
   

One of the rights guaranteed under the Universal Declaration of Human Rights, 1948[1] is the right to seek, receive and impart information and ideas through any media and regardless of frontiers. However, the rise of nationalism and protectionism globally is leading to the internet splintering into smaller parts, each of which is governed differently; the result is referred to as the splinternet. Instead of a single global internet, this would lead to multiple national or regional networks that do not speak to each other, or possibly are even unable to because of incompatible technologies. Concerns around the splinternet include fragmented online marketplaces (making it harder for companies to reach their target audiences) and the evolution of different business and compliance standards around data management, protection, and transactions. This presents new risks and compliance challenges for companies operating in multiple countries.

A good starting point for addressing potential risks and compliance concerns is understanding the evolution of internet regulation.

The free flow of data defined the early internet. However, eventually, jurisdictions started blocking certain sites, apps, and products due to the nature of their work, the content they hosted, or simply because they originated from a hostile nation. Businesses no longer have unfettered access to information, and governments are increasingly restricting online content and apps. Most recently, we have seen Russia and various western nations block each other’s content from being made available within their national boundaries.[2] Calls for Russian domains to be revoked altogether, which would have effectively taken Russia off the internet, were also made to ICANN (Internet Corporation for Assigned Names and Numbers), albeit unsuccessfully.[3]

However, there has also generally been a rise in internet regulation globally across jurisdictions, especially concerning cross-border digital transactions, which has led to measures such as data localisation mandates. Consequently, Governments are effectively restoring the role of national borders in the digital economy.

Over 71% of jurisdictions have data privacy legislation, and another 9% are in the process of drafting one. In many countries, this legislation also governs their citizens’ data privacy. These laws can increase market entry costs for foreign businesses, making investment counterproductive, as the mounting compliance costs may override expected profits. Specifically, in the case of new businesses such as digital assets, the splinternet may impact how these assets are taxed, resulting in an uneven playing field for businesses and increased compliance costs for foreign entities. Further, many businesses tend to rely upon centralised global data centres, and such businesses may be particularly affected.

Source: <https://unctad.org/page/data-protection-and-privacy-legislation-worldwide>

Therefore, it is essential for businesses dealing with data across multiple regions to actively start thinking about how these upcoming trends of internet regulation may hit their operations.

Managing your operations in the splinternet era

To ascertain the risks the splinternet poses to their operations, businesses should consider the following questions:

1. Does the business have an international data strategy?

2. Does the business have a streamlined process and periodic assessments to respond to global regulatory changes?

3. Does the business effectively manage data processing and storage for data related to subjects based in the EU, China, Russia and other regions which have strong regulatory policies?

4. Does the business have a position and process to respond to local law enforcement data requests, including requests regarding content moderation?

While most businesses would have a constantly evolving position on these issues, it is important to consistently and periodically take stock and assess the business’s international compliance and operations plan.

While businesses strive for global standards, they must consider the unique legal and compliance needs of the countries they operate in. Below are some suggestions to consider:

(a) Proactive audits: Undertake audits across key relevant geographies to assess the legal landscape and the ongoing compliance and risks.

(b) Expert legal advice: Ensure the organisation has access to experienced legal and compliance professionals in all geographies of interest who can help navigate the complexities of the law and suggest compliant business solutions.

(c) Assess business models: Be prepared to revisit business models and the supporting processes such as data collection, storage, and monetisation. This can pose particular challenges for single product/service companies that sell on a licence basis or for businesses that are volume-driven.

(d) Consider the cost of legal due diligence and ongoing compliance: This can be done at the market entry planning stage, including market research on the current legal landscape and estimation of ongoing compliance costs.

(e) Set up local infrastructure and ops to comply with regulations: While this may dent the unique selling proposition of some enterprises as “operate-from-anywhere-businesses”, it can ensure sustenance of operations.

(f) Develop a robust risk management strategy: Appoint a dedicated compliance officer depending on the company’s size and scope of its operations.

(g) Establish clear communication channels: Effective communication between various business units is vital for awareness of and compliance with the latest regulations. MNCs, specifically, should monitor their compliance programs on an ongoing basis and leverage digital tools to aid this.

(h) Access to an ecosystem of disputes lawyers: Content/data laws can be conflicting depending on the jurisdiction of residence and where the online activity took place. Furthermore, countries have conflicting opinions on the ambit of these regulations to restrict freedom of speech or data privacy. As internet laws continue to evolve, a rise in disputes over their interpretation is likely. Therefore, building an in-house disputes team or gaining access to external counsels may nip these issues in the bud.

Conclusion

Dealing with the splinternet requires organisations to have a flexible and adaptable business strategy. It is important for businesses to continuously evaluate their positions and undertake the various measures outlined to ensure compliance and avoid disputes that may threaten the business itself. While businesses may not be in a position to effectively respond to widespread content takedown based on purely national interests such as the ones related to the Russia-Ukraine situation, they must adapt to regulatory changes regarding data protection, localisation and content regulations, which will only continue to see widespread adoption across more nations.


† Counsel with the Technology, Media, and Telecom Practice, Trilegal.

†† Senior Manager, Business Development at Trilegal. Author can be reached at Akanksha.Bisen@trilegal.com.

1. Universal Declaration of Human Rights, 1948.

2. <https://www.technologyreview.com/2022/03/17/1047352/russia-splinternet-risk/>.

3. <https://www.techspot.com/news/93658-icann-rejects-request-ukraine-kick-russia-off-internet.html>.

Law School News: Live Blogging

Greetings Everyone!

Symbiosis Law School, Hyderabad welcomes you to the Symbiosis Law School, Hyderabad 6th National Moot Court Competition, 2022 live blog. The competition will commence on the 18th of March 2022, in collaboration with Eastern Book Company and SCC Online as Knowledge Partners, Lawctopus Law School as Educational Partner & Lawctopus as Media Partner.

This year the competition will be conducted through the virtual mode. A total number of 24 teams are participating in the oral rounds after the qualification through the memorial rounds. The event will include a total of 4 rounds i.e., Preliminary Rounds 1 and 2, Quarterfinals, Semi-Finals, and Finals.

DAY 1: 18th March, 2022 (Friday)

4:00 PM– The draw of lots has begun.

 

 

4:10 PM– The organizers briefed the participants about the competition and allotted the Court Rooms for the oral rounds.

 

DAY-2: 19th March, 2022 (Saturday) 

 

The awaited day has finally started with the inaugural ceremony. It will be followed by Preliminary Rounds 1 and 2, and then by the Quarterfinals. Stay tuned for more updates!

9:00-9:10 AM– The Master of Ceremonies has begun the inaugural ceremony by welcoming the dignitaries and reverend judges, who with their inspiring speeches have motivated our participants.

 

 

9:10-9:20 AM– Respected Director of Symbiosis Law School, Hyderabad Dr. Santosh Aghav has welcomed and addressed the Hon’ble guests. He emphasized the importance of mooting for the law students and welcomed all the enthusiastic participants for the Competition.

 

 

9:20-9:35 AM– The Chief Guest, Hon’ble Mr. Justice Sri Rao Raghunandan Rao, Sitting Judge at the High Court of Andhra Pradesh, addressed the gathering, wherein he emphasized the importance of observing the body language and the mentality of the judges through the questions posed to the speakers. He further added that Moot Court Competitions are a great stepping ground for aspiring advocates.

9:35-9:45 AM– The Guest of Honour, Prof. (Dr.) Vijendra Kumar, Vice-Chancellor of Maharashtra National Law University, Nagpur, addressed the gathering and asserted the significance of moot court competitions and how they serve as a great learning experience for all the participants.

9:45-9:55 AM– Faculty Convenor, Dr. Anita Sable expressed the vote of thanks to all the dignitaries on board and appreciated the zealous participation.

9:55 AM– The Judges’ briefing has begun successfully with the proficient key team of the Moot Court Association shedding light on the key facts of the moot proposition.

The lively session has paved the path for the forthcoming sessions.

Preliminary Round 1 – 10:30 AM – 12:00 PM

Court Room-1 [TN_604_PET v. TN_614_RES]

10:30 AM– The speakers of the Petitioner’s side have begun with the oral arguments. They have been able to tactfully answer the questions asked by the judges.

12:20 PM– The judges have begun with the feedback of the participants. The judges have appreciated the speakers for putting forward their arguments with great ease.

 

 

Court Room-2 [TN_606_PET v. TN_613_RES]

11:45 AM– Judges Vijay Kumar Makyam and Manav Gecil Thomas question the respondents about violation of section 87. He further asks them if the respondents are exploiting their power of law.

 

Court Room-4 [TN_609_PET v. TN_632_RES]

11:15 AM– The respondents have started with their pleadings and the Judges have begun a tough line of questioning. The Respondents are asked if they have the locus standi to approach the very court. It does not seem that the judges are convinced by the arguments advanced.

Court Room-6 [TN_612_PET v. TN_617_RES]

11:35 AM– The respondents have started with their oral pleadings. The judges put forth questions on the reach of the post made by Tanvi and on what grounds the counsel justify how the post was against public order and sovereignty since the post had no significant implications therein.

