LAW RELATING TO CYBERSPACE

AND E-COMMERCE
AN

ASSIGNMENT PAPER SUBMITTED TO THE

UNIVERSITY INSTITUTE OF LAW, PANJAB
UNIVERSITY REGIONAL CENTRE, LUDHIANA

IN THE PARTIAL FULFILMENT OF REQUIREMENT FOR THE

DEGREE OF LLM

Topic – Laws relating to Data Protection

SUBMITTED TO:

Dr. Vaishali Thakur

SUBMITTED BY:
Yuvrajveer Singh Sandhu
Roll No. – 25
LLM [2nd SEM]

1|Page
 ACKNOWLEDGEMENT

At the outset, I wish to thank the Almighty God for his immense blessings
and pray to him to continue to guide me on the path of my committed
calling.

A sincere and heartfelt gratitude is due in the name of those writers whose
works have been borrowed and included in this project meant for academic
and scholastic pursuit of the student enrolled in One Year Postgraduate Law
programme (LLM).

I take this opportunity to extend my thanks to our teacher,.

DR. VAISHALI THAKUR, PURC, LUDHIANA, for this help, without
her assistance the compilation of this project would have been impossible.

2|Page
 TABLE OF CONTENT

SR. NO. TOPIC PAGE NO.

Acknowledgement 2

Table of Content 3

1. Introduction 4

2. What is meant by Data Protection and 5

Data Privacy?
3. Evolution of Data Protection Laws 5–7

4. Need for Data Protection and Data 8 – 10

Privacy Laws in India
5. Data Protection and Data Privacy Laws 11 – 13
in India
6. Applicability Data Protection and Data 14
Privacy Laws in India
7. Penalties for Violation of Data 15 – 16
Protection Laws
8. Important Case Laws 17 – 18

9. Conclusion 19

10. Bibliography 20

3|Page
 INTRODUCTION

“Data is the new oil.” It signifies that data is a valuable asset that is being explored by
businessmen in order to extract huge profits. It is naturally unrefined and needs to be
converted into something of value. Also, we are now a part of the biggest digital economy,
where every person is reduced to data. Data is better than opinions; it is preferred as it is
more reliable and predictable. We can predict outcomes based on existing data, get insights
for better business performance, make better strategies, etc. But it can be equally disastrous if
the data is not handled with care. Data is indeed powerful on its own, but it needs the aid of
the law to be regulated. Thus, come data protection and privacy laws and India has recently
passed its much-awaited law on the subject.

These days a term data protection has become synonymous with other rights of the citizens
which are guaranteed by the state. With the beginning of the 21st century, there has been a
sharp increase in the development of technology, which subsequently has become an integral
part of human life. Today, these technologies have connected to the day to day life of a
human being in such a way that, these technologies holds important data related to a user.
That’s why data protection has become so relevant in safeguarding the interest of an
individual.

4|Page
 WHAT IS MEANT BY DATA PROTECTION AND DATA PRIVACY

There are two aspects present here: data privacy and data protection. Data privacy means
when, how, and to exactly what extent the personal data of a consumer can be shared and
communicated to others. The personal information can be name, address, ethnicity, phone
number, marriage status, etc. With the increase in internet usage over the years, there is an
urgent need for data privacy regulations. Download Now Data protection, on the other hand,
is the legal safeguarding of data against any loss, damage or corruption. As data is now
collected at an unprecedented rate, there is a serious issue of protecting the data collected
from unauthorised sources.

EVOLUTION OF DATA PROTECTION LAWS

Data privacy is not a new concept. It has been in existence since the Semayne case of 1604,
where it was accepted that the house of everyone is to him as his castle and fortress. The
concept of privacy evolved thereafter and was again brought to attention through an article
titled, “The Right to Privacy,” written by Attorney Mr. Samuel Warren and Justice Louis
Brandeis, where protection of the right to privacy was recognised as the foundation of
individual freedom in the modern age. Later in 1984, privacy was recognised statutorily
through the Universal Declaration of Human Rights (UDHR) by virtue of Article 12(4).
Then came the Organisation for Economic Cooperation and Development (OECD)
guidelines on protection of privacy and transborder flow of personal data in 1980. Countries
started framing their data privacy laws as early as Germany in the year 1970. The landmark
General Data Protection Regulation (GDPR) came into effect on May 25, 2018,
revolutionising the data privacy and protection laws. In the Indian context, privacy has been
a matter of debate in the judicial courts, with some addressing privacy as a fundamental right
and others not admitting it as a right under Article 21 of our Constitution. Finally, in 2017,
the celebrated case of K.S. Puttaswamy v. Union of India (2018)1 pronounced the right to
privacy a fundamental right safeguarded under Article 21. We already had some broken parts
of the Information Technology Act (2000), the Indian Penal Code (1860), etc. that dealt
with the right to privacy. But there was the absence of a standalone, comprehensive law on

1 Writ Petition (Civil) No. 494 of 2012

5|Page
the subject. Eventually, after seven years of making and three attempts to pass the privacy
legislation, India adopted a full-fledged data protection and privacy law on August 9, 20232.

