With the due permission of the bench, The council seeks permission to move ahead with the third

and fourth issues.

The Third issue raises the question regarding the state's imposing necessary and restrictive conditions on data
fiduciaries.
The council claims that the state has failed to impose necessary and restrictive conditions on data fiduciaries that is
the mishappenings took place
Your lordship,

"Data fiduciary" means any person, including the State, a company, any juristic entity, or any individual who alone or in
conjunction with others determines the purpose and means of processing personal data. The law clearly states that “ No
personal data shall be processed by any person, except for any specific, clear and lawful purpose.
HERE the data of female activists and journalists were used for online auctioning. the data was uploaded on the rozdeal app
which was the part of Github community.
"personal data breach" means any unauthorized or accidental disclosure, acquisition, sharing, use, alteration, destruction of,
or loss of access to, personal data that compromises the confidentiality, integrity, or availability of personal data to a data
principal

In a recent case, Indian trading platform Upstox has openly acknowledged a breach of know-your-customer (KYC) data.
Gathered by financial services companies to confirm the identity of their customers and prevent fraud or money
laundering, KYC data can also be used by hackers to commit identity theft.

On April 11, Upstox told customers it would reset their passwords and take other precautions after it received emails
warning that contact data and KYC details held in a third-party data warehouse may have been compromised.
Upstox apologized to customers for the inconvenience and reassured them it had reported the incident to the relevant
authorities, enhanced security, and boosted its bug bounty program to encourage ethical hackers to stress-test its
systems. The case represents that the state has failed to impose necessary condn on data fiduciaries.
According to the PDP bill, chapter 2 clause 11.
(1) The personal data shall not be processed, except on the consent given by the data principal at the commencement of its
processing. (2) The consent of the data principal shall not be valid unless such consent is—

As stated in the, Para 3 of Fact Set B of the Moot Proposition, Zeenat, a Beta Tester of Castledeals while testing over the
mappings and various other features and destinations, faced harassment by the seven avatars of Tritter, present in the launch
event. She further explains that though it was virtual but still so real and raw she could feel that gang rape actually happened
with her. She tried to get away but the avatars kept assaulting by taking photos and kept on saying that ‘she is enjoying’. It
happened because the virtual reality has been designed in a manner that the mind and body can’t differentiate virtual/digital
experiences from the real world. The physiological and psychological experience was as humiliating and harassing as it
happened in reality.
Data Fiduciaries have some duties and obligations to perform. If something illegal and bad happens, then the direct
notification is given to the owner of the data fiduciary. Here, the person who owned the apps followed all the measures and
that is why the State is responsible for all the mishappenings that took place.
The State failed to take care which it would have taken. When the auctioning was happening of the prominent journalists and
female activistists on the Rozdeal, it was the duty of the owner to get notified but it didn’t got notified. They got to know it
from some other source. So, it can be inferred from the [present scenario that the State is responsible by not taking care.
The fourth issue raises the question regarding WHETHER THE DATA PROCESSOR FAILED TO DELIVER UPON THE
RESPONSIBILITIES RELATING TO CONFIDENTIALITY CONCERNS?
The council claims that the state has failed to deliver the responsibilities relating to confidentiality concern.

It is humbly submitted by the Counsel before the Hon’ble Supreme Court of Republic of Coolsberg that the Data Processor
has failed to deliver upon the responsibilities relating to confidentiality concerns because of which the individuals as
described in the moot proposition (Fact Set A and Fact Set B) faced severe problems regarding their Privacy, Confidentiality
and Safety. To understand the liability of the Data Processor, it is important to first understand the meaning of Data
Processor and what role does it play when it comes to the collection of information and data.
DATA PROCESSOR
According to the Personal Data Protection Bill, 2019, the term ‘Data Processor’ is defined as any person, including the State,
a company, any juristic entity or any individual who processes personal data on behalf of a Data Fiduciary. Here, Personal
Data means such personal data, which may, reveal be related to or constitute – Financial Data, Health Data, Official
Identifier, Sex Life, Sexual Orientation, Biometric

As stated in Para 2, Fact Set 1 of the moot proposition, Github is a platform that gives easy access to develop applications
and then shares them on the Github community. Here, Github is a data processor which collects all the information and data.
It is the duty of Github to oversee all the rules and regulations so that there is no mishappening. But in the present case, it
failed to deliver upon the responsibilities due to which the confidential information of individuals was revealed and their
privacy was breached. There was:

A) Breach of Section 66 C of the Information Technology Act, 2000 which talks about Punishment for Identity Theft. It
states, “Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique
identification feature of any other person, shall be punished with imprisonment of either description for a term which
may extend to three years and shall also be liable to fine which may extend to rupees one lakh”.

As stated in the moot proposition, the information and data which was published on the Rozdeal app about the prominent
journalists and female activists revealed about the unique identification feature through which their privacy was breached. It
is a matter of concern and that is why the punishment for identity theft will be a section 66e pplied here.

B) Breach of Section 66E which talks about the punishment for violation of privacy. It says, “Whoever intentionally or
knowingly captures publishes or transmits the image of a private area of any person without his her consent, under
circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three
years or with fine not exceeding two lakh rupees, or with both”.
As stated in the fact set B of the moot proposition, Zeenat while testing for the Castledeal app on Github cloudstream,
the virtual avatar of tritter harassed her with the sexual remarks and innuendos. It may be said that it was virtual and
not physical experience but the fact is to kept in mind that whatever happened had an impact on the mind which can
be equated same as with the impact of physical harassment.

Nowadays, virtual and digital experiences are designed in a manner that it gives a real life experience. Also, the
recording which is done by the Github cloudstream shows that when the virtual harassment was happening with
Zeenat, the data was getting recorded which means it get into system which sujected to its publishment and thus
violates section 66 e

c) BREACH OF SECTION 72
Penalty for Breach of confidentiality and privacy.–Save as otherwise provided in this Act or any other law for the time
being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations
made thereunder, has secured access to any electronic record, book, register, correspondence, information, document
or other material without the consent of the person concerned discloses such electronic record, book, register,
correspondence, information, document or other material to any other person shall be punished with imprisonment for
a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
As stated in the fact set B of the moot proposition, the entire incident got recorded in the cloudstream of the GitHub
community which breaches the privacy and confidentiality of the zeenat.

Also, In moot proposition fact set A, the data and information of female activists and prominent journalists got listed
which breached their privacy.

This is how the cinfentitality and privacy was breach of the indivahl .