An article exploring the Legal Development of State’s Right to Intercept Personal Data.

Introduction

The Indian State has always had the upper hand when dealing with private communication (i.e. communication between private entities not intended for public consumption or interference). Despite maturing into a democracy, the fondness of the Indian state to revert back to colonial methodology does not seem to have diminished, aided to an extent by inadequate legal protections and redressal mechanisms along with an indifferent citizenry. The Indian state did not even accept the idea that the right to privacy was fundamental to human existence until the intervention of the Supreme Court.

This article explores the intersectionality between the Indian State’s power and proclivity to interfere with and intercept private communication, and the legal concepts and mechanisms which are intrinsically tied-in with such concepts. The article will also examine the current status quo, with specific focus on the adequacy of the Personal Data Protection Bill, 2019 and conclude with the way forward in that regard.

An enduring legacy of India’s colonial past has been the continued existence of laws and statutes drafted during British imperialism, well past independence…the proclivity towards these laws still persists, as does the corresponding British-era mind-set which still pervades through the Indian psyche…

(Law Commission of India 1957)

Historical-Legal Background

An enduring legacy of India’s colonial past has been the continued existence of laws and statutes drafted during British imperialism, well past independence (Law Commission of India 1957). Despite many of these laws having deleterious effects on the Indian economy and polity (Tripathi 1996), the proclivity towards these laws still persists, as does the corresponding British-era mind-set which still pervades through the Indian psyche governance, administration, morality and control over State machinery.

One of the first examples of the affinity of the Government to interfere with private correspondence between individuals was the Indian Post Office Act, 1898. Section 25 of this Act empowered the Government to intercept notified goods during transmission by post. This section also empowered the Government to open and search any goods which were ‘in the course of transmission’. Section 26 of the said Act went one step further, allowing the Government to intercept goods on the grounds of public emergency, interest of the public safety or tranquillity. Conveniently, the said section also allowed the State/Central Government to define the extent of these terms meaning that the State/Central Government could classify any situation as a public emergency, or an issue of public safety or tranquillity, and accordingly intercept correspondence.

This legal connivance sets the tone for the rest of the discussion in this article.

On the technological front, the springboard for the modern system of Government interception and surveillance was the Telegraph Act, 1885. Although the main object of the Telegraph Act was to give power to the Government to install telegraph lines on private and public property, the current interpretation of the Act shows just how far and how easily the Government has extended its reach into the private domain. Section 5 of this Act, as it stands today, empowers the Government to intercept messages in case of a public emergency, or in the interest of public safety, for protecting “interests of the sovereignty and integrity of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence“. Clearly, the above definition covers a myriad of circumstances and can be used to justify interceptions in almost any scenario, even with the in-built safeguards. The fact that this section is still used to justify and validate surveillance (Telegraph 2019), even in the digital era, should be of no surprise.

Modern Era

Over the years, the Telegraph Act was repeatedly amended to account for advances in technology. As mentioned earlier, Section 5 allowed the Government to intercept messages in almost any given circumstance. Only the intervention of the Supreme Court in People’s Union for Civil Liberties (PUCL) v. Union of India[1] managed to temper the appetite of an increasingly authoritarian Government. In fact, the guidelines for interception laid down in PUCL directly resulted in amendments to the corresponding Telegraph Rules, 1951[2], which then sought to lay down established legal procedure for intercepting communication.

Apart from the Telegraph Act, general criminal laws also provided sufficient scope for the Government to intercept private communication. Section 91 of the Criminal Procedure Code, 1973 (CrPC), allowed a Court/police officer to require the production of any document or ‘other thing’ for an investigation, inquiry, trial or any other proceeding under the CrPC. This provision has often been used in respect of coercive and penal action taken in the digital space. Prohibitory orders under Section 144 CrPC have also been used in conjunction with other rules/laws to track private communication (Agarwal 2019). Even special criminal laws, like the Unlawful Activities Prevention Act, 1967, allowed for the admissibility of evidence collected through interception of wire, electronic or oral communication. The Maharashtra Control of Organised Crime Act, 1999 is another example of a special criminal act which empowered the Government to intercept electronic or oral communication of a person suspected of committing a crime under the said Act.

