<Title of the Thesis>

(Times NewRoman, Bold,Font size24)

A Thesis
submittedto
(TimesNew Roman,Bold,Font size 18&1.5 Line spacing)
KALINGAUNIVERSITY,ATALNAGAR(C.G.),India
Inpartialfulfillment
For the award of the

Masters in Law

in
(YOUR SPECIALISATION)
by
Name of the
CandidateEnrollm
entNo.-
Under the Guidance
ofName of the
GuideDesignationoftheGuid
e(Assistant Professor of Law)

Faculty of Law

KalingaUniversity
 Kotni,NearMantralaya,AtalNagar
Session:<2022> - <2024>

DECLARATION BY THE CANDIDATE

It he undersigned solemnly declare that the report of the thesis work entitled
<NameoftheThesis>,is based on my own work carried out during the course of my study under
the supervision of <Nameof theguide/s>.

I assert that the statements made and conclusions drawn are an outcome of the project
work. I further declare that to the best of my knowledge and belief that the report does not
contain any part of any work which has been submitted for the award of any other
degree/diploma/certificate in this University/deemed University of India or any other
country.Allhelpsreceivedandcitationsusedforthepreparationofthethesishavebeendulyacknowle
dged.

(Signature of the
Candidate)Name of the
CandidateRoll No.
EnrollmentNo.:

Signature of the
Supervisor (Name of the
Supervisor)Designation of
the supervisor Name of the
department
Name of the Institute with address
 CERTIFICATEOFTHESUPERVISOR

This is to certify that the report of the thesis entitled <Title of the thesis> is a record ofbona
fideresearch work carried out by<Nameof thestudent>bearingRoll No....................................&
Enrollment No.: ……….. under my guidance and supervision for the award of Degree
ofMasterofLawinthe(your specialization),ofKalingaUniversity,AtalNagar(C.G.),India.

To the best of my knowledge and belief the thesis

• Embodies he work of the candidate him/herself,
• Has duly been completed,
• Fulfils the requirement of the Ordinance relating to the Master degree of the University and
• Is upto the desired standard both in respect of contents and language for being referred to
the examiners.

(Signatureof theHoD) (Signatureof theSupervisor)

Name: Name: Designation: Department:
kalingaUniversity,AtalNagar,

Designation:

Department:

KalingaUniversity,AtalNagar,
ForwardedtoKalingaUniversity,AtalNagar,(C.G.)

(Signature of the
Dean Academic Affairs)
Name&addressoftheInstitute
 CERTIFICATE BY THE EXAMINERS

The Thesis entitled<Titleof the thesis> Submitted by <Name of the

student>(RollNo.:………..Enrollment No............)has been examined by the under signed
as a part of the examination and is hereby recommended for the award of the degree of Master of
Law in the faculty of <Name of the Faculty> of Kalinga University, AtalNagar (C.G.)

InternalExaminer

ExternalExamimer
Date: Date:

ACKNOWLEDGEMENT
I express my sincere gratitude to many people who have helped me and supported during
project work. Without them I could not have completed the project on time. I am thankful
to my guide, <Nameofguide>forvaluableguidance, encouragementand patience.

I would like to thank <Nameof HOD>(Head of Department) who contributed directly

or indirectly in shaping and achieving the desired outcome.

I thank all my colleagues and friends for their cooperation while completing this project
work. I want to thank my family members, without whose emotional and moral support
nothing was possible.

Nameofthestudent

Roll. No.
EnrollmentNo.
KalingaUniversity,AtalNagar(C.G.)
Data Protection in the Digital Age:

A Comparative Study of India’s

legislative framework with EU and

US, Data Protection law

 TABLE OF CONTENT

CHAPTER NAME OF CHAPTER

1 INTRODUCTION

2 GLOBAL INSTITUTIONS AND THEIR DATA\

PROTECTION PRINCIPLES.

3 DATA PROTECTION IN EU, US

ATAPROTECTIONREGIMEI
4 INDIAN LEGAL SYSTEM

5 COMPARATIVE STUDY OF THE DATA PROTECTION REGIME

IN INDIA WITH REFERNCE TO EU, US

6 CONCLUSIONS AND SUGGESTIONS

 CHAPTER1:

INTRODUCTION

1.1. India and the Need for Data Protection

The phrase "data is the new oil" is used frequently. The importance of data has increased over

the past few decades to previously unheard-of levels in an increasingly digitalized world,

including India. The majority of cyber security incidents that have occurred in India recently

have been motivated by data theft. Health data, financial data, and other critical personal and

sensitive data have all been hacked by cybercriminals on several occasions.

The Aadhar was purportedly accessible for a pitiful 500 INR7 through an explosive

allegation made in an investigative. Think tanks and the international media accurately

labeled the Aadhar leak as the largest data breach in history. Furthermore, in terms of data

breaches, accounting for almost 37% of worldwide data breaches8, The numerous breaches

of data in an increasingly data-driven economy have brought to light the gap left by India's

lack of a strong policy.

India is particularly concerned about data privacy regulation for several reasons, chief among

them being the country's enormous population. With more than 500 than 8% annually, the

digital economy. India's digital economy is poised for an unparalleled expansion.

The difficulties in resolving issues brought on by extensive transactions made through digital

media may quickly materialize. finance sector has increased recently in India as well.

However, with the introduction of more sophisticated technologies and the government's

aggressive stance to support digital transactions following the demonetization digital

channels have becomean essential component of our life, therefore ensuring proper security

for these transactions requires a robust and efficient system in place.

The danger to informational privacy is now more serious, it is now more crucial than ever to

have strong laws in place to guarantee the highest level of protection for these individuals'

personally sensitive data.

1.2. Locating the Meaning of Data Protection

According to definitions, one of the legal ideas that is hardest to pin down to a single

meaning is data protection. Legal experts have stated that "data protection" is a catch-all

phrase used to describe any activity related to handling personal data. Sweden's Data Act, the

first data protection legislation ever, was approved in 1973, over 50 years ago, and went into

force the following year. It is now prohibited for any individual or organization to handle

personal data using any sort of information technology without a license,. The progressive

people of that nation in Scandinavia had grown worried in the late 1960s about the increasing

usage and storage of personal data, and to ease their anxieties, the Data Act was created.

Data protection and legally-mandated guidelines implemented to secure your personal data

and guarantee that you maintain control over it. In a nutshell, you should be free to decide

what information you disclose, with whom, for what length of time, and for what purpose.

You should also be allowed to edit some of this information.

Personal data" and "processing" are two components of data protection regulations that go on

to define the majority of their meaning. Due diligence is necessary because these two ideas

are important to the examination of the underlying reasoning behind. Since the definition of

"processing" is as broad as the data protection legislation as a whole, it should be read

broadly to increase the scope of the protections it affords. Any material operation that directly

affects data is referred to as processing. This includes gathering, storing, erasing, using, and

disseminating data.
The majority of sophisticated data protection policies advocate for interpreting the phrase as

broadly as feasible. would be undermined by a broadly construed definition of the term

"processing." The idea of "Personal Data" of the Data Protection Laws. Anything that may be

used to uniquely identify a person or information that can be connected to their identity is

included in the term. In accordance with this same logic, European Union courts have used

the "personally identifiable" information test24, which establishes whether or not a class of

data qualifies.

Once these tenets behind data protection regulations. Having said that, data protection laws

may be defined as a body of regulations that safeguard the sharing, gathering, application,

deletion, storage, and destruction of any In this case, protection entails handling personal data

with an acceptable level of fairness in accordance with accepted standards. But the idea of

informational autonomy and self-determination has grown jurisprudentially, and data

protection regulations today refer to more than just the fair processing of personal data.

1.3.The Right to Data Protection and Rule of Law

It has been suggested that inadequate autonomy in exercising informational self-

determination "would also impair the common good". This claim is based on the observation

But most of this discussion is limited to the European Constitutional Courts, so it will be

covered in more depth at the proper time.

1.4.Right to Privacy and Its Relation with Data Protection

The right to privacy has been acknowledged as a basic right, which is the basis for the claim

that data protection regulations have evolved to be regarded as such. Along these same lines,

the Indian Supreme Court has instructed That removes no question from the fact that the

purpose of data protection laws is to safeguard the private rights of the people who are under
their care. However, there must be a clear understanding of the right to privacy in a nation

like India where the body of legal precedent around this right is still developing.

Much difficulties among legislators worldwide when it comes to providing a precise

definition. However, a clear and logical understanding. Due to the dearth of legal precedents,

it is necessary to depend on some of the established principles pertaining to it. Additionally,

and perhaps more crucially, data protection regulations themselves ought to be sufficiently

expansive to clearly define

There are advantages and disadvantages to not clearly defining the right to privacy. It could

be advantageous inasmuch as the absence of a definition gives the judge plenty of leeway to

interpret it broadly. Since the world of technology is always evolving and seeming to reinvent

itself, it could be preferable for the general public, democracies, and the rule of law to

maintain an as flexible an. What the most accurate definition of the right to privacy is has

been hotly debated The vast body of research. In the context of data protection, one of the

most often cited interpretations of the right to privacy is that "Privacy is the claim of

individuals, groups, or organizations to select for themselves whenhow and how much

information is shared about them with others. The "right to self-determination" has a

powerful allure for the populace in any democratic setup, which is the only explanation for its

acceptance and popularity. Strictly speaking, no data protection regulation can offer total

informational self-determination, but what a strong law can guarantee is a controlled

determination. This is something that must be accepted.

The right to privacy has historically been understood in a more traditional and widely held

sense as the right to be left alone. This method views the right to privacy as including non-

interference as a fundamental component. According to this interpretation, "secrecy,

anonymity, and solitude" are the three pillars of the right to privacy. The foundational work
of Samuel D. Warren and Louis D. Brandeis, which established the framework for the

recognition of the right to privacy as a separate right, must always be mentioned in any

debate on the right to privacy.

“Based on these considerations, it can be concluded that the protection of ideas, feelings, and

emotions expressed through writing or the arts, to the extent that it prevents publication, is

just an example of upholding an individual's more general right to privacy. Similar rights

include the freedom from abuse or beatings, the freedom from imprisonment, the freedom

from venomous prosecution, and the freedom from defamation. These rights, like all other

legally recognized rights, are characterized by the nature of ownership or possession. Since

this is what makes property unique, it may be appropriate to discuss these rights.

The principle which protects personal writings and all other personal productions, not

against theft and physical appropriation, but against publication in any form, is in reality not

the principle of private property, but that of an inviolate personality.”

These characteristics are taken into account by several data protection standards in order to

guarantee that people receive the highest level of protection. The idea of the right to be left

alone is the origin of data protection principles including the right to erasure, the fairness of

processing principle, and the purpose restriction principle. The revelation of sensitive

material is yet another way to link data protection with the right to privacy46. Sensitive

documents are often ones that include information that might reveal a person's identify, such

as their name, sexual preferences, home address, etc.

There exists a great deal of controversy among academics regarding the efficacy of this

strategy because it is quite possible that in this Big Data era, information that would not

normally be considered sensitive could be collected and processed in a way that would render

it sensitive. The Supreme Court of India decided to embrace the informational self-
determination method while retaining the key components of these many theories about the

nature of the right to privacy:

Above all, the individual's right to privacy acknowledges an unalienable right to choose how

their freedom will be used. It is possible for someone to believe that being silence is the

greatest way to express themselves.

A space of privacy is implied by silence. Through artistic endeavors, an artist discovers a

mirror of their spirit. A writer conveys the idea that results from a mental process. A musician

muses over notes that, when played, produce silence. The inner quiet reflects on one's

capacity to communicate ideas and thoughts or engage in social interactions. These are

essential components of becoming a person. When a person has the freedom to choose what

they want, they can use their rights under Article 19. When interpreted in combination with

Article 21, liberty gives people the freedom to choose how and what they eat, how they dress,

what religion they practice, and a host of other choices.various issues where making a

decision in private of the mind is necessary for autonomy and self-determination. The

capacity to select a faith and the freedom to publicly express or not publicly express such

choices are inalienably linked to the constitutional right to freedom of religion under Article

25. These are a few examples of how privacy promotes freedom and is necessary for

exercising one's right to privacy48.

The passage demonstrates the significance that the Indian Supreme Court has placed on the

right to privacy. Whatever happens, this historic ruling will have a long-term impact on how

India's data protection rules are interpreted in the future. The Bill states that "sensitive

personal data may only be transferred outside of India for the purpose of processing" but that

"critical personal data" is exempt from this restriction. The feminist school of jurisprudence

has heavily criticized the interpretation of the right to privacy in its physical, functional, and
institutional aspects since it is long viewed as a barrier to gender equality. The feminist

school views the right to domestic privacy as a tool to applaud the subjugation of women in

their households. This interpretation has been criticized time and time again for being used to

protect the power disparities within the families.by the constitutional scheme's exclusions

under the pretense of privacy. One tool to "defend the exemption of marital rape from sexual

assault laws, and to discourage state interference with domestic violence or child abuse" is

the spatial and functional conception of the right to privacy.

Three significant elements that were absent from the Srikrishna draft version of the Personal

Data Protection Bill have also caused considerable worry among privacy experts and IT

businesses. These include provisions that will enable the Center to request the disclosure of

anonymized personal data or "other non-personal data" to any "data fiduciary or data

processor" in order to improve governance or target citizen welfare services.

The proposed Indian Data Protection Act of 2019 resembles modern international norms,

such the right to be forgotten, at first glance. Some restrictions are more contentious and may

limit some corporate activities, like as the need to keep sensitive data in systems situated

inside the subcontinent. Additionally, the draft bill says that non-personal data regulation for

the digital economy might be framed by the central government. To facilitate improved

targeting of service delivery or development of evidence-based policies by the Central

Government, it can specifically order any data processor to "provide any personal data

anonymized or other non-personal data."

India's position is somewhat reversed in the final Bill, which states that while "sensitive

personal data may be transferred outside India," it should still be kept in the nation. But it's

still unclear what the lawmakers intended to achieve when they passed a robust data privacy

legislation.
By avoiding the common traps, India might greatly benefit from the experiences of the

nations that are recognized to have robust data protection regulations in place. It is especially

crucial to address data privacy concerns that may have transnational implications in India, as

the country and the rest of the globe move toward a more digitalized and globalized society.

The researcher would consider it beneficial to discuss the accepted principles of data

protection in the developed world, particularly in the EU, as well as the legislation in these

jurisdictions in order to present a compelling case for a data protection regime that is

compatible with the entities situated abroad, and particularly in the developed world.

1.4.Principles of Data Protection

As previously said, the right to privacy is a somewhat nebulous and abstract concept, thus it

is impossible to establish a clear cut rule that would direct the courts in deciding whether or

not there has been an invasion of an individual's private space. Therefore, legislators and

courts worldwide have established a number of rules defining the right to privacy, which act

as a guide for efficient adjudication of claims of privacy infringement. The US Consumer Bill

of Rights, the GDPR51, and the OECD Principles are a few noteworthy principles.

Nevertheless, successful law cannot be achieved by a one-size-fits-all approach.

Therefore, India has to create its own national privacy principles that would be in line with

the ideals of the Indian Constitution while also incorporating the best practices from across

the globe, rather than adopting any of these principles.The goal of these guidelines must be to

ensure the security of all steps in the information gathering, processing, storage, access,

retention, and disclosure process that involve data that may be used to identify a specific

person. The Planning Commission established a committee chaired by Justice A P Shah with

the goal of creating National Privacy Principles. The committee's work resulted in the
formulation of the fundamental ideas that would serve as the foundation for future data

protection laws in India.

Under the direction of Justice AP Shah, the former Planning Committee established the

Group of Experts on Privacy in 2012 (Justice AP Shah Committee). A comprehensive

framework that considers all aspects of privacy and serves as the conceptual basis for an

Indian privacy legislation was advocated in the Justice AP Shah Committee report. Following

a thorough process of consultation and deliberation, it recommended a set of nine National

Privacy Principles that would be adhered to; they were mostly taken from the OECD

Guidelines. In order to discover the Indianized jurisprudence of the data protection law

through the principles outlined by the AP Shah Committee, the researcher will provide a brief

discussion of these principles.

Notice: The necessity of the notice to the data owner is the first and maybe most significant

of the principles outlined by the committee. The principle emphasizes the idea of data

ownership and requires that any processor of an individual's personal data provide adequate

notification to the data owner. The notification needs to be written in a way that makes it

clear enough for the data principal to comprehend what is being processed. It is

recommended that the notice should include information on the nature of the data being

collected, its intended use, and the security protocols the collector has implemented to

safeguard the obtained information.

The principle also requires that the data principal be notified periodically of modifications

made to the process's privacy policy and that prompt notification be given in the event of a

breach. Consent: The second principle is that getting consent is a fundamental prerequisite to

processing an individual's personal data. If the consent is declined, the processor has the right

to reject services. Notwithstanding, in cases where the processing is authorized by law and
aligned with other data protection standards, the data gathered by the agencies will be

anonymized.

CollectionLimitationPrinciple:Only that amount of data must be gathered in order to

achieve the goal for which it was originally intended to be collected.

PurposeLimitationPrinciple:Only those uses of data that were disclosed to the data

principal at the time of consent-obtaining may be carried out. A new consent must be

obtained by notice59 before processing data for any additional purposes.

1.5. Findings

The Chapter addresses the legality and justification for global data protection legislation. The

chapter outlines the components of an efficient data protection framework with a focus on the

necessity of providing sufficient protection for safeguarding informational privacy. The

chapter also discusses the several data protection theories that have been established globally,

critically identifying the point of genesis of the idea that data protection is a component of the

right to privacy. The study provided a comprehensive understanding of the necessity of

finding the ideal balance between achieving informational self-determination and satisfying

the demands of a world that is becoming more and more digitalized.

