TEAM CODE -

7th NATIONAL MOOT COURT COMPETITION

SURANA & SURANA & KLE LAW

COLLEGE – 2024

BEFORE THE HON’BLE

SUPREME COURT OF INDIANA

IN THE MATTER OF

W.P. (PIL)NO. _____/ 2024

MR. AMAN & ORS (Petitioner)

VS

UNION OF INDIANA & ANR (Respondent)

WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS

 Page |2

PETITION INVOKED
UNDER ARTICLES
32 & 139A OF
THE
CONSTITUTION OF
INDICA
PETITION INVOKED
UNDER ARTICLES
32 & 139A OF
INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 Page |3

THE
CONSTITUTION OF
INDICA
PETITION INVOKED
UNDER ARTICLES
32 & 139A OF
THE
CONSTITUTION OF
INDICA
PETITION INVOKED UNDER ARTICLE 32 OF THE

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 Page |4

CONSTITUTION OF INDIANA

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 Page |5

WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS

TABLE OF CONTENTS

SL CONTENTS PAGE
NO. NO.
1. List Of Abbreviations 3

2. Index Of Authorities 4

1. Dictionaries referred 4

2. Books referred: 4

3. Online sources: 4

4. Statutes referred 5

5. Articles referred: 5

6. Table of cases 5-6

7. Law reports 6

8. Conventions referred 6

3. Statement Of Jurisdiction 7

4. Statement Of Facts 8

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 Page |6

5. Issues Presented 9

6. Summary Of Pleadings 10

7. Advanced Pleadings 11 - 26

1. Whether the provisions of Act 22 of 2023 that allow the 11 – 14

processing of Personal data without the consent of the Data
Principal under Section 6 and allied provisions violate the
Right to Privacy?
2. Whether the processing of Bank Account Details constitute a 15 – 19
Legitimate Purpose under Section 7 and allied provisions, as
stated in Act 22 of 2023?
3. Does the provision that provides immunity to the Central 20 – 22
Government under Section 35 on account of Good Faith
violate the Petitioner’s right to seek remedy?
4. Whether the exemption of certain data fiduciaries under 23 – 26
Section 17(5) by means of notification is an arbitrary
exercise of discretion and thus violative of Article 14 of the
Constitution of Indiana?

8. Prayer 27

LIST OF ABBREVIATIONS

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 Page |7

Sl ABBREVIATION EXPANSION
no
.
1. & And
2. AIR All India Reporter
3. Hon’ble Honourable
4. HC High Court
5. No Number
6. Ors. Others
7. SC Supreme Court
8. SCC Supreme Court Cases
9. SCR Supreme Court Reports
10. Art. Article
11. Sec. Section
12. Ss. Sections
13. v. Versus
14. Del Delhi
15. Anr. Another
16. ICCPR International Covenant on Civil and
Political Rights
17. ILR Indian Law Reports
18. UDHR Universal Declaration of Human
Rights
19. GDPR General Data Protection Regulation
20. DPDP Digital Personal Data Protection

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 Page |8

INDEX OF AUTHORITIES

(A). DICTIONARIES REFFERED:

1. Black’s Law Dictionary
2. Oxford Dictionary
3. Legal Dictionary
4. Ballentine’s Dictionary

(B). BOOKS REFERRED:

1. India Constitutional Law, M P Jain, 8th Edition, Lexis Nexis.
2. Constitution of India, Durga Das Basu.
3. The Constitution of India, P. Bakshi.
4. Constitution Of India, V. N. Shukla, 13th Edition, Easter Book Company.
5. Data Protection Laws in India, Prof. S. K. Agarwal ,1st Edition (2022),
LexisNexis
6. The Indian Data Protection Law: An Analytical Perspective, Dr. Shyam
Sundar, 1st Edition (2022), SAGE Publications
7. Cyber Law and Data Protection in India, Dr. R. K. Karan, Universal Law
Publishing, 2nd Edition (2023)
8. A Free and Fair Digital Economy: Protecting Privacy, Empowering
Indians, Justice B.N. Srikrishna ,1st Edition (2018) HarperCollins India
9. Digital Privacy and Data Protection in India, Apar Gupta (Internet
Freedom Foundation), 1st Edition (2023), Oxford University Press

(C). ONLINE SOURCES:

1. www.manupatrafast.com
2. www.ncrb.gov.in
3. www.articles.manupatra.com

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 Page |9

4. www.constitutionofindia.net
5. https://www.prsindia.org/billtrack/personal-data-protection-bill-2019
6. https://gdpr.eu/
7. https://www.coe.int/en/web/data-protection/convention108

(D). STATUTES REFERRED:

1. The Constitution of India, 1950.
2. The Digital Personal Data Protection Act, 2023
3. Universal Declaration of Human Rights (UDHR), 1948
4 General Data Protection Regulation, 2016, European Union
5. The Limitations A ct,1963

(E). ARTICLES REFERRED:

1. Anna Jonsson Cornell, “Right to Privacy”, Max Planck Encyclopedia of
Comparative Constitutional Law (2015).

2. Justice B.N. Sri Krishna A Free and Fair Digital Economy: Protecting
Privacy, Empowering Indians" (2018)
3. Dr Shyam Sundar "The Legal and Ethical Dimensions of Data Privacy in
India"
4 Dr R. K. Karan "Cyber Law & Data Protection in India"

(F). TABLE OF CASES:

