.
Selvi v. State of Karnataka[11]– Supreme Court acknowledged the distinction between bodily/physical privacy and mental privacy and held that subjecting a person to techniques such as narco-analysis, polygraph examination and the Brain Electrical Activation Profile (BEAP) test without his consent violates the subject’s mental privacy.
Unique Identification Authority of India v. Central Bureau of Investigation[12] – In this case, CBI sought access to the database of the Unique Identity Authority of India for investigating a criminal offence. The Supreme Court in an interim order held that Unique Identity Authority of India should not transfer any biometric information of any person who has been allotted an Aadhaar number to any other agency without the written consent of that person.

Then came the most celebrated judgment in K.S. Puttuswamy v. Union of India[13], where the issue of privacy was discussed in light of the Unique Identity Scheme. The question before the Court was whether right to privacy is guaranteed under the Constitution, and if it is, the source of such right, given the fact that there is no express provision for privacy in Indian Constitution. The Attorney General for India argued that privacy is not a fundamental right. Ultimately, the Court left the question to be deliberated by a larger Constitutional Bench since the earlier judgments that denied the existence of the right to privacy were given by Benches larger than those which decided the cases where right to privacy was accepted as a fundamental right. Finally, the matter was decided by a Bench of the Supreme Court comprising of nine Judges, holding that there is a fundamental right to privacy in the Constitution of India.

This judgment marked a departure from the prior jurisprudence in its clear and unambiguous declaration that there is a fundamental right to privacy under the Constitution of India. In the context of this article, this judgment is significant as ‘right to privacy’ was conceptualised as a right in itself, for the first time. While, in the other cases stated above, right to privacy was used to protect specific interests, such as privacy from night-time police visits in Kharak Singh case or privacy from telephone tapping in PUCL matter. This judgment also suggests a “menu” of tests that can be used to contemplate how the limits and scope of the constitutional right to privacy could be determined in future cases. The test laid down by the Court to identify whether any State action violates the fundamental right to privacy is to check (a) the existence of a “law”, (b) a “legitimate State interest” and (c) the requirement of “proportionality”. The Court also reiterated four sub-tests of proportionality adopted in a 2016 decision in Modern Dental College and Research Centre v. State of Madhya Pradesh[14] to decide proportionality of a State action. The tests require: (a) the interference must have a legitimate goal (legitimacy stage), (b) it must constitute a suitable mean of achieving the goal (suitability stage), (c) there must not be any less restrictive but equally effective alternative (necessity stage) and (d) the measure must not have a disproportionate impact on the right holder (balancing stage). As such, State actions restricting the right to privacy would amount to violation of fundamental right if such action do not pass the aforesaid tests[15].

Evolution of Personal Data Protection Law in India

Over the last two decades, the issue of privacy – in particular, the collection, processing and sharing of personal data of individuals – has become increasingly prominent in India. This is the period which saw the advent and flourishing of various internet based businesses in India which are dealing with the collection, organisation, and processing of personal information, whether directly, or as a critical component of their business model. As has been noted by the Supreme Court in Puttaswamy case;“Uber, the world’s largest taxi company, owns no vehicles. Facebook – the world’s most popular media owner, creates no content. Alibaba, the most valuable retailer, has no inventory; and ‘Airbnb’, the world’s largest accommodation provider, owns no real estate[16]. This period saw various efforts by the Indian Government which is based on the understanding that online service delivery is a powerful vehicle for achieving policy objectives. The implementation of the project for unique biometric identification (Aadhaar), NATGRID[17], CCTNS[18], e-governance systems and the Aadhaar Act[19] etc., are some of significant steps of the Government in that direction. In spite of such increased collection of information of citizens by the Government, other institutions and service providers; India is yet to have an omnibus data protection law.

