
ISSUE 1:

1. Whether there was infringement of right to privacy as envisaged under Article 21?
It is humbly submitted before Hon’ble High Court that the writ petition is
maintainable as there is violation of fundamental right to life and personal liberty
enshrined under Article 21 of the Constitution of India. Article 21 of the
Constitution guarantees every citizen the fundamental right to personal liberty
which includes the right to privacy and by extension private data not available in
public domain.

1.1 Judicial Developments on Right to privacy.


‘Right to Privacy’ in Indian Jurisprudence can be traced back to the late 1800s
when a British local court upheld the privacy of a pardanashin woman to go to
her balcony without any fear of anyone gazing at her from the
neighbourhood. This jurisprudence has evolved ever since the right to privacy
was read under Article 21, though the Constitution of India does not recognize
it specifically. Article 21 states that “No person shall be deprived of his life or
personal liberty except according to the procedure established by law.” 1

The Supreme Court of India deduced the Right to Privacy from Article 21
wherein the court held that personal liberty means life free from any
encroachments that are unsustainable in law. The court in a landmark
judgment held that “the concept of liberty in Article 21 was comprehensive
enough to include privacy and an unauthorized intrusion into an individual’s
home and thus disturbance caused violates his personal liberty.” “In People’s
Union for Civil Liberties (PUCL) v Union of India,2 the court explained the
right to privacy to be under Article 21 in consonance with Article 17 of
International Covenant on Civil and Political Rights, 1968. The gross violations
of the right to privacy encouraged the Judiciary to take a proactive role in
protecting the right and providing the affected person adequate compensation
and damages.”

The Supreme Court in Puttaswamy overruled its previous judgments of M.P.
Sharma v. Satish Chandra (M.P. Sharma)3 and Kharak Singh v. State of Uttar
Pradesh (Kharak Singh)4 which appeared to observe that there was no
fundamental right to privacy enshrined in the Constitution of India. By doing
so, it upheld several precedents following Kharak Singh, which had recognised
a right to privacy flowing from Article 21 of the Constitution of India.5

The Supreme Court in M.P. Sharma examined whether the search and seizure of
documents pursuant to an FIR would violate the right to privacy. A majority
decision by an eight-judge Constitution bench observed that the right to
privacy was not a fundamental right under the Constitution.

1 Judicial interpretation of data protection and privacy in India - iPleaders
2 People’s Union for Civil Liberties (PUCL) v. Union of India and others: AIR 1982, SC 1473.
3 M.P. Sharma v. Satish Chandra, (1954) SCR 1077.
4 Kharak Singh v. State of Uttar Pradesh, (1964) 1 SCR 332
5 For illustrative examples see, Gobind v. State of Madhya Pradesh, (1975) 2 SCC 148; R. Rajagopal v. State of Tamil Nadu, (1994) 6 SCC 632; People’s Union for Civil Liberties v. Union of India, (1997) 1 SCC 301.

Subsequently, in Kharak Singh, the issue at hand was whether regular
surveillance by police authorities amounted to an infringement of
constitutionally guaranteed fundamental rights. A Constitution bench of six
judges analysed this issue in the backdrop of the validity of the regulations
governing the Uttar Pradesh police which legalised secret picketing,
domiciliary visits at night and regular surveillance. The Supreme Court struck
down night-time domiciliary visits by the police as violative of ‘ordered
liberty’.6 Further, the Supreme Court held that Article 21 of the Constitution of
India is the repository of residuary personal rights and it recognised the
common law right to privacy. However, the Court observed that privacy is not a
guaranteed fundamental right. It must be noted, though, that the dissenting judge,
Justice Subba Rao, opined that even though the right to privacy was not
expressly recognised as a fundamental right, it was an essential ingredient of
personal liberty under Article 21 and thus fundamental.

Following this approach of Justice Subba Rao, the nine-judge bench of the
Supreme Court in Puttaswamy recognised the right to privacy as an intrinsic
part of the fundamental right to life and personal liberty under Article 21 of the
Constitution of India in particular, and in all fundamental rights in Part III
which protect freedoms in general, and overruled the aforementioned
judgments to this extent.7

The bench, headed by Chief Justice JS Khehar, comprises Justices J
Chelameswar, SA Bobde, RK Agrawal, RF Nariman, AM Sapre, DY
Chandrachud, SK Kaul and S Abdul Nazeer.

Key conclusions from the judgment:8


1. Privacy includes at its core the preservation of personal intimacies, the
sanctity of family life, marriage, procreation, the home and sexual orientation.
Privacy also connotes a right to be left alone.
2. Personal choices governing a way of life are intrinsic to privacy.
3. ...privacy is not lost or surrendered merely because the individual is in a
public place.
4. Privacy has both positive and negative content. The negative content
restrains the state from committing an intrusion upon the life and personal
liberty of a citizen. Its positive content imposes an obligation on the state to
take all necessary measures to protect the privacy of the individual.
5. The right of privacy is a fundamental right. It is a right which protects the
inner sphere of the individual from interference from both State, and non-State
actors and allows the individuals to make autonomous life choices.
6. The privacy of the home must protect the family, marriage, procreation and
sexual orientation which are all important aspects of dignity.
7. ...in a country like ours which prides itself on its diversity, privacy is one of
the most important rights to be protected both against State and non-State
actors and be recognized as a fundamental right.
8. ...right of privacy cannot be denied, even if there is a miniscule fraction of
the population which is affected. The majoritarian concept does not apply to
Constitutional rights...