1. JUSTICE K.S. PUTTASWAMY (RETD.) VS. UNION OF INDIA, (2017) 10 SCC
1, AIR 2017 SC 4161

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 10

2. ANVAR.P. V P.K. BASHEER (2014)10 SCC 473

3. SHREYA SINGHAL V. UNION OF INDIA
4. RELIANCE COMMUNICATIONS LIMITED V. DIRECTORATE GENERAL OF
GST INTELLIGENCE.
5. GOOGLE INC. V. AEPD AND MARIO COSTEJA GONZÁLEZ.
6. BINOYVISWAM V UNION OF INDIA (2017) 7 SCC 59
7. GOOGLE SPAIN SL V. AGENCIA ESPAÑOLA DE PROTECCIÓN DE DATOS.
8. MAX SCHERM’S V. FACEBOOK IRELAND.
9. KARMANYA SINGH SAREEN & ANR. VS UNION OF INDIA.
10. U.S. V. FACEBOOK, INC.
11. NILABATI BEHERA V. STATE OF ORISSA.
12. RAM JETHMALANI V. UNION OF INDIA.
13. COMMON CAUSE V. UNION OF INDIA.
14. SHAYARA BANO V. UNION OF INDIA (2017).
15. MANEKA GANDHI V. UNION OF INDIA (1978).
16. PEOPLE’S UNION FOR CIVIL LIBERTIES (PUCL) V. UNION OF INDIA (2003).
17. STATE OF WEST BENGAL V. ANWAR ALI SARKAR (1952)
18. GOBIND V STATE OF MADHYA PRADESH (1975) 2 SCC 148
19. VIKRAM SINGH V UNION OF INDIA (2015) 9 SCC 502
20. SHRI SHANTANU MOHAPATRA V UNION OF INDIA (2018)
SCCONLINE ORI 211
21. RAJESH SHARMA V. STATE OF WEST BENGAL (2014)
22. GOVIND V. STATE OF MADHYA PRADESH (1975)
23. R V. SPENCER (2014, SUPREME COURT OF CANADA)
24. CENTRAL PUBLIC INFORMATION OFFICER, SUPREME COURT
OF INDIA V. SUBHASH CHANDRA AGARWAL (2019)

(G). LAW REPORTS:

1. All India Reports

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 11

2. Supreme court Cases

3. International Cases

(H). CONVENTIONS REFFERED:

1. Universal Declaration of Human Rights
2. Declaration of Principles on Equality, 2009 – The Equality Rights Trust
3. General Data Protection Regulation (GDPR) - European Union (2016)
4. International Covenant on Civil and Political Rights (ICCPR)
5. OECD Privacy Guidelines (2013)
6. The UN Guidelines for the Regulation of Computerized Personal Data
Files (1990)

STATEMENT OF JURISDICTION

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 12

The Petitioner humbly submits to the jurisdiction of this Hon’ble Court under Article
32 of the constitution. The Petitioner has approached this hon’ble court in
apprehension of the violation of fundamental rights.

The petitioners have approached the Hon'ble Supreme Court challenging the
constitutionality of certain provisions of the Act, primarily under the grounds of
violation of fundamental rights, including the Right to Privacy1 and the Right to
Equality2 guaranteed under the Constitution of Indiana.

The Hon’ble Supreme Court of India has the Jurisdiction to try, entertain, and dispose
of the present case by virtue of Article 32 and Article 142 3 of the Constitution of
India.

Petitioner maintains that the jurisdiction of Art 324of the constitution, which protects
the citizens of Indiana from any violation of their fundamental rights, is applicable in
the present case.

1
Article 21: “Protection of Life and Personal Liberty: No person shall be deprived of his life or personal liberty
except according to procedure established by law.”

2
Article 14: The State shall not deny to any person equality before the law or the equal protection of the laws
within the territory of India.

3
Article 142 of the Constitution of India empowers the Supreme Court to pass any decree or order necessary for
doing complete justice in any case or matter pending before it

4
Article 32. Remedies for enforcement of rights conferred by this Part:(1) The right to move the SC by
appropriate proceedings for the enforcement of the rights conferred by this Part is guaranteed.(2) The SC shall
have power to issue directions or orders or writs including writs in the nature of habeas corpus, mandamus,
prohibition, quo warranto and certiorari, whichever may be appropriate, for the enforcement of any of the rights
conferred by this Part.(3) Without prejudice to the powers conferred on the SC by clause(1) and (2), Parliament
may by law empower any other court to exercise within the local limits of its jurisdiction all or any of the powers
exercisable by the SC under clause (2).

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 13

STATEMENT OF FACTS

1. Indiana is a federal democratic country with a rich history of over 5000 years. After
gaining independence from Country X in 1947, it adopted the LPG Policy in 1990 for
various political reasons.

2. Medicine. Co., a government company, operates as the largest online pharmaceutical

platform in Indiana’s capital, Compton, offering subsidized medications and health
insurance through Samaveta Indiana Insurance Company.

3. Membership can be obtained via an application on their website or through the Major Pay
platform, which doesn't require direct bank account details.

4. In March 2023, Medicine. Co entered a significant partnership with Safety GPT, an AI

company, to enhance data management and security. Safety GPT's functions include
organizing data, detecting fraud, facilitating payments, and offering personalized product
recommendations.

5. Following data breaches in Indiana, the government introduced Act 22 of 2023 to protect
digital personal data, which came into force on January 21, 2023, with exemptions for
certain companies until 2027.

6. However, on January 21, 2024, Mr. Aman and over 2558 other members of Medicine. Co
discovered their bank accounts had been emptied. An internal investigation revealed a
breach had occurred, exposing sensitive customer data.

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 14

7. Aman learned from Mr. Samarth, an R&D head at Medicine. Co., that the AI system had
been compromised. As unrest grew among affected members, Aman started a social media
group to organize a response.

8. Despite Medicine. Co’s claims of compliance with Act 22, members were unsatisfied and
approached the Supreme Court, questioning the Act's provisions and the company’s
actions.

9. The Supreme Court agreed to hear the case, involving both Medicine. Co and the Union of
Indiana, amid rising public scrutiny and unrest over the data breach incident.

ISSUES:
1. Whether the provisions of Act 22 of 2023 that allow the processing of Personal data without
the consent of the Data Principal under Section 6 and allied provisions violate the Right to
Privacy?

2. Whether the processing of Bank Account Details constitute a Legitimate Purpose under
Section 7 and allied provisions, as stated in Act 22 of 2023?

3. Does the provision that provides immunity to the Central Government under Section 35 on
account of Good Faith violate the Petitioner’s right to seek remedy?

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 15

4. Whether the exemption of certain data fiduciaries under Section 17(5) by means of
notification is an arbitrary exercise of discretion and thus violative of Article 14 of the
Constitution of Indiana?