However, there were attempts from the government, over the last decade towards formulating a data protection law. In 2012, a group of experts constituted by the Planning Commission under the chairmanship of Justice A.P. Shah recommended enactment of the Privacy Act and provided a draft[20]. Furthermore, the Department of Personnel and Training which was the nodal authority working on a privacy/data protection legislation, made at least two different drafts, one in 2011 and another in 2014. None of these attempts were successful due to a lack of political will.

Nonetheless, data protection in India was being achieved through provisions under various statutes and rules like the following:

Constitutional protection in recognition of right to privacy as a fundamental right under Part III of the Constitution in Puttuswamy case.
Information Technology Act, 2000 – (a) Section 43-A – Entities dealing with sensitive personal data or information are liable for damages for negligence in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person. (b) Section 72-A – disclosure of materials containing personal information of any person by the service providers without the consent of the person or in breach of a lawful contract, is punishable.
Telegraph Act, 1885 – Sections 5 & 24 regulates interception of messages by the Central Government and the State Governments of India.
Telegraph Rules, 1951- Rule 419-A prescribes stringent procedures and conditions for issuance of orders for interception of communications.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Rules), 2011 – Rules provide for protection of personal information by imposing certain obligations on the entities that collect information.
Unlawful Activities Prevention Act, 1967 – Intercepted communications are not admissible as evidence unless the accused is given a copy of the order approving the interception, thus making illegal interceptions inadmissible.
Right to Information Act, 2005–As per Section 8(1((j), information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual, is exempted from disclosure.
Post Office Act, 1898 – Section 26 regulates interception of postal articles by the Central Government and the State Governments of India.
Code of Criminal Procedure, 1973 – Section 91 regulates targeted access to stored content.
Wireless Telegraphy Act, 1933 – As per Section 3, unauthorised establishment, maintenance or operation of wireless communications networks for the purpose of monitoring, intercepting and surveilling communications is an offence.

Ultimately, any law is only as good as its enforcement. None of the existing laws mentioned above provides for a statutory redress mechanism that an individual can resort to in cases of suspected arbitrary state actions like illegal interception/surveillance.

Personal Data Protection Bill, 2019

In Puttuswamy case[21], it was held that informational privacy is a facet of the right to privacy. In the said judgment, there was a further command to the Union Government to examine about bringing a robust regime for data protection, balancing individual interests and legitimate State concerns. The Government responded by setting up a Committee of Experts headed by Justice B.N. Sri Krishna to study various issues relating to data protection in India and suggest a Draft Data Protection Bill. In September 2019, the MeitY[22] also set up an expert committee under the chairman ship of Shri Kris Gopalakrishnan (Co-founder of Infosys) to provide recommendations on the governance framework for non-personal data.

More than a year after the report was released by the Expert Committee headed by Justice B.N. Sri Krishna, India is now set to have a comprehensive personal data protection law. On 11.12.2019, India’s Minister for Electronics and Information Technology, introduced the Personal Data Protection Bill (PDP Bill) in Lok Sabha as Bill No. 373 of 2019[23]. A resolution moved by Union Minister Ravi Shankar Prasad was passed by Lok Sabha by a voice vote and the Bill was then referred to a Joint Select Committee consisting of 20 members from Lok Sabha and 10 from Rajya Sabha[24]. Though the Joint Select Committee was due to report back to the Lok Sabha by the last week of the 2020 Budget Session of Parliament, the report is yet to be submitted. As such, the Bill which was to be tabled for discussions in the Budget Session, in now likely during the monsoon session of Parliament (between July and September); if the ongoing pandemic crisis and lock down settles down by then. So, it is clear that India is just a few legislative steps away from having its first data protection legislation.

What is there in the Personal Data Protection Bill?

The PDP Bill contemplates a drastic change in data collection and processing practices in India. So far, both the private sector and the state have operated in a largely unregulated space, where they do not have to worry about checks and balances and processes to protect the privacy interests of the citizens. As per Section 3(28) of the PDP Bill, “personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling. So, identifiability of a natural person is the central idea behind determining what personal data is.