 CHAPTER 2:

GLOBAL INSTITUTIONS AND THEIR DATA\

PROTECTION PRINCIPLES

2.1.Introduction

The researcher addressed some of the most prominent features of the digitalization era that

have given rise to privacy issues worldwide in the previous chapter. The talk has given a

theoretical understanding of the Principles of Data Protection, but in order to fully understand

the practical aspects of a Comprehensive Data Protection Code, it would be best to study the

ways in which the provisions related to the concept of Data Protection are implemented. As

the saying goes, "the taste of pudding lies in the eating.".. Additionally, the study becomes

crucial for developing a code that complies with international best practices for data

protection.

Academicians and jurists from all over the world have correctly concluded that a nation

acting alone cannot achieve data protection. Since the Internet serves as the primary source,

storage, and transmission channel for most data worldwide, national regulators are unable to

effectively address the myriad obstacles in implementing a strong data protection framework.

Since data transcends national borders, a transnational framework is required to ensure

sufficient protection for residents' personal data while permitting unlimited cross-border data

transfer.

There must be a mutually agreed upon framework to ensure the free movement of data across

borders and to enforce a certain level of security safeguards.

framework that national data protection laws should be based on80. Globally recognized data

protection principles have the potential to significantly contribute to the standardization and

coherence of data protection legislation worldwide81. There is no one-size-fits-all solution

that can effectively address the issue of data protection, as we have shown in the previous

chapter. Instead, the topic of data security is highly abstract.

This makes it necessary to establish a set of global guidelines that would act as a roadmap for

countries creating their own data protection legislation. Numerous international and regional

organizations have reached consensus on some fundamental ideas that have to be included in

national data protection legislation, all while keeping this point of view in mind.82 The

researcher would mainly concentrate on two of the most significant organizations that have a

significant impact on global data protection laws.

2.1.United Nation’s Data Protection Principles

The foundation for a strong data protection framework worldwide is laid forth by the United

Nations Personal Data Protection principles. Although the majority of global data protection

laws attest to following these guidelines, there are occasionally small departures from them.

What's important in this case is the UN's acknowledged principles' persuasive value, which

serves as a guide for governments who sincerely want to establish a strong data protection

framework in their nation. Even though these guidelines are meant to direct United Nations

System Organizations in fulfilling their mandates, they nonetheless have a great deal of

persuasive power on a worldwide scale. The 2019 Personal Data Protection Bill and the

GDPR
and many data protection laws throughout the world base their data protection framework on

these fundamental ideas. In order to help the United Nations System Organizations carry out

their mandated activities, these principles (referred to as the "Principles") lay out a basic

framework for the processing of "personal data," which is defined as information relating to

an identified or identifiable natural person (referred to as the "data subject").

FAIRANDLEGITIMATEPROCESSINGPRINCIPLE

The following justifications should be used by the United Nations System Organizations to

treat personal data fairly, in compliance with their missions and governing instruments:

(i) the data subject's consent; (ii) the data subject's best interests, in accordance with the

relevant United Nations System Organization mandates; (iii) the relevant United Nations

System Organization mandates and governing instruments; or (iv) any other legal basis that

the United Nations System Organization specifically names

PURPOSESPECIFICATION

It is imperative that personal data be processed for specific reasons that align with the

missions of the relevant United Nations System Organization and consider the appropriate

balance of rights, freedoms, and interests. Processing personal data in a way that is

inconsistent with these goals is not appropriate.

PROPORTIONALITYANDNECESSITY

When it comes to the designated purposes of processing personal data, the processing of such

data must be relevant, restricted, and sufficient.

TRANSPARENCY
When relevant and feasible, processing personal data should be done in a way that is

transparent to the data subjects. As long as the stated purpose for which personal data is

processed is not thwarted, this should include, for instance, giving them information about

how their personal data is processed and instructions on how to request access, verification,

rectification,and/or deletion of that data.

The Accountability Principle, which states that United Nations System Organizations should

have sufficient policies and procedures in place to adhere to these Principles, is one of the

other well-known principles. Furthermore, the foundation of the Data Protection Principles is

the idea that a United Nations System Organization may transfer personal data to a third party

in the course of carrying out its mandated activities, so long as the organization is satisfied

that the third party will adequately protect the personal data under the circumstances.

2.1.The Under pinnings of Right to Privacy within the ICCPR

Rather than representing personal rights, the term "privacy" is used collectively in Article 17

of the International Covenant on Civil and Political Rights. The "internet" was still in its

infancy when it was drafted, hence the drafters' considerations and comprehension are now

mostly meaningless. Meanwhile, it is possible to ensure that people's private information is

protected while preventing the possible unlawful nature of targeting and widespread

surveillance operations by implementing specific guidelines and adopting particular actions.

.. This will provide the foundation for a data security solution that is actually successful in the

modern day. In general, the current system encourages data digitization, but it is illegal to

acquire, transmit, or retrieve personally identifiable information that is kept digitally unless it

is done in compliance with legal procedures. A person has the right to know why their data is

being used, where it is being stored, how long it was collected, how to get it corrected, and

other information. Additionally, this has been emphasized repeatedly throughout the remark.
.

The Human Rights Committee has often emphasized how important it is to gather and

manage personal data in a legal manner. "The collection and storage of personal data on

servers, databases, and other devices, by public institutions or private persons or entities,

should be regulated by law," the statement reads. While the connotation of the comment

appears to extend to the digital domain of the right to privacy, there are important gaps that

need to be addressed.

.. Comment 16 ought to incorporate an individual-centric definition of privacy in addition to

considering the Right to Informational Privacy from a wider angle. Countries will find great

assistance from the ECtHR precedents in amending comment 16 to expressly hold normal

public data collection procedures as grounds for violating an individual's right to privacy.

This will serve as the foundation for addressing the threat posed by mass surveillance and

expanding the scope of the provision to encompass the digital world in order to fully

recognize the range of potential risks associated with technological improvements.

Getting Rid of the 4th Amendment’s based-Right to Privacy

The word "home" is used expressly in Article 17 of the ICCPR, which suggests that the

convention's definition of privacy is restricted to "spatial privacy," or the privacy of one's

own personal areas. This implies that "protection from encroachment of man's own castle"

will be the extent of the covenant's security. But such a condensed interpretation of the word

"home" would be dangerous in this day and age, when the potential for private property

invasion has shifted to internet channels. Therefore, "online private spaces"—which include a

person's emails, Facebook and Twitter sites, and other social media accounts—should be

included in the new section.

Nowadays, the only ways for a person to identify themselves in the public sphere on the

internet are through social media pages and mobile phones. The idea of private space, which

dates back a century, has mostly been replaced by electronic devices and social media

accounts.This adjustment should be specifically acknowledged in Article 17. The member

nations' courts have historically defined the term "home" broadly, stating that it encompasses

"a place in which private life can evolve freely.""The convention must accord the phrase

"private domain" the broadest possible meaning, encompassing all methods by which one can

access the online sphere, in order to recognize the growth of private life in the present era.

.Incorporation of Meta data in to the Definition of Correspondence

Article 17 of the agreement has been limited in another essential way, which is the definition

of the term "Correspondence." While letters, phone conversations, emails, and other

correspondences have previously been covered in of personal data that may be merged for

information gathering and statistical analysis..International courts have questioned the extent

to which the metadata may be utilized for mass surveillance and identity. for purposeful

limitation and breaking storage regulations, however the court overlooked the drawbacks of

storing metadata. As a result, this would make it possible for the Indian government to handle

and keep personal data of people via the reliable Aadhar platform. To avoid such careless

misunderstanding of the threats that information might pose

The government might use metadata for a great deal of security-related objectives. Through

the use of metadata, more data Because information about a person's eating habits,

whereabouts, and behavioural patterns is easily accessible, it is crucial to. This would surely

broaden the scope of the provision, making it essential in addressing the issue of widespread

metadata surveillance.

"When gathered and analyzed, communications metadata can create a profile of a person's
life, including health concerns, political and religious beliefs, alliances, relationships, and

interests, revealing as much information as, or even greater detail that may not be

distinguishable from the content of communications."

It is important to note that the judiciaries of other nations with sophisticated data protection

laws, as well as those in Europe, have taken action to maintain that information pertaining to

internet usage is included by Article 8 of the ECHR's definition of "correspondence." States

have a broad window of opportunity to carry out mass surveillance and profiling, however,

because metadata is not specifically included in the examination of communications.

2.1 Decoding the Unlawfulness of the Interferences with the Right to

Informational Privacy

Many internet companies rely on making money off of the customer data they gather, both

for their own use and to sell to other parties. Not all people are privacy hawks, and

millennials aren't as much as previous generations were. However, there has been a

significant increase in awareness of informational privacy following the scandalous

Cambridge Analytica Data dumps. In 2014, Nix, SCL, and Cambridge AnalyticaElections,

got aware of the study being conducted at Cambridge University's Psychometrics Center. The

study found that using publicly accessible Facebook user account data, one can accurately

evaluate a user's personality attributes using a psychometric model called the "OCEAN"

scale. An algorithm developed by researchers was able to identify a person's personality

based on the "likes" they had on publicly accessible Facebook sites.

The algorithm and the ensuing data collection to train the business's model ultimately resulted

in Cambridge Analytica supporting political campaigns such as Brexit and the US elections

in 2016 and set up a global controversy. Facebook's reputation suffered once the data
harvesting was made public, and the company was hit with many fines for improper data

handling.

Over time, following the Facebook/Cambridge Analytica crisis, it became clear that, in spite

of all the government hearings, the public would need to take further steps and take particular

action to get internet corporations to realize that it was time for them to offer sincere

apologies. Users would still not be able to completely prevent someone from gathering their

personal information.

WhatsApp-Facebook Privacy Policy Update

The problem of informational privacy violation has been increasingly obvious with the global

increase of social media users. India, a country with a high concentration of social media

users, faces an increased danger of illegal interference with users' privacy. One of these risks

has emerged in the shape of the vehement resistance to WhatsApp's recently modified

privacy policy. The social networking site updates its privacy policy in a move that has drawn

significant media attention and user anger.

.. The platform will share user data with its parent corporation, Facebook, in accordance with

the revised rules. According to reports, the government is looking into and assessing the most

recent privacy policy update that WhatsApp released, following a backlash against the

contentious modifications that connected user data to Facebook's other services and goods.

It's clear that simply because of the Due to a lack of regulations in India, Indian WhatsApp

users are being treated like second-class citizens and their personal data is being

commercialized by WhatsApp without giving them a clear, concise, and unequivocal warning

before collecting their assent.

However, WhatsApp is unable to do the same for users in the European zone, where privacy

rights are still protected, due to the presence of a strong legislative framework in that region.

This facet of the business's operations clearly illustrates the necessity of a stringent legal

framework to guarantee data protection. The policy has been updated, and users are required

to approve it in order to continue using their conversations. This goes against the fundamental

principles of informational self-determination.

Furthermore, worries about privacy violations are not limited to conversations. The recently

established Atmanirbhar Digital India Foundation (ADIF), an industry group of Indian

entrepreneurs, has demanded more government monitoring after alleging that WhatsApp's

latest privacy policy amendment poses a serious risk to user payments and financial data.

Despite WhatsApp's assertion that the upgrade solely affects WhatsApp Chat, the policy may

potentially result in more data sharing between Facebook, the parent company, and

WhatsApp Payments.

.The corporation had to delay the new policy's adoption for a few months due to public

criticism, but in the absence of any regulations, nothing in the law would make the company's

actions illegal. The tragedy has had several good outcomes, one of which being the increased

awareness of information privacy among the Indian populace. This may be demonstrated by

users switching to other platforms and a sharp drop in the platform's user base growth once

the new policy was announced.

GDPR and Informational Privacy

To safeguard people from arbitrary and illegal interference in their personal lives, the

GDPR's Article 17 states, "No one shall be subjected to arbitrary or unlawful interference

with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and

reputation." Although clearly stipulates that any legitimate governmental interventions that

do not align with the principles outlined in the Covenant will be considered illegal,.Given that

the convention permits "lawful" interferences with the right to privacy, it is important to give

sufficient weight to the criterion when determining whether an act that is alleged to violate

someone's private is lawful.

When it comes to domestic legislation, lawfulness is just another word for it. Any law that

has been duly passed by a state's authorized authority would be considered lawful

interference. Nonetheless, General Comment 16 states clearly that this kind of interference

must not be capricious and must adhere to the convention's guidelines94. Although the

committee's remark is praiseworthy..The sections that aim to safeguard "unlawful"

infringements are mostly pointless, as the convention's existing. The Committee has accepted

the idea that a law does not make invasions of privacy acceptable merely because it permits

such violations. The committee suggests, in a sense, adding the due process provision to

justify the individuals' privacy violations.

The committee established a four-point criteria to evaluate the legitimacy of the methods

used to try to restrict an individual's privacy:

1. The legislation must be available to the public, which means that no provision that tries to

invade someone's private space may be coupled with a confidentiality clause. By taking this

exam, you may be confident that the people are aware

30
2. The second test establishes that the data can only be handled for purposes that are lawful

and combines the purpose limitation and fairness principles.

. The third criteria offers the fundamental notion of certainty, which is that the legislation

need to sufficiently define the subtleties of interference. The legislation should establish an

objective standard whose privacy may be violated, the goal that the violation of privacy is

intended to accomplish, and the specific process by which the violation of privacy may be

authorized. The legislation should also specify exactly how long such data processing must

be permitted for as well as how to store and remove such data.

The third criterion provides the essential idea of certainty, namely that the laws must

adequately specify the nuances of interference. The regulation ought to set up an objective

criterion to determine which groups of people are susceptible to privacy violations, what the

purpose of the breach is, and the precise procedure via which it may be approved. Along with

defining how long such data processing must be allowed for, the regulation should also

outline how to keep and delete such data.

The third requirement, which states that the rules must sufficiently define the subtleties of

interference, offers the fundamental concept of certainty. The law should provide an objective

standard to identify the categories of individuals who are vulnerable to privacy breaches, the

nature of the breach, and the specific process by which it might be authorized. The legislation

should specify how long such data processing may be permitted for as well as how to store

and remove such data.

.3. The essential idea of clarity is provided by the third criteria, which is that the regulations

must adequately describe the nuances of interference. The law ought to provide an impartial

benchmark for identifying the groups of people who are susceptible to privacy violations, the

type of violation, and the particular procedure that may permit it. The law should outline how
31
to keep and delete such data as well as how long such processing of data may be allowed.

2.4.1The need for sufficient safeguards

The third criterion, which states that the regulations must sufficiently explain the subtleties

of interference, provides the fundamental notion of clarity. A fair standard should be set by

the law to determine which individuals are most vulnerable to privacy violations, what kinds

of violations occur, and which specific procedures may allow them. The length of time that

such data processing may be permitted, as well as how to store and destroy such data, should

be specified in the legislation.

The regulatory framework should have enough judicial scrutiny to guarantee the process's

openness and lack of arbitrariness. It is argued that the absence of these protections will

eventually open the door for illegal incursions into persons' private lives.

The necessity of establishing a structure that would provide effective measures that would

increase openness and foster accountability within the state's surveillance system has been

highlighted repeatedly in the UN's subsequent resolutions.

Adequate protections are vital to minimize and completely eradicate the potential for

arbitrary interference, but having strong redressal processes in place is just as crucial. It is

imperative to provide sufficient publicity of the procedures for lodging complaints against

violations of the rights enshrined in Article 17. In order to guarantee that the system has the

necessary components to address the violations of informational privacy, the OHCHR has

defined a few requirements.

The first condition is notice, which is predicated on the idea that it is the state's responsibility

to guarantee that the public is informed about the specifics of the interference and their right

to file a lawsuit against the infringement. The necessity of an expeditious, efficient, and

32
unbiased inquiry of the claimed violations by the state comes next.

A fundamental need for any legislation aiming to violate an individual's privacy is that it

must be fair and non-arbitrary.

. The Human Rights Committee has often argued that having laws that are strictly in line

arbitrarily applied. The qualities of need, proportionality, and validity are also embraced by

the criteria of non-arbitraryness. To legitimize the state's invasion of people' private rights, it

just needs to "show in precise and tailored

It is well known that states frequently cite concerns about public interest and national

security as reasons . While preventing terrorism and outline the bounds around these matters

to keep them from serving as a means of facilitating widespread monitoring.

.2.5.Findings

The conducted study gives the researcher insight into the essential components of a strong

data protection policy in a democracy. In the next chapters, the researcher attempts to develop

the best possible data protection model for the Indian scheme, paying particular attention to

the OCED Principles. The study has made it possible for the researcher to pinpoint the

essential components of a strong data protection policy.

.The preceding chapters have extensively covered the jurisprudential concerns surrounding

the notion of data protection worldwide. Nevertheless, each sovereign state has the freedom

to craft national laws that best suit its own needs, so it would be appropriate to talk about

some of the jurisdictions' approaches to data protection and how they have incorporated the

ideas covered in earlier chapters..

Numerous precautions are enforced by Big Data to guarantee. The Internet of Things will

make it more simpler to consume large volumes of data, which will raise the danger of
33
personal data being threatened. Personal data makes up a significant portion of the data

involved in the process and may include personally identifiable information about the data

subjects.