11:50 AM–  The second speaker from the Respondent’s side has taken over to proceed with the remaining issues. The judges asked the counsel to provide legal backup to the contentions raised in light of the facts. The counsel having satisfied the questions of the bench proceeds with the arguments advanced.

12:05 AM– The rebuttals and surrebuttals have begun after the conclusion of the Arguments Advanced.

 

 

Court Room-7 [TN_610_PET v. TN_618_RES]

11:20 AM– The judges asked the Respondent speaker 1 for 3 facts from their fact sheet to support their argument. Further, the Speaker seems a bit hesitant to answer the various tricky questions asked by the Judges.

12:30 AM– The judge asks the counsel representing the Respondents to draw parallels between the cited case and the factual matrix of the present case.

 

 

Court Room-8 [TN_609_PET v. TN_632_RES]

10:30 AM- The petitioners have started with the oral pleadings. With her eloquent speech backed up with legal precedents, Speaker 1 has seemed to capture the attention of the Judges.

11:38 AM– Round-1 has been finally concluded.

 

 

Court Room-9 [TN_620_PET v. TN_602_RES]

11:20 AM– The speakers from the Respondents’ side have begun with their arguments. They are giving tough competition to the other side.

 

 

Court Room-11 [TN_631_PET v. TN_625_RES]

11:40 AM– The judge questioned the applicability of the SEBI Act and sought clarifications. However, the counsel for the Respondent pleads ignorance.

12:00 PM– The proceedings have ended successfully. Overall, it was a peaceful session and the judges were pleased with the arguments pleaded by the Counsels.

 

 

12:38 PM– Preliminary Round-1 has ended. Let’s have a quick break and get back with another intense round. Stay Tuned!

Preliminary Round 2 – 1:30 PM – 3:00 PM

Court Room-1 [TN_613_PET v. TN_603_RES]

1:50 PM: The Petitioners have started with their oral pleadings. The judges ask the counsel to brief them with the facts of the case.

2:00 PM: The judge insists that the Counsel provide a concise explanation of the “Writ of Habeas Corpus”. The judge asks the counsel to state how the case laws are relevant to the facts of the instant matter.

2:15 PM: Petitioners plead for right to privacy and refer to Articles 14, 19 and 21 of the Constitution of India. Judges have begun to question them extensively based on their contradictory statements in the memorial.

3:35 PM: The judges posed multiple questions to the counsel representing the Respondents which were answered by the counsel in a convincing manner.

3:55 PM– Despite the ups and downs, the participants successfully completed their round. The participants were advised to pay attention to the Court Room Manners.

 

Court Room-2 [TN_616_PET v. TN_627_RES]

1:35 PM: Speaker 1 from the petitioners has started the oral pleadings. The judges pose questions testing the knowledge and the research done by the counsels. Until now, the counsel has seemingly been able to keep his composure and answer the posed questions.

1:45 PM: The judge insists that the counsel stick to the facts of the case.

1:50 PM: “Can Fundamental rights be curtailed by following due process of law?”, Hon’ble Judge Vijay Kumar Makyam Sir asks.

2:30 PM: The rounds have commenced and the judges are giving their feedback.

 

 

Court Room-3 [TN_608_PET v. TN_615_RES]

1:50 PM: The arguments presented by petitioners were supported by strong legal precedents. The researcher of the team stole the show by sharing the memorial and fact sheet on the screen, thereby effectively helping the speakers in their arguments. Their Arguments ended with a line of questioning by the judge Adnan Alam to which the speaker responded satisfactorily.

2:06 PM: The speaker -1 for respondent seeks permission from the bench to present her arguments advanced.

2:15 PM: After a heated rebuttal and surrebuttal, the rounds have commenced. The judges are currently presenting their feedback. Speaker 2 representing the Respondent was praised for his eloquence and ability to comprehend the questions posed and provide satisfactory answers.

 

 

Court Room-4 [TN_633_PET v. TN_612_RES]

2:41 PM– Judge Prahastha asks Counsel-2 of the Respondent for the various facts justifying the arrest of the CEO. The speaker has supported her arguments with the help of various sections of the IPC.

2:50 PM– The arguments advanced have been concluded with the beginning of the rebuttal and surrebuttals.

2:56 PM– The judges provided positive feedback and appreciated the research work done. All the participants were advised to pay attention to minor details.

Court Room-6 [TN_610_PET v. TN_609_RES]

1:40 PM– The session has begun with the Petitioners’ side. The judges have put forth questions to the speaker since the beginning of issue- 1 relating to the various facts of the problem and the Data Protection Law.

2:07 PM– The judges have been testing the knowledge of the speakers by posing various questions to the Speaker related to the facts of the case.

 

Court Room-7 [TN_632_PET v. TN_620_RES]

1:40 PM: The Petitioners begin with their Oral Pleadings and look confident to establish their case before the Bench.

2:10 PM: The rounds were a rocky road for the petitioners, who had to face several hurdles while advancing their arguments. They were also subjected to extremely tough questioning.

2:45 PM: The Petitioners have concluded their pleadings with their Prayer and the Respondents take the stage to present their arguments advanced.

3:12 PM: The judges test the knowledge of the counsel representing the Respondents on the “Principles of Natural Justice”.

3:40 PM: The rebuttals have started and it seems the Respondents are confident to answer the questions posed.

 

Court Room-10 [TN_625_PET v. TN_611_RES]

1:45 PM: The Oral Rounds have started with the Speaker -1 representing the petitioners strongly putting forth his contentions.

2:15 PM: The judges insist that the counsel establish the concept of unconstitutionality of the provisions in contention and ask them to substantiate the same with legal precedents.

3:10 PM: The Judges tested the knowledge of counsel representing the Respondents by posing multiple questions related to various provisions under the I. T. Act.

3:20 PM: The Judges provided feedback to the participants and advised them what better recourse they could have taken to present their case.

4:00 PM: We have come to the conclusion of the Preliminary Rounds 1 & 2. The results of the Preliminary Rounds and the Draw of Lots for the Quarter-finals are scheduled from 5:00 PM to 5:30 PM.

 

 

5:30 PM: We are thrilled to inform you that we have completed the Draw of Lots for Quarter Finals and we present you the top 8 teams entering into the next round. The teams are ranked in order of the cumulative scores they received in both Preliminary Rounds 1 & 2.

I – TN_633

II – TN_603

III – TN_606

IV – TN_608

V – TN_611

VI – TN_620

VII – TN_619

VIII – TN_610

 

5:35 PM: The teams are matched up in the following order:

| Court Room No. | Petitioner | Respondent |
|---|---|---|
| I | TN_610 | TN_633 |
| II | TN_619 | TN_603 |
| III | TN_620 | TN_606 |
| IV | TN_608 | TN_611 |

Quarterfinals – 6:00 PM – 8:00 PM

6:00 PM: We are glad to announce the commencement of the Quarter Finals Round.

 

Court Room-1 [TN_610_PET v. TN_633_RES]

6:30 PM: The rounds have commenced. The Hon’ble bench comprises Mr. Kingshuk Halder, Mr. EVVS Ravi and Ms. Tashee Gyanee. The Speaker 1 representing the Petitioners seeks permission of the bench to present her arguments on the first and second issues.

6:40 PM: Till now the first speaker has been able to keep her composure throughout the pleadings. With the citing of landmark cases, the counsel seems to have convinced the bench.

7:00 PM: The Respondents are asked to clarify to the bench whether the Right of Opinion falls under the scope of the Fundamental Right of Freedom of Speech and Expression.

7:25 PM: The counsel through her pleadings draws parallels between the cases cited and the facts of the instant matter.

7:40 PM: The counsel is asked to elucidate on the arrest of the CEO of FriendsBook and to provide the provisions which mandate the same.

7:45 PM: The rebuttals and surrebuttals have commenced. The respondents are convincingly answering the questions put forth by the Petitioners. Hon’ble Judge Kingshuk Halder advises the participants on appropriate use of authority.

7:55 PM: The round has come to an end!

 

 

Court Room-2 [TN_619_PET v. TN_603_RES]

6:30 PM: The rounds have commenced. The Hon’ble bench includes Ms. Srutha Mandatha, Ms. Raveena Sethia and Mrs. Sandeep Shankar. Speaker 1 representing the Petitioners has begun the oral pleadings by first discussing the jurisdiction of the Hon’ble Court.

6:40 PM: The speaker elaborates on Article 14 of the Constitution and how the same has been infringed. Further, the speaker has used various provisions of the Data Protection Act to support the arguments.

6:50 PM: The Judges with the questions posed test the knowledge of the Speaker – 2 on the various rights protected under the Data Protection Act.

7:00 PM: The Counsel humbly puts the contention that the Doctrine of Separation of Power has been violated. The Counsel further asserts that the Data Protection Authority should be an independent authority capable of taking its own decisions and with this the counsel concludes with the prayer.

7:10 PM: The Speaker – 1 representing Respondents asserts that the provisions of the Data Protection Act do not violate Articles 14 and 21 of the Constitution. The counsel, with the assistance of multiple case laws and international conventions, has reinforced her argument.

7:20 PM: Speaker-2 representing the Respondent proceeds with the pleadings for Issue 2. The speaker humbly puts forth the contention that Section 86 of the Act is arbitrary and shall be struck down.

