The recent decision, in the case of Justice K S Puttaswamy & Anr v. Union of India & Ors, by the nine-judge constitutional bench of the Hon’ble Supreme Court, had held the Right to Privacy a Fundamental Right under Article 21 of the Constitution of India. Now, an individual’s right to privacy is protected as a fundamental right. But, with the decision of the Hon’ble Court as to the privacy of an individual, the demand for stringent laws for the protection of the same has come up.
The Privacy has three aspects as has been discussed in the puttaswamy case which includes: (i) spatial control; (ii) decisional control; and (iii) informational control. The spatial control means the control over the personal space; decisional control denotes the control over the choices of an individual; and the informational control connotes the use of privacy as a shield to control the personal information of an individual such as information regarding the data of an individual, etc.
There have been many hues and cry over the spatial privacy of an individual but there has been not much heed paid to the informational privacy of an individual. Informational privacy basically empowers an individual to control the personal information such as the information regarding the transactions done through online portals, etc.
As the present laws are in-efficient to protect the privacy of an individual, and there is a need for an efficient mechanism to protect the infringement of individual’s privacy with the stringent punishment mechanism. The need for a stringent mechanism is not only to protect the personal aspects of an individual but also to protect commercial aspects so as to prevent data theft, data mining, etc. The present laws, i.e. Information and Technology (Reasonable Security Practices and procedures and sensitive personal data or information) Rules, 2011 and Consumer Protection Amendment Act, 2015 are inefficient to protect the privacy of an individual.
There have been many instances where the privacy of an individual and public at large has been infringed by the unauthorized use of personal information of an individual by the state and non-state-actors. With the advancement in the Information and Communication Technological sector and with the advent of the social networking sites like Facebook, Instagram, etc there has been widespread dissemination of personal information concerning the individual. The widespread dissemination of the personal information has led to the unauthorized use of that personal information by the commercial entities. Recently, there have been many instances where there is breach in the informational privacy of an individual by way of misuse or unauthorised use of the personal information. Recently, McDonald’s Delivery App in India had leaked the personal information of about 2.2 million users; also there were hacks in the Narendra Modi’s NaMo App by which the personal information could be accessed easily; also there was case of customer information leak in HSBC by a former employee of HSBC. Also, there were claims that because of the irresponsible security practices by the Central Government Ministry and State Government may have exposed upto 135 million Aadhar numbers including details of bank account from different portals.
In order to protect the unauthorized access to the personal information of an individual and subsequent misuse of it for their commercial purpose, there is a need to regulate the dissemination and the use of personal information of an individual by the commercial entities. In India as of now under the Information Technology Act, 2000 rules have been framed so as to protect the personal information of an individual.
In this era of big data, it is very necessary to set guidelines and mechanisms protecting the personal information of an individual from being misappropriated by governmental and non-governmental entities without the consent of the individual, infringing their fundamental right of privacy. Even the Hon’ble Supreme Court had in its judgment in the Justice K S Puttaswamy & Anr v. Union of India & Ors realised the need of a robust regime for the protection of the data. And, it is also necessary that the robust data protection regime should be fair, should seek to protect the autonomy of the individual, and should be non-discriminatory on the basic that the collection of data should be carried out in a manner which does not discriminate on the basic of racial or ethnic origin, political or religious beliefs, genetic or health status or sexual orientation.
- INFORMATIONAL PRIVACY & BIG DATA
The term ‘data’ is often used in synonymous with the term ‘information’. Data is nothing but the systematic collection of the information and the storage of the same over a period of time on a particular branch of knowledge. The term ‘data’ has a very wide ambit and scope and covers not only the personal aspects of an individual but also the commercial aspects. The former aspect is protected under the right to privacy whereas the later aspect is protected under both the right to privacy and the proprietary rights. The former is violated when the personal information regarding individuals is compromised whereas the later is infringed when they are disclosed or misused without authority.
