STATEMENT OF JURISDICTION

Section 75 in The Information Technology Act, 2000

75. Act to apply for offence or contravention committed outside India.-

(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to
any offence or contravention committed outside India by any person irrespective of his
nationality.

(2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention
committed outside India by any person if the act or conduct constituting the offence or
contravention involves a computer, computer system or computer network located in India.
 ARGUMENTS ADVANCED

ISSUE I- WHETHER THE JURISDICTION CLAUSE IS VALID AND

MAINTAINABLE?

It is humbly submitted before the hon’ble court that the particular matter should not be held
maintainable before the court of law, as the matter lies outside the jurisdiction of the court.
This statement is contended in a two-fold manner- [I.A] Issue does not fall under the purview
of the ITACT, 2000 and IPC, 1860.
[1.1] ISSUE DOES NOT FALL UNDER EXTRA-TERRITORIAL JURISDICTION GIVEN
UNDER THE INFORMATION TECHNOLOGY ACT, 2000 AND THE INDIAN PENAL
CODE, 1860

Section 75 of the Information Technology Act, 2000 confers the Indian courts to exercise
extra-territorial jurisdiction to try for offences mentioned inter alia the act, that are committed
outside India. It provides that an offence or contravention committed outside India by any
person, if the act or conduct constituting the offence or contravention involves a computer,
computer system or computer network located in India 1. Pertinently, the involved computer
system or network must be located in the territory of India, for an extra territorial offence to
fall under this provision.

In the instant matter, the computer system, i.e., the server that stores the data and through
which withdrawals and deposits take place (“Server A”), is located in the USA. The alleged
offence of data breach, concerning the hackers, is connected to this server/computer system
which is clearly established to be outside the territory of India. Therefore, Section 75 cannot
be applied to invoke the jurisdiction of this Hon’ble court.

Further, any contention to try the respondent for data breech under the Indian Penal Code,
1860, (“the IPC’) would also fail. Sections 3 and 4 of the IPC deal with extra-territorial
jurisdiction to try for offences under the Act2. Section 4(3) of the IPC gives Indian courts, the

1
Information Technology Act, 2000, §75(2).
2
Rao Shiv Bahadur Singh & Another v. The State Of Vindhya Pradesh, AIR 1953 SC 394.
jurisdiction to try a person outside Indian territory for targeting a computer resource located
in India3. The essential aspect is that the computer resource must be located in India.

In the present matter, as has been proven in aforementioned contention, the concerned
computer resource is located in the USA and therefore, the court’s jurisdiction cannot fall
under the said provision of IPC.

[II.B] USA’S OVERRIDING JURISDICTION AS PER THE MOU

MOU’s or Memorandum of Understanding are essentially consensus or agreement entered
into between two or more parties defining the agreed terms of their relationship4.

They can be legally recognised and given the force of a contract, if the meeting the
ingredients to a valid contract5. Further it may also be enforced under the principles of equity
and promissory estoppel,6 as it reflects the terms of agreement and consensus between the
parties, under free will and intent.7

The respondent and Vexus Bank have entered and into a MOU, that covers aspects of
applicable laws and jurisdiction for matters concerning both the parties. on ‘Applicable laws
clause’ [ Clause no. 5], provides that private and public international laws and laws of both
India and USA will apply to settle any contractual or any other liability between the parties.
Inter alia the same clause on ‘Applicable laws’ [Clause no. 5.1] provides that prima facie
jurisdiction lies with the USA court.

Therefore, it can clearly be construed that the parties have intended and agreed to bring any
litigation or any form of liability between the parties to be heard and decided before the USA
Court. The agreed ‘forum of convenience’ in consideration of the parties, is in the USA
courts.

Moreover, the issue of data breech is directly concerned with their contractual business
relation of service provider maintained by the respondent and therefore would essentially fall
under the jurisdiction as prescribed by Clause no.5 and not, before the jurisdiction of this
Hon’ble court.