ROLE OF JUSTICE SRI KRISHNA COMMITTEE IN DATA PROTECTION LAWS

In the year 2017, the government of India, through its Ministry of Electronics and
Information Technology, appointed a committee of ten members under the chairmanship of
Justice B.R. Krishna (a retired Supreme Court judge). This committee was supposed to
submit a detailed report on the introduction of the data privacy law in India. The committee
finally submitted its report on the data protection framework on July 27, 2018.3

The committee recommended a clear distinction between sensitive personal data and critical
personal data and separate provisions for the collection and processing of different kinds of
data. It was suggested that the term ‘personal data’ is any kind of data that allows
identification of an individual, whether directly or indirectly. However, sensitive personal
data is in relation to more intimate matters such as caste, religion and sexual orientation of a
person. It was also made clear that the critical personal data should be processed in the
centres that are located within the country only. The reports suggested that there is a fiduciary
relationship between the service provider and individuals whose data is collected. So, the
service provider is always under an obligation to deal with the personal data of the
individuals in a fair and transparent manner and also to give the individual notice of data
collection at various points. Also, the service provider would be bound by the ‘purpose
limitation principle’, which states that personal data should be collected only for limited,
explicit and specified purposes. The law was suggested not to have any retrospective effect
and would be enforced for the future, but only in a structured manner. The committee
strongly suggested that the processing of personal data should have clear, specific and lawful
purposes alone. The data should be processed only when it’s consented to by the individual.
This consent may, at any time, be withdrawn by the individual. A special mention was made
in regard to the data on children. It said there needed to be stricter provisions for protection of
their data. It was also pointed out that there may be four situations in which non-consensual
processing of data may be allowed. These are:

2 https://www.indialawoffices.com/legal-articles/data-protection-laws-in-india
3 https://blog.ipleaders.in/data-protection-laws-in-india-2/

6|Page
 • When the processing is relevant for the state in order to do its welfare functions.

• When it’s required to comply with the law or legal orders within India.

• When the processing is necessitated by the need to act upon it promptly.

• In the scenario of employment contracts as well.

The committee also put forth the idea that all organisations and firms that collect personal
data should mandatorily appoint data protection officers. These officers would go on to
become the main point of contact for the users who face any grievance in their data collection
by the concerned company. The committee also made a key recommendation of imposing
higher penalties ranging from 2-4% of the company’s worldwide turnover or fines between
Rs. 5 crore and Rs. 15 crore, whichever is higher. Another highlight of the committee’s report
was that the data protection law enacted would have jurisdiction over the processing of
personal data when that data has been used, stored, disclosed, or collected anywhere in India;
it doesn’t matter where the data is actually processed. It was also stated by the committee that
there are certain rights of an individual, such as the right to access their data, to correct it,
withdraw their consent, right to object to the data processing, right to be forgotten, etc. As per
the report of the committee, there would be amendments needed in laws such as the
Information Technology Act, 2000; the Census Act, 1948; the Aadhar Act, 2016, Right to
Information Act, 2005. After receiving the recommendations of the committee and a draft
privacy law bill, the bill remained in limbo. Its first draft was made public in July 2018 and
then revised again in December 2019. The Bill was then referred to a joint parliamentary
committee for its report, which submitted its report two years later, that is, in December
2021. Later, the government decided to withdraw the bill as there were too many proposed
changes to be incorporated. Later in November 2022, the Ministry of Electronics and
Information Technology released a draft bill for public consultations. Finally, in August
2023, the government introduced the Digital Personal Data Protection Bill, 2022. After much
consultation and amendment, the Digital Personal Data Protection Bill of 2023 was finally
passed and it received the President’s assent after six years.4