As already discussed that with the advancement of the information and communication technology (ICT) there has been wide dissemination of personal information regarding individuals through different means like social networking websites, payment gateways, etc. Nowadays the internet has become all pervasive and individuals spend more and more time online each day of their lives. Individuals browse the web in order to search for information, to send e-mails, buy goods and services, etc. With the advancement in the ICT usage, the right to privacy is getting more attention as the ICT offers unprecedented possibilities of surveillance of internet users.
The gathering of the data through veillance practices of the ordinary citizens finds its way to the state-sponsored surveillance mechanisms through the corporations that hold that data. There are three types of veillance: (i) the classical ‘surveillance’ when a person is being watched from above, (ii) ‘sousveillance’, when the person themselves is doing the watching (iii) and, co-veillance (or mutual watching).
In this era of ICT, owing to the advancement in technology, there is virtually no limit to the amount of information that can be recorded; there is no limit to the scope of analysis that can be done of the information, and the information may be stored virtually forever. This new phenomenon of the assembling of the data concerning an ordinary individual is considered as the ‘big data’. There are a number of key features of big data that can be identified including, the huge volume of data, the speed at which it is collected, the variety of data, its relational nature (allowing linkages to made to other data sets), and potentially exhaustive scope.
This gathering of information concerning individuals can be related back not only to the state entities but also to the non-state actors. And, with the advancement in the ICT, it has become very easy to gather information about an individual. Every transaction of an individual and every activity of him on any website that he visits leave an electronic track of him without his knowledge. These electronic tracks contain a good source of information and can help determine the sort of the person the user is and the interests and disinterests of the user. The electronic tracks individually do not provide much information as related to the user, but when they are read in aggregate they disclose the nature of the personality of the user, food habits, sexual preferences, language, friendships, political affiliations, etc. In aggregation, the information provides the picture of the being, of things which matter and those that don’t. This information regarding an individual can be accessed, stored and disseminated without notice; information can travel at the speed of light and it is very difficult to trace the access of that data. Information collection is considered as the swiftest theft of all.
The information is considered as recombinant i.e., data output can be used as an input to generate more data output. With the developing applications such as Knowledge Discovery and Data Mining process, data from an individual can be combined to “create facts” about an individual. The creation of new knowledge with the help of data mining process and such other tools complicates the privacy laws as it involves such information which the individual does not possess and could not disclose, knowingly or otherwise.
Through the data mining and knowledge discovery process, the personal information of an individual gathered by the state and non-state actors are being misused by both state and non-state actors. When the personal information is gathered there are chances of serious abuse to it, as it opens the way for the data to be used for a purpose quite different from its intended use. In order to protect such unauthorized use of the data gathered it is necessary to have efficient and effective laws protecting the personal information of an individual.
The nine-judge constitutional bench of the Hon’ble Supreme had in the case of Justice K S Puttaswamy & Anr v. Union of India & Ors held that the informational privacy is protected under Article 21 of the Constitution. The Hon’ble Court held that:
“Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection.”
With the decision of the Hon’ble the informational privacy, which is considered as a facet of privacy, was recognized as a fundamental right under Article 21 of the Constitution. But, giving informational privacy status of a fundamental right is not enough to protect it, in order to protect the individual from any authorized use of their personal data it is also necessary that proper measures should be taken by the government to protect the personal information of an individual.
Also, it is very easy to say that an individual’s personal information should be protected at all cost, and the government should take all necessary steps to prevent the same. But it is not as easy as it is said. In order to understand the problems faced by the government in taking preventive measures, it is necessary to understand the challenges to the informational privacy in this era of ‘Big Data’. Understanding the challenges to the informational privacy will help in dealing with the misuse of the same.
- CHALLENGES TO INFORMATIONAL PRIVACY
As has been discussed earlier that in this era of big data where the gathering of data concerning an individual is easy and there is no limit to the amount of information that can be gathered, and the process of knowledge discovery and data mining had made it very easy for business entities to create facts about individuals that they might also not know. These facts depict the interest of the individual, his political affiliations, food habits, sexual preferences, etc with the help of these process business entities can transgress into the life of an individual and can substantially influence the individual interest, choices, etc. These facts can be used further to develop more facts about the individual accumulating the big amount of data concerning an individual; these facts are used by business entities to do market research, by way of understanding the consumer pattern their behavior, etc.
