This article is written by Deep Kumar Mohanty, a Third-year student from University Law College, Utkal University, Bhubaneswar.

Introduction

In recent times there is an unending occurrence of cybercrimes throughout the globe. The pilfering and sale of stolen data is happening transversely continents where physical territories façade no restraint or appear non-existent in this technological era. It is pertinent to note that India being the biggest mass of outsourced data might become the centre of cyber crimes as there is no express legislation for data protection in India.

Meaning of Data Protection

Data protection refers to the safeguarding of sensitive information from falling into the wrong hands in order to prevent corruption and nepotism. Sensitive information protection is based on 3 important functions such as a) controlling physical and logical access to sensitive information  b) Individual accountability of that sensitive information and identification of people who have access to it c) audit trails both physical and logical of who accessed the sensitive information i.e. who, when, how, what and why. ^[1]

Jurisprudential Dimensions of Data Protection

Data sharing is an intrinsic part of the right to privacy. Personal data such as birth date, financial capabilities, health are all included within the ambit of privacy. Privacy is a human right enjoyed by every human being which may extend to bodily integrity, personal autonomy, informational self-determination, protection from state surveillance, dignity, confidentiality, compelled speech and freedom to dissent or move or think.  The right of privacy is the right to be free from unwarranted publicity, to live a life of seclusion, and to live without unwarranted interference by the public in matters with which the public is not necessarily concerned. ^[2]The Semayne’s Case (1604)^[3] relates to the entry into a property by the Sheriff of London in order to execute a valid writ wherein Sir Edward Coke, while recognising a man’s right to privacy famously said that “the house of everyone is to him as his castle and fortress, as well for his defence against injury and violence, as for his repose”. The concept of privacy further developed in England in the 19th century and has been well established in today’s world. In case of Campbell v. MGN^[4], the court held that if “there is an intrusion in a situation where a person can reasonably expect his privacy to be respected, that intrusion will be capable of giving rise to liability unless the intrusion can be justified”.

International Conventions and Reports

1. Article 12 of the Universal Declaration of Human Rights states, “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
2. Article 17 of the International Covenant on Civil and Political Rights states that “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.”  Everyone has the right to the protection of the law against such interference or attacks.
3. Article 16 of the UNCRC states that” No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, or correspondence, nor to unlawful attacks on his or her honour and reputation. The child has the right to the protection of the law against such interference or attacks.
4. The gathering and holding of personal information on computers, data banks, and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. Every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files. If such files have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.^[5]

Indian Jurisprudence on Privacy of Data

The Hon’ble Supreme Court in the case of K. S. Puttaswamy (Retd.) v Union of India^[6] , in which case the ‘Aadhaar Card Scheme’ was challenged on the ground that collecting and compiling the demographic and biometric data of the residents of the country to be used for various purposes is in breach of the fundamental right to privacy embodied in Article 21 of the Constitution of India. The Hon’ble Supreme Court by its decision pronounced on August 24, 201711 unanimously held as under: –

• M P Sharma^[7] decision which mandates that the right to privacy is not protected by the Constitution stands over-ruled;
• The decision in Kharak Singh^[8] to the extent which states that the right to privacy is not protected by the Constitution stands over-ruled;
• The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.
• Privacy is a constitutionally protected right which emerges primarily from the guarantee of life and personal liberty in Article 21 of the Constitution. Elements of privacy also arise in varying contexts from the other facets of freedom and dignity recognised and guaranteed by the fundamental rights contained in Part III.
• Privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage, procreation, the home and sexual orientation. Privacy also connotes a right to be left alone. Privacy safeguards individual autonomy and recognises the ability of the individual to control vital aspects of his or her life. Personal choices governing a way of life are intrinsic to privacy. Privacy protects heterogeneity and recognises the plurality and diversity of our culture. While the legitimate expectation of privacy may vary from the intimate zone to the private zone and from the private to the public arenas, it is important to underscore that privacy is not lost or surrendered merely because the individual is in a public place.
• As per Article 21, an invasion of privacy must be justified on the basis of a law which stipulates a procedure which is fair, just and reasonable. An invasion of life or personal liberty must meet the three-fold requirement of (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate state aim; and (iii) proportionality which ensures a rational nexus between the objects and the means adopted to achieve them.