6 Kharak Singh v. State of Uttar Pradesh, (1964) 1 SCR 332. Also discussed: Per S.A. Bobde, J. at paragraph 6; Per Chelameswar, J. at paragraph 9; Per D.Y. Chandrachud, J. at paragraph 27.
7 Per S.A. Bobde, J. at paragraph 6; Per Chelameswar, J. at paragraph 9; Per D.Y. Chandrachud, J. at paragraph 27.
8 Full text of Supreme Court’s judgment on Right to Privacy | Latest News India - Hindustan Times

The right to privacy was grounded in rights to freedom under both Article 21
and Article 19 of the Constitution of India encompassing freedom of the body
as well as the mind. It was held that “privacy facilitates freedom and is
intrinsic to the exercise of liberty”,9 and examples of the freedoms enshrined
under Article 25, Article 26 and Article 28(3) of the Constitution of India were
given to show how the right to privacy was necessary to exercise all the
aforementioned rights.10 The approach of the Supreme Court in Kharak Singh
and A.K. Gopalan v. State of Madras11 of putting the freedoms given under Part
III of the Constitution of India under distinct compartments was also rejected.
Instead, it was held that these rights are overlapping and the restriction of
one freedom affects the other, as was also held previously in the Maneka12 and
Cooper13 judgments. Therefore, a law restricting a freedom under Article 21 of
the Constitution of India would also have to meet the reasonableness
requirements under Article 19 and Article 14 of the Constitution of India.

1.2 That the Right to Privacy is infringed.


From the judicial interpretations and previous judgments, it is concluded that
the right to privacy is a part of Article 21 of the Constitution of India.

In the instant matter, the research cell of the local university headed by Prof.
Suryakanth Shinde shared the data with Think Data as per the
agreement without the knowledge and consent of the people being surveyed.
The data collected include the personality traits, locations, tastes and
preferences, habits and political affiliations of the users, which are
considered sensitive personal data [1.2.1].

1.2.1 What is sensitive information?


Sensitive personal data can be understood as information which may
cause damage to an individual in case it is disclosed or mishandled. The following
are a few examples of sensitive personal data: Racial or ethnic origin, Political or
religious beliefs, Trade union membership, Physical or mental health, Sex life
or sexual orientation, Criminal offences and court proceedings, Voice
recording, Health records, Political affiliations, Biometrics.

Thus, apart from the harm of intrusion of one’s privacy, as pointed out
by the Supreme Court, such data, if revealed, may also be the basis of
discriminatory action.14

9 Per D.Y. Chandrachud, J. at paragraph 169
10 Per S.A. Bobde, J. at paragraph 32
11 A.K. Gopalan v. State of Madras, AIR 1950 SC 27
12 Maneka Gandhi v. Union of India, (1978) 1 SCC 248.
13 Rustom Cavasji Cooper v. Union of India, (1970) 1 SCC 248.

1.3 That the requirement of consent is mandatory


The Government of India notified a new set of rules named the Information
Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011 under the Information Technology
Act with an objective to ensure reasonable security practices and procedures.
Companies, other body corporates and other organizations have to
follow and comply with these Rules while handling sensitive personal data.15
Collection of information. -
(1) Body corporate or any person on its behalf shall obtain consent in writing
through letter or fax or email from the provider of the sensitive personal data or
information regarding purpose of usage before collection of such information.
(2) Body corporate or any person on its behalf shall not collect sensitive
personal data or information unless-
(a) the information is collected for a lawful purpose connected with a function
or activity of the body corporate or any person on its behalf; and
(b) the collection of the sensitive personal data or information is considered
necessary for that purpose.
(3) While collecting information directly from the person concerned, the body
corporate or any person on its behalf shall take such steps as are, in the
circumstances, reasonable to ensure that the person concerned is having the
knowledge of -
(a) the fact that the information is being collected;
(b) the purpose for which the information is being collected;
(c) the intended recipients of the information; and
(d) the name and address of -
(i) the agency that is collecting the information; and
(ii) the agency that will retain the information.

1.4 International data protection and privacy laws


1. European Union
The EU GDPR provides that there are six grounds on the basis of which
personal information can be processed.16 These include: consent,
performance of contract, compliance with a legal obligation, protection of
vital interest, public interest, and legitimate interest pursued by the
controller.17

14 See also Article 29 Data Protection Working Party, ‘Advice paper on Special Categories of Data (“sensitive data”)’, European Commission (20 April 2011), available at: http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2011/2011_04_20_letter_artwp_mme_le_bail_directive_9546ec_annex1_en.pdf (last accessed 2 November 2017); ICO, ‘Guidance note on Special Categories of Data’, available at: https://ico.org.uk/fororganisations/guide-to-data-protection/key-definitions/, (last accessed 2 November 2017), ‘The presumption is that, because information about these matters could be used in a discriminatory way, and is likely to be of a private nature, it needs to be treated with greater care than other personal data.’
15 The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (indiankanoon.org)
16 Regulation EU 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

2. United Kingdom
The UK DPA also requires the data subject to provide consent for the
processing of her personal data.18 The UK DPA follows the EU GDPR
approach by making consent only one of the six grounds for lawful
processing.