The following are the salient features of the Bill:

The PDP Bill is meant to improve data handling and data privacy in a way that is similar to the European Union’s GDPR[25].
The PDP Bill calls for creation of a Data Protection Authority (DPA) similar to the organisations found among members of the European Union, and defines the categories of sensitive personal data that are to be protected.
The PDP Bill defines ‘data fiduciary’ and prescribes various obligations for them on how they shall obtain, deal/process and retain personal data. It makes them accountable for compliance of the obligations in respect of processing of personal data undertaken by it or on its behalf.
If the PDP Bill comes into force, businesses would have to tell users about their data collection practices and seek customers’ consent. They would have to collect and store evidence of the fact that such notice was given and consent was received. PDP Bill gives consumers the right to withdraw their consent and as such the businesses would have to come up with systems to allow consumers to withdraw their consent.
The PDP Bill gives consumers the right to access, correct, and erase their data after the same is processed for the purpose for which it was meant. As such, the businesses would have to create ways to allow consumers to do so.
The PDP Bill allow consumers to transfer their data, including any inferences made by businesses based on such data, to other businesses. All companies would have to develop ways for allowing the consumers to do this.
The PDP Bill requires all businesses to make organisational changes to protect data better. This include privacy-by-design principles (an approach in which privacy is a key consideration in how the business is organised), security safeguards, and so on.
The PDP Bill provides for data localisation requiring businesses to store certain categories of date only in Indian servers. In this regard, it establish a three-tiered structure as follows: –

Personal data: Localisation or data transfer restrictions do not apply to personal data that is not considered “sensitive” or “critical.” This type of personal data may be stored entirely outside of India and no transfer restrictions would apply.
Sensitive personal data: “sensitive personal data’ may be transferred outside of India, but such data shall continue to be stored in India. Sensitive personal data includes “special categories of personal data” including data relating to health, religion, sex life, political beliefs, biometric, genetic, finance etc. Notably, passwords have been removed from the definition.
Critical personal data: The Bill permits the Government to define certain personal data as “critical personal data” which can’t be transferred outside India. However, the Bill permits transfers to countries or organisations deemed to provide an adequate level of protection (where the State’s security or strategic interests will not be prejudiced).

The PDP Bill provides for a right to be forgotten which enables a data principal to restrict or prevent the continuing disclosure of his personal data by a data fiduciary where such disclosure (a) has served the purpose for which it was collected or is no longer necessary for the purpose; (b) was made with the consent of the data principal and such consent has since been withdrawn; or (c) was made contrary to the provisions of this Act or any other law for the time being in force.
The PDP Bill requires data fiduciaries to inform the DPA by notice about the breach of any personal data processed by them where such breach is likely to cause harm to any data principal.
Under the Bill, “significant data fiduciaries” will have extra duties, such as carrying out data audits and appointing data protection officers. The Bill empowers the Central Government to declare any social media intermediary (who enables interaction between 2 or more individuals like Facebook) with users above such threshold as may be notified, as a significant data fiduciary:
The PDP Bill gives enormous powers to the Central Government to exempt any agency of Government from the application of the Act[26].
Under Section 91 of the PDP Bill, the Government can access any personal data anonymised or non-personal data from the data fiduciaries and processors. So, the Government can require business to share valuable non-personal data (such as aggregate mobility data collected by apps like Google maps or Uber) with the Government. The Bill is silent on whether businesses will be compensated for their loss.
Penalties for not complying – The PDP Bill gives the DPA the power to fine any business that does not comply with the bill or the regulations made by either the DPA or the Government. The maximum amount of penalties that can be imposed is 150 million Indian rupees (about $2.1 million), or 4 per cent of the global turnover of the firm in the preceding financial year.

Whether Personal Data Protection Bill, 2019 dilutes the Right to Privacy?