Various legislative enactments in India do not confer protection of all types of data

Information and Technology Act

1. Section 43A of the IT Act mandates that where a body corporate possessing, dealing or handling any sensitive personal data or information^[9] in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures^[10] thereby causing wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, which shall not exceed a sum of INR 5,00,00,000 (Rupees Five Crore).
2. Section 66 C deals with identity theft and states that whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment for a term which may extend up to three years and shall also be liable to a fine of up to INR 1,00,000
3. Section 72 requires that any person who has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned and thereafter, discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to INR 1,00,000 (Rupees One Lakh) , or with both. 
4. Section 72A mandates, any person, including an intermediary ^[11]who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information.

Loopholes

1. The IT Act does not contain a definition of a data breach.
2. The provisions of the IT Act only deal with the collection and distribution of information by a ‘body corporate’.
3. IT Act does not include the overarching stipulation that interception can only transpire in the case of public emergency or in cases involving public safety. Additionally, section 69 of the IT Act mandates that any person or intermediary who fails to assist the specified agency with the interception, monitoring, decryption or provision of information stored in a computer resource shall be punished with an imprisonment for a term which may extend to seven years, and shall be liable for a fine.
4. The term “consent” has not been defined under the IT Act.

The Rules and provisions of the IT Act principally sought to shelter ‘personal information’ and ‘sensitive personal data or information’, i.e. the information related to (i) password; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; and (vi) biometric information. However, the information which is freely accessible in the public domain is not considered within the ambit of ‘sensitive personal data or information’.

Click Above

Aadhar Act, 2016

1. Biometric information means photograph, fingerprint, iris scan, or such other biological attributes of an individual as may be specified by regulations.^[12]
2. Core biometric information means fingerprint, Iris scan, or such other biological attribute of an individual as may be specified by regulations.^[13]
3. Demographic information includes information relating to the name, date of birth, address and other relevant information of an individual, as may be specified by regulations for the purpose of issuing an Aadhaar number, but shall not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.^[14]
4. The Authority shall ensure the security of identity information and authentication records of individuals.^[15]
5. No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.^[16]

Loopholes

1. Section 28 of the Act says that the Authority shall ensure the security of identity information and authentication records of individuals. Section 2(e) of the Act defined ‘authority’ which refers to the Unique Identification Authority of India established under sub-section (1) of Section 11 of the Act. It is to be noted that Section 139AA of the Income Tax Act, 1961 provides for the linking of Aadhaar to PAN. The provision was challenged in the Supreme Court and was subsequently upheld by a Hon’ble Division Bench of Justices A.K. Sikri and Ashok Bhusan in Binoy Viswam Case^[17]. However, when Aadhaar is linked, the data which were collected by the UIDAI would be shared with the Income Tax Authorities. But, the Income Tax Act doesn’t provide for any designation or any authority for the purpose of protection of that information and data. Therefore, a major loophole remains in the decision.
2. Section 33(1) of the Act says that disclosure of information including identity information or authentication records may be made pursuant to an order of a court not inferior to that of a District Judge and further says that no order by the Court may be made under the sub-section shall be made without giving an opportunity of hearing to the UIDAI. However, it doesn’t provide for an opportunity of hearing to the data principal, which against the principles of natural justice and in contravention of observation of the Hon’ble Apex Court in Puttaswamy’s Constitutional Morality requires a Government not to act in a manner which would become violative of rule of law and not giving opportunity to the affected party is against the notion of rule of law. Hence, it is against constitutional morality.
3. As the centralised body for the storage and organization of information is Central Identities Data Repository (CIDR) there is an enormous possibility of data breach or piracy and once the centralised repository is hacked, it may lead to the breach of the personal data and information of millions of people.
4. As per Section 47(1), a court can take cognizance of an offence punishable under the Act only if a complaint is given by UIDAI or any officer or any other person authorised by it. Section 47 of the Act is arbitrary, irrational and illogical as it doesn’t provide a method to individuals to seek effectual remedies for violation of their right to privacy. Thus, it can be safely said that section 47 violates the rights of citizens to seek remedies in case of violation of their fundamental rights.
5. It is a fundamental principle that ownership of an individual’s data must at all times vest with the individual. But it is pertinent to note that the proviso to Section 28(5)^[18] of the Aadhaar Act, disallows individual access to the biometric information that forms the core of his or her unique ID and thereby violates this fundamental principle.
6. As per Section 23(2)(s)^[19] UIDAI which is administering the Aadhaar project is also accountable for establishing a grievance redressal mechanism in order to address grievances arising from Aadhar thereby massively compromising the independence of the grievance redressal body.

