Supreme Court of India has issued notice in a public interest litigation petition filed by Pallav Mongia, an Advocate-on-Record at the Supreme Court which seeks a direction “to prohibit transfer of data pertaining to citizens of Union of India outside the territory of Union of India other than when the data is adequately protected.

Notice was the issued by a constitution bench of the Supreme Court of India consisting of Chief Justice of India Dipak Misra and Justices AK Sikri, Amitava Roy, AM Khanwilkar and M Shantanagoudar. Petitioner was represented by senior advocate Mahesh Jethmalani along with advocates Ravi Sharma, Abhinav Goyal, Pankaj Kumar Singh and Gunjan Mangla.

Petitioner has also challenged the constitutional validity of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Privacy Rules)and clarification dated 24 August 2011 issued by the Ministry of Communications and Information Technology.

Case No. Writ Petition (C) No. 347 of 2017
Case Title Pallav Mongia v. Union of India & Ors.
Parties Petitioner:

Pallav Mongia


  1. Union Of India (Ministry Of Electronics And Information Technology)
  2. Telecom Regulatory Authority Of India
  3. Facebook India Online Services Pvt Ltd
  4. Facebook, Inc.
  5. Twitter Communications India Private Limited
  6. Twitter Inc
  7. Twitter International Co.
  8. Google India Private Limited
  9. Google, Inc.

The petition was heard along with the appeal against Delhi High Court’s order in the petition challenging the privacy policy of WhatsApp – Karmanya Singh Sareen And Anr. v. Union of India And Ors. Petitioner had filed the petition on 2 June 2017 and the same came to be tagged along with the Karmanya Singh Sareen case by virtue of order dated 15 May 2017 of the Supreme Court.

Petitioner has also sought a direction to the Union of India to devise effective mechanism for serving foreign respondents in the petition through their Indian arms or subsidiaries so that the Indian litigants or the authorities have affordable, effective and adequate protection of their rights.

Referring to the aforesaid clarifications dated 28 August 2011, petitioner has submitted:

A bare reading of the clarification clearly shows that the privacy rules do not apply to body corporates outside India like Facebook, Twitter and Google. The situation is alarming because the Indian arms of these body corporates have stated that they have no control over the content/data/information generated from India and pertaining to Indian users. The content, the website and the data/information generated on, and is controlled by Facebook Inc, Twitter Inc and Google Inc which are all body corporates outside India and are exempt from Privacy Rules 2011.

Petitioner has contended that Rule 7 of the Privacy Rules does not grant adequate protection against cross-border flow of data from India and therefore it is arbitrary and in violation of Article 14, 19(1)(a) and 21 of the Constitution of India.

Petitioner has submitted that he gained personal information of the issues arising in the petition while appearing for the plaintiffs in CS (OS) 487/2016 ‘M/s Intex Technology (India) Ltd.  & Anr v. Ashok Kumar & Ors’ before High Court of Delhi. The case pertained to defamatory tweets preferred against the Plaintiffs by unknown persons operating a fake twitter handle. In the said case, the plaintiff had filed a suit for defamation with a prayer that Twitter Communications India Pvt. Ltd. be ordered to reveal the identity of users operating the fake twitter handle. Petitioner has asserted that during the hearing, Twitter Communications India Pvt. Ltd. made a categorical statement that it does have any control over the information pertaining to twitter handles originating in India which is reflected in the order of the High Court dated 26 October 2016.

Petitioner has asserted that the service providers which hold the lion’s share in internet traffic and provide services to millions of Indians are not only located outside India but are also outside the purview of Indian laws. Mongia claims that the omission made by the Privacy Rules read with the clarification is glaring and ominous to the rights and protection of Indian citizens. He has contrasted the Privacy Rules with the protection granted to the citizens of the European Union as reflected in the judgment dated 6 October 2015 of the Court of Justice of the European Union in Schrems v. Data Protection Commissioner, Case C-362/14.

Other grounds raised by the petitioner include:

…Right to Internet, which entails that all people must have access to broadband Internet so they can exercise their right to freedom of opinion and speech, is fast becoming a basic right of citizens all over the world. The Hon’ble Court in its order dated 13.04.2017 in Sabu Mathew George v Union of India &Ors., WP (C) No. 341/2008 has held that citizens of India have a right to have internet access and the fundamental right of expression includes “the right to be informed and the right to know and the feeling of protection of expansive connectivity” that the Internet offers on the click of a button.

…Clarification dated 24.8.2011 nullifies the very intent of Section 43A and the Privacy Rules, 2011 i.e. to grant protection to Indian citizens by regulating the internet companies and other service providers which are handling data in form or the other belonging to Indian users.

…Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Privacy Rules 2011) formulated by the Central Government in exercise of the powers conferred by clause (ob) of sub-section (2) of section 87 read with the Clarification dated 24.8.211 read with section 43A of the Information Technology Act, 2000 are – (i) not applicable to body corporates outside India (ii) highly inadequate, arbitrary and limited; and (ii) virtually unenforceable in cases where data/ information is located outside the boundaries of India.

…Under Privacy Rules 2011, the onus of protecting data/ information is put on a ‘body corporate’, which has been defined under section 43A of the IT Act 2000 meaning “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities” . It evident from the above definition of a ‘body corporate’ that an entity which deals with data/ information does not necessarily have to be situated in India. Also, there is no specific provision under the IT Rules 2011 mandating a ‘body corporate’ to store the data/ information in India.

…Rules create an illegal classification between the ‘body corporate in India’ and ‘body corporate outside India’. Rules 5 and 6 of the Privacy Rules clearly mandate a certain level of protection of data by the collector and handler of data and Rule 7 prescribes norms for transfer of data to third parties. The same will not be applicable to service providers located outside India even when they are collecting, storing, handling and transferring data pertaining to Indian users.

Read Order:

Image from here.