Personal Data Protection Bill & The Surveillance Framework In India
Sudhanshu Pathania
27 July 2021 9:14 AM IST
Over the past few days, online news portal The Wire along with 16 other global media organizations have revealed that over 1500 phone numbers across 10 countries have been snooped upon by using a surveillance tool 'Pegasus' made by NSO who have clarified that they sell it only to 'vetted governments. Out of these 1500 numbers, The Wire has confirmed that at least 150 were Indians who...
Over the past few days, online news portal The Wire along with 16 other global media organizations have revealed that over 1500 phone numbers across 10 countries have been snooped upon by using a surveillance tool 'Pegasus' made by NSO who have clarified that they sell it only to 'vetted governments. Out of these 1500 numbers, The Wire has confirmed that at least 150 were Indians who were potential targets of this hack.[1] This is not the first time that Pegasus has come in news, in November of 2019 WhatsApp had confirmed that a similar attempt was made to snoop over Journalists and Activists in India.[2] The government through IT minister has issued a clarification that, "only lawful interception of electronic communication is being carried out".[3] If the government has not sanctioned this, then it would amount to hacking which is a punishable offence under Section 43 of IT Act, 2000. However, the fact that NSO, the seller of Pegasus has stated that they sell this surveillance tool only to vetted governments coupled with no clear denial by the IT minister in the parliament raises a strong suspicion that the government could be involved in this snooping scandal.
Even if we give the government the benefit of doubt, yet we have been slowly moving towards a surveillance state. In 2014, in a response to an RTI to SLFC, Home Ministry disclosed that on an average 7500-9000 telephone interception orders are given each month and since then it can be safely assumed that this number must have risen.[4] With the advent of big data, it has become easier for the state to monitor citizen and at the fraction of the cost. This incident has sparked a debate for urgent reforms in the surveillance framework that gives unbridled power to the state to surveil on the citizens without any checks except those by the executive and to make state more accountable.
Puttaswamy Challenge To Surveillance
The surveillance framework in India hinges on two provisions, Sec 5(2) of the Telegraph Act and Sec 69 of the Information Technology Act 2000 and subsequent rules framed within them. They empower the state to intercept and monitor communication. This power lies with the secretary of Ministry of Home Affairs. There is a provision of oversight but that is by the executive as well instead of independent judicial oversight, which goes against the principle of Nemo judex in causa sua.
Surveillance in itself is an encroachment on personal liberties and runs amok both Art 14 and Art 19 of the Constitution. Such an intrusion has a chilling effect on the population and causes people to do self-censorship for an outside chance that the government might be listening. To put this in other words, surveillance puts psychological restraints on the citizens and impedes on intellectual privacy of people and prevents exchange of opinions which may be unpopular for the fear of consequence. The state often justifies this as a necessity for national security, however we need to remember that an unpopular opinion need not be an illegal one. In an ideal world there would be no surveillance, but such an argument is quixotic and would be facile as we live in a dangerous world where the state is tasked with providing security to its citizens. But these two competing claims needs to be balanced through checks and which is absent in the present surveillance regime.
It is not that this surveillance regime has never been challenged before, in 1997 it was challenged by People Union for Civil Liberties about how sec 5(2) of Telegram Act that enables the state to tap into telephones.[5] Supreme Court declined to strike down the provision in question and instead put in safeguards which have been ineffective. One of the safeguards was that put in by the court was that an order for phone tapping can be given only for 2 months but there is no limit on the number of such orders for a particular phone number so in theory a phone number can be tapped by the state for perpetuity and the only hindrance is a mere clerical need of a fresh order every 2 months. However, the rules which were codified later post PUCL did put a cap on total period pf interception to 180 days. The procedural safeguards would have been sufficient had court agreed to the plaintiff's demand for mandatory judicial scrutiny of every surveillance order, but court declined it on a technicality that no such provision is present in the statute. Absence of any meaningful oversight in the Telegraph Act, enabled government to enact IT Act giving the state even broader powers of digital surveillance without any prerequisite requirement of "Public Emergency" or "Public Safety" that were present in the Telegraph Act.