Section 29(4)^[20] is too broad as it renders wide discretionary power to UIDAI to display, publish or post core biometric information of any person for purposes specified by the regulations.

Non Compliance of the mandates laid down by the Supreme Court in the Aadhar Amendment Act 2019

1. The Supreme Court in the Aadhar Judgement^[21] (Para 322) has held, “ No doubt, the Government cannot take umbrage under the aforesaid provision to enlarge the scope of subsidies, services and benefits. ‘Benefits’ should be such which are in the nature of welfare schemes for which resources are to be drawn from the Consolidated Fund of India. Therefore actions by CBSE, NEET, JEE and UGC requirements for scholarship shall not be covered under Section 7 unless it is demonstrated that the expenditure is incurred from Consolidated Fund of India. We are of the opinion that the respondents shall not unreasonably expand the scope of ‘subsidies, services and benefits’ thereby widening the net of Aadhaar, where it is not permitted.” The court went on to elaborate that Sections 24 & 25 of the Aadhar Amendment Act 2019 mention about the utilize of Aadhaar by telecom service providers, banks and financial institutions for doing reporting functions under the Prevention of Money Laundering Act ( PMLA) which have no connection with subsidies, benefits, welfare or DBT. Merely making Aadhaar ( online or hard copy) as two out of four options in these sections, without mentioning the third one ( merely empowering the government to do so) and providing passport as the fourth one ( which a large majority do not possess) does not comply with the SC intent which primarily constrained use of Aadhaar to “ benefits” from the Consolidated Fund of India, as above restrictively defined.
2. Section 57 of the original act states, “Nothing contained in this act shall prevent the use of Aadhaar for establishing the identity of an individual for any purpose whether by the State or any body, corporate or person.” In a lengthy discussion on the Aadhaar Judgment (paras 355 to 367), Section 57 was declared unconstitutional and struck down of being too wide. The re-embodiment of the same invalid 57 is available in 5(7) of 2019 amendment Act, where an alike provision, expressly overriding all other provisions, allows compulsory use of Aadhaar alone if Parliament by any law ( not yet specified) so provides. Sections 24 and 25 discussed above, additionally reflect a similar reincarnation.
3. The Supreme Court in the Aadhar Judgement(Para 349), while upholding Section 33 which dealt with compulsory disclosure in interests of national security, altered the decision-maker from Joint Secretary to a higher level and considerably added, “ There has to be a higher ranking officer along with, preferably, a judicial officer.”

In the 2019 Aadhar Amendment Act though a Secretary level officer has been designated, no judicial element along with has been provided, thereby palpably violating the mandate laid by the Supreme Court.

Critical Analysis of Personal Data Protection Bill, 2018

It is pertinent to note here that there is no specific legislation for the protection of data in India. In 2006, the Personal Data Protection Bill, 2006 was introduced in the Rajya Sabha with a vision of providing protection to personal data and information of an individual collected for a particular purpose by an organisation and to prevent its usage by other organisations for commercial or other purposes. Subsequently in the wake of the decision of the Apex Court in Justice (Retd.) K.S. Puttaswamy v. Union of India (Right to Privacy matter), right to privacy being declared as a fundamental right, it was felt that it is essential to protect personal data as a facet of informational privacy. Hence, the Personal Data Protection Bill, 2018 was introduced in the Parliament with provisions covering aspects of protection of data. 

Loopholes

Though the bill provides a skeletal framework of a data protection law and attempts at covering some aspects of data protection yet it suffers from major loopholes.

1. Absence of guidelines for fair and reasonable data processing

As per the recommendations of Justice Srikrishna Committee courts of law and regulatory authorities should be allowed to develop principles of fair and reasonable data processing.  The Bill places the obligation on data fiduciaries to collect data in a fair and reasonable manner that respects the privacy of the individual but does not explicitly specify fair and reasonable manner of personal data processing which could result in fairness and reasonability principles to vary across fiduciaries processing similar types of data and fiduciaries in the same business may evolve and follow different standards.