The first modern legislation to specifically engage with the digital ecosystem was the Information Technology Act, 2000 (for short ‘the IT Act’). Unsurprisingly, several provisions of this Act enabled the Government to intercept and view personal communication.

The first modern legislation to specifically engage with the digital ecosystem was the Information Technology Act, 2000 (for short ‘the IT Act’). Unsurprisingly, several provisions of this Act enabled the Government to intercept and view personal communication. Section 28 empowered Government officials investigating contraventions under the Act to access any electronic data. Section 29 allowed the Government to access computers and the data thereon if a reasonable cause existed to suspect contravention of the Act. Since there was no framework for the access of computers and data within this Section, Section 29 could very easily and wrongfully be invoked to access private user information (Software Freedom Law Centre 2015). Section 69 (which was based on Section 5 of the Telegraph Act) allowed the Government to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource. This was shorthand for conducting surveillance (Software Freedom Law Centre 2019). Even the scope for intercepting under Section 69 – on grounds of the interest of sovereignty, integrity or defence of India, security of the State, friendly relations with foreign States, public order, enhancing cyber security etc. – was vastly inflated as compared to Section 5 of the Telegraph Act.

Section 69B of the IT Act was even more insidious, since it allowed for interception of “traffic data or information” (i.e. metadata, providing information about other data). Metadata has been shown to be just as critical as data, if not more, in helping governments conduct large-scale surveillance. Similarly, multiple Rules created under the IT Act also enhanced the Government’s capability to intercept and monitor digital information[3]. Just as in the case of the Telegraph Rules, the PUCL judgment also resulted in procedural changes to the IT Act[4] (Ramachandran 2014).

Puttaswamy Judgments

[In Puttaswamy] the larger discussion began revolving around the need for robust data protection. This conversation was hastened by the introduction of Aadhaar, more crucially, the regular and serious leaks of citizens’ data which flowed from Aadhaar…

The IT Act had a direct effect on the increase in surveillance and interception of private communication, and also precipitated a shift towards digital infrastructure. In that context, the larger discussion began revolving around the need for robust data protection. This conversation was hastened by the introduction of Aadhaar, more crucially, the regular and serious leaks of citizens’ data which flowed from Aadhaar and other public infrastructure. By some estimates, more than a billion records were leaked from the Aadhaar database in 2018 alone (Business Line 2018) and continued to leak at alarming rates even thereafter (Firstpost 2019). Inevitably, a legal challenge arose to the constitutionality of the Aadhaar infrastructure. In the same case, and as a precursor to deciding the validity of Aadhaar, the Supreme Court had the opportunity to decide on an issue of immense Constitutional and jurisprudential importance, namely, whether the right to privacy was a fundamental right. Thus, in Justice Puttaswamy v Union of India[5] (‘Puttaswamy 1’) the Supreme Court upheld the right to privacy as a fundamental right. In Puttaswamy 1, the Court went into great detail about various aspects of privacy, which would have a corresponding effect on the eventual decision on Aadhaar, as well as other aspects of data.

This judgment elaborated on the concept of digital privacy, and interestingly, also analysed the classification of data, including ‘personal’ and ‘confidential’ data. This jurisprudence set the foundation for the decision in the second Justice Puttaswamy v Union of India & Ors. case  (‘Puttaswamy 2’) where the Court upheld the validity of Aadhaar, but struck down certain sections, including Section 57 which allowed private entities to use Aadhaar for verification purposes of individuals, as violative of the right to privacy. The Court also espoused principles of data protection, including data minimisation, security and retention, while determining the legality of Aadhaar vis-à-vis the right to privacy.

Both the Puttaswamy judgments played a significant role in India’s jurisprudential journey towards data protection.