Another reason that Sec 5(2) of Telegraph Act survived the constitutional challenge is because it met the bare minimum standard of Maneka Gandhi[6], however this won't be enough now that privacy has been declared as a Fundamental Right by the Supreme Court in Puttaswamy v. Union of India.[7] In this case, Supreme Court not only declared Privacy as a Fundamental Right but have raised the standards to be met by the state to put restrictions on it. To better understand the test that has been laid down, we need to look at the Puttaswamy judgement as well as Puttaswamy v. Union of India (II)[8] (hereinafter written as the Aadhar Judgement to avoid confusion).
Puttaswamy has moved beyond the test of arbitrariness that was laid down in Maneka Gandhi and has laid down a stringent test that a law must pass to be considered 'fair, just and reasonable'. It said–
- The restraint must be through an enacted legislation.
- The restraint must be necessary and must serve a legitimate state aim. To access this, a three-prong test was given-
- There must be a legitimate government aim;
- The restraint must have a rational relationship to the aim;
- The restriction must be least intrusive;
- There must be proportionality between the intrusion and the state aim.
- To check abuse, there needs to be procedural guarantees in place.
From legislative backing to test of proportionality and least intrusive mode of achieving the legitimate state aim, this is a very strict standard to meet. In its very first application in the Aadhar Judgement, Supreme Court watered down the proportionality test by moving towards Professor Blichitz's test of proportionality. Under this test, a list of all alternatives had to be made and then consequently all these alternatives need to be tested as to check their ability to fulfill the state's aim as well as to check their intrusiveness. And then after completing the above exercise it needs to be checked if any of these alternatives could replace the method that state is using. Main criticism of this test is that it is very much fact oriented and calls for a balancing act at the fourth stage of test rather than asking the state to use the least intrusive method.
Nonetheless, despite this watered-down test, the current surveillance regime is so intrusive that it cannot survive it. The test calls for a list of possible alternatives, one of them could be that warrants needs to be approved by a Judicial Officer before a person could be placed under surveillance. Another possible alternative is that the person who is surveilled upon is given a notice of surveillance after cession of surveillance, this would allow them to challenge it in courts and at the same time will keep all surveillance activities of the state in public view. Another possible challenge is that there are almost negligible procedural safeguards in place and all the power is vested with the executive. This can be removed by adding a layer of judicial scrutiny. These laws have been challenged in Court by Internet Freedom Foundation and have yet to be taken up by the court. This case would be the litmus test for the proportionality principles if they become what they had promised to become or as Gautam Bhatia puts it, "becomes a rhetorical lodestar, a beautiful and an ineffectual angel, beating in the void its luminous wings in vein".
Data Protection Bill: Possibility For Surveillance Reform
Owing to increase of Indians on the internet there has been a need for a robust Data Protection law in India, post Puttaswamy the process was sped up and a committee was constituted in 2017 to deliberate on data protection framework. In July 2018 a report along with a draft bill was submitted to the government.[10] On the lines of this draft bill, Personal Data Privacy Bill[11] was made, currently it is being discussed by Joint Parliamentary Committee.[12] Although both the draft bills are steps in the right direction for protecting personal data, but both the draft bills have missed this opportunity for introducing surveillance reforms.
It was a golden opportunity to put a separate chapter in the bill that dealt with surveillance reforms and corrects the current surveillance regime by introducing judicial oversight. Instead, the Data Protection Bill that was tabled by the government has used every opportunity to create an exception for the government to access personal data. For the bill to be holistic, it needs to be applied to the state as well, but we have a bill that further extends governments' powers for surveillance.