CHAPTER3:

DATA PROTECTION IN EU, US

3.1. Introduction

Big data is the deliberate and specialist services may require data processing, analysis, and

assessment. For instance, personalized advertisements for internet users may be displayed by

analyzing the purchase patterns of individuals in a certain area. The consolidation and

revaluation of this data can be advantageous for financial transactions, creditworthiness,

healthcare, personal surveillance While there are clearly many scientific benefits to big data,

managing it still carries a certain level of risk. Artificial intelligence-based car information

may also be falsified, and employing these data further restricts the length of time that people

may participate. However, a number of serious issues relating to the remedy and the right

have emerged as a result of the lack of human connection. In the next section, we'll discuss

some of the impending problems that big data will provide for the data protection framework.

In general, Americans feel that the government has less responsibility for securing internet

data and information than many of its European Union counterparts.What does the law mean

for India's engagement in the international data discourse?

India has been praised by commentators for its ability to influence foreign policy and for its

34
high level of participation in the UN General Assembly and other forums on internet policy.

The specific institutional choices India makes on data privacy would most The given

numerical statistics show the many ways in which different sectors of the Indian economy

might be impacted by a data privacy law, even if they might not apply to India modelled after

GDPR.

While both of these rights are based upon the theme that an individual have a right to live

their life with dignity and hence, they need a personal sphere which. The right to respect for

private life is a far larger notion than the other two, even though they are also predicated on

the idea that everyone.

Every time an individual's data is processed, they are guaranteed the right to have their data

protected, even if such processing has no bearing on the subject's right to privacy. Even in

situations when such processing has no influence on the right to privacy, it may still violate

that right.

3.2. Role of ECHR In Developing Data Protection Jurisprudence In EU

Very precise conclusions to be drawn concerning the private lives of the persons whose data

has been retained, such as the habits of everyday life, permanent or temporary places of

residence, daily or other movements, the activities carried out, the social relationships of

those persons and the social environments frequented by them."

A vital component of any sound data protection regime is the range of rights that its citizens

are granted. A strong data protection system that aims to preserve the integrity of all valued

rights in all of its manifestations must fundamentally include the explicit acknowledgment of

certain of the rights that are seen to be the parameters of the right to privacy. It is thus thought

35
to be best to examine some of the most important rights in this area that are recognized by EU

law.

3.3. Right to Religion

Nowadays, a person's religion, beliefs, and mode of worship may have a significant influence

on how the rest of society perceives them.

The petitioner in SinakIsik v. Turkey had challenged a law on the grounds that the identity

card's religious name was incorrect. The domestic laws in effect at the time required people to

carry identification cards, which were documents proving one's faith that had to be produced

upon request to any governmental agency or private company. Such a duty overlooked the

fact that the freedom to express one's faith also granted the freedom from having to reveal

one's views.

Notably, the government said that people no longer had to include their religion on their

identity card and could choose to leave it blank if they so desired. The court dismissed the

argument, stating that such a recusal would place the relevant parties in an awkward situation.

As a result, the disputed law was ruled to be violative of the Article 9 of the ECHR.

Certain analysts contend that churches that keep track of visitor information should have been

required under GDPR Article 91 to create internal data processing policies that adhere to the

requirements.

3.4.Financial Interests

The global corporate landscape has undergone a radical transformation with the arrival of the

digital era. Data has never been more important, and rightfully so; many economists concur

that data is the new oil. Data processing is a key component of many businesses worldwide,

and concerns over the financial effects of stringent compliance guidelines for the protection
36
of personal data are frequently voiced by both data controllers and data subjects. In the

historic Google Spain case, it was questioned whether financial interests might be considered

a legitimate basis for restricting the processing of data. The court determined that because

search engines hold a significant quantity of personally identifiable information, the data they

have gathered might pose a severe danger to privacy.146 The court concluded that, in

addressing the contention regarding the underlying economic interest in this type of data

processing, a just balance should be struck between that interest and the fundamental rights of

the data subject, particularly the right to privacy and the right to have personal data protected.

Therefore, it was decided that the underlying economic and other interests are subordinated to

the right to privacy and the right to personal data. The Court additionally notes that a great

deal of his personal life may be covered by this information, and that without thesearch

engine, it would have been extremely difficult or impossible to link the information.

Thus, internet users might create a more or a less thorough profile of the individual being

looked up. Furthermore, because search engines and the internet play such a significant part

in modern society and make the information found in these lists of results widely available,

the impact of the interference with an individual's rights is amplified. The Court holds that

the engine operator's financial interest in the data processing is insufficient justification for

such intervention given its potential significance.

The court held that the fundamental records of the relevant firm should be released first,

even though it acknowledged that the petitioners' prospective clients had a right to see the

information. that their contents and other information about the firm, including the specifics

of the individuals who have the authority to bind the company, may be accessible to third

parties148. Therefore, the learned court noted that the disclosure's goal of furthering the

genuine public interest made the infringement37of the petitioner's personal data interference
justifiable.149 The court did note, however, that in some circumstances, people may be able

to object to the processing of their personal data even in cases where there are unusually

special circumstances and legitimate general interests.The court has underlined time and

again that a valid public interest exists when all the facts surrounding a case are taken into

account.

3.4. Freedom of the arts and sciences

The case VereinigungbildenderKünstler v. Austria151 dealt with a disagreement about a

painting that depicted nudity and included a politician who had properly requested an

injunction from the domestic court due to privacy invasion. The European Court of Human

Rights (ECtHR) noted that, rather than addressing specifics of [the portrayed's] personal life,

the painting was more likely to refer to his public position as a politician and the need for [the

depicted] to show a greater degree of tolerance toward criticism in this role.

3.4.1. Freedom of Expression

The GDPR's Article 85 regulates how to balance the two rights and provides a number of

exemptions and derogations from certain chapters. The link between the two rights was

controlled by Article 9 of the directive before the GDPR was passed. Nevertheless, it is

important to acknowledge that there have been many instances where the rights used the

chance to clarify the link between the two rights, ruling that a balance between the two rights

is necessary. furthermore, while the right to free speech and expression is an essential

component of any democratic society, the restrictions and limitations. The court ruled that

while political discourse is a necessary component of any organic democracy and that

discussions about matters of public interest cannot be legitimately restricted, editorial gossip

intended to pique the interest of certain readers does not advance the conversation or serve

any fundamental public interest.

38
An injunction order against a publishing business that forbade the reporting of the arrest of a

well-known German actor was contested before the ECtHR in Axel Springer AG v.

Germany, on the grounds that the order violated Article 10 of the ECHR. Applying the

margin of appreciation concept, the court considered the fundamental question and

established a comprehensive set of standards for balancing the rights to privacy and freedom

of speech and expression.. Whether the article advances a topic of public interest; The extent

of the subject's notoriety and the topic of the report; the subject's past behavior; the source of

the information and its accuracy; the kind, structure, and implications of the publication;as

well as the harshness of the penalty applied.

3.4.2. Professional Secrecy

The idea of professional secrecy has strong roots in the moral standards of all professions,

while not being a basic right. Confidentiality is a crucial component in professions that rely

on trust, such as client-lawyer and doctor-patient relationships.

3.5. Important Definitions under GDPR

It would be best to take a quick look at some of the GDPR's pertinent definitions before

delving into the specifics of the European Union's .

3.5.1. Personal Data

Understanding that the most essential component of the data protection system is, of course,

the personal data. According to the GDPR, any information that may be used to identify a

specific person or be linked to them is deemed personal data159. According to the GDPR,

data controllers must take all reasonable steps to determine the type of information they have

collected160. Furthermore, the individual whose information is being processed—the data

subject—is the most significant stakeholder in the data.

39
3.5.2. Data Subject

Any identified natural person whose personal information is being processed is referred to as

a data subject. Legal entities may, however, only assert their claim to the protection of

Articles 7 and 8 of the Charter with respect to this identification to the extent that the legal

entity's official title names one or more natural people. Articles 7 and 8 of the Charter

recognize the right to respect for private life with relation to the processing of personal data.

This right pertains to any information that may be used to identify or identify a specific

person.

3.6.Principles of EU Data Protection Regime

These guidelines provide a framework for evaluating instances in which data subjects' rights

to data protection have been violated. Notably, all of these guidelines are still in place under

the GDPR to guarantee the highest level of security and data subjects' control.

3.6.1. Data Accountability Principle

The controller bears the responsibility of adhering to the principles of personal data

processing and must be able to provide evidence of compliance. Additionally, the controller

should be capable of guaranteeing. This concept rests on the idea that when breaches occur,

the data controllers should be held responsible.

3.6.2. Data security principle

The foundation of the European data protection legislation is the idea of providing data

subjects with appropriate security and confidentiality. It includes the notion of a system that

guarantees the implementation of suitable organizational or technological safeguards

throughout the processing of personal data to guard against unintentional, unauthorized, or

illegal access, use, alteration, disclosure, loss, destruction, or damage

40
Pseudonyms and encryptions are specifically mentioned in the GDPR as ways to increase

security. Additionally, as was previously mentioned, the GDPR requires controllers to notify

data subjects of any potential data breaches within a certain amount of time.

3.6.3. The Storage Limitation Principle

In order to eliminate the possibility of any breaches, it stipulates that data must only be kept

on file for as long as is strictly required. This idea is appropriately included by the GDPR,

which states that data must be retained in a format that allows. Furthermore, it stipulates that

the controller must set deadlines for deletion or frequent reviews1

The case involved the two applicants' fingerprints, cell samples, and DNA profiles being kept

on file indefinitely even after they were found not guilty. These rulings serve to illustrate the

concerns that data storage poses to people' right to privacy and the inherent hazards

associated with it for European courts. By destroying any data that is no longer absolutely

essential for the reason for which it was gathered, the idea seeks to reduce the amount of data

stored.

The courts have acknowledged a broad variety of exceptions to the storage principle, though,

and data may be kept for extended lengths of time if it is needed for statistical analysisas long

as it is used exclusively for these purposes. The CJEU clarified the necessity of an objective

standard for issuing data retention directives169 in the Digital Rights Ireland case . The

observation was founded on the idea that information shouldn't be kept around longer than is

absolutely required.

3.6.4. Data Minimization Principle

According to GDPR, citing the significance of data minimization and the broad reach of data

processing through the use of a generic language. In order to combat severe crime, the
41
directive stipulated that all people, all electronic communication devices, and all traffic data

must be treated equally and without distinction, restriction, or exception.

The court reaffirmed its support of the principle by noting that the directive contradicts the

principle prohibiting the excessive processing of data and that personal data that is

appropriate and pertinent but would cause an undue interference with the fundamental

freedoms and rights at issue should be deemed excessive.

3.7. Purpose Limitation Principle

When the aim of processing is adequately defined and unambiguous, people are better

informed about what to expect, and legal certainty and transparency are improved. However,

it's crucial to define the aim precisely so that data subjects may use it to properly

The tightly worded clause prohibits the gathering and use of data for ambiguous, future

purposes by stating that a separate legal basis must exist even for uses that are related to the

original goal of the data acquisition.

.This implies that the data controller will be permitted to treat the data in these circumstances,

even if the data collected by the subject fails the compatibility test. The law, however, is

well-established regarding what types of data are compatible, and the data controller is

required to take into account the following factors: any connection between those purposes

and the intended further processing

3.8. Fairness Principle

Ensuring data subjects that their information will be treated in a transparent and lawful

manner is the motivation behind the fairness principle. According to the concept, data

controllers must show off their compliance procedures and alert data subjects to any possible

risks. Additionally, where a data subject's permission serves refused to provide the
42
petitioners access to their own medical reports because of the possibility of data misuse.

According to the European Court of Human Rights, the state had not demonstrated that there

were adequate and convincing grounds to prevent the applicants from having effective access

to information about their health.It was decided that data subjects could not be denied the

ability to access their data unless there were very strong grounds for doing so.

Nothing has a more significant place in the EU's whole data protection framework than the

transparency aspect. Data processing must be transparent with regard to the data subject, as

required by the GDPR. The term "transparency" has been used broadly to refer to a variety of

informational materials, such as those provided to individuals prior to the commencement of

processing, those that should be easily accessible to data subjects during processing, and

those that are provided to data subjects upon request for access to their own data.One of the

important instances where the right to data accessibility was emphasized was Haralambie v.

Romania

The petitioner was eventually allowed access to the material held about him after a grueling

five years. It was the responsibility of the government to provide a reliable process for

gaining access to this kind of data.181 Additionally, it was decided that delays in granting

data subjects access to their information could not be justified by flaws in the archive section.

3.9. Rights of Data Subjects under GDPR

The GDPR establishes extensive right-based regulations to provide individuals with the

highest level of data control. A wide variety of rights that persons have with regard to their

data are mandated by Article 8 in order to advance this goal. Establishing procedures that

allow data subjects to contest infringements of their rights, hold controllers accountable, and

seek compensation is just as crucial as giving them rights.

43
3.10. Right to Rectification

The GDPR envisions a legislative framework that aims to provide data subjects with the

greatest amount of control over their data, keeping in mind the significance of protecting

personal information. In Ciubotaru v. Moldova, despite the existence of factual proof

supporting his argument, the petitioner was not allowed to have his ethnicity's name

corrected.

The State had not complied with its affirmative commitment to. Data controllers are required

to promptly provide data subjects with the opportunity to update their stored information. The

police information report, according to the court in CemalettinCanli v. Turkey, is a

methodically gathered public record that is kept in files owned by the government and may

also be considered private life

3.11. Right to Data Portability

Only when data is submitted in accordance with contractual requirements or is based on

permission are data subjects guaranteed the right to data portability. Under the EU data

protection law, cases where the data was collected legally do not have this privilegeThe

GDPR places a strong emphasis on the necessity of creating interoperable formats to provide

increased data portability.

It should be mentioned that, in terms of data portability, the legislation does not place undue

burden on data controllers. Nevertheless, the right to data portability cannot be restricted

outside of these two exceptional situations. It is also clear that giving data subjects authority

44
 over their own personal data is the only goal of the recognition of the right, which is to

guarantee user choice, control, and empowerment.

3.12. Findings

An examination of a few significant pieces of US legislation pertaining to data protection

does suggest that these rules may be used as a means of defending people's rights to total

control over their personal information. But some significant gaps that have surfaced are as

follows.

 The US has an excessive number of data protection laws, each with a narrow reach, in

contrast to the European Union, which has a comprehensive rule in the shape of the General

Data Protection Regulation. Consequently, the nation's data protection structure is extensive,

intricate, and technically advanced. Additionally, there are several federal and state laws

covering the same topic, which causes needless complexity.

 The bulk of the regulations (or at least most of them) were passed more than two or three

decades ago, and many of these rules find it difficult to deal with the issues raised in the

contemporary period. Therefore, it is imperative that technology advancements be taken into

account in order to fulfill the goal of protecting residents' private information.

 In spite of these drawbacks, it is undeniable that the US has a strong and efficient structure in

place to safeguard citizens' rights to data protection. But as compared to the US, the EU has a

far more sophisticated, advanced, comprehensive, and contemporary data protection system.

 The following two factors provide the European Union a slight advantage in the area of data

protection. First, unlike the EU, which has what is perhaps the most individual-centric data

protection regulation in the world, the US lacks a comprehensive federal law governing the

45
 processing of data. The second explanation has to do with the European Courts' permissive

view of data privacy problems.

 In order to successfully address the issues of the current period, the United States must also

have a comprehensive federal regulation along the lines of the General Data Protection

Regulation.India has frequently been referred to as the most significant offshore business

destination in the world. The growing network of Indian data outsourcing enterprises was the

first to raise worries about possible data breaches in India. It is sometimes asserted that India

would never have needed a data protection legislation at all if not for the concerns of

informational privacy breaches brought on by data offshore corporations .

.There was no legislative structure in place to control the data outsourcing process in India,

which led to several cases of data theft and informational privacy violations by these

offshoring businesse. Naturally, the world press took notice of these instances and finally

pressured the Indian government to pass a data protection law.

 The researcher's identification of the essential elements of a strong data protection regime in

nations with sophisticated data protection legal frameworks has created the ideal foundation

for a detailed examination of the current data protection legislation in India. To date, the

researcher has identified the best practices used by various jurisdictions to provide citizens'

personal data with a fair degree of protection as well as the difficulties governments face in

effectively addressing privacy issues related to technological advancements.

 The chapter's conclusion has allowed the author to also pinpoint the level of protection that,

in terms of informational privacy, a digitalized society has grown to demand.Therefore, the

goal of the upcoming chapter is to get a thorough understanding of India's current Data

Protection laws.

46
 CHAPTER4:

DATA PROTECTION REGIME IN INDIAN LEGAL SYSTEM

4.1. Introduction

The researcher now has a fairly comprehensive grasp of the various methods to personal data

protection that the. It would be important to do a comprehensive analysis of India's current

data protection laws before delving into talks on the viability of a certain data protection

model. This chapter's talks aim only to provide readers with the most comprehensive

knowledge of India's current situation of data protection.Every day, the globe gets more and

more digitalized, and India is not an exception to this phenomenon.

Many billions of people worldwide communicate with one another via digital media,

resulting in the global generation of enormous amounts of data. A sizable portion of the

population is reached via the recently discovered digital Twitter, WhatsApp, and others. In

India, almost 53% of people have an online presence thanks to more affordable internet and

increased connectivity.

Additionally, the Indian economy has a significant presence of online payment programs like

Paytm and Google Pay. The vast amount of data engaged in the digital space has increased as

a result of individuals using these apps. But technological advancements have also given both

governmental and commercial sector organizations the ability to quickly access, store, and

process an individual's personal data

An increase in internet users also suggests that these transactions often contain a large

amount of personal and financial data. India is a digital transmission hotspot due to the

enormous popularity of these apps among Indian users.