The Expert Committee on Data Protection had rightly stated in their report that “a data protection law, to be meaningful should, in principle, apply to the State. It would indeed be odd if a law enacted to give effect to a fundamental right to privacy does not serve to protect persons from privacy harms caused by processing of personal data by the State.”[27] This stand of the Expert Committee is clearly visible in their recommendations and in the draft of the Bill proposed by them. Whereas, the PDP Bill as introduced in Parliament was altered substantially from the Expert Committee’s draft on various counts, particularly on its applicability to the state. One of the serious criticisms against the PDP Bill is that it invades the citizens’ fundamental right to privacy. This criticism was raised considering the extensive grounds in the Bill permitting the Central government to exempt any government agency from the requirements of the Bill.

The following are certain facts which leads to an inference that the PDP Bill, 2019 dilutes the fundamental right to privacy:

The PDP Bill gives India’s Central Government the power to issue reasoned orders exempting any government agency from the bill’s requirements on grounds related to security and sovereignty of the State and public order[28].
The Expert Committee’s draft Bill allowed exemption in the interests of national security, when the same is authorised by a law enacted by Parliament; provided that it satisfy the internationally recognised principles of necessity and proportionality[29]. Whereas, under Section 35 of the PDP Bill; a simple executive order of the Central Government authorising any government agency to process personal data can allow them to conduct surveillance without any clear safeguards. When the Expert Committee recommended such exemptions to be made only with laws, the alteration as aforesaid is to be considered as a deliberate attempt to dilute the right to privacy.
These blanket exemptions fail to meet the standards laid out by the Supreme Court in Puttaswamy case, where it ruled that measures restricting the right to privacy must (1) be backed by law, (2) serve a legitimate aim, (3) be proportionate to the objective of the law, and (4) have procedural safeguards against abuse. The PDP Bill seems to expand the scope of exemptions while simultaneously diluting important safeguards when compared to the draft Bill proposed by the Justice Srikrishna Committee. While national interests may in some cases override individual interest in privacy, it is critical, as the Justice Srikrishna Committee noted, “to ensure that the pillars of the data protection framework are not shaken by a vague and nebulous national security exception.”[30]
Limited powers of Data Protection Authority in comparison with the Central Government – In comparison with the last version of the Personal Data Protection Bill, 2018 prepared by the Committee of Experts led by Justice Srikrishna, we witness an abrogation of powers of the Data Protection Authority (Authority), to be created, in this Bill. The powers and functions that were originally intended to be performed by the Authority have now been allocated to the Central Government. For example: (i) In the 2018 Bill, the Authority had the power to notify further categories of sensitive personal data. Under the present Bill, the Central Government in consultation with the sectoral regulators has been conferred the power to do so. (ii) Under the 2018 Bill, the Authority had the sole power to determine and notify significant data fiduciaries, however, under the present Bill, the Central Government has in consultation with the Authority been given the power to notify social media intermediaries as significant data fiduciaries.
As per the PDP Bill, the “procedure, safeguards and oversight mechanism to be followed” for surveillance will be prescribed in the rules to be made by the Government. It is trite law that if discretionary powers are given to the executive branch of the government, it must be accompanied by clear and specific guidelines for the executive to exercise the power[31]. This cardinal rule is ignored by the PDP Bill.
When we look at the GDPR on which the PDP Bill is largely based, it can be seen that GDPR offers European Union (EU) member States similar escape clauses. Whereas, they are tightly regulated by other EU directives. Without these safeguards, India’s Bill potentially gives India’s Central Government the power to access individual data over and above the existing Indian laws.
The PDP Bill provides for the government-mandated sharing of privately collected and developed non-personal data. Section 91(2) of the Bill states that the Government may direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government. Firstly, it is inconceivable why a law on personal data protection deals with non-personal data at all. Secondly, this provision does not indicate the manner in which the Government will use such data and does not specify whether businesses mandated to share such data will be compensated. As such, under this provision, the Central Government has the power to expropriate intellectual property and this is likely to have deleterious effects on the incentives for innovation in the long run.
Furthermore, as per Section 3(2) of the PDP Bill, anonymised data is data that has undergone an “irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified”. In this regard, it may be noted that irreversible anonymisation is impossible as per the available research findings[32]. As such, in the absence of provisions in the Bill prescribing standards for anonymisation and penalties for breach; the State’s right to access anonymised personal data is an invasion of right to privacy over personal data. It is concerning that the Data Protection Bill has specifically carved out an exception for the Central Government to frame policies for the digital economy and seems to indicate that the government plans to freely use any and all anonymised and/or non-personal data that rests with any data fiduciary that falls under the ambit of the Bill to support the digital economy including for its growth, security, integrity, and prevention of misuse.
The PDP Bill allow exemptions for small businesses that look after customers’ personal information manually. Under the Bill proposed by the Expert Committee, such businesses needed to meet three conditions, based on annual turnover; whether they shared personal data; and how much personal data they processed. But under the PDP Bill, the new Data Protection Authority decides which small businesses qualify for exemption and the Bill does not prescribe any qualification to be eligible for the exemption.
The Expert Committee’s draft provided for exemption for prevention, detection, investigation and prosecution of contraventions of law (Section 43). It further made it clear that in order to invoke the exemption, the law enforcement agencies must be authorised by law. This requirement for authorisation by law is not explicit in the PDP Bill.
As per Section 14 of the PDP Bill, the Government can process personal data without consent for some “reasonable purposes” which include whistleblowing. The section further empowers the Government to determine by way of regulation as to whether the requirement of notice to data principal is required or not. This could result in systematic harassment of whistleblowers who may expose scams or irregularities.
The PDP Bill prescribes certain provisions on data breach like mandatory reporting of breach and penalty for contravention. Whereas, the Bill empower the Central Government to exempt the same for government agencies. In this context, let us go back to early 2018, when, news broke that access to the country’s UIDAI database was found being advertised in Whatsapp for a sum of 300 Rupees. Considering the fact that information of the country’s 1.3 billion citizens is available in Aadhaar database, this was considered the largest data breach in the world[33].