7:30 PM: The Judge seeks clarification from the counsel on matters pertaining to Data fiduciary, Data Protection Officer and other related provisions of law.

7:40 PM: Rebuttals and surrebuttals have begun in response to the arguments presented.

7:45 PM: The round has successfully come to an end!

 

 

Court Room-3 [TN_620_PET v. TN_606_RES]

6:35 PM: The rounds have commenced. The round is being adjudicated by Mr. Devesh Ratan, Mr. Rohit Maheshwary and Ms. Kyra Dcunha. Speaker 1 representing the Petitioners, having taken permission of the bench, has proceeded with the jurisdiction of the Court.

6:45 PM: Here comes the first question from the Bench: “Whether the petitioners have approached the court or it is a suo motu case.” The counsel answers the question confidently and proceeds with her arguments.

7:00 PM: The counsel elucidates on the spirit of the Constitution and humbly contends that this Hon’ble Court shall therefore preserve the same spirit in its verdict.

7:15 PM: It seems the judges are just getting started and they have a lot of questions in their arsenal. Nevertheless, the counsel properly phrased the arguments and satisfactorily answered the questions.

7:25 PM: The Respondents have begun with their pleadings. The Speaker- 1 presents argument on the constitutionality of the new Act. Also, the counsel provides legal backup to the contentions raised by citing landmark cases. The counsel concludes by explaining the validity of S.35 of the Data Protection Act.

7:40 PM: The bench seeks elucidation on how a post uploaded on FriendsBook has come to jeopardize the sovereignty, integrity and security of the State. The counsel, keeping his composure, presents answers to the same.

7:50 PM: With the conclusion of the arguments by Speaker – 2 of the respondents, the bench allows the parties to proceed with the rebuttals and surrebuttals.

8:00 PM: In the feedback session, the judges stressed the importance of time management and advised the participants to comprehend the questions posed before answering. With this we come to the end of the round.

 

 

Court Room-4 [TN_608_PET v. TN_611_RES]

6:35 PM: The rounds have commenced. The Hon’ble Bench includes Mr. Vishal Soni, Ms. Shilpa Margaret and Mr. Anmol Awasthi. The Speaker – 1 representing the counsel seeks permission to present her arguments.

6:45 PM: The bench questions the counsel whether only the provisions in contention shall be held unconstitutional or the whole Act in its totality. The counsel contends that only the relevant provisions in contention shall be held unconstitutional.

7:00 PM: The counsel elucidates on the spirit of the Constitution and humbly contends that this Hon’ble Court shall therefore preserve the same spirit in its verdict.

7:05 PM: The Petitioners are asked to present their Prayer for Relief. The round proceeds with the pleadings of the Respondents.

7:15 PM: The counsel is asked to clarify the ambiguity of the data protection principles.

7:35 PM: The Speaker is asked to provide clarification on how the cited authorities are attracted to the relevant case and how the same supports their case. The bench takes note of the speaker’s ignorance.

7:45 PM: The rebuttals have started, wherein the Petitioners pose questions on the safeguards of public policy under data protection. The Respondents in their surrebuttal justified their contentions and satisfactorily answered the same.

7:50 PM: The round has come to a satisfactory end.

 

8:30 PM: After the conclusion of the exhilarating Quarterfinal rounds, we are excited to announce the top 4 teams that have qualified to the Semi-Final Rounds. Post the Draw of Lots, the teams are matched up in the following manner:

| Court Room No. | Petitioners | Respondents |
|---|---|---|
| I | TN_619 | TN_620 |
| II | TN_611 | TN_633 |

DAY-3: 20th March 2022 (Sunday) 

Semi-Finals – 10:30AM-1:00PM

“You’re a Fighter. Look at everything you’ve overcome. Don’t give up now.”

~Olivia Benson

 

10:30 AM: We are finally on the last day of the three-day-long National Moot Court Competition. We are all excited to begin our Semi-Final Rounds.

Court Room-1 [TN_619_PET v. TN_620_RES]

10:40 AM: The rounds have commenced in courtroom 1. The round shall be adjudged by the Hon’ble Bench comprising Ms. Anwesh Sinha, Mr. Vadeendra Joshi, and Mr. Kumar Prem Anand. The counsel seeks permission to present his oral pleadings.

10:50 AM: The Bench insists that the counsel elucidate the very sections the Petitioners would be challenging in their submission. The counsel keeps his composure and answers the questions posed satisfactorily.

11:00 AM: The bench has been putting forth multiple questions to the counsel on whether the commission is a quasi-judicial authority or not. The counsel tries to answer the question to the bench’s satisfaction but finally concedes.

11:10 AM: Does the Data Protection Authority become the Fourth branch of the Constitution? Hon’ble Judge Vadeendra Joshi adds that it has the power to only take cognizance for investigation, the power does not extend to adjudication and punishment.

11:20 AM: The counsel asserts that even though the Data Protection Authority is not an independent body, the proceedings undertaken are mandated by the statute. The bench does not seem to be convinced and asks if the counsel could provide legal precedents to substantiate the contention.

11:30 AM: The Petitioners have concluded their submissions and stated their Prayer. The Respondents have started their oral pleadings.

11:40 AM: The counsel asserts that when the Government acts under unguided discretion, the citizens have a right to approach the Courts via Writ Petition. The counsel reinforces her assertion by citing case laws. The counsel seeks permission to proceed with the arguments for the second issue.

11:50 AM: The bench seeks clarification on the question if the remedies available to citizens under Art. 226 provides the Government with a free hand and use its powers and discretions arbitrarily. The Speaker – 1 concludes her pleadings. The co-speaker seeks permission to present his submissions.

12:00 PM: The counsel proceeds with his pleadings by summarizing the issues he shall be dealing with. Further, the counsel contends that since the statute mandates that the Data Protection Authority shall comprise persons of capability, integrity, and standing, any allegation of the authority being arbitrary is outrageous.

12:10 PM: The Bench asks the counsel to answer the question of whether the Data Protection Authority is a Quasi-Judicial Body. The counsel contends that the DPA is an Executive while the Appellate Tribunal is Quasi-Judicial in nature. The Bench finds such contention highly unlikely and asks the counsel to elaborate.

12:20 PM: The Bench has a lot of questions for the Counsel. Further, the counsel is asked to establish what negligence on the part of the CEO of FriendsBook justifies his arrest.

12:25 PM: The Respondents conclude their oral submissions. The rebuttals and surrebuttals begin.

12:30 PM: The rounds have come to a conclusion. The judges are providing the participants with feedback.

 

Court Room-2 [TN_611_PET v. TN_633_RES]

10:40 AM: The rounds in courtroom 2 have also begun. The Hon’ble Bench includes Mr. Sumantra Bose, Mr. Suplalab Chakraborty, and Mr. Mohan Krishna. After addressing the bench, the counsel representing Petitioners proceeds with the arguments advanced.

10:50 AM: The counsel puts her contention humbly that S.35 of the Data Protection Act fails to provide substantial safeguards to the people. She further asserts that the Fundamental Right of the petitioner guaranteed under Art. 14 of the Constitution has been violated. The bench seeks for legal precedents to substantiate her contentions.

11:00 AM: “Is data Portability a statutory right or a judicial precedent?” asks Hon’ble Judge Sumantra Bose. The counsel, though flustered in the beginning, convincingly answers the query of the bench. The Bench seeks clarification from the counsel for referring to international Conventions when there are umpteen national precedents.

11:10 AM: The Speaker – 1 concludes with her arguments and the Co-speaker seeks permission to present the pleadings.

11:20 AM: The counsel humbly contends that the appointment of Data Protection Authority is mandated by the statute and corroborates the same with judicial precedents.

11:30 AM: The Petitioners conclude their oral submissions with the prayer for relief. The Respondents now take the virtual stage to present their case before the Bench.

11:40 AM: The bench puts forth the question of whether the Government has the authority to impose absolute restrictions on agencies from publishing data. The Speaker claims that though the Government can impose reasonable restrictions, such powers shall not be used arbitrarily.

11:50 AM: The counsel humbly contends that the Government has been provided with the power to impose reasonable restrictions on the Right to Privacy of the Citizens. The counsel presents the arguments in a three-fold manner.

12:00 PM: The first speaker concludes her submissions and the co-counsel seeks permission to present her arguments.

12:10 PM: The counsel asserts that the DPA is a lawfully established authority and further elaborates the same.

12:20 PM: The counsel in light of the issue puts forth the contention that removal of content shall be absolute and not partial. The counsel provides case laws to reinforce her contentions.

12:30 PM: The Respondents have completed their oral submissions. The rebuttals and surrebuttals have started.

12:35 PM: With the end of the rebuttal and surrebuttal rounds, the session has come to a conclusion. The judges are presenting their feedback to the participants.

 

 

1:45 PM: The wait is finally over as we announce the top 2 teams who would be competing in the Final Round of the Symbiosis Law School, Hyderabad 6th National Moot Court Competition, 2022. The teams are:

 

| Petitioners | Respondents |
|---|---|
| TN_611 | TN_620 |

 

Finals – 2:15 PM – 4:45 PM

“Taste the relish to be found in Competition – in having put forth the best within you.”

~Henry Kaiser

 

2:10 PM: We provide you with the opportunity to be a part of the proceedings! Join the link for the live stream of the Final Round.