3. South Africa
The POPI Act also recognises that processing of personal data should only
take place with the consent of the data subject. It follows the EU GDPR
and the UK DPA approach by making consent one of the other grounds for
lawful processing of personal data.19

4. Canada
Under Canada’s PIPEDA, organisations are required to obtain an
individual’s valid consent to lawfully collect, use and disclose personal
information in the course of commercial activity.20

5. USA
Legislation such as the GLB Act,21 which governs the financial services
industry, places certain obligations on financial institutions to seek the
consent of the consumer prior to collecting non-public financial information and
does not permit the disclosure of any non-public financial information to a
third party in the absence of the consumer’s consent (obtained by way of
notice).22

1.5 Data Protection and Right to privacy


‘Data protection’ and the ‘right to privacy’ have much in common with each
other. ‘Data protection’ is possible only if the encroachment of privacy
is stopped. Privacy law in general, and informational privacy in
particular, have always been closely linked to technological development.23

The idea of ‘Data Protection’ has different aspects. The different aspects of
data protection as a right, such as the right of access to data banks, the right to
check their exactness, the right to bring them up to date and to correct them, the
right to the secrecy of sensitive data, the right to authorize their dissemination:
all these rights together today constitute the new right to privacy.24 Hence in
this matter the linkage of ‘Data Protection’ and ‘Privacy’ is very much
appropriate as a rights-based approach.

17 Article 6(1)(a), EU GDPR provides with respect to consent that: “Processing shall be lawful only if and to the extent that at least one of the following applies- the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”
18 Section 4, read with Schedule 1 (Principle 1), Schedule 2 (Condition 1) and Schedule III (Condition 1) of the UK DPA
19 Section 11(1)(a)-(f), POPI Act.
20 Principle 4.3, Schedule 1, PIPEDA
21 15 U.S.C. Sections 6801-6827.
22 Section 502, GLB Act.
23 Graham Greenleaf and Sinta Dewi Rosadi, “Indonesia’s data protection Regulation 2012: A brief code with data breach notification,” Privacy Laws & Business International Report, Issue 122, (2013): 24-27.

In another landmark case25, the Supreme Court of India further developed the
law of privacy by holding that domiciliary visit of the police and disclosure of
the information. This disclosure of information approaches the modern
data protection concern. In R Rajagopal v. State of Tamil Nadu26 the petitioner
was the editor, printer and publisher of a Tamil weekly magazine published in
Madras who sought an order restraining the State of Tamil Nadu from
interfering with the authorized publication of the autobiography of Auto
Shankar, a condemned prisoner awaiting the death penalty, which was based on
public records. In this case Jeevan Reddy, J reaffirmed that the right to privacy
is implicit in the right to life and liberty guaranteed in Article 21 of the
Constitution. The Court also affirmed the ‘right to be let alone’ of every
citizen of this country to safeguard their privacy.

Therefore the ‘right to privacy’ has its own way of developing the matter of ‘data
protection’. In the same way, both ideas have come under the matter of
rights under the Constitution of India.

Therefore, the sharing of sensitive personal data here as per the agreement, without
the knowledge and consent of the user, is an infringement of the right to privacy.

ISSUE 2:
2. Whether the accused are guilty of criminal breach of trust r/w section 34 of
Indian Penal code, 1860?
It is humbly submitted before this Hon’ble High Court that to constitute a
criminal breach of trust three essential ingredients are required:
1. The accused must be entrusted with the property or with dominion over it,
2. The person so entrusted must use that property, or;
3. The accused must dishonestly use or dispose of that property or wilfully
suffer any other person to do so in violation,
a. of any direction of law prescribing the mode in which such trust is to be
discharged, or;
b. of any legal contract made touching the discharge of such trust.

A research cell led by Prof. Suryakanth Sindhe collected data for the research
using the platform known as DOST with the consent and knowledge of the user
in the present case. However, all of the information was eventually shared with
the company known as Think Data without the consent and knowledge of the
user, resulting in a breach of trust.

24 I. N. Walden and R. N. Savage, “Data Protection and Privacy Laws: Should Organizations Be Protected?” The International and Comparative Law Quarterly, Vol. 37, No. 2 (1988): 337-347
25 Govind v. State of Madhya Pradesh, AIR 1975 SC 1378
26 (1994) 6 SCC 632.

2.1 That the personal data is considered as the property

2.1.1 Definitions and salient features of property


Section 3 (26) of the General Clauses Act, 1897 defines "immovable
property" to include land, benefits to arise out of land, and things
attached to the earth, or permanently fastened to anything attached to
the earth. 27
Section 3 (36) of General Clauses Act, 1897 defines "movable
property" to mean property of every description, except immovable
property. 28
Section 2 (11) of the Sale of Goods Act, 1930 defines property to mean
the general property in goods, and not merely a special property.29
Section 22 of Indian Penal Code, 1860 ("IPC") defines moveable
property to include corporeal property of every description, except
land and things attached to the earth or permanently fastened to
anything, which is attached to the earth.30

2.1.2 What is Personal Data?


The Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011
("SPDI Rules") define 'personal information' as any information that
relates to a natural person, which, either directly or indirectly, in
combination with other information available or likely to be available
with a body corporate, is capable of identifying such person.31