These sweeping powers given to the Government under the Bill opens up a possibility of mass surveillance which goes against the fundamental right of privacy. As such, the PDP Bill in more than one way fails to qualify the tests prescribed in Puttaswamy judgment to identify violation of constitutional right to privacy.

Conclusion

While, the Data Protection Bill is a welcome step in establishing a data protection regime, it is fraught with various provisions that dilute the fundamental right to privacy. The Bill lacks many necessary safeguards that are needed to protect the right to privacy. Not only is this problematic since the proposed framework is unlikely to protect privacy adequately, but the PDP Bill also significantly, dilutes right to privacy and increases State power to surveillance without creating adequate checks and balances. This is likely to have deleterious consequences for the stated objective of protecting informational privacy. There is a need to see the privacy of the citizens as the primary end goal of a data protection legislation. It is perhaps this clarity of vision that may help the policymakers in resolving the competing interests of the State’s welfare and surveillance agendas, the private sector’s gargantuan appetite for personal data, the need for community data to facilitate bottom-up innovation, and the ability of individuals to exercise their right to privacy.

*BA LLB (Hons.), LLM – Currently working as Manager-Legal with Hindustan Petroleum Corporation Limited at Zonal Administrative Office, Chennai

[1] https://www.cnbc.com/2018/10/24/apples-tim-cook-warns-silicon-valley-it-would-be-destructive-to-block-strong-privacy-laws.html, last accessed on 02.05.2020 at 2:20 p.m.

[2] Facebook CEO Mark Zuckerberg testifies before US Congress: Highlights, The Economic Times (11/04/2018) available at https://economictimes.indiatimes.com/tech/internet/facebook-ceo-mark-zuckerberg-testifies-before-us-congress-highlights/articleshow/63704337.cms?from=mdr, last accessed on 02.05.2020 at 2:36 p.m.