In order to prevent misuse and unauthorized use of personal information, there has been mechanism given under different legislation and set of Rules formed by the Parliament. But, the measures taken are not sufficient because of the challenges faced by the informational Privacy. It is very difficult to build up a robust data protection regime as; it will have to take into consideration not only the individual aspect but also the market, state security, and various other factors. In order to have a robust data protection regime, we have to take into consideration the challenges to the informational privacy.
There are many challenges to the informational privacy; the first challenge to the data protection today is the ubiquity of ‘volunteered data’. The foundation of this challenge can be attributed to the social networking sites such as Facebook, Instagram, Twitter, Hike, Snapchat, etc. The growing population of the world is getting fond of these social networking websites and it is forming an important part of an individual’s lifestyle.
Now-a-days the commercial surveillance coupled with the state sponsored surveillance rely vastly on social networking websites. Data from the social networking websites such as Facebook, Twitter, etc is generally referred as ‘volunteered data’ as the users of social networking websites generally gives out information on social networking websites. The best example that could be given for the volunteered data is of the surveillance practices revealed by the Snowden, and it also revealed how the government with other corporations engaged in mass surveillance by using data derived from the use of devices such as cell-phones or geo-locating social media sites. On these sites the users unknowingly disclose usable data for national security and political purpose, while using phones.
The second challenge to the data protection is the mass surveillance, which is considered as a means to prevent future crimes, such as terrorist attacks and cyber-attacks. Arguments have been made from different securities agencies like National Security Agency (NSA) that big data may hold the answer to keep us safe from terrorism, etc. Big Data holds substantial potential for future, and large dataset analysis has important uses today not only for keeping safe the citizens but other also. But, we also have to take the caution of Big Data’s potential threat to an individual in his/her ordinary day to day life. Neil M. Richards & Jonathan H. King in his paper titled ‘Three Paradoxes of Big Data’ highlighted the three paradoxes that surround the ‘Big Data’.
Neil M. Richards & Jonathan H. King talked about the Transparency, Identity and Power Paradox surrounding the ‘Big Data’. In the era of ‘Big Data’ where, by the use of sophisticated analytics to mine large data sets for awareness as to the solutions to many of our problems; these data-driven decisions can give us better predictions in varied areas. But, with the growing data-driven market which promises transparency as to the data collection, it has become difficult to determine the collector of the data. Now the tools and techniques used to collect data are very opaque, it has become very difficult to maintain transparency in data collection especially for common persons who are not much aware of the data collection.
Also, the Big Data surrounds with the identity paradox i.e. ‘Big Data’ basically seeks to identify the threats to the society or identify the solutions but, it is also threatening the identity of an individual. Every individual has the right to identify himself/herself i.e. they can say “I am”, “I like”, etc. But, with the data collection and process of data mining and knowledge discovery, the individual’s right to identify him/herself is getting threatened. Now, business entities through the abovementioned processes determine individual likings, hobbies, preferences, affiliations, etc. Big Data in a way threatens the right to identify.
Also, the Big Data suffers with the power paradox, i.e. the Big Data with the help of data collection determines the winners and losers. The social networking websites now-a-days plays a crucial role in shaping any revolution, be it strike or any movement. The very first thing that any government does in case of any threat is blocking the social networking websites as it plays a crucial role in shaping the winners or losers in an election ,movement, or be it any strike. So, all the big enterprises, which hold the data in huge amount, can shape the winner or loser taking into account their interest.