2:15 PM: The Oral Rounds for the Finals will commence shortly. The same shall be adjudged by the Hon’ble Bench comprising Mr. Supratim Chakraborty, Dr. Cyril, Mr. Sampath Baluchu, Prof. (Dr.) M.V.Shiju, and Prof. Ambrose.

2:40 PM: The first speaker from the petitioner side has begun with her oral submissions. The Bench asks the counsel to enlighten them with the facts of the case.

2:50 PM: The counsel humbly puts forth that the provisions in contention are unconstitutional and the Hon’ble Court shall therefore strike down the very sections. The Bench asks the counsel to provide legal backing for her contentions. The counsel cites the landmark case of Anwar Ali vs State of West Bengal. The Bench asks the counsel to provide them with the brief facts of the case.

3:00 PM: The counsel, relying on the case of Sharma Transport vs. Govt. of Andhra Pradesh, contends that even though the Data Protection Act allows data fiduciaries to process data citing reasonable purposes, the Act does not define the term reasonable purposes and it is therefore highly likely that such data can be used to malign the data principals.

3:05 PM: Hon’ble Judge David Ambrose directs the counsel to focus on Information Privacy and not on General Privacy. The counsel humbly contends that the Fundamental Rights of individuals cannot be taken away without reasonable justifications and thus S.87 of the Act shall be struck down for being arbitrary and ultra vires the Constitutional provisions.

3:10 PM: The first speaker of the Petitioners concludes her submissions and the second speaker takes over seeking permission to present the arguments advanced for the remaining issues.

3:20 PM: The Speaker 2 humbly puts forth the contention that the appointment of the Data Protection Authority has not been done properly with the Cabinet Minister as the Chairman as against the mandated appointment of Cabinet Secretary provided under S.42 of the Data Protection Act. Hon’ble Judge Ambrose asks whether the above irregularity is a substantial or a procedural one.

3:30 PM: The Bench asks the Counsel to provide legal precedents wherein an action taken by an authority has been struck down for the authority being illegally constituted. The counsel pleads ignorance. The counsel further presents his oral submissions for the last issue. The counsel contends that FriendsBook shall not be held liable since FriendsBook complied with the rules provided u/s 9 of the IT Act. The counsel, with the Prayer for Relief, submits his case before the Bench.

3:40 PM: Speaker – 1 representing the Respondents has begun with the oral pleadings. The counsel enlightens the Bench with the facts of the case. The counsel puts forth her contention that the Data Protection Act is a legislatively competent statute. The counsel further asserts that the provisions have been drafted for the welfare of the citizens.

3:50 PM: The Bench asks the Counsel to elucidate on how the post made by Tanvi jeopardizes the security of the State.

4:00 PM: The Bench puts forth a series of questions and follow-up questions to the counsel and insists that she clarify how intermediary players like social-media platforms come under the purview of the Data Protection Act. The counsel tries her best to convince the Bench.

4:10 PM: Speaker – 2 representing the Respondents has started his oral pleadings. He presents his contention that according to the provisions u/s 42(4) of the Data Protection Act, the Chairman shall be a member of capability and shall have standing. Since the Cabinet Minister fulfills the mentioned criterion, his appointment shall be held valid. The Bench seeks clarification on whether the appointment is in contravention of statutory provisions.

4:20 PM: The Bench asks the counsel to justify why Tanvi shall be held liable when the information circulated, allegedly threatening the security of the State, was by Tanvi’s followers. The counsel in order to answer the query of the judge draws the attention of the Bench to Paragraph – 5 of the Moot Proposition.

4:30 PM: The Respondents have presented their case before the Bench. The rebuttal and surrebuttal rounds have begun.

4:35 PM: We have finally come to the conclusion of the Final Round. We will be announcing the results shortly!

 

Declaration of Prizes and Valedictory Ceremony (5:00 PM – 6:00 PM)

5:15 PM: The Valedictory Ceremony has commenced. Subhrotosh Banerjee, the President of the Moot Court Association welcomes the virtual gathering to the Valedictory Ceremony of the Symbiosis Law School, Hyderabad 6th National Moot Court Competition.

5:25 PM: Respected Director of Symbiosis Law School, Hyderabad, Dr. Santosh Aghav addresses the virtual gathering. He acknowledges the presence of our Chief Guest, Hon’ble Justice P Naveen Rao, Judge of the High Court of Telangana, our Guest of Honour, Mr. Sridhar Acharyulu M, Professor and Dean of the Mahindra University. He appreciates the efforts put in by the Judges, Dr. Anita Sable, faculty-in-charge of the Moot Court Association, members of the Moot Court Association, the volunteers to make this event a success.

5:35 PM: Our Guest of Honour, Dr. Sridhar Acharyulu M addresses the virtual gathering with his inspiring words. He enlightened the participants about the intricacies of the Moot Court Competitions and emphasized that the ability to convince the learned Bench with their oral submissions is success in itself.

5:45 PM: The Chief-Guest of the Ceremony, Hon’ble Justice P Naveen Rao, Judge of the High Court of Telangana addresses the virtual gathering. He enlightens the participants on the three essentials of advocacy which are researching, drafting, and pleading. He advises the students to avail themselves of all the resources available to them.

6:00 PM: The Special Guest, Mr. Supratim Chakraborty, Partner in Khaitan & Co. announces the results of the 6th National Moot Court Competition. And here, we present you with the winners:

Winner: TN_611 [National Law University, Jodhpur]

Runners-Up: TN_620 [Faculty of Law, University of Lucknow]

Best Speaker: TN_602 Speaker 2 [Shreya Singh, Dharmashastra National Law University, Jabalpur]

Honorable mention for Speaker: TN_607 Speaker 2 [Fariya Sharaf, Amity University, Patna]

Best Memorial: TN_633 [Symbiosis Law School, Noida]

Honorable mention for Memorial: TN_611 [National Law University, Jodhpur]

6:10 PM: With this, we have come to the conclusion of the 6th National Moot Court Competition organized by Symbiosis Law School, Hyderabad. We extend our heartiest congratulations to the winners and appreciate all the diligent efforts put in by all the participants.

We are elated that all the efforts of the organizing committee have made this event a resounding success. As we come to the end of this competition, we once again want to extend our heartfelt gratitude to all our dignitaries

 

 

Foreign Legislation / Legislation Updates

On September 24, 2021, the National Centre for Documents and Archives Royal Court published the new Personal Data Protection Law (‘PDPL’), implemented by Royal Decree M/19 of 17 September 2021 in the Official Gazette.

Applicability:

It is applicable to the processing of personal data by companies or public entities, by any means, that takes place in the Kingdom of Saudi Arabia, including the processing of personal data relating to residents of the Kingdom by companies located outside the Kingdom.

 

Data Protection Authority:

The Saudi Data & Artificial Intelligence Authority (‘SDAIA’) will be in charge of supervising and enforcing the implementation of the PDPL for the first two years, after which it may consider transferring the supervisory role to the National Data Management Office, the regulatory arm of SDAIA.

Effective date:

Article 43 of the PDPL provides that the law shall take effect 180 days after the date of its publication in the Official Gazette, i.e. it will come into effect from 23 March 2022.

Note: The effective date shall be delayed for a period of up to five years, and as determined by SDAIA, for companies located outside the Kingdom that process personal data of Saudi Arabian residents.

Duties of Data Controller:

The Controller is required to:

  • implement a privacy policy,
  • ensure impact assessments,
  • notify breaches to the authority and the data subject,
  • maintain data processing records;

Rights of Data subject:

  • right to be informed,
  • update, correct, or request destruction of their personal data,
  • withdraw consent at any time;

Penalties:

Penalties for breach of the law include imprisonment for up to two years and/or fines of up to SAR 5 million (approx. €1.1 million).

 

Law is available in Arabic HERE

Foreign Legislation / Legislation Updates

On September 01, 2021, House Bill (‘HB’) 3746, relating to certain notifications required following a breach of security of computerised data, entered into effect. The Act amends the state’s data breach notification laws under Texas Business and Commerce Code §521.053.

Key Highlights:

  • The provision has been modified to include a new notification requirement, i.e. organisations are required to include in their notifications the number of affected residents that have been sent a disclosure of the breach by mail;

Notification must include the following:

    1. a detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;
    2. number of residents of this state affected by the breach at the time of notification;
    3. number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of notification;
    4. measures taken by the person regarding the breach;
    5. measures the person intends to take regarding the breach after the notification under this subsection; and
    6. information regarding whether law enforcement is engaged in investigating the breach.

  • A provision has been inserted requiring the Attorney General (‘AG’) to post on their website a listing of the notifications received by their office, which must be updated no later than 30 days after the AG receives the notification of a new breach of system security; and
  • A provision has been inserted requiring the AG to remove the notification no later than one year after the AG first published it if the person who provided the notification has not notified the AG of any additional breaches during that period.

You can read the bill here

Law made Easy

[Disclaimer: This note is for general information only. It is NOT to be substituted for legal advice or taken as legal advice. The publishers of the blog shall not be liable for any act or omission based on this note]

Note: This article discusses the domestic laws in EU countries which implement GDPR and various guidelines released by data protection authorities to align the respective country’s legal regime with GDPR.