47
. It is important to remember that these smartphone apps, which provide users with a variety

of services including online chat, digital payments, online shopping, taxi services, etc., save

and handle a significant amount of personal data about its users..digital economy that places

data at its centre:

Even something as basic as calling for a cab today requires using a smartphone app that

gathers and utilizes several kinds of data, including the user's financial information, her

current location, and details about her past travels. People's communication, decision-making,

and business practices are all being profoundly altered by data. Nowadays, companies are

compiling enormous databases about customer behaviour and preferences. It is now easier

than ever to compress, sort, modify, discover, and understand information, which can then be

turned into knowledge that is useful

The majority of the time, the process includes transmitting and storing personal data in

addition to collecting and processing it. Technology has advanced to the point where

processing and storing personal data is now very a technically and financially feasible choice.

These phenomena guarantee that data aggregators not only gather but also retain personal

information about individuals, which may be utilized to create user profiles and, naturally,

improve the effectiveness of the apps.

Service providers may speed up transactions and improve service quality by creating

personalized user profiles. The things that consumers might be interested in purchasing are

suggested by internet aggregators and e-commerce corporations based on their past online

activity. Precisely said, the way things function in the digital age may be greatly influenced

by the usage of data, and all organizations, public and commercial, want to maximize the

amount of information that can be obtained from their users' data. To enhance traffic

conditions, data analysis on the positions of residents in a certain region might be employed.
48
the examination of the patients' medical records might assist the researchers in developing a

more accurate diagnosing process. The government may benefit much from the examination

of people's demographics and economic circumstances when formulating and implementing

socially beneficial policies. Data processing may also greatly assist law enforcement

organizations in preventing crimes and financial regulators in identifying frauds. Drone

cameras and more sophisticated surveillance techniques employing internet and advanced

technology have been increasingly popular among police enforcement agencies.

However, the preservation of people's personal data poses a serious danger to informational

privacy even as it makes things more easy for consumers and promotes a safer society. An

rising, which has opened up a world of worries about potential data breaches. Since the

government is the entity that processes personal data on individuals the most in India, it is

critical that laws governing data collection, storage, and processing be in place in order to

provide the appropriate protections.

Our ability to gather, store, process, and transfer information has significantly increased

because to the advancement of science and information and communication technologies,

which are made possible by computers and other electronic devices. However, it also leaves

us open to more widespread breaches of our privacy. This violation of privacy might also

originate from a personal relationship. It might occur in any of the following ways:

risky of being intercepted; and in this era of cloud computing, where a large portion of our

data, including emails, chat logs, personal profiles, bank statements, and other data, are stored

onOur privacy thus depends on the internal electronic security mechanisms of the far-

off servers of the businesses whose services we consume.Due to their increased vulnerability

to exploitation, minorities, women, the elderly, and children's privacy are particularly

vulnerable in this digital age, and • the management of data online has given rise to new types

49
of annoyances that might compromise anyone's privacy, such as electronic voyeurism, spam

or offensive emails, 'phishing,' etc.

4.2. The Information Technology Act, 2000

As previously mentioned, the offshoring industry and the information technology sector were

the primary focus of India's original data protection legislation plan 334. Due to the gaps in

India's current legal system, there have been several cases of in response to increasing

international pressure and instances of data theft, India passed .

The IT Act continues to be the cornerstone of the many Indian legislation intended to

safeguard a society supportive of the cause of data protection. The IT Act largely regulates

the issues mentioned above, which led to the emergence of a data-driven culture in India with

the growth of the IT sector. The Act has undergone many amendments to date in response to

the constantly changing threats that the development of technology poses to data security.

This section will address the current Act provisions in order to examine the current Indian

data protection system.Within its system, the IT Act defines "data" according to a traditional

meaning focused on e-commerce. The original legislative aim behind the clause is implied by

the focus on computer and other types of memory storage. Furthermore, it should be

mentioned that in the wake of later rules, the limited definition of term data has had

significant modifications

"(o). They can be stored internally in the computer's memory or printed out on a computer, as

well as on magnetic or optical storage media, punched cards, punched tapes, and computer

printouts. “The IT Act's purview seems to be limited to e-commerce operations, and the

Indian legal definition of data was primarily intended to further .

The fact that there is any law in existence in India can be attributed to the subsequent
50
 amendments that were brought in the IT Act. The two most notable pillars of the data

protection scheme in the country are Section 43A and Section 72A of the Act.

Indian conceptions of privacy and informational self-determination differ greatly from those

of data protection. The following amendments made to the IT Act are responsible for the

existence of any laws in India today of the Act are the two most significant foundations of the

nation's data protection program. The cyber contraventions and cyber offenses are the two

main categories into which the Indian data protection system may be divided. Even so, the

cyber protocols.338

Cyber violation includes breaking the rules outlined in this section. The word "convention" is

notable for being extremely narrow in its definition, encompassing any unjustified inference

into an individual's informational privacy by an unlawful breach into data held on a computer

or computer network. Chapter IX of the IT Act is the cornerstone of codified Indian data

protection legislation. The Information Technology Act of 2000's Section 43 stipulates the

data controller's obligation in the event of a breach.

(i) 43A Compensation for Data Protection Violation. -If a corporate entity owns, controls, or

operates, the corporate entity shall be liable to compensate the individual in question for

damages. Justification. With respect to this section, -

(ii) "body corporate" refers to any organization of people involved in business or

professional activities, including firms, sole proprietorships, and other associations;

(iii) "reasonable security practices and procedures" refers to security measures intended

to guard against.

(iv) Specified in any law currently in force, between the parties, or in the absence of such

an agreement or any law; (iii) "Sensitive personal data or information" refers to any personal
51
 data that the Central Government may prescribe after consulting with any organizations or

professional bodies that it may see fit

(v) .As implied by the language of the provision, the Section aims to penalize body

corporates that deal with, possess, and handle sensitive data but neglect to maintain and

implement reasonable security measures. Should this lead to an individual's wrongful gain or

loss, the body corporate in question will be responsible for compensating the individual for

damages. The Indian Penal Code's concept of unjust gain must be used while interpreting the

term.

(vi) From a cursory reading of the passage, it is clear that the obligations are limited to the

body corporates, which includes businesses, corporations, proprietorships, and other divisions

of groups of persons. The fact that the people are spared from the harsh penalties outlined in

the provision does indicate that the legislature's primary goal in establishing the stated section

was to target corporations that handle the processing of personal data. However, the author

believes that the provision's scope and ambit are extremely limited, and the following

prerequisites must be met in order for the criminal penalties to apply.

(vii) The information in question needs to be sensitive.

(viii) A body corporate must be the owner and operator of the computer resource handling

the data.

(ix) There must be a lack of adequate security standards and the corporate body cannot

handle the data carelessly.

Above all, there must have been unjust gain or wrongful loss as a consequence of the

carelessness., which protects privacy under contractual relationships, in addition to a very

52
restrictive provision that aims to prevent breaches of informational privacy in non-contractual

relationships.

In response to the 26/11 Mumbai assaults, India enacted the IT (Amendment) Act, 2008

(ITAA 2008), which established a robust data protection framework. It resolves data

protection issues raised by the sector and, among other things, establishes a more foreseeably

structured legislative framework with provisions for cybercrimes and data protection.

Corporate entities are expected to secure sensitive personal information of customers stored

in digital environments using acceptable security measures.

Furthermore, the ITAA 2008 mandated that they safeguard data in accordance with valid

contracts by establishing fines for privacy and confidentiality violations.

4.3. Information Technology (Reasonable Security Practices and

Procedures and Sensitive Person Data or Information) Rules, 2011

The Ministry of Communications and Information Technology created the "Information

technology (Reasonable Security Practices and Procedures and Sensitive Person Data or

Information) Rules, 2011" in 2011 as a result of using the authority granted by section 43 A

of the Act to periodically enact new regulations. It would be excellent for us analysis to

quickly review some of the rule's pertinent sections

Although the guidelines mostly preserve the definitions of the IT Act of 2000, they also close

some of the Act's main gaps, attempting to provide a viable framework for data protection

laws that would safeguard people' information privacy. The definition of "sensitive data" is

one of the most important improvements to the Rules.

The Rule is fairly broad in its wording and includes nearly any information that, in the event

of a breach, might directly affect a person's right to privacy. The rule's proviso does,
53
however, exclude material that is already in the public domain from the category of sensitive

data.

The need for the supplier of the sensitive data to grant their consent is embodied in the

obligation to get that consent. Additionally, the regulation stipulates that data must only be

gathered for legally authorized purposes. These regulations also acknowledge the well-

established principles of data protection, such as the rights to fairness in processing, purpose

limitation, and the.Apart from these fundamental guidelines, the regulations mandate that

corporations that gather confidential data have a strong privacy policy and implement

appropriate safeguards to ensure the security of the individuals' private information.

Nonetheless, the regulations give the government carte blanche to disregard any data privacy

norms and grant access to law enforcement and the government to individuals' sensitive

personal information without the individuals' agreement.

Furthermore, the central government appoints adjudicating body346. A strong data protection

framework in India is still a pipe dream since there is no independent adjudicating body in

existence and no safeguard against potential government violations of the right to privacy.

4.4. Privacy in the Health Sector

It is irrefutable that a. Constitutional courts in India and other countries have consistently

maintained that disclosing medical information might result in an unjustified intrusion into an

individual's personal space, severely upsetting that person's peace of mind. declared the

following, emphasizing the value of informed self-determination in cases involving medical

histories:

“In addition to a contract, a right to privacy may also result from a particular connection,

54
such as a business partnership, marriage, or even a political one. As was previously said, the

doctor-patient relationship is essentially commercial, but it is also a professional matter of

confidence. As such, doctors have an ethical and moral obligation to safeguard patient

confidentiality.

Under such circumstances, making even factual private information publicly available might

violate someone's right to privacy and can result in a conflict between one person's "right to

be let alone" and another person's right to information. Even genuine private information

disclosed has the potential to upset someone's peace of mind. It can cause him to develop a

lot of complexes and possibly develop psychiatric issues. After then, he could lead a chaotic

existence for the rest of his life

In the most straightforward language possible, this precedent-setting decision from the

Honorable Supreme Court establishes the prohibition on disclosing even accurate medical

history information about a patient without that patient's consent. Health-related data is even

classified as sensitive data by the SPDI Rules, 2011, which means that it cannot be shared

with a third party without authorization. On the other hand, hospitals are required under the

Clinical Establishment Rules, 2012 to keep an electronic record of their patients' medical

histories.

However, because the regulations are not applied to public entities, government-run hospitals

are free from all of them, giving them a reputation for protection against unjustified invasions

of individuals' private rights.

4.5. Existing Surveillance Regime in India

The limitations that the proposed data protection law in India aims to place on the breadth

and depth of the right to privacy are its most important feature. Since the subject of law is

55
still extremely young, it will take some years before the courts develop a clear methodology

for determining the boundaries of when and how the right to privacy can be used. Without a

doubt, the Puttaswamy ruling will launch a system that will significantly protect the privacy

of billions of Indians' personal information. It would be incorrect to assume that Puttaswamy

marks the end of the effort to protect citizens' private information; rather, it marks the

beginning. We are now worried about the ruling in Puttaswamy, how the court justified it,

and how this may affect India's future data protection laws.

.It should be mentioned that the nature of the right to privacy was the main point of argument

in the Puttaswamy case between the petitioners and the defendants. Is there an unrestricted

right to privacy, or does it include certain built-in restrictions? What are the imitations, and

how does the court defend them if it isn't absolute? Although the legislation on the matter is

still in its infancy, the Puttaswamy does offer a model.to ascertain the circumstances that

warrant the state's invasion of privacy. The next portions of our debate will aim to delve more

into the subtleties of the restrictions imposed on the right to privacy by the SC. This is the

most crucial aspect of the problem as, even while the government is likely to acknowledge

that citizens have a fundamental right to privacy, it will undoubtedly hunt for other

justifications for interfering in people's private lives.The Data Protection Bill, 2019 has been

sent to a select committee, which is unlikely to change the draft bill's "exemptions" section.

4.6. Privacy and Surveillance

The lack of explicit or even implicit reference of privacy in the constitution's text or in the

deliberations of the Constituent Assembly is the biggest obstacle to the acceptance of the

right to privacy in the Indian constitutional structure. The Indian courts have only been able

to identify the right to privacy in the constitution by means of a functional and structural

interpretation of its provisions. It is hardly unexpected, then, that it has taken more than 60
56
years for Indian courts to acknowledge that an individual's private rights are fundamental to

their rights...”[i]f India wants to avoid coming out as an authoritarian state, it must be open

and honest about who will be allowed to gather data, what information will be gathered, how

it will be put to use, and how the right to privacy would be upheldRegrettably, the impending

data protection regime unintentionally allows enforcement authorities to access individuals'

personal information, which is exactly what it should not have done.

The fact that the constituent assembly summarily rejected the inclusion of any such

protection in the Indian constitution, and this understanding of the right to privacy under the

fourth amendment served as the only source of guidance—or rather, misguidance—for the

Indian courts for years. This rejection had a significant impact on the development of the data

protection regime in India for years. M. P. Sharma and Others v. Satish Chandra was the first

case in which the Supreme Court had the opportunity to consider whether a right to privacy

existed within the context of a right to property.The SC cited many rulings from the US

Supreme Court to consider the legality of the state's intrusion and adoption under the Indian

scheme. The court determined that: Despite rejecting the acceptance of spatial privacy in the

context of governmental search and seizure

"In any system of jurisprudence, the State's power of search and seizure is paramount for

safeguarding social security, and it is inevitably subject to legal regulations." We have no

basis to import a fundamental right to privacy—which is comparable to the American Fourth

Amendment—into a completely different fundamental right through a process of strained

construction when the framers of the Constitution saw fit to exempt such regulation from

constitutional limitations

It is evident from this that the court declined to incorporate the fourth amendment into the

constitutional framework for two reasons. First, it adopted the originalist approach and just
57
refused to include the fourth amendment in the Indian plan on the grounds that the

Constituent Assembly had not included it. The second rationale was more of a defense

predicated on the idea that the state could have the authority to search and seize in order to

protect social security.

This idea, however, was short-lived, since the Supreme Court quickly established a

completely different definition of the scope of the right to privacy in Kharak Singh v. State of

UP. The matter at hand was to an administrative directive that aimed to grantthe authority to

search and seize property from police officers on historical sheeters' homes. The court

continued to consider the legitimacy of this restriction based on Article 21 of the Constitution

even though, as an executive order, it would not be considered a law under Article 13 of the

Constitution. Based on the preamble's use of the word "dignity," the SC observed that an

arbitrary incursion into someone's house would rob them of their dignity and mental serenity.

. The court essentially acknowledged that following a person's activities did in fact breach

their right to privacy, even if it declined to interpret this as one of the core liberties protected

by the constitution. Judge Subba Rao, on the other hand, established a connection between

privacy and personal freedom and concluded that:While the right to privacy is not

specifically stated as a basic right in our Constitution, it is still a necessary component of

individual freedom. Domestic life is sacred in any democratic nation; it should provide him

with security, tranquillity, pleasure, and relaxation. When everything else fails, a person's

home, where they reside with their family, serves as their "castle" and barrier against

intrusions on their personal freedom

It is important to highlight that Justice Subba Rao displayed remarkable judicial innovation in

his dissenting opinion by interpreting the right to privacy in both Article 19 and the right to

life and liberty. "Be free from restrictions or encroachments on his person, whether those
58
restrictions or encroachments are directly imposed or indirectly brought about by calculated

measures," he said, emphasizing the word freely.He rejected the idea that the right to free

speech and expression is an abstract idea without any psychological foundation, but he

refused to omit the aspect of privacy from these rights:

We have arrived at the conclusion that Art. 19 (1) (d) of the Constitution, when combined

with the freedom of speech and expression, must only apply to bodily movements.

Undoubtedly, the act of spying imposes limitations on the aforementioned freedom. It cannot

be argued that the aforementioned freedom would just uphold the procedures of speech and

expression and lack any subjective or psychological substance.

One may argue that Kharak Singh represented the hesitant acceptance of the "individual"

oriented understanding of the right to privacy. One may argue that this case did bring to light

some of the most urgent issues with India's current monitoring policy. To understand the

characteristics of the current surveillance system in India, a quick review of the cases that

followed is required before going into the difficulties that are similar in the current situation

and those that the court addressed or neglected to address in Kharak Singh.

Courts will safeguard innocent citizens' phone conversations against improper or haughty

intervention by listening in on the call. The guilty are not the ones who are protected. It

should not be interpreted as meaning that the courts will accept measures that put citizens'

safety at jeopardy in order to allow the police to act in an illegal or unusual way. There isn't

currently an illegal or unethical way to get the conversation's tape recording.

It should be noted that the clause fully supported the idea that even the most little information

about a person's medical history might be harmful to their dignity and thus require further

protection. At this point, the ruling in Mr. X v. Hospital Z is relevant since the SC

emphasized that the clause has been acknowledged in both text and spirit.,
59
"Private facts may constitute an infringement on one's right to privacy, which may

occasionally result in a conflict between one person's "right to be let alone" and another

person's right to information." Even genuine private information disclosed has the potential to

upset someone's peace of mind. It might cause him to develop several complexes and

possibly even psychiatric issues

With the post-Puttaswamy period law on phone tapping and surveillance, the Bombay High

Court was given the chance to rule in 2019 by applying the principles of the right to privacy

to section 5(2) of the IT Act.Regarding the interception issue in the Vinit Kumar Case, the

High Court decided as follows: An The IT Act's section 5(2) only permits orders of

interception to be granted in "public emergency" or "public safety" situations. The

aforementioned intercepted messages must be deleted if the interception was done in

violation of Section 5(2) of the IT Act.