3
The Indian Penal Code, 1860, § 4(3).
4
Jai Beverages Pvt. Ltd. v. State of Jammu and Kashmir and Ors., 2006 (4) SCJ 401.
5
Indian Contract Act, 1857, § 10.
6
Subimalchandra Chatterji v. Radhanath Ray, AIR 1934 Cal 235.
7
Jyoti Brothers vs Shree Durga Mining Co., AIR 1956 Cal.280.
 ISSUE II - WHETHER THE RESPONDENT IS LIABLE UNDER THE IT ACT AND
CRPC, 1973

It is humbly submitted before the Hon’ble court that the Respondents should not be held
liable for the breach of data caused in Vexus bank by the hackers as, the Respondents have
followed all the due diligence protocols required by them and the same was caused due to the
negligence of Vexus bank itself. This statement is contended in a two-fold manner- [II A]
Liability under sec 43 (a) of the IT ACT, 2000 and [II B] Liability under Criminal Law

[II.A] LIABILITY UNDER SEC 43 (A) OF THE IT ACT, 2000

It is humbly submitted before this hon’ble court that the Respondents should not be held
liable under sec 43 (a)8 and Sec. 72 of the IT Act, 20009 as there is no legally binding
evidence pointing towards the fact that there was a breach of data on the Respondent’s part.

The statements made by the investigative officer Mrs. Morya were unofficial statements and
were not legally binding with evidences.10 Furthermore the statements made by Mr.
Bhagwan, an employee of Vexus bank, cannot be held as a legally binding evidence as it was
a mere claim made by him on the national television, without any appropriate evidence. 11

Thus for, the Respondent to be held liable for such breaches of data, the Petitioner needs to
bind it with substantial pieces of evidence under sec 102 of the Indian Evidence Act, 1872. 12
The same was reiterated in the case of – M.S. Reddy v. State Inspector of Police, A.C.B.,
Nellore,13 “it was held that the initial burden of proof is on the prosecution. It cannot take
advantage of the weaknesses and inconsistencies of the defence. It must base its proof on its
own evidence that it has acquired.”

Furthermore, for sec 43 (a) and sec 72 of the IT act to be applicable, in the present matter
there needs to be a body corporate who is possessing, dealing or handling any sensitive
personal data or information, and is negligent in implementing and maintaining reasonable
security practices resulting in wrongful loss or wrongful gain to any person, then such body
corporate may be held liable to pay damages to the person so affected.

8
sec 43 (a) of the IT ACT, 2000
9
sec 72 of the IT ACT, 2000
10
Moot proposition Pg 2, Para 7
11
Moot proposition Pg 2, Para 5
12
sec 102 of the Indian Evidence Act, 1872
13
M.S. Reddy v. State Inspector of Police, A.C.B., Nellore, 1993 Cr LJ 558 AP.
However, the said section is silent on the liability of internet service providers or network
service providers, as well as entities handling data. As a result, the entities responsible for
safe distribution and processing of data like the vendors and outsourcing service providers are
out of the purview of this section.

The liability of the entities/Companies is further diluted in Section 79 14 by providing the

criteria of “knowledge” and “best efforts” before determining the quantum of penalties. This
means that the network service provider or an outsourcing service provider would not be
liable for the breach of any third-party data made available by him if he proves that the
offence or contravention was committed without his knowledge, or that he had exercised all
due diligence to prevent the commission of such offence or contravention.

In this particular matter since the Respondent was a registered IT service provider, having no
knowledge of the data leak as well as having no proven negligent behaviour, the respondents
should not be held liable. This is also a proven test under data protection laws in the US,
which states that the plaintiffs cannot sue unless they have suffered real and tangible harm
from the Respondents. In the U.S. Supreme Court in the case of Clapper v. Amnesty
International, 133 S. Ct. 1138 (2013) a surveillance case, held that plaintiffs could not
establish standing based on allegations of speculative or hypothetical injuries. Rather, they
must allege “certainly impending” harm. If this impending harm is not directly proven to be
due to the negligence of the data repository, then in those cases the matter will be dismissed.15
Thus it is humbly contended before the court that the same principle is also applied in India
where the burden of proof to show damage and negligence in data protection matters is
necessary for the claim of the plaintiff to sustain and not be dismissed under sec 79 of the IT
ACT, 200016 and sec 102 of the Indian Evidence Act. 17 Since Vexus bank was unable to
produce sufficient proof to show the negligence of the Respondent in the matter at hand, the
particular suit should not be held maintainable.