INTRODUCTION



Due to violations of privacy attributable to the misuse of data by large and even some well-known organizations, a Data Protection Law/Data Privacy Law has become imperative. This need has been felt across the globe. Concerns over loss of privacy and misuse of data led to the enactment of the General Data Protection Regulation (“GDPR”), which came into force on May 25, 2018, as plausibly one of the toughest laws governing online privacy. GDPR is considered to be a milestone and is an essential step to strengthen an individual’s rights in the digital age. It is designed to protect the personal information of individuals and to restrict organisations’ use of the personal data of their consumers. The Regulation reflects a paradigm shift in the understanding of personal data and the collection of data by controllers.

GDPR provides a number of ways to protect data, such as rectification, deletion etc., in case the data subject[1] fears misuse of their data. It has a direct effect across all EU member States and covers all EU “established” entities and certain non-EU “established” entities. Under the former, if an entity is operating in the EU through one of its establishments, and is processing the information of EU data subjects, irrespective of whether the processing is occurring in the EU or not, such entity is covered under the ambit of the GDPR. To date, around 28 countries have passed national legislation in line with GDPR.


PRINCIPLES


GDPR provides strict data protection principles that must be complied with by the Data Controller and Processor[2] while dealing with personal data. The Controller[3] must make sure that the personal data is:

  • used fairly, lawfully and transparently;
  • used for specified, explicit purposes;
  • used in a way that is adequate, relevant and limited to only what is necessary;
  • accurate and, where necessary, kept up to date;
  • kept for no longer than is necessary; and
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

DATA PROTECTION LEGISLATION IN EU MEMBER STATES


| Country | Legislation | Supervisory Authority |
|---|---|---|
| AUSTRIA | Federal Act concerning the Protection of Personal Data (DSG) | Austrian Data Protection Authority |
| CZECH REPUBLIC | Act No. 110/2019 Coll. on the Processing of Personal Data | Office of Personal Data Protection (UOOU) |
| LUXEMBOURG | Act of 1st August on the Organization of the National Data Protection Commission and General Data Protection Framework | National Data Protection Commission |
| BELGIUM | Protection of Natural Persons regarding the Processing of Personal Data | Gegevensbeschermingsautoriteit |
| CROATIA | Law on Implementation of the General Data Protection Regulation | Croatian Data Protection Personal Agency |
| FRANCE | Law n°2018-493 of June 20, 2018 | CNIL (Commission nationale de l’informatique et des libertés) |
| GERMANY | Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) | The Federal Commissioner for Data Protection and Freedom of Information |
| IRELAND | Data Protection Act 2018 | The Data Protection Commission |
| DENMARK | Danish Data Protection Act | The Danish Data Protection Agency (Datatilsynet) |
| FINLAND | Data Protection Act – ‘HE 9/2018 vp | Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) |
| ITALY | Legislative Decree No. 101/2018 | Italian Data Protection Authority (Garante per la protezione dei dati personali) |
| NETHERLANDS | Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) | Dutch Data Protection Authority (Autoriteit Persoonsgegevens) |
| POLAND | Personal Data Protection Act | President of the Office for Personal Data Protection |
| SLOVAKIA | Protection of Personal Data (Act No. 18 of 2018) | Office of Personal Data Protection |
| SPAIN | Organic Law 3/2018 of December 5 | Spanish Data Protection Agency (Agencia Española de Protección de Datos) |
| SWEDEN | Data Protection Act (2018:218) | Swedish Data Protection Authority |
| SWITZERLAND | Swiss Federal Data Protection Act | Information Commissioner’s Office |
| UNITED KINGDOM | Data Protection Act 2018 | Information Commissioner’s Office |
| ROMANIA | Law no. 190/2018 | National Supervisory Authority for Personal Data Processing |
| PORTUGAL | Law no. 58/2019, of 08 of August | National Data Protection Authority (CNPD) |

UNITED KINGDOM (“UK”)

The Data Protection Act 2018 is the implementation of the GDPR which came into effect on May 25, 2018. The Act makes the data protection laws fit for the digital age in which an ever-increasing amount of data is being processed. It also empowers people to take control of their data and supports businesses and organisations in the United Kingdom through the change.

The Information Commissioner’s Office (“ICO”) is the body responsible for implementing the Data Protection Act and providing further guidance to create awareness regarding rights, roles and responsibilities under the Act. Some of the important guidance released by the ICO is discussed below:

  1. Guidance on Contracts: The guidance discusses contracts and liabilities between controllers and processors. It sets out the provisions that can be included in a contract between controllers and processors. It also helps processors to understand their new responsibilities and liabilities under the GDPR.
  2. Guidance on Controllers and processors: The Guide provides a ready reckoner checklist that helps controllers, processors and joint controllers to easily identify their roles. Additionally, it outlines some of the responsibilities of the controllers when using a processor. In addition to its contractual obligations to the controller, a processor has some direct responsibilities under the GDPR and is liable if it fails to meet any of the obligations mentioned in the contract.
  3. Encryption: The ICO has updated its GDPR guidance in order to provide advice on the compliant use of encryption to protect personal data. This guidance helps in understanding the importance of encryption as an appropriate technical measure for protecting the personal data an organisation holds, whether as a controller or a processor. The following must be taken into consideration when implementing encryption:
     • choosing the right algorithm;
     • the right key size;
     • the right software; and
     • keeping the key secure.
  4. Passwords: The ICO has updated the guidance on the use of passwords in order to protect data. The Guidance talks about the use of passwords and the level of security which is required while choosing a password. It recommends using a suitable hashing algorithm or other mechanism offering similar protection.
  5. Exemptions: The GDPR and the Data Protection Act, 2018 (‘DPA’) set out certain exemptions for some of the rights and obligations. Reliance on an exemption is assessed on a case-to-case basis and cannot be routine. The exemptions in the DPA relieve one from some of their obligations under the Act, such as:
     • the right to be informed;
     • the right of access;
     • dealing with other individual rights;
     • reporting personal data breaches; and
     • complying with the principles.
  6. International transfers: The guidance provides clarification regarding
     • where a transfer of personal data is considered a ‘restricted transfer’; and
     • which mechanisms can be deployed in this case to transfer personal data.
  7. Personal Data Breaches: The Guidance outlines breach notification requirements under the GDPR, including what information needs to be included in a notification, and when organizations are required to notify supervisory authorities and those affected.

BELGIUM

On September 5, 2018, the Law of 30 July 2018 on the Protection of Natural Persons regarding the Processing of Personal Data (the “Act”) entered into force and abolished the Law of 8 December 1992 on privacy protection which regulated processing personal data in Belgium. The Act applies to the processing of personal data in connection with the activities of an establishment of a controller or processor on Belgian territory, whether or not the processing takes place on Belgian territory. The Act significantly broadens the scope for data processing related to criminal offences and convictions. It determines that associations and foundations for which the processing of sensitive data is necessary for the purposes of achieving their statutory objectives can make an exception for processing of such data.

The Data Protection Authority (Gegevensbeschermingsautoriteit) is the supervisory authority that monitors the protection of privacy and the use of personal data in the country.

CROATIA

The Law on Implementation of the General Data Protection Regulation (the ‘Act’) provides for the implementation of GDPR on the protection of individuals regarding the processing of personal data and on the free movement of such data. The Act is not applicable to the processing of personal data carried out by the competent authorities for preventing, investigating, detecting or prosecuting criminal offenses or carrying out criminal sanctions, including protection against public safety threats and their prevention, as well as in the area of national security and defence.

As per the Act, the processing of employees’ biometric data is permitted for recording working hours and controlling access to premises where the employees have provided their consent. The Act also restricts processing of personal data of employees through a video surveillance system and provides that it may only be carried out if the conditions laid down by the regulations governing occupational safety are met, and if the employees have been adequately informed in advance of such measure.

The Croatian Data Protection Personal Agency is responsible for carrying out administrative and professional tasks related to personal data protection.

DENMARK

The Danish Data Protection Act has been passed by the Danish parliament. The Act supplements and implements GDPR on the protection of individuals with respect to the processing of personal data and on the free exchange of such data. The law and GDPR are applicable to all processing of personal data made wholly or partly by automatic data processing and to other non-automated processing of personal data which is or will be contained in a register. According to the Act, the processing of personal data is permitted in the employment context if the data subject has consented or the processing is necessary for certain purposes.

The Danish Data Protection Agency (Datatilsynet) exercises surveillance over the processing of data to which the Act applies. The Agency primarily deals with specific cases on the basis of inquiries from public authorities or private individuals, or cases taken up by the Agency on its own initiative.

FRANCE

Law n°2018-493 of June 20, 2018 on the protection of personal data was promulgated on June 20, 2018 and was published in the Official Journal on June 21, 2018.

The purpose of the Law was to adapt Law n° 78-17 of January 6, 1978 on information technology, data files and liberties (‘French Data Protection Act’) following the GDPR that entered into force on May 25, 2018 and Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which had to be transposed into domestic law.