4 https://www.dlapiperdataprotection.com/index.html?t=law&c=IN

7|Page
 NEED FOR DATA PROTECTION AND DATA PRIVACY LAWS IN
INDIA

We cannot deny anymore that we live in a digital age where everything is on our screens.
From our data to our currency, from movies and songs to shopping, every domain has been
digitised. In such a digitalised world, information proves to be significant. In this age of
digitalisation, when everything has been transported to our digital devices, our personal and
non-personal information has also been transported. As a result, the perils to our data privacy
have increased multifold. India is an economy that’s growing spontaneously and with that
growth, the importance of our sensitive data has also been recognised. The introduction of
strong data privacy laws in India has recently assumed more significance after the
Puttaswamy decision, which held that the right to privacy is indeed a fundamental right. The
need for data protection and privacy laws can be summarised as follows 5:

1. Provides for protection of personal and non-personal information of people- The

data privacy laws are aimed at ensuring proper protection and security of the personal
and non-personal information of citizens. These laws regulate how the information is
collected and processed, the grounds of consent of the individuals, penalties in case
the companies do not protect the data as required by the law, etc.

2. Builds stronger trust and confidence– These laws are also vital as they build a
stronger foundation for trust and confidence amongst the people. When companies
prioritise privacy of their users data and use their data scrupulously, it showcases their
commitment to protecting their personal data, which in turn helps consumer build a
better and stronger relationship with the concerned company.

3. Preserves right to privacy- As we have already mentioned, the Indian Constitution

acknowledges the right to privacy of an individual as a fundamental right. This
implies that every individual has a right to their own data. It allows them to decide
how they want their data to be used and when they want to withdraw their consent or
object to the processing of their data.

5 https://blog.ipleaders.in/data-protection-and-privacy-policies-in-cyber-law/

8|Page
4. Increased digital footprints- India has a population of more than a billion people,
and it’s no surprise that a significant part of the population is now connected to the
internet. With the extensive use of social media such as YouTube, Instagram, Tik
Tok, etc., people are leaving behind digital footprints all over the internet. If not
handled correctly, this invites major digital data breaches where our personal data and
history may be made public.

5. Lack of awareness- The sheer lack of understanding of data privacy in our nation
also becomes another reason to bring up such a law. People use the internet all the
time, but they don’t really understand the law behind it. They are unable to
comprehend the consequences of their actions at the time. Once such a law is in place,
there will be more awareness about the importance of privacy on digital platforms,
and it will be easier to educate people about their rights and obligations while they are
active on digital platforms.

6. Prevents data breaches, identity thefts, etc.- With the increasing number of people
who have joined the digitisation process, there are higher chances of any offence
being committed, such as, fraud, identity theft, data breaches, etc. The data privacy
laws play a crucial role in putting such mechanisms in place that would help prevent
these offences.

7. Promotes innovation and economic growth- A country with properly regulated data
protection laws can promote a legal framework that balances the individual’s right to
privacy with digital growth. With newer companies finding a place, data privacy will
also find its pending significance. More nations and companies will consider investing
in our companies if their data protection framework is strong.

8. Maintains the children’s privacy- Children as well have become more active on all
the digital platforms, due to which the need for special laws and provisions to ensure
the protection of their data is needed. The issues concerning their consent and their
rights need special attention as they are quite different from the normal cases of data
collection. A lot of games collect diverse personal information about kids easily in
order for them to play their game and kids are unaware of the ramifications of the

9|Page
 same. A proper law in place would make sure that not only such data is protected but
also that there is more awareness about it.

9. Data ethics- These laws not only serve the purpose of data processing and collecting
but also data ethics. Data ethics are the principles that ensure that the data collection
and strong processing are all based on ethical standards, there is fair and transparent
data processing, and the processing is non-arbitrary and non-discriminatory.

10. Rights of the individuals- The data protection laws empower the individual in more
than just one way. They get a right to know about their data, its collection, storage and
transfer, and also get a right of redressal in case of any violation. They are properly
compensated for any data breach. It sets up an effective grievance redressal
mechanism and makes people aware of the rights they possess in relation to their data.

11. Facial recognition and surveillance- New technologies such as facial recognition
and surveillance have time and again raised several concerns about the privacy of
people’s data. These regulations address these concerns and ensure more responsible
data collection by individuals.

Data protection laws have assumed more and more significance throughout different
territories of the world as more people have started engaging online. They need legislation
that helps them place their trust and faith in the digital mediums. They need to know how and
what data of theirs is collected, how it will be used, transferred, stored, disposed of, etc.
Through these laws, they will be able to understand the privacy policies of the companies
they are interacting with or purchasing products from.

