Karnataka High Court
Ramaditya Tiwari vs Canara Bank on 25 November, 2024
-1-
NC: 2024:KHC:47970-DB
WP No. 28476 of 2024
with I.A No.2/2024
IN THE HIGH COURT OF KARNATAKA AT BENGALURU
DATED THIS THE 25TH DAY OF NOVEMBER, 2024
PRESENT
HE HON'BLE MR. N. V. ANJARIA, CHIEF JUSTICE
AND
THE HON'BLE MR. JUSTICE K. V. ARAVIND
WRIT PETITION NO. 28476 OF 2024 (GM-RES-PIL)
BETWEEN:
1. RAMADITYA TIWARI
ADULT, INDIAN INHABITANT
R/AT NO.905, 9TH FLOOR
TOWER 25, PARAS TIEREA
SECTOR 137, NOIDA
UTTAR PRADESH - 201 305
...PETITIONER
(BY SRI DHYAN CHINNAPPA, SENIOR ADVOCATE A/W
SRI ADITYA CHATTERJEE, ADVOCATE)
AND:
Digitally 1. CANARA BANK
signed by A GOVERNMENT OF INDIA UNDERTAKING
AMBIKA H B HEAD OFFICE AT
NO.112, JC ROAD
Location: BENGALURU - 560 002
High Court
of Karnataka ALSO AT
1ST FLOOR, NAVEEN COMPLEX
14, M. G. ROAD
BENGALURU - 560 001
REPRESENTED BY ITS
AUTHORISED SIGNATORY
...RESPONDENT
(BY SRI S.S NAGANAND, SENIOR ADVOCATE A/W
SRI VIKRAM UNNI RAJAGOPAL, ADVOCATE)
-2-
NC: 2024:KHC:47970-DB
WP No. 28476 of 2024
with I.A No.2/2024
THIS WRIT PETITION IS FILED UNDER ARTICLE 226 OF THE
CONSTITUTION OF INDIA PRAYING TO ISSUE A WRIT IN THE
NATURE OF CERTIORARI, OR ANY OTHER APPROPRIATE WRIT,
ORDER AND/OR DIRECTION QUASHING THE REQUEST FOR
PROPOSAL FOR "SELECTION OF VENDOR FOR PROCUREMENT,
PERSONALIZATION, DISPATCH, TRACKING AND MANAGEMENT
SERVICES OF EMV CARDS (CONTACT CARDS AND DUAL
INTERFACT CARDS INCLUDING NCMC) AND WEARABLES FOR
CANARA BANK" ISSUED BY THE RESPONDENT BEARING RFP
NO.GEM/2024/B/5182298, DATED 19/07/2024 (ANNEXURE-A) WITH
EXPRESS STIPULATION FOR MANDATORY COMPLIANCE WITH
THE INFORMATION TECHNOLOGY ACT, 2000 (AS AMENDED TILL
DATE) AND THE INFORMATION TECHNOLOGY (REASONABLE
SECURITY PRACTICES AND PROCEDURES AND SENSITIVE
PERSONAL DATA OR INFORMATION) RULES, 2011 OR IN THE
ALTERNATIVE AND ETC,.
THIS PETITION, COMING ON FOR ORDERS, THIS DAY,
JUDGMENT WAS DELIVERED THEREIN AS UNDER:
CORAM: HON'BLE THE CHIEF JUSTICE MR. JUSTICE
N. V. ANJARIA
and
HON'BLE MR JUSTICE K. V. ARAVIND
ORAL JUDGMENT
(PER: HON'BLE THE CHIEF JUSTICE
MR. JUSTICE N. V. ANJARIA)
This petition was filed in the nature of public interest litigation
praying to set aside the Request For Proposal (RFP) dated
19.07.2024 which was for "Selection of Vendor for Procurement,
Personalization, Dispatch, Tracking and Management Services of
EMV Cards (Contact Cards and Dual Interface Cards including
NCMC) And Wearables for Canara Bank".
NC: 2024:KHC:47970-DB
2. The main plank of grievance raised by the public interest
petitioner is that the tender contract which was going to be
executed by the respondent-Canara Bank would be non compliant
of the provisions of the Information Technology Act, 2000 and the
Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules,
2011, to further submit that it would lead to breach of privacy in
respect of the banking data of the customers who deal with the
bank and therefore, against public interest.