The new Personal Data Protection Bill, 2022 ("PDP Bill") proposed to
replace the SPDI Rules defines 'personal data' as data about or relating
to a natural person who is directly or indirectly identifiable, having
regard to any characteristic, trait, attribute or any other feature of the
identity of such natural person, whether online or offline, or any
combination of such features with any other information, and shall
include any inference drawn from such data for the purpose of
profiling. To summarize, any information, personal to a person,
including name, which identifies a person, is personal data.32

2.1.3 Ownership of Data


Justice K.S Puttaswamy v. Union of India, AIR 2017 SC 4161,
recognized the right to privacy under Article 21 of the Indian
Constitution in August 2017. As observed by the Supreme Court,
"informational privacy" is an aspect of privacy, and an individual is in
control of the dissemination of personal information. In addition,
individuals are permitted to exploit their identity and personal
information exclusively for commercial purposes, control what
information is publicly available about them and disseminate certain
information for limited purposes.

27 India Code: Section Details
28 India Code: Section Details
29 Section 2(11) in The Sale of Goods Act, 1930 (indiankanoon.org)
30 Section 22 in The Indian Penal Code (indiankanoon.org)
31 The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (indiankanoon.org)
32 The Digital Personal Data Potection Bill, 2022_0.pdf (meity.gov.in)

In Chandrakant Manilal Shah v. CIT (1992) 1 SCC 76,33 while
discussing the contribution of a partner of a proprietorship firm, the
Supreme Court observed that like a cash asset, the mental and physical
capacity generated by the skill and labour of an individual, is
possessed by or is a possession of such individual. Thus, it can be
argued that collection, processing, and dissemination of personal data
by data fiduciaries, with the consent of relevant data principals, or as
may be permitted by law, and compiling such personal data into
meaningful databases, requires or is a result of skill and labour, and
such databases could be considered property.

2.1.4 Mapping Personal Data to Traditional Feature of property34


1. Comparing "consent" with a "licence"
When a data principal grants consent to a data fiduciary for the
use of his or her personal data, the data principal or owner is
granting the data fiduciary the equivalent of a licence to use
such personal data for a specific purpose. Thus, "consent" in the
context of personal data, is comparable with a "licence" over
property.
2. Comparing the right to grant or withdraw consent with
actionable claims
If a data principal gives his or her consent to a data fiduciary for
the usage of his or her personal data, such consent may permit
further transfer of such personal data by the original data
fiduciary to a data processor or to a third-party data fiduciary.
3. In the event personal data is classified as property, all the
attendant rights and obligations available, are attracted,
including offences in relation to any damage to or theft or
misappropriation of that property, under the IPC.

2.2 That the accused has dishonestly used the personal information
I humbly submit to the Hon'ble High Court that the information gathered by
users of the DOST platform is intended for research and has been dishonestly
sold to Think Data, thereby violating the law since one cannot use information
for any other purpose without the consent of the information owner, and it was
also a violation of the contract between DOST and the information provider
that they will take all necessary steps to secure the information's privacy. It is
here where the criminal breach of trust can be found.

2.2.1 Rights of information provider

33 Chandrakant Manilal Shah And Anr vs Commissioner Of Income Tax, ... on 24 October, 1991 (indiankanoon.org)
34 Exploring Property Rights In Personal Data - Privacy Protection - India (mondaq.com)

The Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011.35
These rules are applicable to body corporate or any person located in
India and rules lay out specific provisions related to SPDI.

Any person who provides information to the body corporate is known
as the provider of information. The information provider has certain
rights, including that information will be collected by the body corporate
only after the consent of the information provider.

It is mandatory for the body corporate to take reasonable steps to
protect the information. Further, the body corporate is not allowed
to publish any sensitive personal data or information. But there are
certain exceptions to this.

For transferring the information of the information provider to a
third party apart from government agencies, the body corporate
should ask for the permission of the information provider.

It is mandatory for the body corporate to provide a privacy policy in
which it should be written very clearly what type of information is
collected, the purpose for collecting such information should be clear,
details should be given for disclosure of sensitive personal information
to third parties, and required precautions must be taken by the organization to
protect data.

2.2.2 Liability of Intermediaries Under Information Technology Act, 2000

After an agreement was signed between Think Data and the local
university's Research cell headed by Prof Suryakanth Sindhe, the
information collected through DOST was sold to Think Data. They
also gather information and pass it on to the company in accordance
with the agreement. They act as an intermediary between the company
and the provider of information without the consent of the information
provider.

The Research cell also fails to comply with the duties of the
intermediaries as mentioned in the Information Technology
(Intermediaries Guidelines) Rules, 201136

“Intermediary” is defined in Section 2(1) (w) of the Information
Technology Act 2000.37 "Intermediary" with respect to any particular
electronic message means any person who on behalf of another person
receives, stores or transmits that message or provides any service with
respect to that message. The liability of the intermediaries is lucidly
explained in section 79 of the Act.