[II.B] LIABILITY UNDER CRIMINAL LAW

It is humbly contended before this hon’ble court that no criminal appeal lies on the
Respondents under sec 403 of IPC18 as no criminal misappropriation or theft of data occurred
under the IT Act, 2000, as stated in the issue above. It needs to be stated that The Indian

14
sec 79 of the IT ACT, 2000
15
Clapper v. Amnesty International, 133 S. Ct. 1138 (2013)
16
sec 79 of the IT ACT, 2000
17
sec 102 of the Indian Evidence Act, 1872
18
Section 403 of The Indian Penal Code, 1860
Criminal law does not specifically address breaches of data privacy. Under the Indian Penal
Code, liability for such breaches must be inferred from related crimes. For instance, Section
403 of the India Penal Code19 imposes criminal penalty for dishonest misappropriation or
conversion of “movable property” for one’s own use. Thus, for criminal misappropriation to
be proved under sec 403 of the Penal code, there needs to be an act of theft or
misappropriation of the movable property in the matter at hand.

It is humbly contended that Rubal Pvt. Ltd. is a registered company and is only a third-party
repository for holding and managing data for the petitioners. As stated in the facts, it can be
observed that the Respondents only store the data and conduct other menial functions related
to sending messages. It is contended that the respondents should not be held liable for the
crimes committed by the hackers, as there is no legally binding evidence which shows that
Rubal Pvt. Ltd. had any involvement in the siphoning of the money by the hackers.
Statements made by the investigation officer were all unofficial and cannot be used as
admissible evidence under the court of law. Since the burden of proof lies on the Applicants
under sec 102 of the Evidence act, to sufficiently prove that there has been certain
infringements leading to the crime, which was not provided for in the matter at hand.

It is submitted that application of Section 403 of the IPC would amount to colourable
legislation. The Doctrine of Colourable Legislation is a widely established principle of law
that states what cant be done directly, cannot be done indirectly. Application of the Indian
Penal Code to issues of Data Privacy is a far and wide reach, and a backhand-way of
maliciously attempting to implicate the Respondents.

The Supreme Court upheld the applicability of this principle in the case of SKC Gajapti
Narayan Deo and Oth. Vs The State of Orissa20 wherein the court validated and upheld the
doctrine of Colourable Legislation and its applicability in India. The court stated that an
ulterior motive cannot be achieved by stretching the competence of the legislature.

It is submitted, that the Petitioner in the present case is desperately seeking to apply a statute
the jurisdiction, applicability and utility of which do not reach far and wide enough to cover
data privacy laws. The IPC does not offer any protection or any provision for breach of data
privacy, which signifies the intent of the legislature behind drafting the code which did not
intend on including provisions for Data Protection.

19
Section 403 of The Indian Penal Code, 1860
20
SKC Gajapti Narayan Deo and Oth. Vs The State of Orissa AIR 1953 Ori 185
Thus, it is humbly submitted before the hon’ble court that since there are no particular laws
under the Penal code for stealing data or the breach of privacy along with the fact that section
403 of IPC, will not be held applicable in the matter at hand due to the conditions for criminal
misappropriation have not been satisfied, the particular matter will not be held maintainable
before this hon’ble court.

[ISSUE III] WHETHER STAEMENTS MADE BY THE PETITIONERS WERE

DEFAMATORY

It is humbly submitted before the Honourable court that the petitioners have tarnished the
reputation of the Respondents, by their statements in the media and different news outlets and
should be held liable for defamation, which will be contended in a two-fold manner- [III.A]
Statements made by petitioner are defamatory in nature under IPC [III.B] Petitioners’
liability to pay compensation

[III.A] STATEMENTS MADE BY PETITIONER ARE DEFAMATORY IN NATURE

UNDER IPC

According to the definition of defamation, a person's reputation is harmed when untrue

statements are published about them. Publication or utterance of a false and untrue statement
with the aim to injure the reputation of another person constitutes defamation.