3. At the time of initial hearing, after considering the rival
submissions, the Court had occasion to pass order on 25.10.2024,
the relevant part thereof is extracted herein,
"2. The subject matter grievance involved in this
public interest petition raises an important issue
about the protection of personal data and banking
details of customers of the Bank inasmuch as it is
the case of the petitioner that in floating the
Request For Proposal (RFP) for "Selection of
Vendor for Procurement, Personalization,
Dispatch, Tracking and Management services of
EMV Cards (Contract Cards & Dual Interface
Cards including NCMC) and Wearables for Canara
Bank" issued by the respondent-Canara Bank on
19.07.2024 does not contain the stipulations for the
mandatory compliances of the provisions of the
Information Technology Act, 2000 and the
Information Technology (Reasonable Security
NC: 2024:KHC:47970-DB
Practices and Procedures and Sensitive Personal
Data or Information) Rules, 2011.
3. In other words, the case and the grievance is
that in not incorporating and in not providing for the
requirement of compliance of the aforesaid statutory
provisions relating to protection of personal data, the
entire aspect of safety of such personal data has
been discarded and is given a go-by, by the
respondent-bank.
3.1 The petitioner happens to be a practicing
advocate. It is stated that he appears in different
courts and tribunals and that he carries interest in
data privacy laws. He is stated to be a public spirited
individual. While researching and working on legal
issues on data privacy and protection in connection,
the petitioner came to know about the said RFP
issued by the respondent-Bank, which has omitted
any reference to the binding statutory data privacy
provisions. It is stated that having come to know
about the same, the petitioner was led to file the
present public interest petition.
4. Learned Senior advocate for the petitioner
invited attention of the Court to Section 43A, more
particularly, Explanation (ii) and (iii) of the said
Section of the Information Technology Act, 2000.
The said sub-clauses conceptualises and defines the
"Reasonable Security Practices And Procedures" and
"Sensitive Personal Data Or Information". It was
submitted that incorporation of those stipulations in
the tender of such nature is mandatory, but according
to the petitioner, the same has been completely
disregarded and discarded by the respondent-Bank.
4.1 Further relied on was Rule 3 of the
aforementioned Rules. The said Rules deals with
Sensitive Personal Data Or Information and such
sensitive personal data or information would inter alia
include financial information such as Bank account or
NC: 2024:KHC:47970-DB
credit card or debit card or other payment instrument
details as well as Biometric information, along with
other kinds of information mentioned in Clauses (i) to
(viii) of the Rules. Also pressed into service in
support of the submission was Rule 4 dealing with
body corporate to provide policy for privacy and
disclosure of the information.
4.2 Learned Senior Advocate further submitted
that the tender document of the respondent-Bank in
its paragraph 19 under the title "Protection of Data"
mentions in sub-paragraph 19.4 that the service
provider/vendor/bidder shall comply with the
guidelines issued by the regulatory bodies on Digital
Data Protection Act, 2023 and to submit that this
statute has not been brought in to force, yet the
Canara Bank has proceeded to mention it for its
compliance. Be that as it may.
4.3 A copy of tender document issued by the
State Bank of India to submit with juxtaposition that
all banks provide scrupulously for data privacy
statutory compliances while issuing the tenders of
such kind.
4.4 Learned Senior Advocate for the petitioner
submitted that the tender process is already
underway and that if the credit cards or debit cards
are permitted to be dealt with by the proposed service
provider, it will have the effect of revealing the
sensitive personal banking data of the customers.
4.5 On the other hand, learned Senior Advocate
for the respondent-Bank questioned locus standi of
the petitioner that he is a busybody. It was then
submitted that the RFP was floated as back as on
19.07.2024 and thereafter steps have been
exhausted in the process of tender, that technical bid
was opened on 11.09.2021 and the evaluation is also
finalised on 15.10.2024. He submitted that reverse
action process is being undertaken, at the end of
NC: 2024:KHC:47970-DB
which the bidder would be selected. He orally
submitted on merits that there is no leakage of data in
the process inasmuch as the information would be in
encrypted form, which none would be able to read.
5. The Court is not impressed with the
submission of learned Senior Advocate for the
Canara Bank about the locus of the petitioner. The
petitioner will have the locus standi in the capacity of
an advocate to flag the issue which are arising or
potent to be arising from the process of inviting
tender by the Bank for the manufacturing of credit
and debit cards which allegedly having the effect as
above.