The third challenge to right to data protection is the conflict with the interest of international co-operation in security matters and, specifically multinational companies desire to transfer data from its operation in an EU state to one of its operation in a third country i.e. transfer of data in associated enterprises situated in different countries governed through different data protection regime. The problem in case of transfer of data among associated enterprises arises as different countries have different set of data protection regime governing the data accumulation; it becomes complicated when the transfer happens from a country with strict data protection regime to a country which has weaker standards of data protection. Even, the European Union had in 2016 formulated General Data Protection Regulation (GDPR) to catch data controllers and processors outside the EU whose processing activities relate to the offering of goods or services to, or monitoring the behaviour of, EU data subjects (within the EU).
The challenges to data protection about which we have talked about are not the challenges only faced by a single nation or society, these challenges are global also we have referred to some domestic and foreign cases of the data leak and breach of informational privacy. So, it is necessary that we refer to the data protection regime of different jurisdiction so as to see the lacunas existing in our data protection regime. The best way in which we can have a robust data protection regime is to see the data protection regime in US and EU which are considered as stringent regimes.
- SAFEGUARDING INFORMATIONAL PRIVACY
In order to build a robust data protection regime in India, it is necessary that we must first look at the data protection regime existing in USA and EU and then compare it with the existing data protection regime in India so as to find the flaws in the regime and to come up with the possible solutions to build a robust data protection regime.
- DATA PROTECTION REGIME IN EUROPEAN UNION
In EU, the right to privacy is a fundamental right which seeks to protect an individual’s dignity A right to protection of an individual private domain against interference from others and most importantly from State was first laid down in International legal instrument under the United Nations (UN) Universal Declaration of Human Rights (UDHR) in respect of recognition of private life which has been greatly followed by human rights in Europe. The Council of Europe was formed after the Second World War for which the major challenge was to integrate all European States to promote rule of law, democracy, human rights and social development. For the aforesaid reason, it adopted European Convention on Human Rights (ECHR), 1950 which inter alia talks about right to protection against the collection and use of personal data.
The Approach of European Union towards data protection is exactly opposite to that of United States of America. In European Union government has extremely moved in favor of regulating the use of personal data whereas in the United States of America government has refrained from such regulation, in fact allowing companies and association to frame their narrowly drawn regulations in order to target specific companies. This different perspective can be best explained through the existence of different cultural mores and different approaches towards the concept of privacy in general.
The detailed provisions regarding the protection of data are dealt in the directive 95/46/EC, which came into force on 25 October, 1995. The European citizen and their government treat privacy as the fundamental right therefore the Directives provides for the greater level of data protection which also extends beyond the territory of European Union by forbidding the transfer of data to the third countries unless those countries can provide for adequate level of data protection.
Background of data protection laws of European Union
The laws concerning with data protection in European Union started with the guidelines of Organization of Economic Cooperation and Development (OECD). These guidelines were the consequence of the danger of free flow of personal data across two nation. The aforesaid guidelines were not as effective because each member country has to implement the Guidelines on its own thus resulting in uncertainty. The OECD guidelines were then followed by the Convention on personal data promulgated by the Council of Europe but it was also failed because of the lack of uniformity. Then comes the directives of the European Union, these directives are also not self-implemented, before bringing these directives into force each member state has to pass its own legislation for implementation.And process for transferring of data to the third party is still being done by the working party. The primary goal of the European Commission in passing these directives is to harmonise the laws concerning with data privacy.And for this purpose they have set a minimum level of protection so that every member countries can bring them into force, however maximum limit is not fixed. With these directives the entities has to take permission from the individuals whose information they are collecting. In order to achieve effective results the commission has set up an independent body to look after the regulation of personal data and also established right of redressal to check proper implementation of the provisions. Moreover Article 25 of the above mentioned directives talks about protection in another country which says that the data would only be transferred to those countries which have adequate level of protection pertaining to certain exception whereas Article 26 of the same directive at the same time also set out these exception to an extent where firms and consumer personally contract for the protection of personal data.
The existing convention would now be replaced by the General Data Protection Regulation (GDPR) which was adopted on 8 April 2016 and will take effect on 25 May 2018. The advantage of GDPR over Convention is that it is directly applicable to all member state irrespective of being implemented in national legislation.