35 The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (indiankanoon.org)
36 Section 3 in The Information Technology (Intermediaries Guidelines) Rules, 2011 (indiankanoon.org)
37 Section 2(1)(ua)(w) in The Information Technology Act, 2000 (indiankanoon.org)

Though intermediaries are given immunity under section 79, they
could still be held liable under section 72A for disclosure of personal
information of any person where such disclosures are without consent
and with intent to cause wrongful loss or wrongful gain or in breach of
a lawful contract.38

2.3 As per Section 120A Criminal Conspiracy


It is humbly submitted before this Hon’ble High Court that to constitute a
criminal conspiracy three essential ingredients are required. The Supreme Court
has outlined the above-mentioned essential ingredients of criminal conspiracy
in R Venkatkrishnan vs CBI39:

1. There should be an agreement between two or more persons.
There must be an agreement between two or more persons. If the
conspirators commit several offences in accordance with the criminal
conspiracy, all of them shall be liable for the offences, even if some of them
did not actively participate in the commission of the crimes.
2. Such an agreement should be done:
(a) To do an illegal act
To make a person liable for the criminal conspiracy, the agreement must be
to do any act which is either forbidden by law or is opposed to the law.
(b) Or to do a legal act by illegal means
When any act is done even though it is lawful but done by illegal means, it
constitutes criminal conspiracy.
3. The agreement may be expressed or implied or partly expressed and partly
implied.
4. As soon as the agreement is made, the conspiracy arises, and the offence is
committed.
5. And, the same offence is continued to be committed so long as the
combination persists.

In Kehar Singh and others v. State (Delhi Administration)40 the Hon’ble
Supreme Court held that the most important ingredient of the offence of
conspiracy is an agreement between two or more persons to do an illegal act.
Such an illegal act may or may not be done in pursuance of the agreement, but
the very agreement is an offence and is punishable.

In Major E.G. Barsay v. The State of Bombay41 it was held that an agreement to
break the law constitutes the gist of the offence of criminal conspiracy under
Section 120A IPC.

38 Intermediaries Under The Information Technology (Amendment) Act 2008 - Telecoms, Mobile & Cable Communications - India (mondaq.com)
39 R. Venkatakrishnan vs Central Bureau Of Investigation on 7 August, 2009 (indiankanoon.org)
40 1988 AIR 18843
41 AIR 1961 SC 1762

I humbly submit to the Hon'ble High Court that firstly there is an agreement
between Think Data and Prof Suryakanth Sindhe, according to which the
information was sold to Think Data. As for the second point, the agreement
may have been made for a lawful purpose, but it is illegal to share the personal
information of individuals with other parties without their consent.

2.4 Section 34 of the Indian Penal Code


It is humbly submitted before the Hon’ble High Court that Section 34 of the
Indian Penal Code recognizes the principle of vicarious liability in criminal
jurisprudence. A bare reading shows that the section could be dissected as
follows:
1. Criminal act is done by several persons;
2. Such act is done in furtherance of the common intention of all; and
3. Each of such persons is liable for that act in the same manner as if it were done
by him alone.42
Section 34 as it originally stood in the Code of 1860 read: “When a criminal act
is done by several persons, each of such persons is liable for that act in the
same manner as if the act was done by him alone.” Later, following what was observed in
Queen vs. Gora Chand Gope & Ors.,43 new words were introduced into the act:
“in furtherance of common intention.”

It is humbly submitted before the Honourable High Court that this case strongly
comes under the horizons of the new words which were introduced into the
section 34 in 1870 and intention of the accused must be studied very carefully
as stated in facts.

In Ashok Kumar v State of Punjab44, it was held that the existence of a common intention
amongst the participants in a crime is the essential element for application of
this section. It is not necessary that the acts of the several people charged with
the commission of an offence jointly must be the same or identically similar.

In Babulal Bhagwan Khandare v State of Maharashtra45, it was held that the acts may
be different in character, but must have been actuated by one and the same
common intention in order to attract the provision.

In Barendra Kumar Ghosh v King Emperor46, the true purport of section
34 was stated as:
The words of s.34 are not to be eviscerated by reading them in this exceedingly
limited sense. By s.33 a criminal act in s.34 includes a series of acts and,
further “act” includes an omission to act, for example, an omission to interfere
in order to prevent a murder being done before one’s very eyes.

42 Ratanlal & Dhirajlal, “The Indian Penal Code”, 36th Edition, 2019.
43 Queen vs. Gora Chand Gope & Ors (1866) 5 South WR (Cri) 45.
44 Ashok Kumar v State of Punjab, AIR 1977 SC 109: (1977)1 SCC 746
45 Babulal Bhagwan Khandare v State of Maharashtra AIR 2005 SC 1460 : (2005) 10 SCC 404.
46 Barendra Kumar Ghosh v King Emperor, AIR 1925 PC 1

Under section 34 of the Indian Penal Code, an act attracts the section if three
essential conditions are met. In this case, firstly, the breach of trust is criminal in
nature; secondly, it is committed by several individuals; and thirdly, it must be
committed with the same intent, which is present here, as both Suryakanth Sindhe and
the company Think Data wished to profit from information obtained from academic
research.

ISSUE 3:
3. Whether there exists the common intention amongst the accused?
It is humbly submitted before the Hon’ble High Court that a
common intention exists between the company Think Data and Prof. Suryakanth
Sindhe as per Section 34 of the IPC, 1860.