The BN Srikrishna committee report states that "the Puttaswamy test of necessity,

proportionality, and due process should not be passed without a degree of transparency being

followed in the surveillance process." The investigation made clear that, when it comes to

monitoring, the state must follow the guidelines established in the Puttaswamy ruling.

We will first go into great length in this part on the guidelines established by the Indian

Supreme Court that must be adhered to when denying someone their fundamental rights. The

Puttaswamy ruling recognized As such, the state agencies that are allowed exemptions from

these constitutional safeguards must meet the criteria outlined in the ruling.

Indian courts have customarily employed distinct standards to ascertain the boundaries within

which individuals' rights might be curtailed. The Supreme Court has developed three

standards throughout the years to determine whether the limitation of basic rights is

appropriate. We will now have a quick review of these criteria in order to assess if the current
60
bill's provisions, which aim to exclude the agencies from applying the Act's safeguards, can

pass muster with the standards established by legally binding judicial decisions.

In the Puttaswamy majority ruling, the proportionality test was interpreted in a way that was

specific to the Indian constitutional framework. In assessing the degree of privacy violations,

Indian courts will apply the theory of proportionality in the upcoming days and the

constitutionality of the provisions providing for. While the Puttaswamy judges' understanding

of proportionality differs from other jurisdictions around the globe, it is important to note that

the judges thoroughly examined the test's design before changing the current standards for

privacy infringement.

The validity of the objective for which the action is being done is the subject of the test's first

component. A sensible relationship between the methods and the desired outcome is

necessary for the second component to be met. The third component, often known as the need

stage, stipulates that there must be no less restrictive option that is equally effective in

achieving the objective.

.The last phase, referred to as the "balancing stage," calls for the government action to not

disproportionately affect people' rights. Citing a passage from Professor Bilchitz's thesis, the

Supreme Court has clarified that, in order to determine whether a policy is necessary, it must

first identify all potential alternatives to the government's adopted policy. Only then can it

investigate whether these measures could be a viable alternative.

.The less restrictive alternative policy ought to be chosen if it can actually and significantly

accomplish the goal that the government is trying to accomplish.

4.7. Findings

61
This chapter's examination focused on the many aspects of India's current data protection

laws. A cursory examination of the laws now in effect and previous rulings paints an

extremely negative image of the nation's data protection framework. It must be acknowledged

that the notion of acknowledging the right to privacy as a separate right that might be linked

to dignity and the rights to life and liberty was not well received by the Indian populace as a

whole, including the constituent assembly.

In accordance with the same logic, it took the Indian Constitutional Courts more than 70

years to acknowledge that the Indian Constitution had a separate right to privacy. Regarding

data security, the Indian legislative first addressed the rising number of cases of fraud and

data theft in the rapidly expanding Indian sector of information technology. India's data

protection laws are extremely lax since the Information Technology Act, 2000 was enacted

primarily to combat the rising threat of cyber fraud rather than to address data protection

issues.The researcher has examined these laws' various provisions in order to assess how

effective India's current data protection laws are.

a) Indian data protection laws have a relatively weak stance on data protection and lack

enough safeguards

b) The Indian data protection regime does not incorporate the internationally recognized Data

Protection Principles.

b) Given that the State is the entity that processes data the most, the legislation need to

provide adequate protections against the potential for the, it is difficult to prevent unjustified

data breaches by the government and its agencies.

d) There is an urgent need to advance a paradigm change in the approach of the legislative to

provide the ownership of data to the data principals, since there are now insufficient

62
mechanisms to ensure and enforce the data protection standards. e) To defend people's rights

against data breaches, India needs to establish an impartial Data Protection Authority. At the

moment, there isn't The executive staffs the clause requiring the creation of a data protection

authority and oversees the whole system for resolving data breach claims.

e) There is a need to incorporate laws controlling social media intermediaries and data

localization because the current data protection framework in India places little focus on data

security measures. f) The Information Technology Act of 2000 is unfavorable to the rights of

data principals because it places several obstacles in the way of the implementation of the

right to compensation for data breaches.

f) The fundamental tenets of data protection—such as the right to erasure, the right to

informational self-determination, the right to informed consent, the right to be forgotten, etc.

—are absent from the current framework.b) The current framework excludes minors from the

definition of personal data and provides no protection for their data.

h) Because the responsibilities of data processors are severely limited, it is very challenging

to get the remedies that the current laws have established.

63
 CHAPTER 5:

COMPARATIVE STUDY OF THE DATA PROTECTIONREGIMEININDIA

WITHREFERNCETOEU,US

5.1. Introduction

Comparing India's data protection legislation with those of the European Union, the US, the

UK, and several of the BRICS nations would be the main goal of the study. In order to create

a synergy between the study effort and the practicalities, the researcher has opted to compare

the peace-meal law that now governs data protection in India withthe complete text of the

proposed Indian data protection laws.

It's safe to assume that India's current data protection regime is nearing its end, and within the

next year, a completely new one may take its place. For this reason, it's critical to monitor

how the nation's data protection laws are evolving. With this normative consideration in

mind, the researcher will contrast some of the most important features of Indian data

protection regulations with those of the US, UK, and EU.

5.2. Scope of The Indian Data Protection Laws in India and Elsewhere

The goal of the GDPR's passage is outlined in over 168 recitals in its incredibly long

preamble . The recitals acknowledge the basic right to privacy in the clearest possible terms

while outlining the need of adopting the measures. Similarly, "An Act to make provision for

the regulation of the processing of information relating to individuals; to make provision in

connection with the Information Commissioner's functions under certain regulations relating

to information; to make provision for a direct marketing code of practice; and for connected

purposes" is what the preamble of the UK Data Protection Act reads.

64
It is said that a bill's preamble establishes the general direction and voice of the law, and that

it serves more than just as a formality. It is also a primary source used by judges to interpret

any law's requirements. Therefore, it is essential that the preamble includes a wide range of

auxiliary goals in its description without straying from the spirit and core of the law.

Nonetheless, the right to privacy is never mentioned once in the preamble of the IT Act 2000.

The goal of the so-called Personal Data Protection Bill, 2019 is to establish a strong data

protection framework in the nation that would grant citizens the right to their personal data.

For this reason, it is imperative that the law's preamble clearly state the goals for which it is

being brought. Additionally, it states that protecting personal data is required by the

constitution and is "an essential facet of informational privacy."

It should be noted that, in contrast to the GDPR, the preamble of the proposed Indian Act

promotes digital governance and the digital economy rather than emphasizing the value of

informational privacy. It also acknowledges that data has become a vital communication tool

in the digital age and should be protected to a higher extent. However, it is concerning that

too much emphasis is placed on advancing the digital economy at the expense of

safeguarding individuals' right to privacy.

The bill, among other things, aims to establish a comprehensive framework for the creation of

a data protection regime that does not acknowledge the data principal as the owner of their

data, but rather guarantees the implementation of structural and technical safeguards to

control the processing of personal data and prevent its unauthorized use. To achieve these

goals, the proposed bill also aims to create a data protection authority, but neglects to

emphasize the degree of autonomy provided to the authority . An ideal preamble of a data

protection law in a country like India should have been liberal in its approach towards

highlighting the importance of protecting the right to informational self-determination

65
because the data protection regime in that country is still in its infancy and there are no

judicial precedents (apart from Puttaswamy) that we can rely upon.

.. India lacks the benefit enjoyed by the European Union, where a substantial body of data

protection jurisprudence has already been produced by the judiciary. The preamble of the

proposed bill, however, makes no mention of the admirable goal of prioritizing the rights of

the data principals over any other aspect of data processing. In contrast, even the various US

laws attest to the provision of an adequate degree of protection to citizens' right to privacy.

The proposed measure prioritizes innovation and the development of a digital economy over

the preservation of individual rights. It is argued that the absence of a clear mention of

protecting data subjects' rights from state intrusion in the bill's preamble, given that the state

serves as the data controller in the vast majority of these cases, could be harmful to efforts to

establish a strong data protection framework.

In contrast to the GDPR, the measure as it stands now offers the explicit ways in which the

goal of advancing the data protection system is intended to be accomplished.

The data's economic component takes precedence over the data principals' rights. A data

protection regime that treats citizen data more as a tool of commercialization is indicated by

the preamble's disregard for the need to establish an open surveillance regime that would be

subject to the rule of law, as well as its excessive emphasis on fostering a digital economy

and "ensuring empowerment, progress, and innovation through digital governance."

.It is recommended that the fundamental component of the proposed data protection regime

be the bill's inclusion of the idea that the data principal is the genuine owner of their data and

that their right to informational self-determination and decisional autonomy falls under its

purview. Although the government's strategy may be focused on developing the digital

66
economy and digital governance, these goals shouldn't be permitted to take precedence over

the more important goal of defending the right to privacy.

The pledge of protection against governmental intervention in an individual's private sphere

and the case for surveillance reform in India should be made clear in the preamble. When

comparing the preamble of the law to that of the GDPR, it becomes clear that there are

inherent weaknesses that have existed.

5.3. ApplicationofActtoProcessingofPersonalData.

Individuals' personal information is not protected in any way by the Information Technology

Act of 20000 or the SDPI Rules of 2011 unless it is considered sensitive information.

Notably, the Telegraph Act addresses several issues of informational privacy. The Telegraph

Act and Rules, which include clauses that make illegal communication interception illegal

and punishable. Moreover, telecom service providers' (TSPs') licensesTSPs are required by

this Act to take precautions to protect their customers' privacy and communication

secrecy.427 Furthermore, governmental institutions are exempt from the Act's restrictions.

The Act's application is both extraterritorial and territorial, and it also covers organizations

located outside of India if their processing of personal data involves any particular activity or

business conducted in India. Regarding how the act is applied, the GDPR's scope, US data

protection regulations, and the UK Data Protection Act are comparable. The following

situations will result in the Act's provisions being applicable:,

Even if the proposed law eliminates many of the significant shortcomings of the prior

application of the rules to non-sensitive personal data, there are still several gaps that make

the forthcoming data protection regime less effective than the GDPR at protecting

individuals' right to privacy. Among the strangest features of theThe proposed measure would

67
exclude "non-personal" data from the Act's protections, giving the Central government the

right to refuse these data's access to the Act's safeguards. It is argued that the phrase "non-

personal data" has a very ambiguous and misleading meaning. It is argued that legislation

aimed at safeguarding citizens' personal information and establishing a robust data protection

framework should not allow for the infringement of informational privacy through the use of

provisions such as "non-personal" data. and excluding them from the proposed Act's

applicability. Artificial intelligence and widespread technological advancements have made it

possible to turn data that lacks characteristics of a specific individual into personal data. It is

argued that one shouldn't completely rule out the potential of non-personal data being

misused. However, no such categorization is provided by the GDPR, the US Privacy Act, or

THE UK Data Protection Act.

5.4. Personal Data ,Non-Personal Data and Sensitive Data

And disqualifying them from the application of the proposed Act. Data without particular

individual traits may now be transformed into personal data thanks to artificial intelligence

and other technology advancements. There is a contention that non-personal data misuse

should not be entirely ruled out. Nevertheless, neither THE UK Data Protection Act nor THE

US Privacy Act offer any such classification.

5.4.1. PersonalData

The proposed bill and the GDPR define personal data nearly identically; however, the Indian

approach is weaker since it includes the idea of non-personal data. According to the Draft

Bill, the terms "personal data" and "non-personal data" are clearly defined, and sensitive data

is also distinguished. The definition of personal data in the proposed bill is predicated on the

same logic, as the study heavily drew from Puttaswamy's observations and argued that the

68
"sphere of privacy includes a right to protect one's identity." According to the bill's proposed

language

"Personal data" is defined as information about or pertaining to an identifiable natural person,

either directly or indirectly, based on any feature of their identity, whether they are found

online or offline, or by combining those features with other information. It also includes any

conclusions that are made about them for the purpose of profiling.

The word "personal data" has been interpreted extremely broadly, encompassing any

personally identifiable information that can be used, directly or indirectly, to identify a real

person. It also includes in its purview all information that, when put together, can be linked to

any feature or attribute of a real person..The BN Srikrishna Committee report, which

recommended that a "flexible definition" of personal data be outlined in legislation, is

supported by the proposed bill. The study also made it clear that the flexible definition must

be compatible with new technological advancements that might change the data categories

while maintaining sufficient certainty.

The construction of an identifiability-cantered definition of personal data necessitates a

thorough understanding of how its scope is contingent upon the context in which the pertinent

data is being processed. In light of this, we think that a wide and accommodating definition of

personal data needs to be implemented.

The proposed law incorporates all of the committee's recommendations about the parameters

of the definition of personal data. It is noteworthy that the committee's proposals have been

seriously considered by the legislature in defining personal data. There are rumors that the

planned Indian law and the GDPR have a similar definition of personal data. Legal

precedents in the United States seem to be moving in the same direction.

69
5.4.2. Sensitive Data

Only sensitive personal data is granted protection under the IT Act of 2000 and the SDPI

Rules of 2011. In Puttaswamy, the Supreme Court upheld increased protection for data that

directly affects an individual's fundamental characteristics, even as it acknowledged the

dignity inherent in the right to privacy under the constitutional framework. The BN

Srikrishna Committee report emphasized the necessity for distinct definition of specific types

of personal data, stating that they "may be likely to cause greater harm, or harm of a graver

nature."

Rama Vedashree states that the "concept of Sensitive Personal Data is primarily used for

providing higher level protection to the data subject against instances of identity-driven harm,

discrimination, and profiling." Sensitive information is defined under the proposed measure

to include genetic, biometric, and health-related data.information related to caste, religious

belief, sex, sexual orientation, political affiliation, caste, intersex status or any other officially

identifiable information.

5.4.3 .Financial Data

The United States' Fair Credit Reporting Act (FCRA)439 requires credit rating organizations

to ensure the confidentiality of consumer financial information while also providing a high

level of security for individuals' financial data. Additionally, as required by the Act, credit

agencies must notify clients of any data that may be used against them.. “Lenders have a duty

to tell customers of any information used against them. This offers the consumers a chance to

know and, if feasible, contest the information. Additionally, the Act requires rating agencies

to notify customers about the specifics of the information. Ensuring the secrecy of the data is

one of the many ways the FCRA works to protect consumer privacy.”.

70
5.4.5. Health Data

The HIPAA regulations give sufficient security for sensitive data pertaining to the right to

privacy..However, there is a discrepancy in the laws regarding the validity of the processing

of health data, as we have seen in the Medical Council of India's numerous rules, the SDPI

Rules, 2011, and the IT Act 2000. Even though medical history data is classified as sensitive

data by the SDPI Rules, 2011, there is still a significant risk of privacy breach since the

restrictions are not applied to government institutions.

Extensive body of rulings has also demonstrated how crucial it is to adequately safeguard

personal health information in the EU441. The proposed bill includes a fairly thorough

description of the health data and proceeds cautiously in including all relevant information

about an individual's medical history.

It should be noted that the clause fully supported the idea that even the most little information

about a person's medical history might be harmful to their dignity and thus require further

protection. Right nowat this point, the ruling in Mr. X v. Hospital Z443, in which the SC said

that the clause had been accepted in text and spirit,

"Private facts may constitute an infringement on one's right to privacy, which may

occasionally result in a conflict between one person's "right to be let alone" and another

person's right to information." Even genuine private information disclosed has the potential to

upset someone's peace of mind. It might cause him to develop a lot of complexes and

possibly even psychiatric issues

The proposed measure provides a higher level of security for health-related data by

classifying it as sensitive data. The purpose of the bill is to address the present gap in the

security of sensitive medical data, which is now covered by IMC regulations that are

insufficient to provide effective protection and safeguards..Additionally, the current data

71
protection framework provides no protection at all for personal data in public sector medical

facilities. However, the Preamble of the proposed law states that this would no longer be the

case, meaning that the public sector will also be subject to similar protections.

5.5. Data Anonymization

The current Indian data protection laws provide very little guidance on the presence of an

anonymized data policy. There are no requirements for data anonymization under either the

SDPI Rules 2011 or the Information Technology Act of 2000. However, there is a wealth of

well-developed global law regarding the principles of data anonymization. However, the

GDPR also states that anonymized data that cannot be restored to its original form should not

be free from the regulations' obligations.

.The data anonymization concept is incorporated into the proposed bills to alter the

characteristics of the personal data. in accordance with the suggestions made by the B N Sri

Krishna committee, which recommended following the data anonymization principle in order

to prevent the improper use of personally identifiable information. The Act gives data

anonymization a wide scope and stipulates that:

The data anonymization concept is incorporated into the proposed bills to alter the

characteristics of the personal data. The Act provides broad guidelines for data

anonymization and states that:

Although the idea of data anonymization is not unique to any one data protection legislation

in the world, the state's intricate network of betrayal in handling personal data most definitely

is. In the first place, the proposed bill makes the unscientific assumption that any processor

will be forced to share anonymized personal data in order to improve service targeting,

72
despite the possibility that such data may become de-anonymized in the future due to

technological advancements.

In layman's words, this means that the central government can demand that the data

fiduciaries provide the citizens' anonymized, non-personal data in order to support evidence-

based policymaking and improved service targeting. It is argued that a thorough definition of

anonymized data and non-personal data is absent from the draft statute.