In summary, data protection and privacy laws are of significance as they ensure that our data
is kept safe in this digitalised world. Our data is immensely valuable and shouldn’t be
misused or, in fact, used without our express consent. If any deviance happens, action would
be taken in accordance with the data protection laws in place. However, if there’s no law in
place, the offenders would go scot-free and our personal data would be out in the open.
Moreover, the government generally possesses more of our data. Any data breach that occurs
would put a lot of data in jeopardy. With these laws in place, not only private companies but
also government departments and sectors would be bound by them.

10 | P a g e
 DATA PROTECTION AND DATA PRIVACY LAWS IN INDIA

OVERVIEW OF THE IT ACT, 2000

In India, till now there is no exclusive law pertaining to the rights of an individual’s privacy.
Only there is Information Technology act, 2000, which deals with cyber crimes and provides
remedies against the violation of the act. The act contains few provisions related to the
individual’s privacy but they are not exhaustive in nature. Under section 43A of the
Information Technology Act, 2000[3], a body corporate who is possessing, dealing or
handling any sensitive personal data or information of an individual, and is negligent in
implementing and maintaining reasonable security practices in protecting the data and results
in wrongful loss or wrongful gain to any person, then such body corporate may be held liable
to pay damages to the person so affected. It is important to note that there is no maximum
limit specified in the act for the compensation that can be claimed by the affected party in
such circumstances. 6

Information Technology (Reasonable Security Practices and Procedures and Sensitive

Personal Data or Information) Rules, 2011 deals with the protection of “Sensitive personal
data or information of a person”, which includes the personal information relating to:

• Passwords;

• Financial information such as bank account or credit or debit card or other payment
instrument details;

• Sexual orientation;

• Medical records and history; and

• Biometric information.

Under section 72A of the Information Technology Act, 2000[4], disclosure of information,
knowingly and intentionally, without the consent of the person concerned and in breach of

6 https://www.meity.gov.in/cyber-security

11 | P a g e
the lawful contract has been also made punishable with imprisonment for a term extending to
three years and fine extending to Rs 5,00,000.

Under Section 69 of the Act[5], which is an exception to the general rule of maintenance of
privacy and secrecy of the information, provides that where the Government is satisfied that
it is necessary for the interest of: the sovereignty or integrity of India, defence of India,
security of the State, friendly relations with foreign States, public order, for preventing
incitement to the commission of any cognizable offence relating to above, or for the
investigation of any offence.

Penalty for the Breach of Confidentiality and Privacy under the act Section 72 of the
Information Technology act, 2000 doesn’t specify the provision relating to the breach of
privacy by the data processor but talks about a circumstance under which any person who, in
pursuance of any of the powers conferred under the IT Act Rules or Regulations made
thereunder, has secured access to any electronic record, book, register, correspondence,
information, document or other material without the consent of the person concerned,
discloses such material to any other person, such person shall be punishable with
imprisonment for a term which may extend to two years, or with fine which may extend to Rs
1,00,000 or with both.

OVERVIEW OF THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

The DPDP Act is a recent piece of legislation for the processing of personal data in India. It
was finally adopted almost six years after the Supreme Court recognised the fundamental
right to privacy in Article 21. The DPDP Act is framed against the backdrop of privacy laws
around the world, like the European Union’s GDPR, and thus deals with privacy and
protection obligations concerning personal data. It is considered that the DPDP Act borrows
some concepts directly from GDPR and has a wide range of applicability extending outside
the territory. While on one hand, the Act imposes a stringent obligation for unlawful
processing of personal data, on the other hand, there are significant exceptions for
governmental bodies. The DPDP Act established a comprehensive framework for the

12 | P a g e
processing of personal data and has replaced the limited provisions of the IT Act. Here are
some important aspects of the DPDP Act:

• Bodies formed under the DPDP Act: The Act uses various terms, which can look
confusing on the outset. It is important to understand the difference between the terms
used like: Data processors, Data Fiduciaries, data principles, data controllers, etc. The
person whose personal data is collected is called the data principal. The data fiduciary
is body that determines the purpose and means behind processing of personal data.
Their position is equivalent to that of a data controller.

• Exceptions allowed under the DPDP Act: Exceptions in the interest of sovereignty
and integrity of India, security of state, friendly relations with foreign states,
maintenance of public order and preventing incitement to commit offences are
allowed under the DPDP Act.