3.1 Section 34 of Indian Penal Code, 1860


The Section 34 of the Indian Penal Code, 1860 states, “When a criminal act is
done by several persons in furtherance of the common intention of all, each of
such persons is liable for that act in the same manner as if it were done by him
alone.” 47

This section is intended to meet cases in which it may be difficult to distinguish
between the acts of the individual members of a party or to prove what part was
exactly taken by each of them in furtherance of the common intention of all. 48
The reason why all are deemed guilty in such cases is that the presence of
accomplices gives encouragement, support and protection to the person actually
committing an act.

The essential ingredients of Section 34 of the Indian Penal Code, as stated and
restated by the courts in a plethora of cases, are:

1. Common intention to commit a crime, and

2. Participation by all the accused in the act or acts in furtherance of the
common intention.

These two things establish their joint liability. 49

This provision is only a rule of evidence and does not create a substantive
offence. It lays down the principle of joint liability. To charge a person under
this section, it must be shown that he shared a common intention with another
person or persons to commit a crime and subsequently the crime was
perpetrated.50 The Apex Court held51 that, in the case of section 34, it is
well established that a common intention presupposes prior concert. It requires a
pre-arranged plan because before a man can be vicariously convicted for the
criminal act of another, the act must have been done in furtherance of the
common intention of them all.

47 Section 34, Indian Penal Code.
48 Mepa Dana, (1959) Bom LR 269.
49 Shaik China Brahmam v. State of A.P., AIR 2008 SC 610.
50 Garib Singh v State of Punjab, 1972 Cr LJ 1286.
51 Pandurang v. State of Hyderabad, AIR 1955 SC 216.

To constitute common intention, it is necessary that the intention of each one of
the accused was known to the rest of them and was shared by them. The test to
decide if the intention of one of them is common is to see whether the intention
of one was known to the other and was shared by that other. In drawing the
inference, the true rule of law which is to be applied is the rule which requires
that guilt is not to be inferred unless that is the only inference which follows
from the circumstances of the case and no other innocuous inference can be
drawn. 52

Each can individually cause a separate fatal blow. Yet, there may not exist a
common intention if there was no prior meeting of the mind. In such a case, each
would be individually liable for the injuries he causes. 53

3.1 In furtherance of common intention

The Supreme Court referred to the Oxford English Dictionary where the word
“furtherance” is defined as an “action of helping forward.” Russell, in his book
on Criminal Law, adopted this definition and said:
“It indicates some kind of aid or assistance proceeding an effect in future and that
any act may be regarded as done in furtherance of the ultimate felony if it is a
step intentionally taken for the purpose of effecting the felony.” The Supreme
Court has also construed the word “furtherance” as “advancement or
promotion.” 54

3.1.1 ‘Common intention’


In Bengai Mandal v State of Bihar,55 it was observed that courts, in most cases,
have to infer the intention from the act(s) or conduct of the accused or other
relevant circumstances of the case. However, an inference as to the common
intention shall not be readily drawn; the criminal liability can arise only when
such inference can be drawn with a certain degree of assurance. In most cases it
has to be inferred from the act or conduct or other relevant circumstances of the
case in hand.56

Before a court can convict a person for any offence read with section 34, it
should come to a definite conclusion that the said person had a prior concert
with one or more persons, named or unnamed, for committing the said
offence.57

52 Oswal Danji v State, (1960) 1 Guj LR 145.
53 Nandu & Dhaneshwar Naik v. The State, 1976 CriLJ 250.
54 Parasa Raja Manikyala Rao v State of A.P, (2003) 12 SC 306 : AIR 2004 SC 132 : 2004 Cr LJ 390, citing Shankarlal Kacharabhai, AIR 1965 SC 1260 : 1965 (2) Cr LJ 226.
55 AIR 2010 SC 686 : (2010) 2 SCC 91.
56 Maqsoodan v State of UP, 1983 Cr LJ 218 : AIR 1983 SC 126 : (1983) 1 SCC 218; Aizaz v State of UP, (2008) 12 SCC 198 : 2008 Cr LJ 4374; Lala Ram v State of Rajasthan, (2007) 10 SCC 225 : (2007) 3 SCC Cr 634; Harbans Kaur v State of Haryana, AIR 2005 SC 2989 : 2005 Cr LJ 2199 (SC); Dani Singh v State of Bihar, 2004 (13) SCC 203 : 2004 Cr LJ 3328 (SC).
57 Krishna Govind Patil v State of Maharashtra, AIR 1963 SC 1413 : 1964 (1) SCR 678 : 1963 Cr LJ 351 (SC); State of Maharashtra v Jagmohan Singh Kuldip Singh Anand, (2004) 7 SCC 659 : AIR 2004 SC 4412, the prosecution is not required to prove in every case a pre-arranged plan or prior concert. Preetam Singh v State of Rajasthan, (2003) 12 SCC 594, prior concert can be inferred, common intention can develop on the spot.

3.1.2 Act is done in furtherance of common intention
In view of the phraseology of section 34, existence of common intention is not
enough; the criminal act impugned to attract section 34 must be committed in
furtherance of common intention. The section operates only when it is found
that the criminal act done by an individual is in furtherance of the common
intention and not without it.58 The words ‘in furtherance of the common
intention of all’ in section 34, IPC do not require that in order that the section
may apply, all participants in the joint acts must either have common intention
of committing the same offence or the common intention of producing the same
result by their joint act be performed.