Additionally, the method by which the non-personal, anonymized data might become

personally identifiable data is disregarded by the law. The ability of the central government to

force data fiduciaries to provide information in these categories for evidence-based

policymaking and more precisely targeted services is as concerning448. Justice

Chandrachud's dissenting opinion in the adhaar judgment had also expressed doubts over

the irreversibility of the anonymized data.

5.5.1. Points of Concern

The potential for anonymized data in particular and non-personal data in general to be

converted into personally identifiable information is the most urgent worry. Although

analysts worldwide have consistently expressed doubts regarding the irreversibility of

anonymized data, the bill introduces an additional avenue for introducing uncertainty into the

data protection regime by involving non-personal data, even as it ignores these concerns.

.. The researcher would want to state up front that terms such as non-personal data were not

needed at all and should not be included in a data protection framework. It is quite possible

that the Central government would use the gap to violate peoples' privacy about their

personal information, as will be mentioned in the upcoming chapter.

73
The potential for reversibility is the most serious issue raised by the so-called anonymized

data. It should be mentioned right away that the Bill's definition of anonymized data is

incorrect. The clause should clearly state that in order for data to be considered anonymized,

"all the means likely reasonably to be used" to identify a natural person must no longer be

able to be used to do so

The laws leave it up to the Data Protection Authority to define the standards for determining

the standards of data rather than developing an impartial and healthy standard for identifying

the nature of data. Invisibility. Furthermore, there are risks involved in the anonymization

process. It should be highlighted that over time, non-personal data in the existing

environment may take on the characteristics of personal data.

Thus, it can be seen that the legislature has left open a broad loophole through which

personally identifiable information may evade the implementation of the data protection

legislation and endanger individuals' basic rights by disguising it as non-personal and

anonymized data. The ability of the federal government to designate data as sensitive data is

another unsettling feature of the law; this will be discussed in more detail later.Nonetheless,

the legislature's disregard for the dangers associated with drawing a clear distinction between

personal and anonymized data raises grave concerns over the efficacy of the proposed data

protection framework.

Regretfully, Justice Chandrachud's objections to the biometric data's uniqueness are

disregarded by the Personal Data Protection Bill, 2019, which defines biometric data as

information that "allows or confirms the unique identification of the individual." The

proposed bill's definition stipulates that:

“Biometric data refers to any similar personal information obtained through measurements or

technical processing operations performed on the physical, physiological, or behavioural

74
traits of a data principal that permit or validate that natural person's unique identification; this

includes fingerprints, iris scans, and facial images;

”The underlying assumption of the proposed bill's definition of biometric data is that it only

refers to information that permits the verification of a natural person's identity. By doing this,

the proposed measure effectively opens the door for the exclusion of a significant amount of

personal data under the guise that it lacks sufficient information to establish an individual's

identity. However, the bill incorporates biometric data under the definition of sensitive data

in accordance with the committee's recommendations, which calls for a higher level of

security for such data.

5.6 Conclusion

Numerous problems that still afflict the Indian data protection framework have been brought

to light by the comparative study of the data protection regimes in India, the United States,

the United Kingdom, and several of the BRICS nations. Even the planned data protection

framework does not offer a solid firewall against the unauthorised incursion inside the

citizens' private sphere, despite the fact that the State and its agencies are totally exempt from

the present data protection law in India.

The following points summarize the primary distinction between the approaches used in the

analysis by the participating nations and Indiana: The proposed Personal Data Protection Bill

2019 aims to narrow the current gap by implementing the fundamental data protection

principles, even if India's current data protection laws are far from meeting international best

practices.

A significant divergence from the basic characteristics of the data protection legislation of the

nations under consideration illustrates an effort by the lawmakers to exclude the central

75
government's agencies from the act's requirements. The proposed Indian law contains

extensive exemption clauses, in contrast to the GDPR and the UK Data Protection Act, 2018

which grant government bodies relatively narrow grounds of exemption.

The way in which the rights granted by law are enforced is yet another noteworthy

divergence from the Indian approach to data protection. The safeguards against the state and

its agents are rendered inapplicable.

CHAPTER6:

CONCLUSIONS AND SUGGESTIONS

6.0. Introduction

Some of the most important problems that jeopardize India's chances of becoming a secure

jurisdiction for data protection have been brought to light by the talks in the preceding

chapter. To address the current shortcomings in the draft bill, this chapter effectively

incorporates the recommendations that might be included in the proposed Personal Data

Protection Bill, 2019.

76
The study's six chapters, which cover the many facets of data protection laws in India and

elsewhere, have been loosely separated. To arrive at an equitable evaluation of the study

hypothesis, the investigator allegedly categorized the chapters in a way that would facilitate

the best comprehension of the significance of a strong data protection legislation in the

nation.

The main aim of the research was to critically analyze the provisions of the proposed data

protection bill, with the ultimate goal of answering the thesis's hypothesis. After carefully

examining some of the most significant aspects of the proposed law, the researcher came to

the conclusion that the research hypothesis is answered in the affirmative. This conclusion

was somewhat suggested by the discussions in each of the chapters.

It is undeniably true that some of the most important concerns about data protection

regulations in a free and democratic society are not addressed by the Personal Data Protection

Bill, 2019. The researcher will categorically underline the elements of the proposed law in the

following sections that support the conclusions drawn by the researcher in relation to the

hypothesis.

One of the most important elements affecting how the courts will read a piece of law is its

preamble. As a result, having a prelude that is clear and forceful about its goal becomes ideal.

Ensuring the inhabitants of India have the right to privacy regarding their data and developing

a data protection framework that is attentive to even the smallest infringements on that right

should be the main goals of the Data Protection Bill.

The preamble should include a clear government pledge to prevent unauthorized access to

individuals' private information as well as a comprehensive plan for reforming surveillance.

The preamble ought to consider the urgent necessity of raising national understanding of the

77
parameters of the right to privacy and fostering a culture that values privacy. The following

changes are suggested to the preamble of the Data Protection Bill, 2019:

The preamble, which succinctly and substantively includes these goals, will expand the scope

of the rights stipulated in the law. It is argued that policies that promote the digital economy

and place an excessive focus on data's commercial benefits would not advance people's right

to privacy. The promotion of the digital economy should not come at the expense of

protecting people's right to privacy, even though these goals may be incidental to a strong

data protection system.

The prologue has to "call a spade a spade," acknowledge the urgent need for surveillance

reform in the nation, and put forth a plan for a system that would ultimately defend people's

right to privacy. The preamble should unequivocally support the need for the establishment of

a fully independent authority to enforce the basic right to privacy, as well as the imperative of

defending and preserving it under the constitution.

6.1. Conclusion

The chapter provides a summary of the findings from the previous chapters' analysis and

makes recommendations for a solid framework that would serve as the cornerstone of India's

future comprehensive data protection laws. The recommendations include modifying the

draft data protection law's main clauses in order to include internationally recognized data

protection concepts into India's data protection framework.The Chapter addresses the legality

and justification for global data protection legislation. The chapter outlines the components of

an efficient data protection framework with a focus on the necessity of providing sufficient

protection for safeguarding informational privacy.

78
The chapter on "GLOBAL ORGANISATIONS AND THEIR DATA PROTECTION

PRINCIPLES" examines the many data protection principles that are accepted by

international organizations worldwide while also fundamentally outlining the regime's

origins. .The study that was conducted gives the researcher insight into the essential components of a

strong data protection policy in a democracy. In the next chapters, the researcher attempts to develop

the best possible data protection model for the Indian scheme, paying particular attention to the

OCED Principles. • The study has made it possible for the researcher to pinpoint the essential

components of a strong data protection policy. •Numerous problems that still afflict the Indian data

protection framework have been brought to light by the comparative study of the data protection

regimes in India, the United States, the United Kingdom, and several of the BRICS nations.

To get insight into global best practices linked to data protection, a specialized research of the

legislation currently in place governing Union has had one in place for more than thirty years.

thorough examination of its data protection architecture in order to pragmatistically expand

the scope of the topic's analysis.

Indian policy makers regarding the different forms of an ideal data protection regime, of

course with the modifications required to fit Indian society. The goal of the BRICS study on

data protection laws was to draw comparisons between the approaches taken by authoritarian

communist regimes and liberal democracies in this area. The study emphasized the

importance of having a strong data protection framework while also highlighting the

difficulties in maintaining information privacy and advancing global trade.

A thorough analysis of the current laws and court rulings pertaining to the right to privacy

and data protection within the Indian legal system is conducted in the Chapter on Data

Protection Regime in Indian Legal System.The analysis reveals a wide range of shortcomings

in the Indian data protection system, which makes it unable to address the threats to

79
informational privacy resulting from widespread digitalization. It also highlights the fact that

the nation's current laws do not include important data protection concepts.

The proposed Personal Data Protection Bill 2019 aims to narrow the current gap by

implementing the fundamental data protection principles, even though India's current data

protection framework is far from the world's best practices.

A significant divergence from the basic characteristics of the data protection legislation of the

nations under consideration illustrates an effort by the lawmakers to exclude the central

government's agencies from the act's requirements.

These exemptions are quite broad in their scope and application, and the central government

shall be able to exempt any agency from the application of the Act's provisions for offenses

like "preventing incitement to the commission of any cognizable offence relating to public

order.600" The exemption clauses in the Personal Data Protection Bill, 2019 do not follow

the doctrine of proportionality while justifying the non-application of the proposed law's

provisions to any central agencies on the absolutely wide grounds of the sovereignty of India

and public order

To illustrate the fundamental distinctions in the approaches to data protection, the chapter

compares and contrasts the salient features of the data protection laws of India and the three

other regimes. As it tests the research premise, the study reveals significant differences

between the Indian legislative and its counterparts in the study on the legislature's dedication

to establishing a strong data protection framework. • The goal of the research of the data

protection principles of international and regional organizations was to gain understanding of

the common best practices in relation to data protection regulations. .

80
81
 BIBLIOGRAPHY

STATUTES

 Children’sOnlinePrivacyProtectionAct,15U.S.C.6501–6505

 ElectronicCommunicationsPrivacyAct,1986(P.L.99-508).

 FairCreditReporting Act15 U.S.C.§ 1681

 FamilyEducationalRightsAndPrivacyActOf1974,20U.S.C.§ 1232g

 GeneralDataProtectionRegulation(EUGDPR), (EU)2016/679

 Health InsurancePortabilityAnd AccountabilityAct,P.L.No.104-191

 IndianContractAct,1872, No.09,Acts OfParliament,1872. (India)

 InformationTechnologyAct,2000,No. 21,ActsOfParliament,2000. (India)

 IT(Amendment)Act,2008,No.10,Acts OfParliament,2009.·(India)

 PersonalDataProtectionBill,2019,BillsofParliament,2019(India)

 TheAadhaar(TargetedDeliveryOfFinancialAndOtherSubsidies,BenefitsAnd Services) Act,

2016, No. 18, Acts Of Parliament, 2016. (India)

 VideoPrivacyProtection Act,1988Pub.L.100–618

ARTICLES

 Adriana-MariaSandru;Daniel-MihailSandru, Humanitarian Law andPersonal Data

Protection, 2018 PANDECTELE ROMANE 58, 61 (2018).

 Addison Litton, The State of Surveillance in India: The Central Monitoring

82
 System’sChillingEffectonSelf-Expression,14WASH.U.GLOBALSTUD.L. REV. 799, 720

(2015).

 AimeeBoramYang,ChinainGlobalTrade:ProposedDataProtectionLawand Encryption

Standard Dispute, 4 ISJLP 897, 901 (2018)

 AlanF.Westin,PrivacyandFreedom33(1967);AndrewJ.McClurg,KissandTell:

Protecting Intimate Relationship Privacy through Implied Contracts of Confidentiality, 74 U.

CIN. L. REV. 887, 901 (2006).

 Alex B. Makulilo, The Quest for Information Privacy in Africa, 8 JOURNAL OF

INFORMATION POLICY 317, 337 (2018).

 Alina Savoiu&CatalinCapatinaBasarabescu, The Right to Privacy, ANNALS

CONSTANTIN BRANCUSIU. TARGU JIU JURIDICAL SCI. SERIES 89, 101 (2013).

 AndrewJayMcClurg,BringingPrivacyLawOutoftheCloset:ATortTheoryof

LiabilityforIntrusionsinPublicPlaces,73N.C.L.REV.989,999-1002(1995).

 ANNE S. Y CHEUNG, ROLF H WEBER, PRIVACY AND LEGAL ISSUES IN CLOUD

COMPUTING248 (2015).

 Antonio Tavares Paes,Privacy and Data Protection in Brazil,

5J.L. &CYBERWARFARE225, 220 (2018).

 AnupamChander& Molly Land, United Nations General Assembly Resolution on the Right to

Privacy in the Digital Age, 53 INT’L LEGAL MATERIALS 727 735 (2014).

 Asang Wankhede, Data Protection in India and the EU: Insights in Recent Trends and Issues

in the Protection of Personal Data, 2 EUR. DATA PROT.L. REV. 70, 73 (2016).

83
 Asang Wankhede, Data Protection in India and the EU: Insights in Recent

TrendsandIssuesintheProtectionofPersonalData,2EUR.DATAPROT.L. REV. 70, 86 (2016).

 Balla, Stephen J., Administrative Procedures and Political Control of the

Bureaucracy,92AMERICANPOLITICALSCIENCEREV.1998663,670(2012).

 Brandon Faulkner,Hacking into Data Breach Notification Laws,

59FLA.L.REV.1097,1198(2007).

 Brent Snook, Joseph Eastwood, Paul Gendreau, Claire Goggin &Richard M.Cullen,Taking

Stock of Criminal Profiling: A Narrative Review and Meta-Analysis, 34 CRIM. JUST. &

BEHAVIOR 437, 455 (2007).

 BrianGorlick,HumanRightsandRefugees:EnhancingProtectionthrough International Human

Rights Law, 69 NORDIC J. INT'L L. 117, 126 (2000).

 Cheng-Yun Tsang, From Industry Sandbox to Supervisory Control Box:

RethinkingtheRoleofRegulatorsintheEraofFinTech, 2019 U. ILL. J.L. TECH. & POL’Y 355,

360 (2019).

 Daniel Garrie and Irene Byhovsky, Privacy and Data Protection in Russia, 5(2) JOURNAL

OF LAW & CYBER WARFARE 235, 253 (2017).

 DanielGarrie&Irene, Byhovsky,PrivacyandDataProtectioninRussia,

5J.L. &CYBERWARFARE235, 243 (2017).

 David Wallace&Mark Visger, Responding to the Call for a Digital Geneva

Convention:AnOpenLettertoBradSmithandtheTechnologyCommunity, 6 J.L. & CYBER

WARFARE 3, 5 (2018).

84
 DhirajR.Duraiswami,PrivacyandDataProtectioninIndia, 6 J.L. & CYBER WARFARE 166,

169 (2017).

 Dhiraj R. Duraiswami,Privacy and Data Protection in India,

6J.L. &CYBERWARFARE166, 168 (2017).

 Dorothy A. Hertzel, Note: Don't Talk to Strangers: An Analysis of Government and Industry

Efforts to Protect a Child's Privacy Online, 52 FED. COMM. L.J. 429, 441 (2000).

 DOUGLAS N. WALTON, ARGUMENTATION METHODS FOR ARTIFICIAL

INTELLIGENCE IN LAW 150 (2005).

 Elliott, D., Opinions Data Protection is More Than Privacy, 5(1) EUROPEAN DATA

PROTECTION LAW REVIEW 13, 16(2019).

 EricaFraser, DataLocalisationandtheBalkanisationoftheInternet, 13 SCRIPTED 359, 365

(2016) ID.

 Eva Fialova, Data Portability and Informational Self-Determination, 8

MASARYK U. J.L. & TECH. 45, 53 (2014).

 Evans,A.C European DataProtectionLaw. 29THEAMERICANJOURNAL OF

COMPARATIVE LAW 571, 580 (1981).

 FrederikZuiderveenBorgesius,JonathanGray&MireilleVanEechoud,OpenData,

Privacy,andFairInformationPrinciples:TowardsaBalancingFramework, 30 BERKELEY

TECH. L.J. 2073 2097 (2015).

 Gillian Metzger, Designing Agency Independence, (2011) JOTWELL: J. THINGS WE LIKE

141, 145 (2011)

85
 . M. Seervai, The emergency, future safeguards and the habeas corpus case: A Criticism, 21

TEMP. INT'L & COMP. L. J. 103, 111 (2007).

 Hallinan,D.,2019.Opinions∙DataProtectionwithoutData:CouldDataProtection Law Apply

without Personal Data Being Processed?,5(3) EUROPEAN DATA PROTECTION LAW

REVIEW 293, 299.(2019).

 Henry Pearce, Systems Thinking, Big Data, and Data Protection Law, 18EUR. J.L. REFORM

478, 500 (2016).

 HerbertSpencer Hadley,RighttoPrivacy, 3N.W.L.REV.1,5 (1895).

 Ian Walden, Anonymising Personal Data, 10 INT’L J.L. & INFO. TECH. 224, 333 (2002).

 Ilina Georgieva, The Right to Privacy under Fire-Foreign Surveillance under the

NSA and the GCHQ and Its Compatibility with Art. 17 ICCPR and Art. 8 ECHR,

31(80)UTRECHTJOURNALOFINTERNATIONALANDEUROPEANLAW104, 114 (2015).