• Applicability of the DPDP Act: The Act has extra-territorial application and has no
restriction on international data transfers

• Grounds for lawful processing of personal data: Consent is the primary source for
lawful processing of personal data. Also, Data Fiduciaries can identify a legitimate
claim for lawful processing of data.

• Data subject rights and obligations: There are rights for the data principles, like the
right to access, right to erasure, and the right to object and then there are also
obligations, non compliance of which leads to fines and punishment. 7

7 https://infosecawareness.in/cyber-laws-of-india

13 | P a g e
 APPLICABILITY OF DATA PROTECTION AND DATA PRIVACY
LAWS IN INDIA

The DPDP Act will apply to those organisations that meet the following conditions:

• The organisation processes digital personal data that is capable of identifying the data
principal to whom the collected data belongs.

• The data being processed is collected by the organisation in digital form

• The organisation is processing personal data within the Indian territory, or if

processing of personal data is done outside India but processing is in connection with
an activity offering the goods or services to individuals in India.

Data protection authorities under the DPDP Act

There are various terms used under the Act, which can be confusing. So, let’s understand the
meaning of these terms:

1. Data fiduciary: Defined under Section 2(i) as any person who, alone or in
conjunction with other persons, determines the purpose and means of processing
personal data.

2. Data Principal: Defined under Section 2(j) as individual to whom the personal data
relates and where such individual is- A child, includes parents or lawful guardians of
such a child A person with a disability includes their lawful guardian acting on their
behalf

3. Data Processor: Defined under Section 2(k) as any person who processes personal
data on behalf of a data fiduciary

4. Data Protection Officer: Defined under Section 2(l) as an individual appointed by

the Significant Data Fiduciary under Section 10(2)(a).

14 | P a g e
 PENALTIES AND FINES FOR VIOLATING DATA PROTECTION
LAWS

Chapter 8 of the DPDP Act deals with penalties and adjudication. Section 33 provides that
the Board will impose a monetary penalty after concluding an inquiry on the breach of
provisions of this Act and after giving the person concerned a reasonable opportunity of
being heard. In order to decide the amount of the monetary penalty, the Board shall consider
the following factors: Nature, gravity and duration of the breach. Type and nature of the
personal data affected by the breach. Repetitive nature of the breach. Whether the person, due
to consequences of such breach, has gained or avoided any loss. Whether the person
concerned took any action in order to mitigate the effect and consequences of the breach, and
timeliness and effectiveness of such action. Whether the monetary penalty to be imposed is
proportionate and effective considering the need to ensure observance of provisions and to
have a deterrent effect. Considering the likely impact of the imposition of a monetary penalty
on the person concerned. Further, the amount of compensation is provided under Schedule 1,
as follows:

Section of the
Subject matter Penalty
DPDP Act

Failure to take reasonable security

safeguards to prevent personal data Section 8 (5) May extend to Rs. 250 crores
breach

Failure to notify the board and affected

Data Principals of a personal data Section 8 (6) May extend to Rs. 200 crores
breach

Non- fulfilment of additional

obligations in relation to processing of Section 9 May extend to Rs. 200 crores
data of children

15 | P a g e
Non- fulfilment of additional
Section 10 May extend to Rs. 150 crores
obligations of significant data fiduciary

Violation of user duties Section 15 May extend to Rs. 10,000

Up to an extent applicable for beach in

Breach of any term of voluntary
Section 32 respect of proceedings were instituted
undertaking accepted by the board
under Section 28

For all other non compliance under the Every other

May extend to Rs. 50 crores
Act section

16 | P a g e
 IMPORTANT CASES

Though now we recognise the right to privacy as the bedrock of our democracy, it wasn’t
always the case. The Indian jurisprudence has developed a lot throughout the years. The
Supreme Court of India, through a slew of landmark decisions, has allowed the organic
growth and expansion of the right to privacy. Let’s take a look at the legal development of the
right throughout the years:

• M.P. Sharma v. Satish Chandra8: It is one of the first cases in India that dealt with
the right to privacy in India. An eight judge bench of the highest court of the land sat
down to decide upon the constitutionality of the search and seizure provisions of the
Code of Criminal Procedure. The Court here doesn’t recognise any right to privacy
and held that the search and seizures weren’t, in fact, violative of the right to privacy.
As there is no provision in the Indian Constitution that deals with the right to privacy,
it can’t be violated as well.