5.1 On merits, the submission of learned Senior
Advocate for the Bank is noted without expressing
any opinion on the merits thereof. However, the bank
is directed to place on record its stand by filing a
detailed affidavit to meet with the case and the
allegations in the present public interest petition.
5.2 As to the request of the petitioner regarding
grant of interim order, it was vehemently contended
by learned Senior Advocate for the respondent-Bank
by filing statement of submissions, that the
respondent-Bank had already spent substantial time,
efforts and money on the present RFP which pertains
to procurement of cards, which will be used by the
Banks to the customers to conduct transactions. It
was submitted that any interference at this stage
would affect the smooth functioning of the operations
of the Banks.
5.3 It cannot be gainsaid that if the case of the
public interest petitioner is found to have substance in
its ultimate analysis, it will have a serious and
cascading effect on the data privacy rights of the
customers of the bank. Protection of the data of the
nature which would be included in the debit or credit
cards, the banking details and any other such data is
NC: 2024:KHC:47970-DB
necessary limb of right to privacy under Article 21 of
the Constitution. In an appropriate case, it has to be
protected. The Court is to decide as to whether the
action complained of in the petition will have the
effect of breach of such rights.
5.4 It could not be overlooked that tender process
had started in July 2024 and it has progressed
considerably. Therefore, the Court is not inclined to
hold or arrest the tender process.
5.5 At the same time, as noted above, the issues
are of seminal importance about the protection of
privacy data and privacy rights on that score of the
bank customers, who would be lakhs in numbers.
The petitioner has seriously complained of about the
breach of statutory provisions in that regard in the
floating of the tender by not incorporating the
requisite statutory stipulation. Therefore, in course of
hearing and dictation of the order, specific query was
put to learned Senior Advocate for the Canara Bank
as to within what time the reverse tender process
would be over and within what time there is likelihood
of selection of final bidder.
6. In response to these queries of the Court,
initially, learned Senior Advocate stated that he is not
able to precisely tell about the time limit within which
the process are over to culminate into the award of
the contract since the decision is to be taken by E-
Data Market Place.
7. In light of the above operative facts and the
circumstances obtained from the rival submission
made, the following order is passed.
(i) There shall be notice to the respondent-Bank
returnable on 14.11.2024.
(ii) The respondent-Bank shall file its reply to the
present petition dealing with the merits.
NC: 2024:KHC:47970-DB
(iii) The process initiated pursuant to the Request
For Proposal/Tender dated 19.07.2024 bearing
No.GEM/2024/B/5182298 may continue, if the bank
so opts.
(iv) If the tender process is continued, it is
provided and directed that the respondent-Bank shall
not award the final contract and shall not finalise the
contract without the approval of the Court.
(v) This interim order shall operate till the next date
subject to further orders which may be passed by the
court."
3.1 After the aforesaid order, the petition was adjourned from
time to time.
3.2 When the petition comes up for consideration today, the
record of the petition accompanies an application being I.A.No.2 of
2024 filed by the respondent-Canara Bank, whereby the
respondent-Bank has produced on record the revised draft of the
Contract Agreement which would be executed with the successful
bidders.
3.3 It is stated in the interim application that the draft contract
agreement clearly provides that the vendor/service providers shall
ensure compliance with any modifications/changes in the
applicable law and the contract shall be subject to applicable law.
NC: 2024:KHC:47970-DB
It is sought to be highlighted that the RFP already contained
various detailed clauses regarding security and protection of data.
3.4 It is further stated that,
"... However, having regard to the contentions
raised by the Petitioner and the order dated
25.10.2024 passed by this Hon'ble Court, the
Respondent Bank has made suitable modifications
to the Draft Contract Agreement by requiring
specific compliance with the provisions of the
Information Technology Act, 2000 and the
Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal
Data or Information Rules), 2011. Copy of the
revised draft of the Contract Agreement is produced
herewith as Annexure-1."