 JakubMisek,Consent toPersonalData Processing -ThePanaceaor the Dead End,8

MASARYKU.J.L. & TECH. 69, 76 (2014).

 JoanM.Kiel,TheHealthInsurancePortabilityandAccountabilityAct(HIPAA) Implementation

Via Case Law, 20 J. CONTEMP. HEALTH L. & POL'Y 435, 448 (2004).

 Jonathan Miller, S.,How Did You Know That: Protecting Privacy Interests of

ResearchParticipantsviaCertificatesofConfidentiality,17 COLUM. SCI. & TECH. L. REV.

90, 100 (2015).

 JordanJ.Paust,CanYouHearMeNow?PrivateCommunications,NationalSecurity and the

Human Rights Disconnect (2014), 15(2) CHICAGO JOURNAL OF INTERNATIONAL

LAW 612, 625 (2015).

86
 Joseph A Cannataci& Jeanne Pia Mifsud-Bonnici, Data Protection Comes of Age: The Data

Protection Clauses in the European Constitutional Treaty,Information & Communications

Technology Law, INFORMATION AND TECHNOLOGY LAW(Jan 27,

2007),

<https://www.tandfonline.com/action/showCitFormats?doi=10.1080%2F136008304

2000325274>

 Joshua Warmund, Can COPPA Work - An Analysis of the Parental Consent Measures in the

Children's Online Privacy Protection Act, 11 FORDHAM INTELL. PROP. MEDIA & ENT.

L.J. 189, 210 (2000).

 JossWright.RegionalvariationinChineseInternetFiltering.INFORMATION,

COMMUNICATION & SOCIETY 121, 123 (2014).

 JudyMeadows;BobOakley,BalancingAct-ReconcilingPrivacywiththePublic's Right to Know, 8

AALL SPECTRUM 14, 35 (2004).

 KalyaniRamnath, ADM Jabalpur's Antecedents: Political Emergencies, Civil Liberties, and

Arguments from Colonial Continuities in India, 31 AM. U. INT’L L. REV. 209,225 (2016).

 Kenbei Zhang, Incomplete Data Protection Law, 15GERMANL.J.1071, 1081 (2014).

 KevinMcGillivray,Conflictsinthe Cloud:ContractsandCompliance withData Protection Law

in the EU, 17 TUL. J. TECH. & INTELL. PROP. 217, 254 (2014).

 Kevin McGillivray, Conflicts in the Cloud: Contracts and Compliance with Data Protection

Law in the EU, 17 TUL. J. TECH. & INTELL. PROP. 217, 230 (2014).

 LathaR. Nair, Data Protection Efforts in India:Blind Leading theBlind, 4 INDIAN J.L.&

TECH. 19, 27 (2008).

87
 Laura F. Edwards, Rights That Made the World Right, 102 JUDICATURE 15, 20 (2018)

 Lee A. Bygrave,Data Protection Pursuant to the Right to Privacy in Human Rights Treaties,

6 INT'L J.L. & INFO. TECH. 247, 246 (1998).

 Lilian Edwards, Privacy, Security and Data Protection in Smart Cities:

ACriticalEULawPerspective,2EUR.DATAPROT.L.REV.28,40 (2016)

 Lina Jasmontaite, European Union: The European Data Protection Supervisor

(EDPS)Opinion4/2015TowardsaNewDigitalEthics,2EUR.DATAPROT.L. REV. 93, 112

(2016).

 LokkeMoerel;RonanTigner,DataProtectionImplicationsofBrexit,2 EUR. DATA PROT. L.

REV. 381, 388 (2016).

 LotharDetermann&ChetanGupta,India'sPersonalDataProtectionAct,2018: Comparison with

the General Data Protection Regulation and the California Consumer Privacy Act of 2018,

37 BERKELEY J. INT'L L. 481, 501 (2019).

 MahendraPalSingh,TheConstitutionofIndia:AContextualAnalysis,14SOCIO-LEGALREV.

228,229 (2018).

 MAJABRKAN,EVANGELIAPSYCHOGIOPOULOU,COURTS,PRIVACY

ANDDATAPROTECTIONINTHEDIGITALENVIRONMENT232(2017)

 MarcChaseMcAllister,ModernizingtheVideoPrivacyProtectionAct,25GEO. MASON L. REV.

102, 108 (2017).

 Maria Tzanou, Data protection as a fundamental right next to privacy? ‘Reconstructing’ a

not so new right, 3(2) INTERNATIONAL DATA PRIVACY LAW 88, 99 (2013),

<https://doi.org/10.1093/idpl/ipt004>.
88
  MatthiasBerberich;MalgorzataSteiner,BlockchainTechnologyandtheGDPR-How to

ReconcilePrivacyandDistributed Ledgers, 2 EUR. DATAPROT.L. REV. 422, 431 (2016).S

 MichaelA.Livermore,Cost-BenefitAnalysisandAgencyIndependence,81 U. CHI. L. REV. 609,

615 (2014).

 Mike Hintze, Privacy Statements under the GDPR, 42 SEATTLE U. L. REV. 1129, 1134

(2019).

 Mike Hintze, Privacy Statements under the GDPR, 42 SEATTLE U. L. REV. 1129,1132

(2019)

 MonikaZalnieriute,AnInternationalConstitutionalMomentforDataPrivacyinthe times of Mass-

Surveillance, 23(2) INTERNATIONAL JOURNAL OF LAW AND INFORMATION 99,

107 (2015).

 NandanNilekani, Data to the People: India’s Inclusive Internet, 97 FOREIGN AFF. 19, 33

(2018).

 Orla Lynskey,Deconstructing Data Protection: The Added-Value of a Right to Data

Protection in the EU Legal Order, 63 INT'L & COMP. L.Q. 569, 575 (2014).

 PaulOhm,BrokenPromisesofPrivacy:RespondingtotheSurprisingFailureof Anonymization, 57

UCLA L. REV. 1701, 1744 (2010).

 PeterBlume,PracticalDataProtection,2INT'LJ.L.& INFO.TECH.194 (1994); Rupert

Battcock, Data Protection: Where Next, 3 INT’L J.L. & INFO. TECH. 156 (1995); Anneliese

Roos, Core Principles Of Data Protection Law, 39 COMP. & INT’L L.J. S. AFR. 102,110

(2006).

 Raghunath Ananthapur, India's New Data Protection Legislation, 8 SCRIPTED 192, 201
89
 (2011)

 RATNA KAPUR AND BRENDA COSSMAN,SUBVERSIVE SITES: FEMINIST

ENGAGEMENTS WITH LAW ININDIA 54 (1996).

 RenatoOpiceBlum &CamilaRioja, Brazil'sGDPRSanctioned, 2 INT'L J. DATA

PROTECTION OFFICER, PRIVACY OFFICER & PRIVA CY COUNS. 12, 16 (2018).

 RightsinConflict-ReconcilingPrivacywiththePublic'sRighttoKnow,63LAW LIBR. J. 551, 563

(1970).

 Ruth Gavison,Feminism and the Public/Private Distinction,

45STAN. L.REV. 1,8 (1992).

 RyanM.Calo,AgainstNoticeSkepticisminPrivacy(andElsewhere),87(3) NOTRE DAME LAW

REVIEW 1030, 1031

 SamuelD.Warren;LouisD.Brandeis,RighttoPrivacy,4HARV.L.REV.193,201 (1890-1891).

 D McGoldrick, Developments in the Right tobe Forgotten, 13(4) HRLR 76, 777 (2013).

 SilviaLuciaCristea&ViorelBanulescu,TheRighttoPersonalDataProtection.The

RighttoPrivacy.AComparativeLawApproach,,ANALELESTIINTIFICE

ALEUNIVERSITATIIALEXANDRUIOANCUZADINIASISTIINTEJURIDICE1,9 (2018).

 Singh, S., Privacy and Data Protection In India: A Critical Assessment., 110 JILI, VOL. 53,

57 (2020)

 Sophie Stalla-Bourdillon& AlisonKnight, Anonymous Data v. Personal Data -

FalseDebate:AnEUPerspectiveonAnonymization,PSEUDONYMIZATION AND

PERSONAL DATA, 34 WIS. INT’L L.J. 284, 295 (2016).

90
 SougataTalukdar,PrivacyandItsProtectioninInformativeTechnologicalCompass in India, 12

NUJS L. REV. 1, 55 (2019).

 SougataTalukdar,PrivacyandItsProtectioninInformativeTechnological Compass in India, 12

NUJS L. REV. 1, 11 (2019)

 Subhajit Basu, Policy-Making, Technology and Privacy in India,

6INDIANJ.L.&TECH.65,70 (2010).

 Susan Nevelow Mart, The Right to Receive Information, 95 LAW LIBR. J. 175,190 (2003).

 Tschentscher, A.,. Privacy and Data Protection by Rules Rather than

Principles. SSRN ELECTRONIC JOURNAL 153 (2017),

<http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2372088>.

 Uchenna Jerome Orji,The African Union Convention on Cybersecurity: A Regional Response

Towards Cyber Stability?,12(2) MASARYK UNIVERSITY JOURNALOF LAW AND

TECHNOLOGY 91, 107( 2018).

 Uchenna Jerome Orji,The African Union Convention on Cybersecurity: a Regional Response

towards Cyber Stability, 12 MASARYK U. J.L. & TECH. 91 102 (2018).

 Umang Joshi, Online Privacy and Data Protection in India: A Legal Perspective, 7 NUALS

L.J. III 75, 77 (2013)

 ViktorMayer-Schonberger&YannPadova,RegimeChange:EnablingBigData

throughEurope'sNewDataProtectionRegulation, 17 COLUM. SCI. & TECH. L. REV. 315,

320 (2016)

 Vinita Bali, Data Privacy, Data Piracy: Can India Provide Adequate Protection for
91
 Electronically Transferred Data, 21 TEMP. INT'L & COMP. L.J. 103, 106 (2007).

 Will Thomas DeVries, Protecting Privacy in the Digital Age, BERKELEY TECHNOLOGY

LAW JOURNAL 283, 311 (2003).

 Wilson, B., Data Privacy in India: The Information Technology Act.2 SSRNELECTRONIC

JOURNAL 82, 88 (2010).

 WOLFJ.SCHÜNEMANN,MAX-OTTOBAUMANN,PRIVACY,DATA PROTECTION

AND CYBERSECURITY IN EUROPE 100 (2017)

BOOKS

 CATHERINE MACKINNON, TOWARDS A FEMINIST THEORY OF THE STATE 322

(1989).

 CHRSTOPHER KUNAR, EUROPEAN DATA PROTECTION LAW:

CORPORATE COMPLIANCE AND REGULATION 57 (2003).

 CYRUS FARIVAR, HABEAS DATA: PRIVACY VS. THE RISE OF

SURVEILLANCE TECH 353 (2018).

 ETERLL.M. CAREY,DATAPROTECTIONHANDBOOK334 (2004).

 GUTWIRTH, S. AND DE HERT, P., REGULATING PROFILING IN A DEMOCRATIC

CONSTITUTIONAL STATE. IN PROFILING THE EUROPEAN CITIZEN 271 (2008).

 GWENKENNEDY,DATAPRIVACYLAWANDPRACTICALGUIDE432,(2nd,

LSPPradhued.,2018).

 HELENWONGMBE,CYBERSECURITYLAWANDGUIDANCE67(2018),

92
 INSTITUTE OF MEDICINE,ENSURING SAFE FOODS AND MEDICAL

PRODUCTSTHROUGHSTRONGERREGULATORYSYSTEMSABROAD543 (2012).

 ITGP PRIVACY TEAM, BU GENERAL DATA PROTECTION

REGULATION(GDPR):ANIMPLEMENTATIONANDCOMPLIANCE GUIDE 432(2ND

2015)

 J BLACKMAN, 'OMNIVEILLANCE, PRIVACY IN PUBLIC, AND THE RIGHT TO

YOUR DIGITAL IDENTITY: A TORT FOR RECORDING AND DISSEMINATING AN

INDIVIDUAL'S IMAGE OVER THE INTERNET' 321 (2009).

 JOHNBUYERS,ARTIFICIALINTELLIGENCE:THEPRACTICALLEGAL ISSUES 110

(2018)

 JOHNKLEINIG,THENATUREOFCONSENTINTHEETHICSOF

CONSENT- THEORY AND PRACTICE (4th, Alan Wertheimer and Franklin Miller eds,

2009).

 PAWANDUGGAL,CYBERSECURITYLAW 52 (2019).

 ROBERTALEXY,LAW,RIGHTSANDDISCOURSE423(3RDGEORGEPAVLAKOS, 2010).

 ROBERT WALTERS, LEON TRAKMAN, BRUNO ZELLER, DATA

PROTECTION LAW 421 (2019).

 ROSEMARYJAY,ANGUSHAMILTON,DATAPROTECTIONLAWANDPRACTICE 445

(1995)

 SOPHIESTALLA-BOURDILLON,JOSHUAPHILLIPS,MARKD.RYAN, PRIVACY V.

SECURITY 654 (2012)

93
 STUART RUSSEL AND PETER NORVIG, ARTIFICIAL INTELLIGENCE: A MODERN

APPROACH 233 (2009).

 V. RICHARD BENJAMINS, POMPEU CASANOVAS,JOOST

BREUKER,ALDO GANGEMI, LAW AND THE SEMANTIC WEB: LEGAL

ONTOLOGIES, METHODOLOGIES, LEGAL INFORMATION RETRIEVAL, AND

APPLICATIONS 35 (2010).

 WALTERS, ROBERT, TRAKMAN, LEON, ZELLER,BRUNODATA PROTECTION

LAW: A COMPARATIVE ANALYSIS OF ASIA-PACIFIC AND EUROPEAN

APPROACHES 514 (2019).

 WILLIAM MCGEREVAN, PRIVACY AND DATA PROTECTION LAW 421 (2016).

 WOODROWBARFIELD,UGOPAGALLO,RESEARCHHANDBOOKONLAW OF

ARTIFICIAL INTELLIGFENCE 675 (2018).

ONLINESOURCES

 Abir Roy, Data Protection: Why A Comprehensive Law Is Needed.,THE FINANCIAL

EXPRESS. <https://www.financialexpress.com/opinion/data- protection-why-a-

comprehensive-law-is-needed/1694205>

 African Union(OAU),ConventiononCyber-securityandPersonalDataProtection

(AUCCPDP,(June72014),CCS/LEG/67/3REV.5,21I.L.M.58(2014),

<https://www.refworld.org/docid/3ae6b3630.html>.

 Alawadhi,P.,GovtMessedUpControlMechanisms:BNSrikrishnaOnData Protection Bill,

BUSINESS-STANDARD (January 31, 2020, 2:45 PM),

94
 <https://www.business-standard.com/article/economy-policy/govt-messed-up- control-

mechanisms-b-n-srikrishna-on-data-protection-bill-120013001855_1.html>.

 AmarToor,BrazilandGermanymakemovestoprotectOnlinePrivacy,but

ExpertsseeatroublingtrendtowardBalkanization,THEVERGE(2013),

<http://www.theverge.com/2013/11/8/5080554/nsa-backlash-brazil-germany- raises-fears-of-

internet-balkanization/>.

 Anonymous, State Of Privacy India., PRIVACY INTERNATIONAL (January 26, 2019),

<https://privacyinternational.org/state-privacy/1002/state-privacy- india>.

 Apar Gupta, Notes from a Digital Republic, Internet Freedom Foundation , INTERNET

FREEDOM (January 26, 2020), <https://internetfreedom.in/our-digital-republic/>.

 Aroon Deep, The dissenting voices in the Srikrishna Committee's Data

Protectionreport,MEDIANAMA(July28,2018),

<https://www.medianama.com/2018/07/223-srikrishna-dissent/>.

 Baueret.al,TheCostsofDataLocalisation:AFriendlyFireonEconomic Recovery, ECIPE (2014),

<https://ecipe.org/publications/dataloc/>.

 BEATE ROESSLER, SHOULD PERSONAL DATA BE A TRADABLE GOOD? ON THE

MORAL LIMITS OF MARKETS IN PRIVACY‘321 (BEATE ROESSLER AND DOROTA

MOKROSINSKA 2015)

 Benjamin Wittes, Jonah Force Hill: The Growth of Data Localization Post-

Snowden,LAWFARE(July21,2014,9:14pm),<https://www.lawfareblog.com/jonah-force-hill-

growth-data-localization-post-snowden-lawfare-research-paper-series>.

95
 Bhageshpur,K.,CouncilPost:DataIsTheNewOilAndThat'sAGoodThing, FORBES

(May.28,2020, 4:32 P.M.),

<https://www.forbes.com/sites/forbestechcouncil/2019/11/15/data-is-the-new-oil- and-thats-a-

good-thing/#4bd8a6473045>.

 Brazilian InternetSteeringCommittee, Contributionsalreadysubmitted,Global

MultistakeholderMeetingontheFutureofInternetGovernance,SAOPAULO, BRAZIL, (April

2014),< http:// content.netmundial.br/docs/contribs>.

 Bureau, E., Biggest Data Leaks Of 2019 That Hit Indian Users Hard - What Causes

DataBreach?.,THEECONOMICTIMES.(17Dec2019,04:35PM),

<https://economictimes.indiatimes.com/industry/tech/8-biggest-data-leaks-of-2019- that-hit-

indian-users-hard/what-causes-data-breach/slideshow/72839190.cms>

 CCPR General Comment No. 16: Article 17); The Right to Respect of Privacy, Family, Home

and Correspondence, and Protection of Honour and Reputation, UNHRC (April, 8, 1988),

<https://www.refworld.org/docid/453883f922.html>.