The GDPR has certain features like:- expanded the territorial reach, now also includes activities related to offering of goods and services, Designation of Data Protection Officers who would have sufficient expert knowledge and would be responsible for all the processing activities, consent should be freely given, imposes a fine of 4% higher annual worldwide turnover and EUR20 million for infringement, binding corporate rules on all the member states involved in joint economic activity, bolster data subject rights etc.
- DATA PROTECTION REGIME IN USA
As already been discussed, the US law regarding the data protection is extremely different. European Union specifically uses the word data protection in the directives for the protection of data whereas US generally uses the word privacy which tend to include every matter comes with the purview of private sphere.
The law regarding data privacy in US starts with its Constitution itself which especially does not allow government interference in the private affairs, thus also promotes transparency of Government simultaneously. This concept basically makes the US constitution different from the European Union. The First Amendment’s free speech circumscribes the government from regulating the flow of information including personal data. Thus it gives importance to one form of privacy over other form of privacy.
The US legislation does not have significant legislation dealing with data privacy, each federal state has its own law dealing with the particular subject. The law on different subject matter are as follows:- the Video Privacy Protection Act of 1988, also known as the Bork Bill, strictly regulates the use of individuals videotape-rental data, and the Cable Television Consumer Protection and Competition Act of 1992 regulates disclosure of personally identifiable information on cable subscribersetc. meaning there is no single legislation which deals with the privacy as the same existing in the European Union. Similarly unlike European Union there is no single agency prevailing in the US which look after or supervises privacy protection. There are multiple of agencies like Department of Commerce (DOC), the Federal Trade Commission (FTC) and the office of management and budget (OMB).
As already been stated Article 25 of the Directives of the European Union requires countries to have adequate level of protection where their data is being transferred. So in order to avail the data from the European Union it is necessary for the United States to comply with the adequate level of protection laid down in the directives of the European Union although there are certain exceptions to it as the same also laid down in Article 26 of the Directives of the European Union. Article 26 provides for both self regulatory and contractual measures to ensure adequate data protection whereas the DOC and EU agreed on the third alternative which is not mentioned in the Directive but at the same time provides adequate level of protection.
- DATA PROTECTION REGIME IN INDIA
The Supreme Court in Puttaswamy overruled its previous judgments of M.P. Sharma v. Staish Chandra and Kharak Singh v. State of Uttar PRadesh which appeared to observe that there was no fundamental right to privacy enshrined in the Constitution of India. The nine judge bench followed the approach of Justice Subba Rao and recognised the right to privacy as an intrinsic part of fundamental right to life and personal liberty under Article 21 of the Constitution of India.
Though Puttaswamy judgment is a landmark legal development in the discourse on privacy, especially informational privacy; prior legislative attempts have been made to secure informational privacy in various sectors in India. These includes the general data protection rules under the Information Technology Act, 2000 (IT Act) as well as various sector specific laws on data protection.
When it comes to sharing information with Government agencies, then the consent of the provider is not required and such information can be shared for purposes such as verification of identity, prevention, detection and investigation including of cyber incidents, prosecution, and punishment of offences. The SPDI Rules apply only to corporate entities and leaves the government and government bodies outside its ambit; the rules are restricted to ‘sensitive personal data’, which includes attributes like sexual orientation, medical records and history, biometric information etc., and not to the larger category of personal data
The primary legal instrument that address data protection in the financial sector include: the Credit Information Companies (Regulation) Act, 2005 (CIC Act), the Credit Information Companies Regulation, 2006 (CIC Regulations) and circulars issued by the Reserve Bank of India (RBI). Further, the SPDI Rules recognise financial information such as credit card, debit card and other payment instrument details as sensitive personal data, thus to that extent regulating their use, collection and disclosure.