It is true that no concrete evidence is required to prove a common intention
between two people to commit an act. It is, however, key here to understand that
such evidence must be such that it does not leave any room for doubt against
such an intention.59

Moreover, to sustain a charge under section 34, active participation in the
commission of the criminal act is required, which is clearly present in the
present case.

It is humbly submitted to the Hon’ble Court that accused-1 can be punished
under the principle of joint liability because he had the intention to breach
the trust of the information provider, or even knew that he was selling the
information without the consent of the information provider.

Hence, it is humbly submitted that there was presence of common intention on
the part of Think Data in the act of breaching the trust of the information
provider, and hence Prof. Suryakanth Sindhe and the company Think Data can be
charged under section 34. The counsel submits that all the aforementioned
essential conditions have been met in the present case. It is further submitted
that the accused must be held liable under section 34 of IPC.

In this case, first, the breach of trust is criminal in nature; secondly, it is
committed by several individuals; and thirdly, it is committed with the same
intent, in that both Suryakanth Sindhe and the company Think Data wished to
profit from information obtained from academic research. Hence the common
intention is present between the accused.

ISSUE 4:
4. Whether there was infringement of right to privacy in cyber space with
reference to the Information Technology Act, 2000?
It is humbly submitted before this Hon’ble High Court that there was
infringement of the right to privacy with reference to the Information
Technology Act, 2000.

58 State of Bihar v Lala Mahto, AIR 1955 Pat 161.
59 Dharam Pal v State of Haryana, AIR 1978 SC 1492.

The Information Technology Act, 2000 (“IT Act”) was amended in the year 2008 to
bring in new provisions such as Section 43-A and Section 72-A. Section 43-A
of the IT Act primarily deals with the compensation for negligence in
implementing and maintaining ‘reasonable security practices and procedures’ in
relation to ‘sensitive personal data or information’ (“SPDI”) while Section 72-A
of the IT Act mandates punishment for disclosure of ‘personal information’ in
breach of lawful contract or without the information provider’s consent.60

On 13 April 2011, the Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI
Rules”) were issued under sub-section (2) of section 87 read with section 43-A of
the IT Act. The SPDI Rules only apply to bodies corporate and persons located in
India, and in a few cases the rules only apply to relations between an individual
and a body corporate, and not between two bodies corporate.

4.1 Data Privacy: Key Features of the SPDI Rules:

Rule 3 defines SPDI.61 The following data is termed as SPDI:
– Passwords;
– Financial information;
– Physical, physiological and mental health condition;
– Sexual orientation;
– Medical records and history;
– Biometric information;
– Any detail relating to the above as provided to body corporate for providing
service; and
– Any information received under the above by body corporate for processing,
stored or processed under lawful contract or otherwise.

Under rule 5,62 a body corporate is required to obtain prior consent from the
information provider regarding the purpose of usage of the SPDI. In the present
case, the information collected from the users of the Dost platform was obtained
on the representation that it was for academic purposes, but it was eventually
sold to a third party without taking consent or giving information regarding
the third-party agreement.

Such information should be collected only if it is essential and required for a
lawful purpose connected with the functioning of the body corporate. In the
present case, although the purpose was legal, the information was afterwards
used for a different purpose. The body corporate is also required to take
reasonable steps to ensure that the information provider has knowledge about the
collection of information, the purpose of collection of such information, the
intended recipients and the name and address of the agency collecting and
retaining the information.

60 Data Privacy Regime in India: IT Act and SPDI Rules (previewtech.net)
61 The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (indiankanoon.org)
62 The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (indiankanoon.org)

A “body corporate” is defined under Section 43A of the IT Act as a company or a
partnership firm, sole proprietorship or other association of individuals engaged
in commercial or professional activities.63

The SPDI Rules further mandate that a body corporate handling SPDI shall
provide a comprehensive privacy policy containing details such as the type of
information collected, the purpose for collection of information, the disclosure
policy, the security practices, and procedures followed etc. The privacy policy is
required to be clearly published on the website of the body corporate and made
readily available to the information providers.

Under rule 8, a body corporate is required to implement ‘reasonable security
practices and procedures’ in relation to SPDI. One such standard is IS/ISO/IEC
27001 on “Information Technology – Security Techniques – Information
Security Management System – Requirements”.64

Hence, it is humbly submitted that the information collected from the
information provider here is sensitive in nature, and hence the Information
Technology (Reasonable Security Practices and Procedures and Sensitive Personal
Data or Information) Rules, 2011 (“SPDI Rules”) are applicable.

4.2 Section 43A of Information Technology Act, 2000

The principal law governing internet use in India is the Information Technology
Act, 2000, which contains some provisions that are relevant to protection of
privacy in India. Various provisions of the Information Technology Act and the
Rules thereunder provide for protection of the information shared on the
internet by the user. The protection can be summarized65 as follows:

1. These provisions require the corporate bodies to implement and maintain
reasonable security practices concerning the information that they receive,
store, deal with, transfer, etc.