The CNIL is the authority responsible for informing individuals of the rights accorded to them by the French Data Protection Act. Some of the guidance issued by CNIL in furtherance of the Data Protection Act is discussed below:

  1. CNIL Guidance on Collection and Transmission of Data to Data Brokers: Many companies collecting data directly from individuals, whether on online or paper forms, transmit this information to “commercial partners” or more generally to other organizations, so that they can send commercial prospecting messages through SMS or email. This transmission must comply with a series of conditions, including those set by the GDPR, to be valid and to allow people to maintain control over their personal data.
  2. Standards for DPO certification: In order to identify the skills and know-how of the Data Protection Officer (DPO), the CNIL adopts two standards for DPO certification.
     • a certification reference system that sets the conditions for the admissibility of applications and the list of 17 skills and know-how expected to be certified as a DPO;
     • an accreditation framework that sets out the criteria applicable to organizations wishing to be authorized by the CNIL to certify the DPO’s competencies based on the certification framework developed by the CNIL.
  3. Deliberation n° 2018-326 of 11 October 2018: CNIL adopted guidelines on data protection impact assessments (DPIAs) provided for in the GDPR.
     • The Guidelines describe three examples of processing operations requiring a DPIA provided by Article 35(3) of the GDPR. The Guidelines also list nine criteria of the Article 29 Working Party identified as useful in determining whether a processing operation requires a DPIA, if that processing does not correspond to one of the three examples provided by the GDPR;
     • The Guidelines provide that a DPIA must be conducted before the implementation of processing presenting a high risk for the rights and freedoms of the natural persons concerned; it must be reviewed regularly, in any case every three years, to ensure that the level of risk remains acceptable;
     • The Guidelines specify that data controllers may rely on the CNIL’s industry standards, compliance with a standard will allow to consider that there is no high residual risk while the processing is In the case of dismissal, it will be necessary to lead the controller concerned to, at least, question the level of residual risk that may require the mandatory consultation of the board.

FINLAND

On 13 November 2018 the Finnish Parliament approved the Data Protection Act – ‘HE 9/2018 vp (the ‘Act’). The Act supplements GDPR and repealed the old Finnish Personal Data Act (Henkilötietolaki 523/1999).

The Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) remains the national data protection authority under the GDPR, supervising data protection in Finland. However, in e-privacy matters, the Finnish Communications Regulatory Authority continues to act as the supervisory authority. The new legislation also introduces an internal advisory board in the Data Protection Ombudsman’s office. The board is given power to issue advisory statements on data protection legislation upon the Data Protection Ombudsman’s request.

GERMANY

Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) entered into force on May 25, 2018. The Act is applicable to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system unless such processing is conducted by natural persons during a purely personal or domestic activity.

The Federal Commissioner for Data Protection and Freedom of Information is the authority responsible for supervising Data Protection activities. Some of the guidance released by the Authority is discussed below:

  • Guidance on the privacy requirements of app developers and app providers: The orientation aid is aimed at developers and providers of mobile applications (apps). It reveals data protection and technical requirements and makes them understandable by means of striking examples.
  • Cryptographic methods: Based on the realization that absolute data security cannot be achieved in practice, the principles of “adequacy” and “necessity” have been enshrined in data protection laws. This means that appropriate security measures must be taken depending on the need for protection of the personal data concerned. The present guidance on the use of cryptographic procedures has been developed by a Working Group on Technical and Organizational Data Protection Issues of the Conference of Federal Data Protection Officers.

IRELAND

Data Protection Act 2018 was signed into law on 24 May 2018, to coincide with the GDPR. The Act implements derogations permitted under the GDPR and represents a major overhaul of the regulatory and enforcement framework.

The Data Protection Commission is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the GDPR, and has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations (2011) and the EU Directive. The Commission recently set out certain responsibilities for organisations to carry out under GDPR.

  1. Responsibilities of Organisations under the General Data Protection Regulation: The Authority provided information about organisational obligations under data protection legislation and the General Data Protection Regulation, including transparency with service users and how to respond to an individual who is exercising their data protection rights. More detailed information is provided regarding:
     • your obligations under data protection;
     • how to respond to an individual exercising their rights;
     • how to make a notification to the Data Protection Commission in cases where your organisation or business has breached personal data.

ITALY

Italy adopted Legislative Decree No. 101/2018 which came into effect on September 4, 2018, concerning the provisions for the adaptation of the national legislation to the GDPR on the protection of individuals regarding the processing of personal data and rules to the free movement of such data.

The Decree sets the minority threshold in relation to the offer of information society services to 14 years. For children under that age, the processing of their data still requires parental consent. The Decree provides the specific conditions for the lawful processing of genetic data, biometric data or data concerning health. The Italian Supervisory Authority is tasked with such adoption, at least every two years. As per the Decree, existing practices in relation to the subject rights of deceased persons remain primarily unchanged. These rights can be exercised by those who have a proper interest or who act to protect the data subject or relevant family interests.

The Italian Data Protection Authority (Garante per la protezione dei dati personali) is an independent administrative authority established by Privacy Law. It is the supervisory authority responsible for monitoring application of the General Data Protection Regulation and the national legislation.

CODE OF CONDUCT:

Code of Ethics and Conduct in Processing Personal Data for Business Information Purposes: This Code of conduct sets out the adequate safeguards and arrangements to process personal data by protecting data subjects’ rights that must be in place in pursuing business information purposes; this is aimed to ensure, on the one hand, certainty and transparency in business relations along with adequate knowledge and circulation of business and economic information and, on the other hand, quality, relevance, accuracy and topicality of the processed personal data.

NETHERLANDS

The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) applies in the Netherlands from 25 May 2018.

The Dutch Data Protection Authority [Autoriteit Persoonsgegevens (‘AP’)] is the independent administrative body that has been appointed by law as the supervisory authority for regulating the processing activities of personal data. Some of the publications of AP are discussed below:

  1. AP’s Recommendations for Register of Processing: On 28th November 2018, the Netherlands Authority for the Protection of Personal Data (AP) provided 5 concrete recommendations that organizations should consider when maintaining their registers of processing.
     • Organizations must state the duration and the purpose of processing personal data. Under European privacy legislation, it is not allowed to store personal data longer than necessary for the purpose for which they were collected. Organizations must also be able to explicitly state the purpose for which they collect this data.
     • Contact details of the controller must be included in the register.
     • Organizations should provide a well-organized file of all processing activities carried out in relation to personal data, thereby enabling the users to easily navigate through it.
     • The location or the place where personal data is stored must be stated clearly in the register. This information is relevant when people submit a request for access or deletion.
     • Organizations must specify the goal of each processing activity. A mere enumeration of the processing activity, department wise, in combination with a summary of the various purposes of the processing is not sufficient.
  2. Policy rules prioritization complaints investigation Authority Personal Data: The Dutch Data Protection Authority published policy rules regarding the prioritization of the investigation of complaints. Pursuant to the GDPR, every data subject has the right to lodge a complaint with the Dutch Data Protection Authority if their rights provided in GDPR have been violated. It also follows from the GDPR that the Dutch Data Protection Authority must in principle investigate and respond to each complaint. The Dutch Data Protection Authority is free to make an assessment regarding the intensity of the investigation of a complaint.

POLAND

The Personal Data Protection Act entered into force on 25 May 2018 to help the implementation of the GDPR in Poland.

The President of the Office for Personal Data Protection is a competent authority for the protection of personal data on the territory of Poland, created by the Act of 10 May 2018 on the protection of personal data. Some of the guidelines adopted or released by the Authority are discussed below:

  1. Guideline 1/2018 regarding certification and determination of certification criteria in accordance with Article 42 and 43: The EU guidelines on certification have been adopted by Poland. The Guidelines explore the rationale for certification as an accountability tool. They also explain the key concepts of the certification provisions in Articles 42 and 43, the scope of what can be certified and the purpose thereof.
  2. Protection of personal data at the workplace : The Guide indicates how to process personal data both during recruitment and during the whole period of employment. It is not limited to employment based on an employment relationship. It also treats other, more and more popular forms of employment, such as civil law contracts.
  3. Tips for data controllers – how to apply the GDPR: The Personal Data Protection Office prepared 10 tips for data controllers to help them to apply the GDPR rules on a daily basis such as:
  • Establish the proper basis for collecting and using personal data;
  • Comply with the information obligation in accordance with the new rules;
  • Communicate in a transparent way;
  • Always respect the rights of people;
  • Remember that consent can be withdrawn at any time;
  • Data breaches should be reported to the President of the Personal Data Protection Office and when necessary, to the persons whose data have been violated;
  • Do not create unnecessary documentation;
  • You have the right to profile, but remember about limitations;
  • Invest in a professional DPO;
  • Watch out for cheaters.

SLOVAKIA

The Protection of Personal Data (Act No. 18 of 2018) regulates the protection of the rights of natural persons against wrongful interference with their private data. The Act regulates the rights, duties and liabilities in connection with personal data processing and establishment, scope of powers and organization of the Office for Personal Data Protection of the Slovak Republic.