SUMMARY OF PLEADINGS

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 16

1. Whether the provisions of Act 22 of 2023 that allow the processing of Personal data
without the consent of the Data Principal under Section 6 and allied provisions violate
the Right to Privacy?

It is most humbly submitted before the hon’ble court Act 22 of 2023 violates the Right
to Privacy guaranteed under Article 21 of the Indian Constitution by allowing the
processing of personal data without explicit consent. Medicine. Co. collected sensitive
financial data, including bank account details, without proper consent, leading to a data
breach and financial harm for individuals. Therefore, the provisions of Act 22 of 2023
under Section 6 and allied provisions violate the Right to Privacy

2. Whether the processing of Bank Account Details constitute a Legitimate Purpose under
Section 7 and allied provisions, as stated in Act 22 of 2023?

It is most humbly submitted before the hon’ble court that the processing of bank
account details by Medicine. Co does not meet the criteria of a legitimate purpose
under Section 7 of Act 22 of 2023. Medicine. Co collected sensitive data without
explicit and informed consent, violating key principles of transparency and data
minimization. The storage and processing of bank account details for recurring
payments were excessive and not required for the service provided. Therefore, the
processing of Bank Account Details does not constitute a Legitimate Purpose under
Section 7 and allied provisions, as stated in Act 22 of 2023

3. Does the provision that provides immunity to the Central Government under Section
35 on account of Good Faith violate the Petitioner’s right to seek remedy?

It is most humbly submitted before the hon’ble court that Section 35 of the DPDPA,
2023, grants blanket immunity to government entities for actions taken in "good faith,"
which undermines accountability and denies individuals fundamental right to seek
justice for harm caused by data breaches. The term "good faith" is vaguely defined,
allowing excessive discretion and enabling potential misuse of the provision. Therefore
Section 35 violates the Petitioners right to seek remedy

4. Whether the exemption of certain data fiduciaries under Section 17(5) by means of
notification is an arbitrary exercise of discretion and thus violative of Article 14 of the
Constitution of Indiana?

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 17

It is most humbly submitted before the hon’ble court that Section 17(5) of Act 22 of
2023 violates Article 14 of the Constitution by granting the government unchecked
discretionary power to exempt certain data fiduciaries from data protection
requirements without clear guidelines. This unregulated discretion enables arbitrary
classifications, undermining equality and fairness. This framework unjustly prioritizes
certain entities over individual protections, contradicting constitutional principles.
Therefore, exemption that is provided under Section 17(5) violates Article 14 of the
Constitution of Indiana.
ADVANCED PLEADINGS

1. WHETHER THE PROVISIONS OF ACT 22 OF 2023 THAT ALLOW THE

PROCESSING OF PERSONAL DATA WITHOUT THE CONSENT OF THE DATA
PRINCIPAL UNDER SECTION 6 AND ALLIED PROVISIONS VIOLATE THE RIGHT
TO PRIVACY?

1. It is most humbly submitted before the hon’ble court that the provisions of Act 22 of 2023 5 that
allows the processing of personal data without the consent of the data principal under section 6 6
and allied provisions violate Right to privacy

2. Section 6 states that the consent given by the Data Principal shall be free, specific, informed,
unconditional and unambiguous with a clear affirmative action, and shall signify an agreement
to the processing of her personal data for the specified purpose and be limited to such personal
data as is necessary for such specified purpose.

5
. Digital personal data protection act,2023

6
Section 6:(1) The consent given by the Data Principal shall be free, specific, informed, unconditional and
unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data
for the specified purpose and be limited to such personal data as is necessary for such specified purpose.

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 18

3. In the digital age, consent is considered the cornerstone of privacy protection. The General Data
Protection Regulation, a leading international data protection framework, mandates that
personal data must be collected and processed based on explicit and informed consent from the
individual. GDPR Article 6(1)(a)7 requires that consent be freely given, specific, informed, and
unambiguous.

4. In the present case, Medicine. Co.’s data collection methods (including the automatic collection
of bank account details) and the absence of explicit consent to collect this sensitive data raises
serious concerns. The Legitimate Use Principle relied upon by the company cannot justify by
passing consent as it is not an adequate safeguard for the fundamental right to privacy. The non-
consensual collection and processing of sensitive personal data without the knowledge of the
individual amounts to an invasion of privacy.

5. Article 218 states “Protection of Life and Personal Liberty: No person shall be deprived of his
life or personal liberty except according to procedure established by law. In this particular case
the procedure established by law is not followed and right to privacy is violated as data is
collected without proper means and unconditionally and also not utilised as per agreed terms as
9
mentioned in Appendix II. In Justice K.S. Puttaswamy The nine-judge Bench judgment,
declaring privacy as intrinsic to life and liberty and an inherent right protected by Part III of the
Constitution, is that an ordinary man can now directly approach the Supreme Court and the
High Courts for violation of his fundamental right under the Constitution.

7
ARTICLE 6(1)(a) confirms that the consent of the data subject must be given in relation to “one or more
specific” purposes and that a data subject has a choice in relation to each of them.
8
India Constitutional Law, M P Jain, 8th Edition, Lexis Nexis.

9
. AIR 2018 SC (SUPP) 1841, 2019 (1) SCC 1, (2018) 12 SCALE 1, (2018) 4 CURCC 1, (2018) 255 DLT 1,
2018 (4) KCCR SN 331 (SC), AIRONLINE 2018 SC 237

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 19

6. The recent data breach that occurred in Medicine. Co., where sensitive customer information,
including bank account details, was leaked or stolen. The breach was exacerbated by the AI
system storing more data than it was authorized to collect, including bank account details from
the Major Pay platform, which were not part of the originally disclosed in subscription terms.

7. This breach underscores the vulnerability of individuals’ personal data when it is processed
without proper consent and when the safeguards to protect privacy are insufficient. A data
breach especially involving financial data is a direct infringement of the Right to Privacy
because it exposes individuals to risks such as identity theft, financial fraud, and unauthorized
surveillance. Thus, allowing companies like Medicine. Co. to collect and process data without
explicit consent increases the risk of such breaches and endangers the privacy rights of
individuals.