 Chander,A.et. al, Breaking theWeb: Data Localization vs. theGlobal Internet, SSRN (2014),

<http://dx.doi.org/10.2139/ssrn.2407858>.

 Chandrashekhar,A.,GermanFirmFindsOneMillionFilesOfIndianPatientsLeaked, THE

ECONOMIC TIMES (Nov 15, 2019,08:15am),

<https://economictimes.indiatimes.com/tech/internet/german-firm-finds-one- million-files-of-

indian-patients-leaked/articleshow/73921423.cms?from=mdr>.

 CIPL,RegulatorySandboxesinDataProtection:ConstructiveEngagementand Innovative

Regulation in Practice CIPL, CENTRE FOR INFORMATION AND POLICY

96
 LEADERSHIP(2019),

<https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/

cipl_white_paper_on_regulatory_sandboxes_in_data_protection_constructive_engagement_an

d_innovative_regulation_in_practice 8_march_2019_.pdf>.

 Ciso Mag | Cyber Security Magazine. 2019.In 3 Indian Firms Suffer High Financial

LossesFromHacking,CYBERSECURITYMAGAZINE(December25,4:35P.M),<https://

www.cisomag.com/survey-reveals-1-in-3-indian-companies-suffered-huge- financial-costs-

from-hacking/>.

 CommitteeofExpertsundertheChairmanshipofJusticeB.N.Srikrishna,,AFree and Fair Digital

Economy Protecting Privacy Empowering Indians, PRS INDIA (July 27,

2018)<https://www.prsindia.org/sites/default/files/parliament_or_policy_pdfs/Free%

20and%20Fare%20Srikrishna%20Committee%20Report%20Summary.pdf>

 CommitteeofExperts,WhitePaperofTheCommitteeOfExpertsOnADataProtection

Framework For India., 99 (2017)

<http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_

171127_final_v2.pdf>.

 Communication From The Commission To The European Parliament And The Council

Exchanging and Protecting Personal Data in a Globalised World, EUROPEAN

COMMISSION(January10,2017), <https://eur-lex.europa.eu/legal- content/EN/TXT/?

uri=COM%3A2017%3A7%3AFIN>.

 CouncilofEurope,CommitteeofConvention108,OpinionontheDataprotection implications of

the processing of Passenger Name Records, T-PD (2016)18REV, 19 (2016).

97
 Dana Polatin-Reuben and Joss Wright. An internet with BRICS characteristics:

DataSovereigntyandtheBalkanizationoftheInternet,USENIX(2014),

<https://pdfs.semanticscholar.org/b139/318d4b752dbc6c0383775323edc5823d9449.pdf>.

 DanielJ.Solove,ABriefHistoryofInformationPrivacyLaw,PROSKAUER ON PRIVACY,

(2006),

<https://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2076&contex

t=faculty_publications>

 De hert p. &gutwirth s., ‘Data Protection in the Case Law of Strasbourg and Luxemburg:

Constitutionalisation in Action’, REINVENTING DATA PROTECTION (2009),

file:///C:/Users/dell/Downloads/fulltext_stamped.pdf

 DraftReport,StudyontheHarmonizationofTelecommunicationandInformationand

Communication Technologies Policies and Regulation, AFRICAN UNION (2008),

<https://www.itu.int/ITU-

D/projects/ITU_EC_ACP/hipssa/docs/2_Draft_Report_Study_on_Telecom_ICT_Po

licy_31_March_08.pdf>.

 EbenMoglen&MishiChoudhary,HuffpostIsNowAPartOfVerizonMedia., HUFFINGTONPOST

(September 8, 2018, 3:50 PM

),<https://www.huffingtonpost.in/2018/09/07/the-draft-data-protection-bill-is- flawed-here-s-

how-to-fix-it_a_23520171/>.

 Edward J. Eberle, The Right to Information Self-Determination,

2001 UTAH L. REV. 965 (2001).

98
 ElectronicFrontierFoundation,“ThePrinciples,”INTERNATIONALPRINCIPLES

ONTHEAPPLICATIONOFHUMANRIGHTSTOCOMMUNICATIONS

SURVEILLANCE,(July10,2013),<https://en.necessaryandproportionate.org/text>.

 European Commission, 'Questions and Answers - Data protection reform' (Press

release,EUROPEAN COMMISSION (December 21, 2015),

<https://ec.europa.eu/commission/presscorner/detail/en/MEMO_15_6385>.

 ExpertCommitteeReport,AFreeandFairDigitalEconomyProtectingPrivacy,

EmpoweringIndians,CommitteeofExpertsunder theChairmanshipofJustice

B.N. Srikrishna, PRS INDIA (2018),

<https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf>.

 ExpertCommittee,ReportoftheFinancialSectorLegislativeReformsCommission,

GOVERNMENTOF INDIA VOLUME 1 (2013),

<https://dea.gov.in/sites/default/files/fslrc_report_vol1_1.pdf>.

 Gautam Bhatia, Right to Privacy Indian ConstitutionalLawand Philosophy,

WORDPRESS(Oct22,2019),

<https://indconlawphil.wordpress.com/category/privacy/>.

 GDPRAssociates.,GDPRAndBrexit-DoesTheUKStillNeedToComply?,

(2019),<https://www.gdpr.associates/gdpr-brexit/>.

 GRAHAMWILLIAMGREENLEAF,ASIANDATAANDPRIVACYLAWS 321(2014).

 Grata, International Personal Data Protection In Russia, GRATA

99
 INTERNATIONAL

(2017),<https://gratanet.com/laravelfilemanager/files/3/Data%20Protection%20in%20Russia

%202018%20final.pdf>.

 GREENLEAF,G.,ASIANDATAPRIVACYLAWS:TRADEANDHUMAN RIGHTS

PERSPECTIVE 432 (2014).

 Gupta, A., Summary Of The Report On Privacy Law By The Group Of Experts Headed By

Justice A.P. Shah,, INDIAN LAW AND TECHNOLOGY BLOG (Nov 15, 2012),

<https://iltb.net/summary-of-the-report-on-privacy-law-by-the-group-of- experts-headed-by-

justice-a-p-shah-6e5917ea9c18>.

 Ilya Khrennikov. Google to visa face Russia rules, Boon to Local Data Centers

BLOOMBERG (2014), <http://www.bloomberg.com/news/2014-09-25/google-to-visa-face-

russia-data-rules-in-boon-to-local-operators.html>.

 IndraSpiecker , Olivia Tambou, Paul Bernal &Margaret Hu, The Regulation of

CommercialProfiling-AComparativeAnalysis,2EUR.DATAPROT.L.REV.535, 540 (2016).

 Information Commissioners’ office, Data Protection And Brexit. INFORMATION RIGHTS,

2018 <https://ico.org.uk/for-organisations/data- protection-and-brexit/>.

 JamesManyika,SusanLund,JacquesBughin,JonathanWoetzel,KalinStamenov,

andDhruvDhingra,DigitalGlobalization:TheNewEraofGlobalFlows, MCKINSEY GLOBAL

INSTITUTE (February 24, 2016) <http://www.

mckinsey.com/business-functions/mckinsey-digital/our-insights/digital-globalization-the-new-

era-of-global-flows>.

 James Mullock, Simon Shooter,Philippe Bradley-Schmieg, Brexit: Data

100
 Protection And Cybersecurity Law Implications, BIRD & BIRD,

(2020),<http://www.twobirds.com/en/news/articles/2016/uk/brexit-data- protection-and-cyber-

security-law-implications>.

 JERRYKOSEF,CYBERSECURITYLAW345(2017).

 JflrgenSchaaf and Thomas Meyer, Outsourcing to India: Crouching Tiger Set to Pounce,

Deutsche Bank Research , DEUTSCHE BANK RESEARCH (Oct. 25, 2005),

<http://www.dbresearch.com/PROD/DBRINTERNETENPROD/PROD00000

00000192125.pdf>.

 KavitaThirkey,DemonetisationAndDigitalisation,THEHINDU(DECEMBER 25, 2016

17:00)., <https://www.thehindu.com/education/Demonetisation-and-digitalisation/

article16938094.ece>.

 KaushikBasu.India’sDigitalTransformation.,THEHINDU (FEBRUARY12, 2016 00:57),

<https://www.thehindu.com/opinion/op-ed/indias-digital-transformation/article8224206.ece>.

 Khaira,R.,Rs500,10Minutes,AndYouHaveAccesstoBillionAadhaarDetails.,

TRIBUNEINDIA NEWS SERVICE. (Jan 04, 2018, 02:07 AM),

<https://www.tribuneindia.com/news/archive/nation/rs-500-10-minutes-and-you- have-access-

to-billion-aadhaar-details-523361>.

 KSPuttaswamyv. Unionof India,2017SCCONLINESC996

 ManeeshChhibber, 35 Years Later: A Former Chief Justice of India Pleads Guilty,

INDIAN EXPRESS (Sept. 16, 2011),

<http://indianexpress.com/article/>.
101
 MeeraKosambi, Gender Reform and Competing State Controls over Women:The Rakhmabai

Case (1884-1888), INDIAN EXPRESS (1995)

<https://doi.org/10.1177/0069966795029001013>.

 MeghaMandavia., India Has Second Highest Number Of Internet Users After

China:Report,THEECONOMICTIMES.(Sep26,2019,04:24PM),

<https://economictimes.indiatimes.com/tech/internet/india-has-second-highest- number-of-

internet-users-after-china- report/articleshow/71311705.cms?from=mdr>.

 MeghnaMandavia,PersonalDataProtectionBillcanturnIndiainto‘Orwellian

State’:JusticeBNSrikrishna, THEECONOMICTIMES(Dec12,2019,11.34

AM),<https://economictimes.indiatimes.com/news/economy/policy/personal- data-protection-

bill-can-turn-india-into-orwellian-state-justice-bn- srikrishna/articleshow/72483355.cms?

utm_source=contentofinterest&utm_me dium=text&utm_campaign=cppst>.

 Ministry of Law and Justice, Committee of Experts under the Chairmanship of Justice B.N.

Srikrishna, A Free and Fair Digital Economy Protecting Privacy,

EmpoweringIndians,MYGOVERNMENT(Jan.20,2020,3:40pm),

<https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf>.

 NandtaMathur, India Now Has Over 500 Million Active Internet Users: IAMAI.,

LIVEMINT. (05 May 2020, 05:48) ,< https://www.livemint.com/news/india/india- now-has-

over-500-million-active-internet-users-iamai-11588679804774.html >

 OECD, Guidelines On The Protection of Privacy And Transborder Flows Of PersonalData,

(2013),

102
 <https://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacya

ndtransborderflowsofpersonaldata.html>.

 OECD.,G20/OECDPrinciplesofCorporateGovernance–OECD,(2015),

<https://www.oecd.org/corporate/principles-corporate-governance/>.

 Pacific Bell Survey: Small Business Slowly Adapting to Information Age,

COMMUNICATIONS DAILY (July 24, 1985), <https://www.Pacific

Bell.com/action/showCitFormats?doi=10.1080%/survey>.

 ParryAftab&NancySavitt,Children,DataandtheWeb;NewRulesStressPrivacy, Safety, NEW

YORK TIMES (Nov. 15, 1999),

<https://www.NYT.com/action/showCitFormats?doi=10.1080%2F13600830420003 25274>.

 Peter Hustinx., EDPS Speeches & Articles, EU Data Protection Law: the Review of Directive

95/46/EC and the Proposed General Data Protection Regulation, (2013),

<https://gegevensbeschermingsrecht.nl/onewebmedia/peter.pdf>

 PeterMargulies,TheNSAintheGlobalPerspective:Surveillance:HumanRightsand

InternationalCounterterrorism,82FORDHAMLAWREVIEW2137,2153(2014).

 PreetiMehta,FranchisingDataProtectionandE-CommerceinIndia,3INT’L

J.FRANCHISINGL.23, 27(2005).

 Press Trust of India, India Recorded 37% Of Total Global Data Breaches Second Only To

The US: Report- Technology News, FIRSTPOST. (OCT 16, 2018 09:19 A.M.),

<https://www.firstpost.com/tech/news-analysis/india-recorded-37-of-total-global-data-

breaches-second-only-to-the-us-report-5384941.html>.

103
 PTI,SomeReformsInIndiaShowBenefitsOfDigitalisation:IMF.,

ECONOMICS TIMES, (Apr10,2019,10:33AM)

<https://economictimes.indiatimes.com/news/economy/policy/some-reforms- in-india-show-

benefits-of-digitalisation- imf/articleshow/68806028.cms?from=mdr>

 ReportoftheJusticeAPShahCommittee,WhitePaperofTheCommitteeOfExperts

OnADataProtectionFrameworkForIndia,PLANNINGCOMMISSION(October 16, 2012),

<https://www.meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_

india_171127_final_v2.pdf>.

 ReportoftheUnitedNationsHighCommissionerforHumanRightsCouncilTheright to privacyin

the digital age, (UNGARES 28/16),OHCR, 39THSESSION UNDOC A/HRC/28/16, (26

March 2015),

<http://daccess-ddsny.un.org/doc/UNDOC/LTD/N13/544/07/ PDF/N1354407/>.

 Rhonda Copelon, Unpacking Patriarchy: Reproduction, Sexuality, Originalism, and

Constitutional Change, In A Less Than Perfect Union: Alternative Perspectives on THE U.S.

CONSTITUTION 303, 314 (1988).

 Robinson, Neil, Hans Graux, Maarten Botterman, and Lorenzo Valeri, Review of the

European Data Protection Directive. Santa Monica, CA: RAND CORPORATION

(2009),

<https://www.rand.org/pubs/technical_reports/TR710.html>.

 RussellBuchan,TheInternationalLegalRegulationofState-SponsoredCyberEspionage, NATO

CCD COE (2016),

104
 <https://ccdcoe.org/uploads/2018/10/InternationalCyberNorms_Ch4.pdf>

 Sashidhar K J, Easing the US-India divergence on data localization, ORF DIGITAL

FRONTIERS(2019),<https://www.orfonline.org/expert-speak/easing-us-india-

divergence-data-localisation-53256/>.

 Smith, D., BRICS eye infrastructure funding through New Development Bank, THE

GUARDIAN (2013),

<http://www.theguardian.com/global-development/2013/mar/28/bricscountries-infrastructure-

spendingdevelopment-bank?.

 SohiniBagchi, Data Privacy Day: India’s PDP Bill Needs Clarification, CX TODAY (Jan.

28, 2020, 8:14 am), <https://www.cxotoday.com/news-analysis/data-privacy-day-indias-pdp-

bill-needs-clarification/>.

 Soldatov, A., and Borogan, I., Russia’s Surveillance State, World Policy Journal, WORLD

POLICY (2013), <http://www.worldpolicy.org/journal/fall2013/Russia-surveillance>.

 Sreenidhi Srinivasan and Namrata Mukherjee, Building an effective data

protectionregime,VIDHICENTREFORLEGALPOLICY(2017),

<https://www.livemint.com/Industry/32kLqMlXEh0w4GhvLKxGkN/Indian- data-protection-

norms-insufficient-report.html>.

 StephenMason,ElectronicSignaturesinLaw,SchoolofAdvancedStudy,UniversityofLondon,JST

OR(2016),<www.jstor.org/stable/j.ctv5137w8.23>.

 SwathiMoorthy, Data Protection Authority Will Be A Government Stooge And Weaken

Personal Data Bill: Justice BN Srikrishna, FIRST POST (January 30, 2020,

12:18IST),<https://www.firstpost.com/tech/news-analysis/data-protection-authority-
105
 will-be-a-government-stooge-and-weaken-personal-data-bill-justice-bn-srikrishna-

7976651.html>.

 The ET bureau,. Justice Srikrishna Committee Submits Report On Data Protection.

Here'reItsTop10Suggestions.THEECONOMICTIMES(Jul28,2018,04:35PM),

<https://economictimes.indiatimes.com/news/politics-and-nation/justice-bn- srikrishna-

committee-submits-report-on-data-protection-herere-the-

highlights/articleshow/65164663.cms?from=mdr.>

 TheHindu(StaffReporter)ExpertsRaiseConcernOverDraftDataProtectionBill., THE

HINDU (JULY 29, 2018 23:40),

<https://www.thehindu.com/news/cities/Hyderabad/experts-raise-concern-over- draft-data-

protection-bill/article24547899.ece>.

 The Hindu. What Is The Right Way Of Regulating Social Media? OPINION (AUGUST 30,

2019 00:15), <\https://www.thehindu.com/opinion/op-ed/what-is-the-right-way-of-regulating-

social-media/article29291424.ece>.

 UNHR, The Right to Privacy in a Digital Age, YOUR HUMAN RIGHTS (Nov. 1, 2013),

<http://daccess-ddsny.un.org/doc/UNDOC/LTD/N13/544/07/ PDF/N1354407>.

 United Nations Conference on Trade and Development (UNCTAD), Information Economy

Study 2015-Unlocking the Potential of E-commerce for Developing countries,UNTAD

(2015), <http://unctad.org/en/PublicationsLibrary/ier2015_en.pdf>.

 Yamini Aiyar,Shrayana Bhattacharya,Lant Pritchett,TheSolutions State:Why The Digital

Needs The Human ,INDIAN EXPRESS (March 14, 2019 8:54:07 am),

<https://indianexpress.com/article/explained/the-solutions-state-why-the- digital-needs-the-
106
 human-5625290/>.

 YuxiaoDuanRenmin, China’s Private Law Approach to Personal Data Protection SSRN

(2019),

<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3484725>.

107