In India, slander and libel are both considered offences under Section 499 of the Indian Penal
Code. The Indian Penal Code sections 499 and 500 make defamation a crime. “Words either
said or intended to be read,” “signs or visual representations,” publication or placement in the
public domain are all forms of defamatory behaviour. The Supreme Court
ruled that upholding the dignity of others is a basic obligation. According to the Supreme
Court's decision, criminal defamation statutes are legally acceptable and do not infringe on
the right to free speech.21

In the present instance, Mrs. Koliwala made a number of assertions that had an effect on the
petitioner's brand name, which led to the fall of its shares and affected the firm as a whole. In
addition, Mrs. Koliwala had no basis for making such a statement in the first place, as there
was no proof that the petitioner's carelessness caused the breach.

21
Subramanian Swamy v Union of India, (2016) 7 SCC 221
In S.N.M. Abdi v. Prafulla Kumar Mohanta, it was determined that the statement need not
show a predisposition for imputation to hurt the plaintiff in the eyes of the general public.
Even while they represent a small portion of the community as a whole, their presence is
sufficient to demonstrate that the publication tends to degrade him in the eyes of a substantial,
respectable group. Mrs. Koliwala had just spoken enough to give the world the idea that
Rubal Pvt Ltd was responsible for the leak, which did result in a significant loss of income
for the firm.

[III.B] PETITIONERS’ LIABILITY TO PAY COMPENSATION

It is submitted that the Petitioner is liable to pay damages to the Respondent in lieu of the defamatory
comments made. The latin maxim ‘Ubi jus ibi remedium’, which states that where there is a wrong,
there is a remedy.

It is submitted that in the present matter, the Petitioner has made defamatory statements towards the
Respondent, and has committed a wrong, and from this wrong arises the Petitioner’s liability to
remedy the same. It is an established principle in law that in case of a wrong, a compensation is
awarded to the aggrieved party. In the case of Times Global Broadcasting Co. Ltd. and Anr. v.
Parshuram Babaram Sawant22 the court awarded Rs. 20,000 because plaintiff’s picture was
mistakenly printed in a newspaper in such a way that it gave everyone an impression that the plaintiff
was involved in an infamous global scam, which resulted in the respondent’s defamation.

Reliance is further placed on the case of Gambhirsinh R. Dekare versus Falgunibhai Chimanbhai
Patel and others23 the Hon’ble Supreme Court has ruled down that the Editor whose name is
published in said newspaper is liable for civil and criminal liability, in case the matter published is
defamatory and the petitioner was awarded compensatory damages for the same.

It is submitted that in the present case that the statements made by Mrs. Koliwala were untrue,
defamatory, and damaging for the Petitioner, pursuant to which the Petitioner has suffered serious
financial losses and lost out on potential business.

It is submitted that the Hon’ble Court take cognizance of the flagrant apathy with which the Petitioner
had made the statement in a public forum with no regard for repercussions for the Respondent and
caused serious financial damages. Thus, the Petitioner humbly urges the court to impose Exemplary
Pecuniary Damages on the Respondent as compensation towards the Petitioner.

22
2011(113) BomLR3801
23
(2013 Criminal Law Journal 1757 SC),
 PRAYER

Wherefore, in light of the facts of the case, issues raised, authorities cited and arguments
advanced, the counsel for the Respondent most respectfully submits before this Hon’ble Court
to:

1. HOLD that the present matter will not be held maintainable

2. DECLARE that the Respondent is not liable under the IT ACT and IPC.
3. PASS an order for compensation for the defamatory statements made.

AND/OR

Render any other opinion that it deems fit in the interests of

Justice, Equity and Good Conscience.

And for this, the Respondent shall forever humbly pray.