8. The Act 22 of 2023 does not adequately protect the data principal’s right to control their
personal data, especially where it concerns sensitive financial information. The Legitimate Use
Principle relied upon by Medicine. Co. to justify the processing of bank account details
without explicit consent is overly broad and insufficient to address the serious privacy risks
posed by this data.

9. The data breach caused by Safety GPT, leading to the exposure and theft of 4500 bank accounts,
underscores the inadequacy of the safeguards in place. This data breach highlights that the data
was not only collected without explicit consent, but also stored and processed in an insecure
manner, rendering the data vulnerable to theft and misuse.

10. The breach led to significant financial harm for individuals, including the petitioners, whose life
savings were stolen. The absence of informed consent and the negligent data protection
measures violate the Right to Privacy as it enables unauthorized access to sensitive personal

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 20

information without proper safeguards the broad, sweeping data collection practices show a
failure to adhere to data protection principles, particularly the principle of data minimization
under the GDPR and similar international standards.

10
11. Shreya Singhal v. Union of India In this case, the Court held that any restriction on a
fundamental right must meet the strict scrutiny test and be proportionate. While the case
primarily concerned free speech, it established a strict standard for when fundamental rights
may be overridden by law. Similarly, the processing of personal data without consent must
meet a strict scrutiny test—something that the provisions of Act 22 of 2023 do not satisfy, as
the processing is neither sufficiently specific nor proportionate.

12. National Consumer Disputes Redressal Commission (NCDRC) - Financial Fraud Due to
Data Breach This case concerned bank fraud resulting from data breaches where customer
information was misused for fraudulent transactions. The fraud was traced back to the
mishandling and unauthorized processing of sensitive data by the company. NCDRC held that
companies must take adequate measures to secure consumer data and be transparent about their
data handling practices. Failure to protect consumer data can lead to liability for fraud and
compensation to affected consumers the principles outlined in this case regarding the protection
of financial data can be applied to Medicine. Co., which similarly processed sensitive financial
information and failed to adequately protect it. The Court ruled that those responsible for data
breaches are liable for fraud and must take responsibility for the harm caused.

13. Reliance Communications Limited v. Directorate General of GST Intelligence 11:This case
dealt with unauthorized access to sensitive corporate data, including financial records, which led
10
AIR 2015 SC 1523.
11
(2019) 8 SCC 597

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 21

to significant monetary loss. The data was accessed by external parties who exploited the lack of
secure systems to conduct fraudulent transactions. Court emphasized the need for strict data
protection measures in sensitive sectors like finance. Companies can be held liable for financial
fraud caused by poor data management and breach of privacy.

14. (INTERNATIONAL HUMAN RIGHTS STANDARD) India is bound by international

12
standards like Article 12 of the UDHR13 and Article 1714 of the ICCPR, which protect
against arbitrary privacy interference. Comparable regulations, like the EU’s 15 GDPR,
emphasize stringent safeguards, judicial oversight, and proportional measures. The actions of
the Medicine co. do not align with these standards. Therefore, it is humbly submitted that Act
22 of 2023 Right to privacy by failing to adhere to constitutional and international legal
standards.

15. While protecting national security is legitimate, measures must be balanced against individual
rights. In Anuradha Bhasin vs. Union of India 16, the Supreme Court emphasized the need for
proportionality in restrictions on fundamental rights. Blanket access without explicit consent
fails this criterion.

12
. Article 12: No one shall be subjected to arbitrary interference with his privacy, family, home or
correspondence, nor to attacks upon his honour and reputation.

13
UDHR - Universal Declaration of Human Rights
14
article17: No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or
correspondence, nor to unlawful attacks on his honour and reputation.
15
.EU- European union
16
. AIR 2020 SUPREME COURT 1308, (2020) 1 MAD LJ 574, (2020) 1 SCALE 691, (2020) 77 OCR 784,
AIRONLINE 2020 SC 17

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 22

16. The DPDPA 2023 lacks adequate safeguards to prevent misuse of provisions allowing data
access. The absence of judicial or independent oversight increases the risk of abuse and
infringement of fundamental rights, violating principles established in the Puttaswamy
judgment. Compared to the GDPR in the European Union, DPDPA 2023 lacks stringent
safeguards and accountability mechanisms.

17. The Human Rights Committee’s General Comment No. 34 requires restrictions to be lawful,
serve a legitimate aim, and be necessary and proportionate, standards not met by DPDPA 2023.
Therefore, it is humbly submitted that the DPDPA 2023 fails to balance personal
data protection and national security, resulting in the violation of fundamental right

2. WHETHER THE PROCESSING OF BANK ACCOUNT DETAILS CONSTITUTE A

LEGITIMATE PURPOSE UNDER SECTION 7 AND ALLIED PROVISIONS, AS
STATED IN ACT 22 OF 2023?

1. It is most humbly submitted before the hon’ble court that the processing of Bank Account
Details does not constitute a Legitimate Purpose under Section 7 17 and allied provisions, as
stated in Act 22 of 2023.

2. Section 7 of 22 of 20203 states that A Data Fiduciary 18 may process personal data of a Data
Principal for any of following uses, namely (a) for the specified purpose for which the Data

17
Section 7: A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely—
(a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data
Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use
of her personal data.

18
Section2 (i): “Data Fiduciary” means any person who alone or in conjunction with other persons determines the
purpose and means of processing of personal data

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 23

Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of
which she has not indicated to the Data Fiduciary that she does not consent to the use of her
personal data.

3. Under Section 7 of the Digital Personal Data Protection Act (Act 22 of 2023), the processing of
personal data must be carried out for legitimate purposes only. Legitimate purposes are
generally defined as those purposes that are necessary for the performance of a contract,
compliance with a legal obligation, protection of vital interests, or consent from the data subject
for specific uses. The processing of bank account details for recurring payments by Medicine.
Co. does not fall within any of these purposes.

4. The collection of bank account details by Medicine. Co. was done without explicit and
informed consent from the customers. Under Section 519 of the Act, there is a clear mandate for
explicit consent from the data principal (i.e., the individual whose data is being processed),
especially when sensitive personal data like bank account details are involved. The fact that
customers were not adequately informed about the storage and processing of their sensitive data
violates the transparency and consent requirements under Section 5 and Section 6 20of Act 22 of
2023.