Sec 35 of the draft bill gives the government sweeping powers to exempt any agency to from the purview of the bill, thereby giving unbridled power to the government to access personal data. In the bill drafted by Srikrishna committee had a similar exception, but the exemption could only be granted under very limited circumstance of national security and that too only based on proportionality principles. This section would give the government powers to indulge in dragnet surveillance and this section would not stand the test of proportionality as has been laid in Puttaswamy.
Another problematic provision in the bill is Sec 91(2) which allows the government to direct data fiduciaries to share anonymized personal and non-personal data. This seemingly innocuous provision can upend all the positive work done previously in the bill to protect data privacy as research has shown that it is not difficult to deanonymize this data when combining it with various data points and in such a scenario there is no recourse available with the person whose personal data has been deanonymized as there are no safeguards built in this provision.[13] Lack of any judicial member in the Data Protection Authority further dilutes this bill.
However, not all is lost yet and as this bill still is under consideration and all the above mentioned lacunas can be addressed if a separate chapter on Surveillance and Interception is introduced and following basic principles are present to it.
- All provisions that apply to data fiduciaries should apply to the state as well.
- Any act of surveillance and interception to be authorized by a competent authority with Judicial oversight.
- There shall be limited duration of interception
- After cessation of surveillance, the person under surveillance to be duly informed.
- Destruction of intercepted communication after a specific time.
- Bar on surveillance except under the provisions of this chapter.
Unless massive reforms are done, we are well on our way to become an Orwellian state as is shown by Pegasus reports. Without any Judicial oversight, the current surveillance regime gives carte blanche to the state to put anyone under surveillance without any consequence. Puttaswamy has given us multiple dimensions of privacy to engage with impact of surveillance and has given us a framework to challenge these surveillance structures. In the present essay I have attempted to give ways to tear down the current surveillance regime and build a new one using Personal Data Protection law that is based on principles of 'necessity', 'proportionality' and 'Due process'. The law in its current state is egregious and if passed would add another panopticon in the sky.
Author is a PhD scholar at NALSAR Hyderabad. Views are personal.
[1] Pegasus Project: 136 Names Revealed By The Wire On Snoop List So Far, Available At https://thewire.in/rights/project-pegasus-list-of-names-uncovered-spyware-surveillance , Visited on July 21 2021
[2] WhatsApp hack: Pegasus scandal highlights India's self-destructive lack of oversight over its intelligence services, Available At https://www.firstpost.com/india/whatsapp-hack-pegasus-scandal-highlights-indias-self-destructive-lack-of-oversight-over-its-intelligence-services-7584271.html Visited on July 21 2021
[3] Full text: Government's response on Pegasus Project Available At, http://timesofindia.indiatimes.com/articleshow/84531197.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst Visited on July 21 2021
[4] Reply from MHA, Available at https://sflc.in/sites/default/files/wp-content/uploads/2014/09/RTIreply_MHA_419A.pdf Visited on July 21 2021
[5] PUCL v Union of India ,(1997) 1 SCC 301
[6] Maneka Gandhi v. Union Of India, (1978) 2 SCR 621
[7] Puttaswamy v. Union Of India, (2017) 10 SCC 1.
[8] Puttaswamy v. Union Of India, (2019) 1 SCC 1.
[9] Gautam Bhatia, 'The Privacy Judgement', in DISSENT ON AADHAR 149 (1st ed 2019).
[10] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, Available At, https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf Visited on July 21 2021
[11] Personal Data Protection Bill, 2019, Available At, http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf Visited on July 21 2021
[12] Joint Committee on the Personal Data Protection Bill, 2019, Available At http://loksabhaph.nic.in/Committee/CommitteeInformation.aspx?comm_code=73&tab=1 Visited on July 21 2021
[13] Researchers Spotlight the lie of 'Anonymous Data', Available At, https://techcrunch.com/2019/07/24/researchers-spotlight-the-lie-of-anonymous-data/ Visited on July 21 2021.