It could be clearly seen that the data protection laws in India only covers body corporate handling personal information and the state is completely exempted under these rules. The state can gather any personal information without the consent of the individual. Furthermore, the present rules suffer from the lack of suitable enforcement mechanisms such as establishment of an independent supervisory authority, such as privacy commissioners, etc. Also, it suffers from the fact that consent should be made an important factor before collecting personal information.
In this era of ‘Big Data’ where with the advancement in the Information & Communication Technology (ICT), and with the growing use of internet by individual it has become easy for both the state and commercial entities like big multinational companies to do surveillance on individual. And, growing number of users of at social networking sites like Facebook, Instagram, Twitter, etc which serves as a platform for individuals to disseminate about themselves on the sites has made mass surveillance even easy for the state and commercial entities. Now, with the huge amount of data accumulated over a long period of time and by using knowledge discovery and data mining process, certain facts could be created regarding an individual which the individual him/herself might not know, the data generated can be further used as input to generate more data.
These data are used by commercial entities by using data analytics so, as to know the interest of the individual and by using the available data they can alter it. So, in this way personal information regarding an individual can be used by commercial entities without even the consent of the individual and it can be misused also. Also, it is not only the commercial entities but also the state which is indulging in the collection of vast amount of data from individuals through various platforms like social networking websites, etc. The threat that it possess is that there are possibilities of the leak of data from the state or commercial entities, which can result in misuse of unauthorised use of that information.
In order to guarantee right of informational privacy, it is necessary that a robust data protection regime should be there so as to protect informational privacy. By the analysis of the data protection regimes in European Union and USA we could say that they have made considerable efforts to formulate strict data protection laws protecting the informational privacy. Even in India there are data protection laws but the problem is that they are not effective so as to protect informational privacy like take the recent examples of data leak from Aadhar, etc where even state had failed to protect the information of individuals.
It is necessary that with the technological advancements we also have to formulate a robust data protection regime which should not only protect the personal information of individuals but also it should be fair, should seek to protect the autonomy of the individual, and should be non-discriminatory on the basic that the collection of data should be carried out in a manner which does not discriminate on the basic of racial or ethnic origin, political or religious beliefs, genetic or health status or sexual orientation as has been held in the puttaswamy case.
This article is written by Shubham S Bhadouriya. Shubham is a student at TNNLS, Tiruchirappalli. This article secured 6th position in the RostrumLegal Essay Competition, 2017.
 Justice K S Puttaswamy & Anr v. Union of India & Ors, Writ Petition (Civil) No. 494 of 2012.
 Anuj Srivas, McDonalds India Allegedly Exposes Personal Data of 2.2 Million Users, The Wire (18/03/2017), available at https://thewire.in/117281/mcdonalds-india-allegedly-exposes-personal-data-2-2-million-users/, last seen on 03/12/2017.
 Srinivas Kodali, The NaMo App Non-Hack is Small Fry-the Tech Security on Government Apps is worse, The Wire (03/12/2016), available at https://thewire.in/84148/tech-security-namo-api/, last seen on 03/12/2017.
 HSBC admits huge Swiss bank data theft, BBC News (11/03/2010), available at https://news.bbc.co.uk/2/hi/business/8562381.stm, last seen on 03/12/2017.
 130 Million Aadhar Numbers were made Public, says New Report, The Wire (01/05/2017), available at https://thewire.in/130948/aadhaar-card-details-leaked/, last seen on 03/12/2017.
 Section 43A, Information and Technology Act, 2000.
 Information and Technology (Reasonable Security Practices and procedures and sensitive personal data or information) Rules, 2011.
 Supra 1 at 260-61.
 Supra 1 at 252-253.
 Praveen Dalal, Data Protection Law in India: The TRIPS Perspective, 11, Journal of Intellectual Property Rights, 125,125 (2006), available at https://nopr.niscair.res.in/bitstream/123456789/3561/1/JIPR%2011%282%29%20125-131.pdf, last seen on (02/12/2017).