19
Section5(1): Every request made to a Data Principal under section 6 for consent shall be accompanied or
preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— (i) the personal data and
the purpose for which the same is proposed to be processed; (ii) the manner in which she may exercise her rights
under sub-section (4) of section 6 and section 13; and (iii) the manner in which the Data Principal may make a
complaint to the Board, in such manner and as may be prescribed.

20
section6: (1) The consent given by the Data Principal shall be free, specific, informed, unconditional and
unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data
for the specified purpose and be limited to such personal data as is necessary for such specified purpose.

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 24

5. Justice K.S. Puttaswamy (Retd.) vs Union of India - The Supreme Court in the Puttaswamy
case emphasized the right to informational privacy, which includes the need for consent and
transparency in data processing. Consent must be informed, voluntary, and specific to the data
being processed.

6. Google Inc. v. AEPD and Mario Costeja González 21- The Court of Justice of the European
Union ruled that personal data must be processed with the explicit consent of the data subject
and in compliance with the purposes for which it was originally collected.

7. There is no legal obligation under Indiana’s laws that mandates the processing of users' bank
account details for the purpose of offering a subscription model. While Medicine. Co. claims
that it stores such data for "legitimate purposes" related to membership renewals, there is no
clear provision in the Act or other laws that compels the company to process and store bank
account details for this purpose. The Act does not provide CARTE BLANCHE for companies
to process sensitive data without adhering to strict safeguards.

8. K.S. Puttaswamy (Retd.) v. Union of India - The Supreme Court emphasized that the State or
any entity cannot interfere with the data subject’s privacy rights unless there is a legitimate
purpose and clear legal basis for doing so. Misuse of Personal Data and the Risk of Data Breach
The processing of sensitive data such as bank account details without adequate safeguards
exposes the data subjects to significant risks, including data theft, identity theft, and financial
harm.

9. The data breach suffered by the petitioners, which involved the hacking and emptying of their
bank accounts, shows that Medicine. Co. failed to implement the necessary safeguards to protect
this data. The storage of sensitive personal data by an AI system without sufficient security
21
. Case C-131/12

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 25

measures undermines the purpose of the Act, which aims to protect personal data and prevent
harm to individuals.

22
10. Shreya Singhal v. Union of India - The Supreme Court emphasized that any regulation of
personal data or privacy must be proportionate to the objective sought to be achieved and must
not unnecessarily infringe upon individual rights. In the case at hand, the company has not
shown how the collection and storage of bank account details meet the criteria for a legitimate
purpose under the Act.

11. Under Section 3 23 and Section 7(a)24 of the Act, sensitive personal data (including financial data
like bank account details) is afforded a higher level of protection compared to other personal
data. The collection, processing, and storage of such sensitive data by Medicine. Co. without
explicit informed consent, and without adequate safeguards, constitutes a violation of the Act’s
provisions.

12. The breach of customer data, leading to financial harm (bank accounts being emptied), directly
results from the company's failure to adequately safeguard this sensitive personal data, contrary
to the principles of security and accountability outlined in the Act.

22
AIR 2015 SC 1523.

23
section3: Subject to the provisions of this Act, it shall— (a) apply to the processing of digital personal data
within the territory of India where the personal data is collected–– (i) in digital form; or (ii) in non-digital form
and digitised subsequently

24
section7(a): for the specified purpose for which the Data Principal has voluntarily provided her personal data to
the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent
to the use of her personal data.

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 26

13. Google Spain SL v. Agencia Española de Protección de Datos 25The Court of Justice of the
European Union held that processing sensitive data, such as financial information, requires extra
care and safeguards. It must be subject to strict conditions, and failure to comply can result in
violation of privacy rights. In Max Scherm’s v. Facebook Ireland 26The European Court of
Justice ruled that even though the data processing might serve legitimate business interests, the
use of sensitive data must have adequate security measures, and failure to protect it adequately
violates data protection laws.

14. The permissions page on the website, which customers must agree to before joining the
platform, did not explicitly inform customers about the automatic collection and storage of their
bank details. This violates the right to informational privacy and informed consent under the
Act, which are key aspects of Section 5. Moreover, the argument that such data processing falls
under a "legitimate purpose" is tenuous because the company never provided a proper
mechanism for users to withdraw consent once given. This is an essential feature of data
protection laws worldwide, which the Act also implicitly supports through its provisions on
consent.

27
15. Karmanya singh sareen & Anr. Vs Union of India The Delhi High Court ruled that in the
digital age, users must have explicit consent regarding data processing, and failure to obtain this
consent could lead to a breach of the fundamental right to privacy.

25
Case C-131/12

26
Case C-498/16

27
Writ Petition (Civil) No. 7663 of 2016, Delhi High Court

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 27

16. The petitioner argues that Medicine. Co.'s data collection practices were unfair and
disproportionate, as they collected more data than necessary for the purpose of providing the
service. Specifically, the company could have facilitated recurring payments without collecting
sensitive bank account details directly, but chose to do so as part of a broader data collection
and customer profiling strategy.

17. The Act emphasizes that personal data should only be collected when it is adequate, relevant,
and limited to what is necessary for the purposes for which it is processed (Section 6, Act 22 of
2023). The collection of bank account details for the purpose of facilitating a recurring payment
model exceeds what is necessary for the service provided by Medicine. Co., thus constituting an
infringement of the data minimization principle. In Google Inc. v. AEPD and Mario Costeja
González 28The European Court of Justice ruled that data collection must be proportional to the
service provided. Collecting unnecessary or excessive data constitutes an infringement of data
protection principles.

18. The company’s reliance on the third-party AI software, Safety GPT, to process customer data
without proper oversight or transparency also raises questions about the adequacy of the
company's security protocols. While it is claimed that the AI system was intended to improve
fraud detection, its apparent failure to prevent the breach shows a lack of proper safeguards.