2. Proposal for data localization is quite concerning

Data localization could cast an adverse impact on smaller data fiduciaries who resort to alternative cheaper storage mechanisms with compliance burden and raised costs and some of them may be dismayed from investing in India as a market because of extra costs arising from putting up duplicate servers as a result of which consumers may not have the choice of availing services of all data fiduciaries. In some cases where the data fiduciary is registered as an entity in a foreign country, law enforcement may not essentially be expedited. Furthermore, India needs to invest and enhance data centre infrastructure and grid capacity before mandating data localization.

3. Functions of the legislature for non-consensual processing of data is uncertain

Personal data may be processed if such processing is necessary for any function of Parliament or any State Legislature.^[22] The Bill allows for processing of an individual’s personal data without their consent if it is necessary for any function of the Parliament or state legislature which is irrational and it is quite uncertain to predict about the possible requirement of the Parliament or State Legislature to access any personal data without the consent of the individual.

4. Certain types of data are exempted which may not satisfy test of proportionality

The State can process data for the purposes of (i) national security, (ii) prevention, investigation and prosecution of violations of law, (iii) legal proceedings, (iv) personal or domestic purposes, and (v) research and journalistic purposes.  A vital question is whether all exceptions provide in the Bill are justified. The Supreme Court, in Puttaswamy vs Union of India, allowed exceptions to the right to privacy of an individual only in cases where a larger public purpose backed by law is satisfied by the infringement of privacy of an individual and highlighted that the exemption must be necessary for and proportionate to achieving the purpose. Thus it is apparent that an exception for national security, pursuant to a law, may be justified.   But, it is uncertain if exceptions for legal proceedings, or for research and journalistic purposes meet the requisites of necessity and proportionality.

5. Data processing for providing all services of the state without consent  is unjustified

Personal data may be processed if such processing is necessary for the exercise of any function of the State authorised by law for (a) the provision of any service or benefit to the data principal from the State; or (b) the issuance of any certification, license or permit for any action or activity of the data principal by the State.^[23]  The recommendations of Sri Krishna Committee cite that only those government entities which are exercising functions directly related to the provision of welfare should be allowed non-consensual processing of data and acknowledges that non-consensual processing by government entities for all types of public functions may be too broad to an exception to consent.  But the Bill utterly disregards the recommendation and allows non-consensual data processing for all services of the State.

6. A complaint may be filed only  in case of possibility of harm

A data principal may raise a grievance in case of a violation of any of the provisions of this Act, or rules prescribed, or regulations specified thereunder, which has caused or is likely to cause harm to such data principal, to— (a) the data protection officer, in case of a significant data fiduciary; or (b) an officer designated for this purpose, in case of any other data fiduciary.^[24] It is questionable as to why the sheer violation of the rights of the principal isn’t sufficient to file a complaint. Nothing contained in sub-section (1) shall render any such person liable to any punishment provided in this Act if she proves that the offence was committed without her knowledge or that she had exercised all due diligence to prevent the commission of such offence. ^[25] The data principal also has to exhibit and prove that harm has been caused to them as a result of unlawful data processing thereby placing an unnecessary burden on the data principal.

7. No stipulated time limit for reporting data breach

If we take into consideration notifications of data breaches the bill states that the data breach notifications are to be made by the data fiduciary to the Data Protection Authority For India(DPAI) “as soon as possible”, in case they pose potential “harm” to data principals.^[26] However, there is ambiguity in this provision as it does not explicitly mention how soon and within what stipulated time the breach is to be notified.

8. Discretionary reporting of data breaches could result in clash of interests

The Bill states that the fiduciary shall inform the DPA in the event of a data breach (i.e., accidental or unauthorised use or disclosure of data) only if such a breach is likely to cause harm to any data principal.^[27]  The question which remains unanswered is whether the fiduciary should have the discretion to determine whether a data breach needs to be reported to the DPA. From a plain reading, we can interpret that the fiduciary has the discretion to determine if the data breach has caused data principal any harm. This could result in choosy reporting of data breaches which will avoid the DPA from being loaded with a high volume of low-impact data breach reports on one hand and on the other also not make the fiduciary responsibilities of the duty reporting. Conversely, there may be a clash of interest while deciding whether a breach is to be reported, as the fiduciary is regulated by the DPA and cases of breaches and promptness of notification are evaluated  in independent data audits ordered by the DPA whose  results are summarised into a score, made public and influences the insight of a fiduciary’s trustworthiness.

