India: Right to Privacy: The Next Step Supreme Court on Data Privacy on Social Media

October 3, 2017

Patanjali ayurved


What is Data Privacy?

Data privacy is suitably defined as the appropriate use of data. When companies and merchants use data or information that is provided or entrusted to them, the data should be used according to the agreed purposes[1]. The necessity of maintaining strict data privacy is applicable most stringently to collected personal information, such as medical records, financial data, criminal records, political records, business related information or website data, but in an age when most personal information is voluntarily shared and accessible over broad-based social media platforms, the stringency of data privacy has become more relevant than ever in the context of shared personal data.

Why is Data Privacy Important?

With systematized digitisation of data, and modes of communications and transactions transitioning online, users are obliged to divulge personal details at every step in order to avail essential services. All of this information gets stored in huge databanks, reservoirs of the world’s personal data, and the user can never be sure who has or does not have access to these reservoirs of information. The only thing standing between a user and the unscrupulous exploitation of her/his divulged personal details is by governments, corporations or even criminal elements, is the nebulous world of data protection law.

As early as the 1960’s and 70’s, governments, government-affiliated, as well as private organizations had started tapping the resource that was the personal information of a large majority of the population of the world. This led to alarming questions about the collection and storage of such great quantities of personal data- Who had access to it? Was the information stored accurate? Was it being distributed without the knowledge of the persons involved? Could it be used for discriminating against them, or for abusing their rights?

From these concerns, data protection laws started getting formulated in the developed nations. Data protection laws now exist, in some form or other, in over 100 countries worldwide. But with the growing rise in online threats, such as hacking, ransomware, identity theft, e-commerce fraud, cyber-stalking, cyber-bullying, to name just a few, data privacy measures have become a priority security concern for the international community.

Data Privacy and Social Media

While the very idea of social media may seem like anathema to data privacy- social media relies on motivating users to voluntarily divulge and sharing personal information and media among diffuse groups of people- it is for this very reason that the need for data protection and privacy is becoming the greatest concern in this field.

Recently, widespread hacking and the compromising of user accounts across social media platforms have raised fears that the largest internet giants, prominently social networks, may be mining user information and selling them to third party entities to generate revenue and to promulgate targeted advertising.

Supreme Court’s Notice to Major Social Media Players

In Special Leave Petition 804/2017, more popularly called “the WhatsApp Case”, two students have challenged WhatsApp’s new privacy policy after it was acquired by Facebook. They claim that WhatsApp divulged user data to Facebook which violates the fundamental right to privacy, as recently pronounced by the nine-judge Constitution Bench of the apex court in the August 24 judgement in
Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors[2] . The five-judge bench presiding over this case issued notices to Google and Twitter, along with the Government of India, seeking their legal opinion on data sharing with cross-border corporate entities, which is currently not governed by any law in force in India. Facebook and WhatsApp, in the meantime, have been ordered to file sworn affidavits, testifying to not sharing user information with third parties. The two matters are to be heard in conjunction and have been listed for November 20, 2017.

The impact of the Right to Privacy judgement was keenly felt in the proceedings of the case which took place on September 6, with Ms. Madhavi Divan and Addl. Solicitor-General Tushar Mehta referring to the relevant paragraphs of the landmark judgement dealing specifically with protection of user data privacy, and the constitution of an expert committee, headed by former Supreme Court Justice, Shri B.N. Srikrishna, to deliberate upon the position of data protection law in India and present its recommendations. Senior counsel K.V. Vishwanath, appearing on behalf of one of the impleaded parties in the case, also stressed on the necessity of the apex court to create guidelines in the interim, before dedicated legislation is passed on the issue of data protection.

By means of this petition, petitioner Advocate-on-Record Pallav Mongia has challenged the constitutional validity of the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 as well as the clarification in this regard as issued by the Ministry of Communications and Information Technology on August 24, 2011.

The situation as it stands in India at present is that existing Indian data privacy laws do not apply to entities situated outside the country. This is worrisome as user data collected by major social media platforms are stored on servers and databanks located outside India, and therefore fall outside the purview of Indian jurisdiction. Moreover, the content, website and data generated on websites such as, or is controlled by the principal entities, Facebook Inc., Twitter Inc. and Google Inc., which are body corporates instituted and existing outside the reach of Indian law.

The user is caught in a trap, in such a situation. Privacy policies formulated by websites tend to be “take it or leave it” affairs, leaving the user facing the dilemma of completely surrendering her/his privacy, or not being permitted to use social media at all. Thus, while technically such user consent does constitute “informed consent”, it is extracted without leaving the user much room in terms of choice.

Recently, the problem of data leakage to cross-border international entities took on the scope of a national security concern when, in the apprehension of a possible war with China, the Ministry of Electronics and Information Technology doubled down on its scrutiny of Chinese smartphone manufacturers such as Oppo, Vivo, Xiaomi, Lenovo, Gionee as well as global players such as Apple and Samsung.


Patanjali logo


In conclusion, given that more than 2.5 quintillion bytes of data are consumed every day, the risk of breaches in data privacy are higher than ever before and just as significant. It is becoming more and more imperative that the government treat this matter with as much seriousness as the Supreme Court has done and take active legislative steps to protect the data privacy of its citizens.

Additional References:

[1] , as accessed on September 13, 2017.

[2]WP (Civil) No. 494 of 2012.

For more information please contact us at :