29
19. U.S. v. Facebook, Inc. The Federal Trade Commission found that Facebook’s failure to
protect users' personal information, despite collecting it for specific purposes, led to a
substantial fine. The court ruled that failure to safeguard sensitive data constitutes a breach of
data protection laws.
28
Case C-131/12

29
Civil Action No. 19-2184 (TJK)

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 28

20. Under Section 13(1)30 of Act 22 of 2023, data principals (i.e., customers) have the right to
access their personal data and request its deletion or correction. However, Medicine. Co's
handling of bank account details appears to infringe this right, particularly because users were
never informed that their sensitive financial information would be stored or used beyond the
immediate transaction for membership. The inability of users to access and manage their
personal data creates a significant violation of the core principles of data access and control.

21. The Latin maxim Salus populi suprema lex" (The welfare of the people is the supreme
law) is applicable here This maxim emphasizes that public welfare and protection of citizens'
rights must take precedence over any other interests, including commercial or governmental
interests. The violation of personal data protection, especially through unauthorized or poorly
disclosed data processing practices (as in Medicine. Co.’s AI software breach), undermines
public welfare and public trust.

22. The company failed to uphold the principles of transparency, data minimization, and user
consent as required under the Act. Therefore, it is humbly submitted that the processing of Bank
Account Details does not constitute a Legitimate Purpose under Section 7 31 and allied
provisions, as stated in Act 22 of 2023.

30
Section13(1): A Data Principal shall have the right to have readily available means of grievance redressal
provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or
Consent Manager regarding the performance of its obligations in relation to the personal data of such Data
Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder.

31
(7) A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,
(a) erase personal data, upon the Data Principal withdrawing her consent or as General obligations of Data
Fiduciary soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is
earlier; and
(b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for
processing to such Data Processor.

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 29

3. DOES THE PROVISION THAT PROVIDES IMMUNITY TO THE CENTRAL

GOVERNMENT UNDER SECTION 35 ON ACCOUNT OF GOOD FAITH VIOLATE THE
PETITIONER’S RIGHT TO SEEK REMEDY?

1. Your Lordships, we stand before this Hon’ble Court to challenge the constitutional validity of the
immunity granted under Section 35 of Act 22 of 2023. The immunity provision, as it currently
stands, deprives Mr. Aman and others like him of their fundamental right to seek justice and
accountability for the harm they have suffered.

2. Section 35 lacks many specific guidelines for what constitutes "good faith 32," allowing excessive
discretion to government entities, including Medicine. Co., to interpret this term to their
advantage. We submit that such a vaguely worded immunity provision fails to meet the
reasonableness requirement under Article 1433. It enables state entities to bypass accountability
without objective criteria, which is inherently arbitrary and inconsistent with constitutional
principles.

3. SECTION 35 PROTECTION OF ACTION TAKEN IN GOOD FAITH No suit, prosecution or

other legal proceedings shall lie against the Central Government, the Board, its
Chairperson and any Member, officer or employee thereof for anything which is done or

32
section2(h): "Good faith"—nothing shall be deemed to be done in good faith which is not done with due care
and attention.

33
Article14: The State shall not deny to any person equality before the law or the equal protection of the laws
within the territory of India.

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 30

intended to be done in good faith under the provisions of this Act or the rules made
thereunder.

4. The immunity provision under Section 35of the DPDPA, 2023, violates the fundamental right to
privacy and the right to seek remedy for harm caused by data breaches. The Supreme Court, in
Justice K.S. Puttaswamy (Retd.) vs. Union of India, recognized the right to privacy as a
fundamental right under Article 2134 of the Constitution of India. This judgment underscores the
importance of protecting personal data and ensuring that privacy is safeguarded against
intrusions. The immunity provision undermines the accountability and transparency necessary to
protect individuals' privacy.

5. The provision of immunity may lead to a lack of accountability for the Central Government and
its officers. This lack of accountability undermines the trust of citizens in the government's ability
to protect their personal data and respond to breaches effectively. If the government and its
officials are not held accountable for breaches, it can lead to a lack of diligence and necessary
precautions in handling personal data.

6. Handling any individual's privacy requires an element of trust, and therefore, Data Fiduciary are
intended to perform their set of regulations in accordance with the expectations of the Data
Principal and the specific statute. Any act which is not performed in good-faith or not intended to
be in compliance with the said statute would be considered a violation of the Act.

7. Good faith has not been defined under the said act but have been used in numerous legislation
and statutes in India for example, 2(h) of the Limitation Act, 1963[5] which defines good faith as
an act not done with due care and attention.
34
“Protection of Life and Personal Liberty: No person shall be deprived of his life or personal liberty except
according to procedure established by law.”

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 31

8. The principles of natural justice are fundamental legal principles that ensure fairness,
accountability, and transparency in legal proceedings and administrative actions. In the context of
Section 35 of the Digital Personal Data Protection Act (DPDPA), 2023, the principles of natural
justice are relevant for several reasons:

9. One of the core principles of natural justice is that no one should be condemned unheard. This
means individuals have the right to be heard before any action is taken that adversely affects their
rights or interests. Section 35 provides immunity to the Central Government and its officers for
actions taken in good faith, which can prevent individuals from challenging these actions in court.
This undermines their right to be heard and seek redress for the harm caused by data breaches.

10. Natural justice entails the right to seek an effective remedy for violations of rights. Individuals
should have access to legal mechanisms to challenge wrongful actions and obtain redress. The
immunity provision under Section 35 denies individuals the right to seek remedy for data
breaches caused by the government's actions or inactions. This is a direct violation of the
principles of natural justice, as it prevents individuals from holding the government accountable
and obtaining justice for the harm they have suffered.

11. Section 35 provides immunity to the Central Government and its officers for actions taken in
good faith, which means they are protected from legal consequences even if their actions result in
data breaches. This lack of accountability can lead to negligence or insufficient efforts to protect
personal data. Without the threat of legal repercussions, there may be less incentive for the
government to implement robust data protection measures, potentially increasing the risk of data
breaches.

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 32

12. In Nilabati Behera v. State of Orissa35 (1993) The Supreme Court ruled that the state can be
held liable for violations of fundamental rights, including the right to life under Article 21, and
awarded compensation to the victim’s family. The case held that the state cannot claim immunity
for acts that result in violations of citizens’ rights. This case supports the argument that
government immunity cannot absolve the state from accountability when fundamental rights are
at stake. It reinforces that compensation and remedy must be available to citizens, even if the
government claims its actions were in “good faith.”