9. Arrest, Detention, Attachment of Properties in the form of compensation can be made by DPA without court order

The Recovery Officer, per the orders of the Data Protection Authority, may conduct several enforcement actions against a person including (i) attachment and sale of the persons movable property; (ii) attachment of the persons bank accounts; (iii) attachment and sale of the persons immovable property; (iv) arrest and detention of the person in prison; (v) appointing a receiver for the management of the persons movable and immovable properties.^[28] The Bill vests unfettered power to the Recovery Officer to act in pursuance of the orders of the Data Protection Authority and do not stipulate approval of a court order for the above enforcement actions unlike the RBI^[29] or the IRDA.^[30]

10. The definitions of ‘Serving copy’ and ‘Critical personal data’ are not provided

It is uncertain what is meant by a ‘serving copy’ of data.  It might be alive, an actual time reproduction of data on a server within India, or it might be a backup at a particular frequency. The exclusive definition needs to be provided, as expenses, implications and execution timelines for fiduciaries would differ substantially with the exact nature of a ‘serving copy’.  Furthermore, what covers the ambit of ‘critical personal data’ needs to be explicitly mentioned, as it is an indispensable prerequisite for fiduciaries to prepare for storing this data solely in India.

Comparative Study of the European Union’s General Data Protection Regulation (GDPR) and the Personal Data Protection Bill, 2018

1. However Section 27(1) which says that the data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal where such disclosure (a) has served the purpose for which it was made or is no longer necessary; (b) was made on the basis of consent. The major difference is that in India, a citizen has not been warranted the right to demand his/her data to be erased. Data reassure, which is an article in itself in GDPR does not even find a mention in the Indian draft bill.

2. Sharing of source of personal data to data principal
   The data fiduciary does not need to share the source of the personal data to the data principal in case the data has not been collected from him/her as per PDPB which is an explicit requirement in GDPR.
3. As per the Personal Data Protection Bill notifications of data breaches are to be made by the data fiduciary to the Data Protection Authority For India(DPAI) “as soon as possible”, in case they pose potential “harm” to data principals but does not explicitly mention how soon and within what stipulated time the breach is to be notified in contrast to GDPR which has a time limit of 72 hours.
4. Breach notification to data subject is required in GDPR whereas in PDPB it depends upon discretion of DPA
   In case of a breach, there’s no requirement by Indian draft bill to share it with the data principal; rather, the data protection authority shall determine whether such breach should be reported to the data principal. This is also in contrast to GDPR provisions.
5. Accountability
   GDPR places more emphasis on explicit accountability for data protection thereby putting a straight responsibility on companies to prove that they comply with the principles of the regulation, rather than the hands-off approach of the Data Protection Act which means firms will have to perform mandatory activities such as staff training, internal data audits and keeping detailed documentation if they wish to avoid falling foul of the GDPR rules.
6. GDPR explicitly requires data principal to be provided a copy of data processing whereas PDPB vaguely mentions summary of data to be provided
   GDPR requires that the data subject (data principal) is provided with a copy of data undergoing processing. The Indian legislation mandates a summary of that data to be shared, with no definition of what that summary is.
7. Obligation on data fiduciary
   There is no obligation on data fiduciary in the Bill to share with the data principal for how much time period the data will be stored while collecting or at any time, as GDPR mandates.
8. The Data Protection Bill does not mandate the data fiduciary to allocate the names and categories of other recipients of the personal data with the data principal, unlike GDPR.
9. Consent policies
   Under the PDPB data compilation does not essentially mandate an opt-in but under GDPR apparent privacy notices are provided to consumers, allowing them to make a well-versed decision on whether they should consent to allow their data to be stored and used and the consent can be withdrawn at any time.