2. It is mandatory for the corporate bodies to declare their privacy policy to the
user and obtain their consent to the same.66

3. It is necessary to obtain consent of the users before collecting any sensitive
information and to state the lawful purposes for which the same shall be used by
the corporate body.67

63 A2000-21_0.pdf (legislative.gov.in)
64 The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (indiankanoon.org)
65 Based on the information sourced from India Telecommunications Privacy Report referred on https://www.privacyinternational.org/reports.
66 Section 43A of the Act and Rule 4 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
67 Section 43A of the Act and Rule 5(1) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

4. It is also provided that any failure on the part of the corporate body in this regard
shall attract a penalty in the form of compensation to the person affected by any
such failure and may also result in incurring a criminal liability if the
consequence of any such failure is wrongful loss or gain.68

MphasiS BPO Fraud (2005): In December 2004, four call centre employees,
working at an outsourcing facility operated by MphasiS in India, obtained PIN
codes from four customers of MphasiS’ client, CitiGroup. These employees
were not authorized to obtain the PINs. In association with others, the call
centre employees opened new accounts at Indian banks using false identities.
Within two months, they used the PINs and account information gleaned during
their employment at MphasiS to transfer money from the bank accounts of
CitiGroup customers to the new accounts at Indian banks.

By April 2005, the Indian police had been tipped off to the scam by a U.S. bank,
and quickly identified the individuals involved in the scam. Arrests were made
when those individuals attempted to withdraw cash from the falsified accounts.
$426,000 was stolen; the amount recovered was $230,000.

Verdict: Court held that Section 43(a) was applicable here due to the nature of
unauthorized access involved to commit transactions.69

Hence, it is submitted before the honourable HC that the accused are liable
under section 43A of the Information Technology Act, 2000 as, firstly, the
information was sold to Think Data without the consent and knowledge of the
users of the Dost platform.

4.3 Section 72A of Information Technology Act, 2000


It provides that “Punishment for disclosure of information in breach of lawful
contract. Save as otherwise provided in this Act or any other law for the time
being in force, any person including an intermediary who, while providing
services under the terms of lawful contract, has secured access to any material
containing personal information about another person, with the intent to cause
or knowing that he is likely to cause wrongful loss or wrongful gain discloses,
without the consent of the person concerned, or in breach of a lawful contract,
such material to any other person, shall be punished with imprisonment for a
term which may extend to three years, or with fine which may extend to five
lakh rupees, or with both”

Thus, every person who is possessing or dealing with personal data or
information has an obligation not to be negligent and an obligation to have
reasonable security practices and procedures, so that no wrongful loss or
wrongful gain takes place to any person.70

68 Under Section 43A, any body corporate who fails to observe data protection norms may be liable to pay compensation if it is negligent in implementing and maintaining reasonable security practices, and thereby causes wrongful loss or wrongful gain to any person. "Wrongful loss" and "wrongful gain" have been defined by Section 23 of the Indian Penal Code.
69 IT Act 2000 – Penalties, Offences With Case Studies - Checkmate (niiconsulting.com)
70 Data Protection Laws In India - iPleaders

Hence, it is submitted before the honourable HC that the accused are liable
under section 72A of the Information Technology Act, 2000 because the Dost
platform and Prof. Suryakanth Sindhe have breached the trust of the users of
Dost, and Think Data has been negligent regarding the consent and knowledge of
the information provider.

In R. Rajagopal v. State of T.N.,71 the Supreme Court held that the petitioners
have a right to publish what they got as information regarding the concerned
person, from the public records or public domain. This may be without his
consent or authorization. But if they go beyond that and publish his life story,
they may be invading his right to privacy.

Hence, doing something beyond the consent of the user, or beyond the agreement
with the user, is an infringement of the user's right to privacy.

4.4 Highlights of the Data Protection Bill, 2021 72


India's proposed data protection law has been a long time in the making. In
2018, a committee of experts constituted by the Indian government issued a first
draft of a proposed law on data protection. In late 2019, a revised version of the
draft, titled the Personal Data Protection Bill, 2019 (the "PDPB"), was
introduced in the Indian Parliament.

This bill mentions some obligations of data fiduciaries and grounds for data processing:
1. Purpose and Collection Limitation:

Personal data may only be processed in a fair and reasonable manner that
will ensure the privacy of data principals. It can be collected only to the
extent necessary for the purposes of processing.
2. Privacy Notice:

Data fiduciaries are required to provide data principals with a notice that
details specific information, including purposes of processing, nature and
categories of personal data being collected, and the basis of processing. This
notice must be clear, precise, and easily comprehensible to an individual and
in multiple languages to the extent necessary and practicable. Notably, no
notice is required where the provision of such notice would prejudice the
processing of personal data for Public Interest.

GROUNDS FOR DATA PROCESSING


1. With Consent: Consent is the primary ground for processing personal data under the
Bill.

71 R. Rajagopal @ R.R. Gopal v. State of Tamil Nadu, Writ Petition (C) No. 422 of 1994, decided on 07 October 1994.
72 A Guide To The Data Protection Bill, 2021 - Privacy Protection - India (mondaq.com)

a. Personal data can only be processed by a data principal providing free,
informed, specific, and clear consent that is capable of being withdrawn, at the
commencement of processing.
b. Sensitive personal data can only be processed with the explicit consent of data
principals.
c. The burden of proving if consent of a data principal has been sought vests with
data fiduciaries.
d. Data fiduciaries can only process personal data for purposes that are consented
to by the data principal or purposes which are incidental to or connected to such
purpose and where the data principal would reasonably expect the processing in
regard to the purpose, and in the context and circumstances in which the
personal data was collected.