Office of Personal Data Protection is the supervisory authority responsible for the implementation of the Act. Some of the guidelines released by the authority are discussed below:

  1. Methodological Guideline no. 2/2018: Office for Personal Data Protection of the Slovak Republic issued the guideline on legality of processing. The principle of legality also expresses the requirement for fair and lawful processing, which must be in accordance with the law of the Union, the law of the Member State and good morals, so as not to violate the fundamental rights and freedoms of the persons concerned.
  2. Methodological Guideline no. 3/2018: Office for Personal Data Protection of the Slovak Republic issued the guideline on the obligations of the e-shop operator from the point of view of personal data protection. The obligations are as follows:
    • to legally process the customer’s personal data, the operator must have an appropriate legal basis;
    • customers have the right to be informed about the terms of processing, how they are processing their applications for the exercise of the rights of the persons concerned, etc.;
    • data obtained should be processed by the operator only for a specific, expressly stated and legitimate purpose, furthermore they cannot be processed in a manner which is not compatible with such a purpose;
    • operator should process only the personal data that is necessary to achieve a specific purpose of processing;
    • operator must process correct and up-to-date personal data;
    • operator must keep personal data only for the necessary time to achieve the purpose of processing;
    • operator must guarantee the adequate security of the processed personal data; and
    • operator must be able to show compliance with the preceding principles of processing.

SPAIN

The Organic Law 3/2018 of December 5 guarantees the digital rights of citizens and employees, beyond the GDPR. The law includes some specifications about data subjects’ rights. The new rule recognises a set of “digital rights” (or rights in the context of the Internet) to every individual, starting with the net neutrality right (or the right to be granted with Internet access without being discriminated for technical and/or economic reasons) and ending with the right to a digital testament.

Spanish Data Protection Agency (Agencia Española de Protección de Datos) (AEPD) is the public law authority overseeing compliance with the legal provisions on the protection of personal data and enjoying an absolute independence from the Public Administration. The guides released or adopted by the Agency are discussed below:

  1. Practical Guide of risk analysis for the treatment of personal data: The guide is aimed at data controllers and processors whose processing of personal data may be affected by data security breaches. It provides the interpretation of the RGPD regarding the obligation to notify the competent authority through the appropriate channel. It aims to cover the wide range of Spanish businesses (small, medium or large companies of all kinds, companies with large data processing operations and companies with limited ones) and to be equally helpful to controllers and processors in the Public Administrations involved in managing security breaches.
  2. Guide for the Person responsible for the processing of personal data: The guide systematically presents the main issues that organizations should consider for the application of the RGPD. It is designed to help controllers and processors adapt to the new obligations during the transition period. A ready reckoner checklist is included, which organizations can use to determine whether they have taken the necessary steps to apply the RGPD correctly.
  3. Guide for the management and notification of security breaches: The guide aims to be useful for anyone who wants or needs to familiarise themselves with the issues regarding the management and notification of security breaches. It is designed for different data controllers processing personal data who could be affected by data security breaches, with the aim of enabling understanding of the GDPR regarding its requirement to notify the competent authority and, when relevant, the data subjects, so that the competent authority is notified through the correct channel, with useful and accurate information for statistical and monitoring purposes, and the new GDPR demands are met.

SWEDEN

The Data Protection Act (2018:218) entered into force on May 25, 2018. It provides for the processing of social security numbers and processing of data pertaining to criminal offences. The Act is applicable to the processing of personal data carried out within the framework of activities carried out at the premises of the personal data controller or personal data assistants in Sweden. The law is also applicable to the processing of personal data carried out by personal data controllers who are not established in Sweden, but in a place where Swedish law applies according to international law.

The Swedish government has designated the Swedish Data Protection Authority to be the supervisory authority under the GDPR.

SWITZERLAND

The Swiss Federal Data Protection Act (‘Act’) and the Data Protection Ordinance (‘Ordinance’) regulate data processing activities across the country. The Act is applicable in any of the following circumstances:

  • The data subject has its habitual residence in Switzerland, provided that the data processor can anticipate that damage may be sustained in Switzerland.
  • The data controller or processor (as the potentially infringing party) is a Swiss resident.
  • Damage resulting from a data breach is sustained in Switzerland, provided that the data processor can anticipate that damage may be sustained in Switzerland.

The Federal Data Protection and Information Commission is the Authority responsible for supervising data protection activities. The Commission recently released a guide on technical and organisational measures, which introduces data protection risks and the measures that can be taken to ensure protection for personal data.

  1. Guide for technical and organizational measures – This guide is an introduction to the data protection risks that can arise in connection with modern IT systems. It is intended to help the reader implement measures and ensure optimum and appropriate protection for personal data. The guide is primarily intended for IT systems managers and those who are directly involved in the management of personal data, whether they are technicians or not. The guide is structured around four main topics – data access, data lifecycle, data transmission and right to information.

AUSTRIA

The Federal Act concerning the Protection of Personal Data (DSG) has considerably amended the Data Protection Act 2000 in order to implement GDPR. The Act regulates processing of personal data, appointment of data protection officers, maintaining confidentiality of data, investigation or prosecution of criminal offenses and rights of data subject in order to modify, rectify or delete.

Based on Art 8 GDPR, the Act provides that children may consent to data processing in the course of information society services starting with 14 years – instead of 16 years as stipulated by the GDPR. Art 10 GDPR generally provides that criminal data may only be processed “under the control of official authority”, unless otherwise authorised by the Member States. The Austrian legislator closed the potential gap by providing that criminal data may also be processed based on legitimate interests pursued by the controller.[4]

CZECH REPUBLIC 

Czech Republic enacted the Act No. 110/2019 Coll. on the Processing of Personal Data incorporating the provisions of GDPR. The law came into effect on April 24, 2019. It replaces the older Personal Data Protection Law (Act No. 101/2000 Coll., as amended) and regulates personal data processing within the scope of GDPR and also processing of the data by competent authorities for preventing, searching for and detecting criminal activity, ensuring safety and public order.

The Office for Personal Data Protection published various Guidance material for the implementation of the Law. Some of them are mentioned below:

  1. Data Breach Notification Guidance[5]: The Office for Personal Data Protection (‘UOOU’) published guidance on data breach notifications. Key features of the guidance are provided below. The guidance:
    • outlines that any breach of personal data security that may result in a risk to the rights and freedoms of individuals must be reported;
    • provides examples of such incidents, including an attack on a computer in which personal data is processed which results in the leakage of personal data, as well as the loss of paper documents containing personal data that was a part of manually kept records;
    • provides that where an infringement is unlikely to result in a high risk to the rights and freedoms of data subjects, such as if it becomes impossible to trace a paper document that was or should have been part of a manually kept record, no notification needs to be made;
    • lists what should be included in the notification, as well as the exceptions to the obligation to report data breaches to affected individuals.
  2. DPIA Methodology[6]: The Office for Personal Data Protection (‘UOOU’) published a methodology for conducting Data Protection Impact Assessments (‘DPIAs’). Key points discussed in the Methodology are provided below. The Methodology:
    • contains questions and answers, information on who needs to carry out a DPIA and when this is required, and outlines the four stages of a DPIA;
    • provides that the data controller needs to ascertain whether a DPIA needs to be carried out with respect to the personal data obtained, the legal basis for processing, data retention periods, and data transfers;
    • highlights that the data controller should, when carrying out a DPIA, provide a systematic description of the intended processing activities, follow a risk assessment procedure through identifying assets, vulnerabilities, and threats related to the processing of personal data, and determine the level of risk following a DPIA;
    • includes examples of vulnerabilities such as insufficient maintenance of supporting information and communication technologies, and insufficient physical protection of personal data.

LUXEMBOURG

On 16 August 2018, the Luxembourg Government adopted and published the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and implementation of GDPR and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The Law repeals the law of 2 August 2002 on the protection of persons regarding the processing of personal data.

ROMANIA

The Parliament of Romania adopted Law No. 190/2018 implementing the General Data Protection Regulation. The Law regulates special rules for the processing of certain categories of personal data, derogations from the GDPR, provisions regarding data protection officers (‘DPO’) and certification bodies, as well as provisions on the applicable sanctions for public and private entities. 


Conclusion: Critique of GDPR


As is evident from the EU countries’ domestic laws, GDPR is a privacy legislation that serves as a guideline for the upcoming laws on data privacy. GDPR strengthens individual privacy rights and increases the obligations of companies towards personal data. It also has considerable power; that is to say, like most of its counterparts, it is not toothless, since it not only imposes obligations on organisations but also has provisions to impose heavy penalties for breach of any of those obligations.

The largest sanctions under privacy laws have been imposed by CNIL, whose restricted committee imposed a heavy financial penalty of around €50 million[7] against the company GOOGLE LLC, for lack of transparency, inadequate information and lack of valid consent regarding the ads’ personalization. The decision by the CNIL came as a warning that tough enforcement actions are not just theoretical and that organizations must therefore take the privacy laws seriously.