Recommendations

• The PDPB should exclusively mention rules and guidelines for the fair and reasonable principles of data processing by data fiduciaries because the provisions of Section 4 of the Bill mandates that the data fiduciary should collect data in a logical and fair method.
• The Data Protection bill should authorize the Data Protection Authority to declare templates for an assortment of consent, and the required businesses should comply with these templates.
• The mention of incidental purposes and the ambiguous language of Section 5(2) of the Bill should be abrogated in order to avoid misinterpretation.
• Section 32 of the Personal Data Protection Bill should incorporate a specific time limit to report the breach of data by the data fiduciary to the data processor instead of using a vague term like as soon as possible.
• The provisions of Section 13 are very wide and there is a possibility that this provision might be arbitrarily used under the blanket of state functions and therefore this provision must define in a more elaborate and detailed manner the realm of necessary data.
• Data fiduciaries might be required to supply information about any data breaches on their website to ensure transparency.
• Insertion of a qualified right to erasure in the Bill as mandated in the GDPR will be of significant importance to the privacy rights of the people.
• In case there is a breach of data then in such a case the Data Protection Authority in order to maintain transparency could make the data protection impact estimation and data audits available publicly.
• Though the bill prescribes broad principles, more work needs to be done in order to make consent work in practice.

Conclusion

Though the existing laws in India do not confer necessary data protection but India is on the way of drafting a legislative enactment for data protection. A deep insight into the above loopholes and further debates and discussions in the Parliament to provide necessary recommendations to eradicate the same would pave the way for creating a strong data protection law in India. 

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.

Endnotes

^[1]  W. Boni and G.L.Kovacich, Netspionage: Global Threat to Information, 147( 1^st ed., 2000)

^[2] Strutner v Dispatch Printing Co., 2 Ohio App. 3d 377 (Ohio Ct. App., Franklin County 1982).

^[3] Peter Semayne v Richard Gresham, 77 ER 194.

^[4] 2004 UKHL 22.

^[5] UN Doc. HRI/GEN/1/Rev.9, General Comment No. 16: Article 17, para 10.

^[6] (2015) 8 SCC 735.

^[7] M. P. Sharma and Ors. v Satish Chandra, District Magistrate, Delhi and Ors 1954 SCR 1077

^[8] Kharak Singh v State of Uttar Pradesh and Ors, (1964) 1 SCR 334

^[9] The term “sensitive personal data or information” of a person is defined to mean such personal information which consists of information relating to— (i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise: provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these regulations.

^[10] The term “reasonable security practices and procedures” has been defined to mean security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

^[11] The term “intermediary” with respect to any particular electronic records, has been defined to mean any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes.

^[12] S.2(g), The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016

^[13] S.2(j), The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016

^[14] S.2(k), The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016

^[15] S.28, The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016

^[16] S.47, The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016

^[17] Binoy Viswam v. Union of India and Ors (2017)7 SCC 59

^[18] Notwithstanding anything contained in any other law for the time being in force, and save as otherwise provided in this Act, the Authority or any of its officers or other employees or any agency that maintains the Central Identities Data Repository shall not, whether during his service or thereafter, reveal any information stored in the Central Identities Data Repository or authentication record to anyone: Provided that an Aadhaar number holder may request the Authority to provide access to his identity information excluding his core biometric information in such manner as may be specified by regulations.

^[19]  Section 23(2)(s) states, ”Without prejudice to sub-section (1), the powers and functions of the Authority, inter alia, include— (s) setting up facilitation centres and grievance redressal mechanism for redressal of grievances of individuals, Registrars, enrolling agencies and other service providers;”

^[20] Section 29(4) states that”No Aadhaar number or core biometric information collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for the purposes as may be specified by regulations.”

^[21] K.S. Puttaswamy v. Union of India

^[22] S.13(1), Personal Data Protection Bill 2018

^[23] S.13(2), Personal Data Protection Bill, 2018

^[24] S.39(2), The Personal Data Protection Bill, 2018

^[25] S.96(2), The Personal Data Protection Bill, 2018

^[26] S.32(3), The Personal Data Protection Bill, 2018

^[27] Ibid

^[28] S.78, The Personal Data Protection Bill, 2018

^[29] Reserve Bank of India

^[30] Insurance Regulatory and Development Authority