 Francois Nawrot, Katarzyna Syska and Przemyslaw Switalski, “Horizontal application of fundamental rights – Right to privacy on the internet”, 9th Annual European Constitutionalism Seminar (2010) University of Warsaw, available at https://en.zpc.wpia.uw.edu.pl/wp-content/uploads/2010/04/9_Horizontal_Application_of_Fundamental_Rights.pdf, last seen on (02/12/2017).
 Yvone McDermott, Conceptualising the right to data protection in an era of Big Data, Big Data & Society 1, 4 (2017), available at https://journals.sagepub.com/doi/10.1177/2053951716686994, last seen on (03/12/2017).
 Steve Mann, Big Data is a big lie without little data: Humanistic intelligence as a human right, Big Data & Society 1, 1-5 (2017), available at https://journals.sagepub.com/doi/pdf/10.1177/2053951717691550, last seen on (03/12/2017).
 Supra 7.
 Supra 7.
 Supra 6.
 Supra 1 at 247-248.
 Christina P. Moniodis, Moving from Nixon to NASA: Privacy’s Second Stand-Aright to Informational Privacy, 15 Yale Journal of Law and Technology 139, 153 (2012), available at https://digitalcommons.law.yale.edu/yjolt/vol15/iss1/1, last seen on (03/12/2017).
 Supra 13 at 153-154.
 Michael McFarland, SJ, Unauthorised Transmission and Use of Personal Data, Markkula Centre for Applied Ethics, https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/unauthorized-transmission-and-use-of-personal-data/, last seen on 03/12/2017.
 Supra 1 at 264-265.
 Supra 1 at 264.
 Supra 7.
 Supra 8.
 Supra 13.
 David Lyon, Surveillance, Snowden, and Big Data: Capacities, Consequences, Critique, Big Data & Society 1, 5 (2014), available at https://journals.sagepub.com/doi/pdf/10.1177/2053951714541861, last seen on 04/12/2017.
 Ibid at 2-3.
 Supra 13.
 Neil M. Richards & Jonathan H. King, Three Paradoxes of Big Data, 66 Stanford Law Review Online 41, 41 (2013), available at https://review.law.stanford.edu/wp-content/uploads/sites/3/2016/08/66_StanLRevOnline_41_RichardsKing.pdf, last seen on 03/12/2017.
 Ibid at 42.
 Supra 28.
 Supra 28 at 42-43.
 Supra 28 at 43-44.
 Supra 28 at 44-45.
 Supra 13 at 4.
The EU General Data Protection Regulation, Allen & Overy, available at https://www.allenovery.com/SiteCollectionDocuments/Radical%20changes%20to%20European%20data%20protection%20legislation.pdf, last seen on 04/12/2017.
 Avner Levin and Mary Jo Nicholson, Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground, University of Ottawa Law & Technology Journal 357, 376 (2005), available at https://pdfs.semanticscholar.org/81d9/9707ef360d45e5d0869fd8c963ee8a1dc32f.pdf, last seen on 09/12/2017.
 Article 12, Universal Declaration of Human Rights (UDHR), 1948.
 Philippe Boillat & Morten Kjaerum, Handbook on European data protection laws, 14 (3rd ed., 2014).
 Article 8, European Court of Human Rights, 2010.
 Paul M.Schwartz & Joel R. Reidenberg, Data Privacy Law: A Study Of United States Data Protection, 5 (1996).
 Peter P. Swire & Robert E. Litan, None Of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive 153 (1998).
 Directive 95/46/EC, The European Parliament and of the Council, 1995.
 Ibid Article 25.
 OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 20 available at https://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf, last seen on 05/12/2017.
Rosario Imperiali d’Afflitto, European Union Directive on Personal Privacy Rights and Computerized Information, 41 Vill. L. Rev. 305, 305, available at https://digitalcommons.law.villanova.edu/cgi/viewcontent.cgi?referer=https://www.google.co.in/&httpsredir=1&article=2951&context=vlr, last seen 05/12/2017.