13. The Latin maxim “Ex injuria jus non oritur" (The law does not arise from injustice) is
applicable here This maxim holds that illegal or unjust acts cannot give rise to legal rights.
Medicine. Co.’s actions in processing and storing data without proper consent or notice were
unlawful, and any legal consequences arising from those actions (such as the immunity granted
under Section 35) cannot be justified because the law was violated in the first place. Hence any
immunity offered under Section 35 cannot protect Medicine. Co. from the illegal processing of
personal data. Since the breach was unlawful and against the spirit of the Act, the law cannot
protect the company from the consequences of its actions.

14. Your Lordships, the blanket immunity offered under Section 35, while intended to protect bona
fide government actions, operates here to prevent judicial oversight of a serious data breach that
impacted the livelihoods and fundamental rights of thousands of citizens. Such a provision, we
argue, should not and cannot be used to deny individuals like Mr. Aman their right to seek
remedy or to shield potential negligence from scrutiny.

35
1993 AIR 1960 1993 SCR (2) 581 1993 SCC (2) 746 JT 1993 (2) 503 1993 SCALE (2)309

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 33

4. WHETHER THE EXEMPTION OF CERTAIN DATA FIDUCIARIES UNDER SECTION

17(5) BY MEANS OF NOTIFICATION IS AN ARBITRARY EXERCISE OF
DISCRETION AND THUS VIOLATIVE OF ARTICLE 14 OF THE CONSTITUTION OF
INDIANA?

1. "Your Lordships, we contend that Section 17(5) 36 of Act 22 of 2023 violates Article 14 of the
Constitution of Indiana, which ensures equality before the law and protects against arbitrary state
action. This section grants the executive discretionary power to exempt certain data fiduciaries
from complying with data protection requirements, merely through a notification process, without
specifying adequate guidelines or criteria for such exemptions. We argue that this unregulated
discretion is arbitrary, fails the test of reasonableness, and consequently breaches Article 14."

2. Section 17(5) grants the executive discretionary power to exempt certain data fiduciaries from
compliance with data protection requirements via a simple notification, without specifying
adequate guidelines or criteria. This lack of regulation allows for arbitrary application, failing the
test of reasonableness under Article 14 of the Constitution of Indiana, which mandates equality
before the law and protects against arbitrary state action.

36
Scetion17(5): (e) the processing is necessary for a scheme of compromise or arrangement or merger or
amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or
transfer of undertaking of one or more company to another company, or involving division of one or more
companies, approved by a court or tribunal or other authority competent to do so by any law for the time being in
force.

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 34

3. Data protection is integral part of the fundamental right to privacy, and exemptions under Section
17(5) compromise this right. By allowing certain data fiduciaries, such as Medicine. Co, to
bypass compliance, citizens, like Aman, are left vulnerable to potential misuse of their personal
data. The data breach involving Medicine Co. exemplifies the risk of harm that unchecked
exemptions can pose to individuals.

4. Shayara Bano v. Union of India (2017) 37 The principle established in Shayara Bano holds that
laws impacting fundamental rights must meet the standards of reasonableness and non-
arbitrariness. By allowing selective exemptions for certain entities, Section 17(5) creates an
uneven playing field that puts individuals’ privacy at risk. This discriminatory exemption
structure fails the test of reasonableness and violates the right to equality under Article 14.

5. Section 17(5) allows the Central Government to exempt any data fiduciary or class of data
fiduciaries from compliance with provisions of the Data Protection Act for a specified period via
notification. This exemption can delay compliance with data protection standards until 2027,
creating arbitrary classifications that disadvantage ordinary citizens.

6. There is no rational basis for treating public entities like Medicine Co. differently from private
companies in the pharmaceutical or digital data sector. Both public and private entities collect
sensitive personal data, including financial information, yet Section 17(5) provides an exemption
to public entities like Medicine. Co., while imposing strict obligations on private companies. This
unequal treatment is arbitrary and discriminatory.

7. In Re: The Kerala Education Bill38, the Supreme Court stated that any classification made by the
law must bear a rational relationship to the purpose sought to be achieved. There is no rational
37
AIR 2017 SC 4609

38
[(1957) SCR 995]

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 35

basis for exempting Medicine Co. from the provisions of the Act, while other entities in the same
sector are held to the same standards. The classification made by Section 17(5) is thus
unreasonable and violates the equal protection of the law.

8. The Medicine. Co.'s failure to secure personal and financial data, resulting in widespread bank
account theft, is a direct consequence of the government's failure to regulate data fiduciaries
through robust legal provisions. The exemption granted under Section 17(5) deprives the
Petitioners and other data principals of the protection of their personal data and exposes them to
greater risks of data theft and financial harm.

9. In K.S. Puttaswamy v. Union of India39, the Supreme Court recognized the right to privacy as a
fundamental right under Article 21 of the Constitution of Indiana. The Court held that the state
has a duty to protect individuals' privacy through adequate laws and regulatory mechanisms. By
exempting data fiduciaries like Medicine. Co., Section 17(5) fails to protect the privacy rights of
data principals and subjects them to potential harm.

10. This exemption framework lacks clear guidelines, leading to arbitrary classifications. And
exposes citizens, like Aman, to heightened risks, as evidenced by the Medicine. Co breach. The
absence of uniform data protection obligations fails to ensure equal data security for all citizens,
contravening Article 14’s guarantee of equality.

11. In the case of Maneka Gandhi v. Union of India (1978)40The Supreme Court established that
arbitrariness is inherently discriminatory and thus violates Article 14. Equality under the law is
antithetical to arbitrariness. Section 17(5) introduces arbitrary distinctions among data fiduciaries,
violating the right to equality by unjustly favouring some entities over others.
39
[(2017) 10 SCC 1]

40
AIR 597, 1978 SCR (2) 621

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 36

12. Disproportionate Harm to Citizens Due to Lack of Compliance by the Exemptions that
excuse certain companies from data security requirements place citizens at unjustified risk, as
illustrated by the Medicine. Co breach, which compromised Aman's sensitive personal
information. The exemption structure thus undermines the state’s duty to protect citizens from
foreseeable harm, especially when dealing with personal data.