Recently, some of the major fines were imposed in the year 2020, such as:

  • In April 2020, the Dutch Data Protection Authority imposed its largest fine to date, €725,000 (US$ 821,600 million), on an unknown company for illegally using employees’ fingerprint scans for its attendance records over a period of 10 months. As per the GDPR, biometric data is classified as sensitive information and subjected to stringent protections.[8]
  • On December 07, 2020, the French Data Protection Authority issued two fines totalling €100 million against Google LLC, Google Ireland Limited and Amazon for cookie violations. In an audit, it was revealed that cookies, many of which were used for marketing purposes, were automatically placed on user equipment without affirmative action.[9]
  • On December 07, 2020, the Norwegian Data Protection Authority (‘Datatilsynet’) sent a notice of an infringement to the Norwegian Sports Confederation (‘NIF’) and imposed a fine amounting to NOK 2.5 million (approx. €236,000) following the disclosure of the personal data of 3.2 million Norwegians after an error that took place when testing a cloud solution.[10]

Also, since the digital environment across the world has made private data accessible at a single click, privacy laws have become the talk of the town, and a breach could mean a heavy penalty for data controllers and processors. The borderless nature of the Internet raises several jurisdictional issues in data protection; therefore, gradually, even non-EU members are bringing in supplementing laws in line with the GDPR to protect the personal data of consumers. India and China have introduced Data Privacy Bills, and China has also included data privacy principles in the China Civil Code.

The emergent need for all organizations to review their privacy policies and bring them into compliance with the national legislation of their respective countries and the GDPR only reflects the growing acceptance of the GDPR, transcending the EU.


† Consultant at Ernst and Young | Data Privacy and Occupational Health and Safety Compliance Professional

[1] Data subjects as “identified or identifiable natural person[s].” In other words, data subjects are just people—human beings from whom or about whom you collect information in connection with your business and its operations.

[2] Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

[3] According to Article 4 of the EU GDPR, a data controller is the entity (person, organization, etc.) that determines the why and the how for processing personal data. A data processor, on the other hand, is the entity that actually performs the data processing on the controller’s behalf.

[4] https://www.dorda.at/en/publications/new-austrian-data-protection-act-implementing-gdpr-passed-austrian-parliament Last accessed on December 11, 2020.

[5] https://www.uoou.cz/vismo/zobraz_dok.asp?id_org=200144&id_ktg=5020&n=poruseni-zabezpeceni

[6] https://www.uoou.cz/vismo/dokumenty2.asp?id_org=200144&id=46497

[7] Deliberation of the restricted formation n° SAN – 2019-001 of January 21st, 2019 pronouncing a financial penalty against the company GOOGLE LLC

[8] https://cisomag.eccouncil.org/four-biggest-gdpr-fines-of-2020/ Last accessed on December 11, 2020.

[9] https://www.cnil.fr/en/cookies-financial-penalties-60-million-euros-against-company-google-llc-and-40-million-euros-google-ireland Last accessed on December 14, 2020.

[10] https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-overtredelsesgebyr-til-norges-idrettsforbund/

Op Eds / OP. ED.

We are living in a digital age, much more so after the onset of Covid-19. Business, meetings, interaction, banking and even education have shifted to online mode. Every person is accessing and sharing so much data that it is very scary, as one never knows whose hands one's data lands up in.

With this, concerns about data privacy have become more important than ever before in everyone’s mind.

Data can be classified into two categories as personal and non-personal. With the advancement of digital technology, there is a tremendous upsurge in storage, handling and processing of data by companies and humans in digital format.

This reflects the need to establish a distinct regulatory mechanism for the handling and processing of personal and non-personal data to preserve the confidentiality and secrecy of such data.

The Central Government is on course to develop a mechanism for regulating the collection, storage and usage of personal data and non-personal data separately.

Work on the non-personal data bill is going in parallel with the Personal Data Protection Bill, 2019. The Central Government had constituted a panel to develop a draft report on non-personal data governance.

The prime job of the panel is to perform extensive research and to study all vital aspects associated with governance and regulation of non-personal data.

According to the draft report, non-personal data means data which is not personal. The panel has submitted its report to the Central Government for review. The Central Government has invited comments from the general public along with all stakeholders concerned by 13-8-2020 in this regard.

The idea of seeking comments from the public is to give final shape to the draft in progress so as to address all concerns and issues related to non-personal data in a comprehensive manner.

An interesting outcome of the research by the panel is that companies with the largest data pools are unbeatable and have techno-economic advantages over small and medium companies.

According to available statistics, a few startups established during the period 1990-2000 have emerged as larger corporations with an economic capacity of USD 1 trillion in the market, owing to their stronghold in the collection and analysis of users’ data.

Some interesting facts about larger corporations:

(a) 60% of the internet advertising market in the United States is dominated by Google and Facebook.

(b) 37% of the online e-commerce market in the United States is controlled by Amazon.

These statistics reflect the power of the right collection and processing of data.

According to the draft report, companies which gather and collect data beyond certain limits will come under the ambit of a “data business” and have to register as a “data business” in India. Such companies need to report the method of data collection and the mode of data usage to the regulatory authority.

Development of a data sharing framework is critical to:

(a) address and resolve privacy concerns in a timely manner;

(b) condense the side effects related to non-personal data processing; and

(c) generate social, public and economic value creation.

The establishment of a data sharing platform is reflected in transparency in data usage and handling, quantifiable efficiencies and better-quality services.

It is expected that the sharing of non-personal data could encourage companies to come up with new and innovative services and products to cater to the needs of the public at large.

The establishment of a regulatory authority is a decisive link in non-personal data governance. Such an authority should be empowered with the right set of legal and administrative tools to monitor the data sharing acts of companies, to collect and review data from companies and to resolve data privacy-related disputes.

Certain companies are misusing the data for their benefit causing considerable data privacy issues to the users — it is about time to develop distinct laws and mechanism for handling, processing and usage of personal and non-personal data to curb misuse of personal and non-personal data by companies.

The inception of separate laws for the regulation of personal and non-personal data, along with their right implementation, would:

(a) streamline the process of data handling and collection;

(b) make companies collecting and processing data more accountable and responsible;

(c) improve transparency standards in collection and usage of data; and

(d) provide more control to users on the aspect of collection and usage of their data.


*Bhumesh Verma is Managing Partner at Corp Comm Legal and can be contacted at bhumesh.verma@corpcommlegal.in. **Paruchuri Baswanth Mohan is a Research Associate and can be contacted at paruchuribaswanthmohan@gmail.com

Hot Off The Press / News

Supreme Court: While hearing Facebook Inc’s petition asking Supreme Court to hear all cases related to demands for linking Aadhaar to social media accounts and tracing the source of WhatsApp messages, the Court said that there has to be a balance between privacy and how to govern. The court, hence, issued notice to Facebook, Twitter, Google, YouTube, the centre and Tamil Nadu asking for their response by September 13 on whether the petitions should be transferred from high courts across India to the Supreme Court. Various cases are being heard by the high courts of Madras, Bombay and Madhya Pradesh and Orissa.

The Court said,

“There is a conflict between privacy and how the government should run the country when crimes are committed. There has to be a balance… under what condition information can be given and to whom,”

Facebook and WhatsApp, asking that all petitions be transferred to the top court, said it was a matter of high magnitude and affected the privacy of the entire nation.

On Monday, the Tamil Nadu government had told the Supreme Court that social media profiles of users need to be linked with Aadhaar numbers to check the circulation of fake, defamatory and pornographic content as also anti-national and terror material. However, Facebook Inc resisted the state’s suggestion on grounds that the sharing of the 12-digit Aadhaar number, the biometric unique identity, would violate privacy policy of users.

Facebook Inc said it cannot share the Aadhaar number with a third party as the content on its instant messaging WhatsApp was end-to-end encrypted and no one can access it.

The Tamil Nadu government, which is deep into a case related to the deadly Blue Whale game, argued that the centre was struggling to find out who the creator of the game was and who gives directions. Attorney General KK Venugopal, representing Tamil Nadu, said,

“Someone says he is a young person from Russia. A number of people have died in India playing the Blue Whale. Let the Madras High Court continue with its hearing,”

The Supreme Court said,

“We are aware of Blue Whale. What is happening in dark web is worse than Blue Whale. The idea of the Madras High court expanding the issue was that if need be, shouldn’t the intermediary inform the police about details of person for crime detection? We are not examining the merits of the case, only dealing with the transfer of the cases to the Supreme Court.”

(Source: NDTV)

Case Briefs / Supreme Court

Supreme Court: In the light of the data privacy concerns raised before the Court in the matter relating to Whatsapp data sharing with its parent company Facebook, the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, Amitava Roy, AM Khanwilkar and MM Shantanagoudar, JJ asked Senior Advocates Kapil Sibal and Arvind Datar, appearing for Whatsapp and Facebook, to file affidavits with regard to the assertions made by the petitioners within 4 weeks.

Additional Solicitor General Tushar Mehta brought to the Court’s notice that a committee headed by Former Supreme Court judge, Justice B N Srikrishna, was being formed to deliberate on a data protection framework for India keeping in mind the need to ensure growth of the digital economy while keeping personal data of citizens secure and protected. He further submitted that there was a possibility that a law regulating data protection would be passed once the committee submits its report. Arvind Datar also submitted that the 9-judge bench, in Justice KS Puttaswamy v. Union of India, 2017 SCC OnLine SC 996, had expressed the view that there should be a law with regard to data protection.

Refusing to pass any interim order restraining the respondent from sharing the data with the third party, the Court said that it will consider passing interim order after the affidavits are filed and if the assertions made in the affidavit would not require any kind of intervention by this Court, this Court may not pass any interim order. The matter will next be taken up on 20.11.2017. [Karmanya Singh Sareen v. Union of India, 2017 SCC OnLine SC 1051, order dated 06.09.2017]