[3] Justice K.S. Puttuswamy v. Union of India , (2017) 10 SCC 641

[4]Personal Data Protection Bill, 2019

[5] M.P Sharma v. Satish Chandra, 1954 SCR 1077

[6] The Code of Criminal Procedure (Act V of 1898) was in force at the relevant point of time.

[7] When this matter was decided, Right to Property was a fundamental right under Article 19(1)(f) of the Constitution which was later omitted by the 44^th Amendment to Constitution in 1978.

[8] Kharak Singh v. State of Uttar Pradesh, 1964 SCR (1) 332.

[9] Govind v. State of Madhya Pradesh, (1975) 2 SCC 148.

[10] People’s Union for Civil Liberties v. Union of India, (1997) 1 SCC 301.

[11] Selvi v. State of Karnataka , (2010) 7 SCC 263

[12] (2017) 7 SCC 157

[13] (2017) 10 SCC 641.

[14] Modern Dental College and Research Centre v. State of Madhya Pradesh, (2016) 7 SCC 353

[15] IndraStra Global, An Analysis of Puttaswamy: The Supreme Court’s Privacy Verdict, available at https://medium.com/indrastra/an-analysis-of-puttaswamy-the-supreme-courts-privacy-verdict-53d97d0b3fc6, last accessed on 02.05.2020 at 5:00 P.M.

[16] Tom Goodwin, ‘The Battle is for Customer Interface‘, TechCrunch (3 March 2015), available at: https://techcrunch.com/2015/03/03/in-the-age-of-disintermediation-the-battle-is-all-for-the-customer-interface/, last accessed on 29 April 2020.

[17] National Intelligence Grid.

[18] Crime and Criminal Tracking Network and Systems.

[19] Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016

[20] Report of the Group of Experts on Privacy Constituted by Planning Commission of India under the Chairmanship of Justice A.P Shah, Former Chief Justice, Delhi High Court, available at https://www.dsci.in/content/report-group-experts-privacyconstituted-planning-commission-india, last accessed on 02.05.2020 at 5:30 p.m.

[21] (2017) 10 SCC 641.

[22] Ministry of Electronics and Information Technology, Government of India.

[23] Personal Data Protection Bill, 2019

[24] Anurag Vaishnav, “The Personal Data Protection Bill, 2019: All you need to know”, available at https://www.prsindia.org/theprsblog/personal-data-protection-bill-2019-all-you-need-know, last accessed on 28.04.2020 at 3:00 p.m.

[25] General Data Protection Regulation – Regulation (EU) 2016/679 of the European Parliament and of the on data protection and privacy in the European Union and the European Economic Area.

[26] Chapter VIII of the Personal Data Protection Bill provides exemptions.

[27] Justice B.N. Srikrishna Committee of Experts, “Report of the Committee on Data Protection –A Free and Fair Digital Economy Protecting Privacy, Empowering Indians” submitted to Ministry of Electronics and Information Technology, (July, 2018); Pg. 114

[28] Section 35 of the Personal Data Protection Bill, 2019 (pending)

[29] Personal Data Protection Bill, 2019, , page. 156.

[30] Krishnaveer Singh, Does the Data Protection Bill threaten the right to privacy?; National Herald (2/1/2020) available at https://www.nationalheraldindia.com/opinion/does-the-data-protection-bill-threaten-the-right-to-privacy, last accessed on 02.05.2020 .

[31] Anirudh Burman & Suyash Rai, What Is in India’s Sweeping Personal Data Protection Bill?, available at https://carnegieindia.org, last accessed on 02.05.2020 at 7:00 p.m.

[32] “Opinion of Anonymization Techniques” adopted by Data Protection Working Committee, European Commission, available at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/ wp216_en.pdf, last accessed on 02.05.2020.

[33] State of Privacy India, available at https://privacyinternational.org/state-privacy/1002/state-privacy-india, last accessed on 02.05.2020 at 9:00 p.m.