• Kharak Singh v. State of UP 9 : Another case where the Apex Court decided in
relation to privacy rights. The Court examined the wide powers of police surveillance
and its overarching powers in relation to privacy. Here, the Court for the first time,
was faced with issues pertaining to the right to privacy as a part of Article 21. The
court didn’t explicitly recognise any right to privacy, but J. Subba Rao stated in his
dissent that the right to privacy is inherent in our Constitution. This famous dissent
helped initiate the growth of the right to privacy.

• Unique Identification Authority of India v. Central Bureau of Investigation10:

The court in this fascinating case decided on the issue of whether collection of
biometrics by the UIDAI without the consent of the person violated the right to
privacy. The court upheld the constitutionality of the Aadhar but also imposed certain
restrictions on the data collection to allow people to safeguard their privacy. The
decision assumes even more significance as it tries to maintain a delicate balance
between the aim of the government with that of an individual’s privacy rights.

8 1954 AIR 300

9 1963 AIR 1295
10 SC, in SLP (CRL) 2524/2014

17 | P a g e
 • The significance of the right to privacy can also be seen in the decision of Joseph
Shine v. Union of India11, where the Apex Court decriminalised adultery mentioned
in Section 497 of the IPC. Justice Chandrachud, writing the concurring opinion on the
subject matter, stated that Section 497 criminalises adultery that was put in place to
reinforce the idea that in marriage, a woman loses her autonomy and agency. She
loses her own identity and is restricted to the patriarchal norms of society. J.
Chandrachud employed the concept of right to privacy in deciding to decriminalise
adultery as an offence.

• In a recent case of X v. The Principal Secretary, Health and Family Welfare

Department, Govt. of NCT of Delhi & Anr.12, rendered by the Apex Court, the
reproductive autonomy of an unmarried woman was upheld. As per the facts of the
case, the Bench permitted a 25 year old woman to undergo abortion as her right to
bodily autonomy is guaranteed in Article 21 of the Constitution. The right to privacy
enables a person to exercise bodily autonomy under Article 21.

• In a case, more popularly titled as, the Hadiya marriage case 13, the Apex Court
noted that an individual’s right to marry a person of one’s choice is a part of her
privacy and that the state has no role and no power in interfering with the right. It was
held that the right to privacy also includes an essential aspect of making decisions on
close matters of one’s life.

• Internet Freedom Foundation v. Union of India 14 : Considered to be another

landmark decision in the realm of the right to privacy, the case dealt with the issue of
internet shutdowns and how they impact the right to privacy. The Supreme Court held
that the suspension of internet services is against our fundamental rights and must not
be permitted unless they adhere to the principles of necessity and proportionality.

11 AIR 2018 SUPREME COURT 4898

12 Special Leave Petition (Civil) No 12612 of 2022
13 (2018) 16 SCC 368, AIR 2018 SC 1933
14 (2020) 3 SCC 637

18 | P a g e
 CONCLUSION

With the skyrocketing development in the field of technology, interference of it in the life of
human beings has been increasing. It is well known that data is becoming the “New Oil” and
Data protection is becoming the “New Pollution Control”. The implementation of the GDPR
has provided, in a real sense, many rights to the Europeans pertaining to protect their personal
data from any unlawful processing by the data controller. With the increase in the digital
population of a country like India, data protection and data privacy are key issues at the
moment. Every internet user intentionally or unintentionally leaves her/ his digital footprint
in the form of personal data when browsing the internet. In such a scenario it becomes utmost
important to have exclusive legislation like GDPR to regulate data protection and data
privacy. It is also important for the business to craft such a privacy policy, which not only
protects the rights or interests of a user/ client but also fulfils the requirement of a business.
The business should consider the formation of terms of use and privacy policy as an art rather
than just a long-form.

19 | P a g e
 BIBLIOGRAPHY

Books

1. Pavan Duggal, Cyber Law - An exhaustive section wise Commentary on The

Information Technology Act along with Rules, Regulations, Policies, Notifications
etc, 2023
2. S R Bhansali, Commentary on the Information Technology Act-An Exhaustive
Section-wise Commentary on the Information Technology Act, 2000, 2015
3. Justice Yatindra Singh , Cyber Laws , 2016

References

https://www.indialawoffices.com/legal-articles/data-protection-laws-in-india

https://blog.ipleaders.in/data-protection-laws-in-india-2/

https://www.dlapiperdataprotection.com/index.html?t=law&c=IN

https://blog.ipleaders.in/data-protection-and-privacy-policies-in-cyber-law/

https://www.meity.gov.in/cyber-security

https://infosecawareness.in/cyber-laws-of-india

20 | P a g e