3.5 The respondent-Bank has further stated that the reverse
auction process has concluded on 25.10.2024 and as per the
clause of the RFP, the award of the contract is likely to be given to
the three service providers in the ratio 50:30:20 among L1, L2 and
L3. It is stated that three bidders named, M/s. Versatile Card
Technology Private Limited, M/s Madras Security Printers Private
Limited and M/s. IN-Solutions Global Limited have been selected in
that order as successful bidders. A specimen copy of the draft
contract agreement is produced on record along with the
application at Annexure-1.
- 10 -
NC: 2024:KHC:47970-DB
4. Learned Senior Advocate Mr. S.S. Naganand invited
attention of the Court to certain Clauses which are now
incorporated in the draft supplementary agreement.
5. Clause 23.4 ensures that there would be compliance of all
applicable laws including the provisions of the Information
Technology Act, 2000. It reads as under,
"Vendor/Service Provider shall ensure compliance
with all applicable law in relation to the services
under this agreement, including but not limited to
the Information Technology Act, 2000 and Rules
thereunder concerning or in relation to rendering
of Services of by Vendor/Service Provider and
any modifications/ changes in the applicable Law
by Legislators and/or regulators during the
currency of the agreement."
5.1 As per clause 23.5, the compliance of Data Protection Laws
is mandated for the services providers,
"Vendor/Service Provider shall comply with all
Data Protection Laws applicable in relation to the
services under this agreement and shall ensure
that any data provided by the Party under this
Agreement is treated as confidential."
5.2 The idea of "Data Protection Laws" is given in clause 23.6,
"For the Purpose of this clause, "Data Protection
Laws" means all directives, statutes, regulations,
orders, decrees, decisions, or any other like legal
- 11 -
NC: 2024:KHC:47970-DB
instrument (whether enacted in India or any other
relevant jurisdiction) which pertain to the protection
of privacy and confidentiality of Personal Data
including Digital Data Protection Act, 2023 (upon
its provisions being notified) along with Rules
framed thereunder as well as Information
Technology Act, 2000, along with Rules framed
thereunder and specifically, the Information
Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or
Information) Rules, 2011, as amended from time to
time."
5.3 Learned Advocate Mr. Aditya Chatterjee appearing for
learned Senior Advocate Mr. Dhyan Chinnappa however insisted
that the supplementary agreement now proposed though takes into
consideration compliance of the provisions of the Information
Technology Act, 2020 by the services providers, the agreement
does not contain data processing agreement.
5.4 The Court finds that in the draft agreement, a specific clause
is provided regarding Data Process Agreement, which is clause 24
"Vendor/Service Provider shall be required to
execute Data Processing Agreement as per the
format furnished in Annexure ..... that complied
with requirements of the current legal framework
in relation to data processing and with the
Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to
the processing of personal data and on the free
movement of such data and repealing Directive
- 12 -
NC: 2024:KHC:47970-DB
95/46/EC (General Data Protection Regulation)
and any other data protection and privacy laws
applicable to the Services.
Once the provisions of the Digital Data Protection
Act, 2023 are notified, Vendor/service Provider
shall be required to execute an addendum to Data
Processing Agreement that complies with the
legal provisions envisaged under the Digital Data
Protection Act, 2023."
5.5 Not only that, all the 3 successful bidders L1, L2 and L3,
above named, have filed their affidavits identically worded which
read as under,
"I state that the modifications to the Draft
Contract Agreement requiring specific
compliance with the provisions of the Information
Technology Act, 2000 and the Information
Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or
Information Rules), 2011, are acceptable to M/s
Madras Security Printers Pvt Ltd. I state that
M/s Madreas Security Printers Pvt Ltd would
comply with all applicable laws including but not
limited to Technology Act, 2000 and the
Information Technology (Reasonable Security
Practices and Procedures and Sensitive
Personal Data or Information Rules, 2011."
6. In view of the above, the Court is of the view that nothing
further would survive in this public interest petition, the contentions
sought to be raised by the petitioner, even after the above
developments, would amount to hair-splitting the issues and the
- 13 -
NC: 2024:KHC:47970-DB
clauses of the agreement, which shall not to be undertaken by the
Court.
6.1 The Court is satisfied that this public interest litigation is no
longer required to be continued.
7. The writ petition is disposed of accordingly.
In view of disposal of the petition, the interlocutory
application, would not survive and it stands accordingly disposed
of.
Sd/-
(N. V. ANJARIA)
CHIEF JUSTICE
Sd/-
(K. V. ARAVIND)
JUDGE
AHB