 Data Protection: Background Information,supra note 5
 Julia M. Fromholz, The European Union Data Privacy Directive, 15, Barkeley Technology Law Journal 461, 468 (2000), available at https://scholarship.law.berkeley.edu/btlj/vol15/iss1/23, last seen 07/12/2016.
 Supra 38 at 376-378.
 Rosario Imperiali d’Afflitto, Recent Development: European Union Directive On Personal Privacy Rights and Computerized Information, 41 VILL. L. REv. 305, 305 (1996).
 Supra 43 Article 7.
 Article 28, Directive 95/46/EC, The European Parliament and of the Council, 1995.
 Article 22-24, Directive 95/46/EC, The European Parliament and of the Council, 1995.
 Article 26(2), Directive 95/46/EC, The European Parliament and of the Council, 1995.
 Supra 37.
 M. Gellman, Can Privacy Be Regulated Effectively on a National Level? Thoughts on the Possible Need for International Privacy Rules, 41 VILL. L. REV. 129, 138 (1996), available at https://digitalcommons.law.villanova.edu/cgi/viewcontent.cgi?article=2946&context=vlr, last seen 07/12/2017.
 Supra 41 at 6-7.
 U.S. West, Inc. v. Federal Communications Comm’n, 182 F.3d 1224 (1999, United States Court of Appeals Tenth Circuit).
 Supra 49 at 55.
 18 U.S.C. § 2710 (United States).
 Cable Television Consumer Protection and Competition Act of 1992 (United States).
 Supra 43 at 43.
 Elements of Effective Self Regulation for the Protection of Privacy and Questions Related to Online Privacy, Dapartment of Commerce, available at https://www.ntia.doc.gov/legacy/ntiahome/privacy/6_5_98FEDREG.htm, last seen on last seen on 09/12/2017.
 15 U.S.C. § 45(a)(1) (United States).
 Peter Swire Home Page (visited Dec. 1, 1999) (https://www.acs.ohio-state.edu/units/law/ swirel/pshomel.htm); see also The Standard: News Briefs (visited Dec. 1, 1999) (https://thestandard.com/article/display/0, 1151,3748,00.html).
 Article 25(1)Directive 95/46/EC, The European Parliament and of the Council, 1995.
 Supra 49.
 Supra 1.
 M.P. Sharma v. Satish Chandra, (1954) SCR 1077.
 Kharak Singh v. State of Uttar Pradesh, (1964) 1 SCR 332.
 White Paper of the Committee of Experts on a Data Protection Framework For India, 15 available at https://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017_final_v2.1.pdf, last seen on 09/12/2017.
 Section 43A, Information & Technology Act, 2000.
 Rule 5(1), Information Technology (Reasonable Security Practices and Sensitive Personal Data or Protection) Rules, 2011
 Rule 5(2), Information Technology (Reasonable Security Practices and Sensitive Personal Data or Protection) Rules, 2011.
 Rule 4, Information Technology (Reasonable Security Practices and Sensitive Personal Data or Protection) Rules, 2011.
 Rule 5(4), Information Technology (Reasonable Security Practices and Sensitive Personal Data or Protection) Rules, 2011
 Rule 5(6), Information Technology (Reasonable Security Practices and Sensitive Personal Data or Protection) Rules, 2011
 Rule 6, Information Technology (Reasonable Security Practices and Sensitive Personal Data or Protection) Rules, 2011
 Rule 6(1), Information Technology (Reasonable Security Practices and Sensitive Personal Data or Protection) Rules, 2011
 Supra 83.
 Rule 3, Information Technology (Reasonable Security Practices and Sensitive Personal Data or Protection) Rules, 2011
 Rule 3(ii), Information Technology (Reasonable Security Practices and Sensitive Personal Data or Protection) Rules, 2011
 Apporva Mandhani, Indian Data Protection Norms Inadequate, The Wire (21/01/2017), available at https://www.livelaw.in/indian-data-protection-norms-inadequate-vidhi-report-read-report/, last seen on 11/12/17.
 Supra 1.