13. People’s Union for Civil Liberties (PUCL) v. Union of India (2003) 41 The court recognized
that the state has an obligation to safeguard citizens' fundamental rights, including privacy.
Exemptions under Section 17(5) violate this duty, as they leave citizens unprotected from
potential misuse of data by certain exempted entities, such as Medicine. Co.

14. Lack of Accountability and Transparency Breaches Public Trust by this, Section 17(5) lacks
clear criteria for granting exemptions, leading to opacity and limited accountability. This fosters
public mistrust in the government’s commitment to data security. Citizens rely on data fiduciaries
to protect sensitive information, and the government must ensure transparency to maintain public
trust.

15. Absence of Criteria Undermines Equality and Accountability The Section 17(5) grants
unfettered discretion to the government to exempt specific data fiduciaries without transparent
criteria, creating inequality. While private companies face stringent data protection standards,

41
AIR 2003 SUPREME COURT 2363, 2003 AIR SCW 2353, (2003) 2 JT 528 (SC), 2003 (2) JT 528, 2003 (2)
SLT 694, (2003) 2 KHCACJ 674 (SC), (2003) 5 ALLINDCAS 853 (SC), (2003) 2 SCR 1136 (SC), 2003 (5) SRJ
197, 2003 (2) KHCACJ 674, 2003 (3) SCALE 263, 2003 (2) LRI 13, 2003 (4) SCC 399, (2003) 3 MAHLR 797,
(2003) 3 SUPREME 93, (2003) 3 SCALE 263, AIR 2003 SUPREME COURT 2313, 2003 AIR SCW 2287, 2003
CLC 590 (SC), (2003) 5 JT 577 (SC), (2003) 7 ALLINDCAS 746 (SC), 2003 (3) SLT 236, 2003 (5) JT 577,
2003 (3) COM LJ 42 SC, 2003 (3) SCALE 638, 2003 (4) ACE 436, 2003 (9) SCC 490, 2003 (6) SRJ 278, (2003)
5 INDLD 547, (2003) 54 CORLA 207, (2003) 3 SUPREME 217, (2003) 3 SCALE 638, (2003) 114 COMCAS
664, (2003) 2 CURCC 167, (2003) 2 LACC 380

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 37

government-run entities, like Medicine. Co, may be exempt. This arbitrary classification violates
Article 14’s requirement for equal treatment and accountability.

16. State of West Bengal v. Anwar Ali Sarkar (1952) 42 The Supreme Court in this case held that
classifications under law must have intelligible differentia and a rational nexus with the law’s
objectives. Section 17(5) lacks such differentia, resulting in discriminatory treatment and clearly
violates the right to equality.

17. The Arbitrary Exemption Under Section 17(5) Creates a Discriminatory and Unjust Classification
between the between public and private sector companies when it comes to data protection
standards. Both private and public sector entities handle sensitive personal data, and there is no
inherent difference in the potential risks of data breaches. Medicine. Co., being a government-
controlled entity, should not be exempt from the requirements of the Act simply because it is
under government control. The exemption creates a discriminatory classification based on the
nature of the entity, rather than the nature of the data it processes or the risks associated with such
data. In State of Uttar Pradesh v. Chandra Prakash Tiwari, the Court held that a classification
which treats similarly situated entities differently without any reasonable or rational basis violates
Article 14. The exemption of Medicine. Co. under Section 17(5), without any objective
differentiation from private companies, amounts to unconstitutional discrimination.

18. The lack of accountability and transparency in granting exemptions under Section 17(5) severely
undermines public trust in the government’s commitment to data security and citizen protection.
By permitting arbitrary exemptions for certain data fiduciaries, the government has failed to
ensure a fair and transparent regulatory framework. This lack of oversight has directly
contributed to the harms experienced by Aman and other citizens, who reasonably expected that
all companies handling their personal data would adhere to consistent security standards. Such
42
AIR1952SC75, 1952CRILJ510, [1952]1SCR284, AIR 1952 SUPREME COURT 75, 1964 MADLW 541

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 38

exemptions, granted without clear criteria or public justification, not only violate principles of
fairness and equality but also infringe upon the fundamental right to privacy. The Supreme Court
must therefore scrutinize these exemptions to ensure they align with constitutional standards and
are applied in a way that genuinely serves the public interest, rather than compromising it.

PRAYER

Wherefore in the light of the issues raised, arguments advanced, and authorities cited, the
counsel for Petitioner most humbly and respectfully prays that this Hon’ble Court may
kindly adjudge, hold, and declare that:

1. Declare Act 22 of 2023 as unconstitutional to the extent it allows the processing of

personal data without the explicit consent of the data principal under Section 6 and
allied provisions, in violation of the Right to Privacy under Article 21 of the
Constitution.
2. Strike down Section 7 and allied provisions of Act 22 of 2023, which permit the
processing of sensitive personal data (including bank account details) for legitimate
purposes without clear and explicit consent, as it violates the Right to Privacy and
does not meet the standards of legitimate purpose.
3. Declare Section 35 of Act 22 of 2023 as unconstitutional, as it grants immunity to the
Central Government for actions taken in good faith, thereby denying the petitioners
their right to seek remedy for the breach of their personal data.
4. Declare Section 17(5) of Act 22 of 2023 as an arbitrary exercise of discretion that
violates Article 14 (Right to Equality) by providing blanket exemptions to certain
data fiduciaries, including Medicine. Co., without adequate justification.
5. Order compensation for the petitioner and other affected members for the financial
losses, emotional distress, and infringement on their privacy due to the breach of their
personal data.

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS
 P a g e | 39

Or any other relief that the Hon’ble Court may deem fit in the light of equity, justice, and
good conscience. And for this act of kindness, the Petitioner shall forever humbly pray.

Date:

Place:

Counsel for Petitioner

INDICA
WRITTEN SUBMISSION
ON BEHALF OF THE
PETITIONERS
WRITTEN SUBMISSION ON BEHALF OF THE PETITIONERS