Srikrishna Committee

The Government had been avoiding its obligation to provide a Data Protection law for the longest time. But in light of the challenges made to Aadhaar, the Government found itself backed into a corner. The Srikrishna Committee, set up in July 2017, was given the mandate to create a foundation for data protection in the country. With the passage of Puttuswamy 1 and 2, this foundation was supplemented by judicial pronouncement. Amongst other literature, the Committee was also influenced by the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (2013). These guidelines, inter alia, directed Member countries to remove or avoid creating, unjustified obstacles to transborder flows of personal data, to co-operate in the implementation of such Guidelines and to agree on specific procedures of consultation and co-operation for the application of such Guidelines.

The Draft Bill [2018] had certain limited checks and balances against surveillance and interception by the Government…criticism flew fast and thick that the Draft Bill [2018], for the most part, had practically ignored the threat of Government interception and surveillance…sensitive information like passwords, genetic data, and even financial data could be accessed, without consent, in certain instances like breakdown of public order…

A draft bill was published by the Srikrishna Committee in July 2018 (‘the Draft Bill’). The Draft Bill was made applicable to processing of personal data within the territorial limits of India, by an Indian (State, citizen, or company incorporated in India), in connection with any business carried on in India where goods or services were offered to people in India. The Draft Bill also envisaged a Data Protection Authority of India (‘DPAI’) and a new Appellate Tribunal where decisions against DPAI could be appealed. The Draft Bill had certain limited checks and balances against surveillance and interception by the Government which, although insufficient, were nevertheless a positive step. This included defining surveillance as a ‘harm’ which was not reasonably expected and which directly or indirectly restricted speech, movement or any other action (Section 2) and classifying certain behaviours as offences – such as obtaining, transferring or selling personal data (Sections 90 and 91), re-identification of personal data that has been de-identified (Section 52) amongst others. Criticism flew fast and thick that the Draft Bill, for the most part, had practically ignored the threat of Government interception and surveillance (Software Freedom Law Centre 2018). In fact, the Draft Bill was so loosely worded on the issue of ‘informed consent’ while sharing data that the DPAI could allow processing of personal data (for purposes including prevention and detection of unlawful activity, whistleblowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, in times of breakdown of public order etc.) without consent. This meant that sensitive information like passwords, genetic data and even financial data could be accessed, without consent, in certain instances like breakdown of public order (Sections 12, 15, 16, 17 and 21).

Personal Data Protection Bill, 2019

The final version of the Draft Bill, after being subjected to Ministerial scrutiny, was ready in December 2019 and introduced in Parliament as the Personal Data Protection Bill, 2019, (‘the Bill’). While introducing the Bill in the Lok Sabha, the Minister of Information and Technology rejected the concerns raised by other members of the House on surveillance and privacy, proclaiming that data was important for development of the economy (Lok Sabha 2019). Amongst other things, the Bill gave several crucial definitions on types of data (personal, sensitive personal and critical[7]). It stipulated that all “sensitive personal data” be stored in India and that “critical personal data” not be transferred out of India. The Government was empowered to compel businesses to share non-personal data. Businesses were also compelled to protect data by acquiring consent from users on whether they objected to their data being collected, keeping in mind privacy-by-design principles. Users have the right to control their data, including the right to be forgotten, and are also empowered to withdraw such consent if and when they desired.

The chief culprit [against Right to Privacy] was Section 35 of the Bill [2019], which empowered the Central Government to exempt any agency of the Government from application of the Bill, in the interest of sovereignty and integrity of India…

These positive steps however belied the lack of care taken towards protecting privacy and preventing surveillance. The chief culprit was Section 35 of the Bill, which empowered the Central Government to exempt any agency of the Government from application of the Bill, in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order or for preventing incitement of any cognizable. The only oversight in such instance was left to the whims of the State. The Government got to decide what kind of safeguards it would impose in the future. One cyber security expert commented, ‘Section 35 puts power in the hands of the central government and specifically made it a party, judge and adjudicator of its own cause’ (quoted in Business Today 2019). In comparison, Section 42 of the Draft Bill expressly prohibited processing of personal data in the interests of the security of the State, unless authorised by law and in accordance with procedure established by such law, and unless such processing was necessary for, and proportionate to, the interests being achieved. This safeguard of procedure, and requirement for authorisation by law, was completely missing from the Bill.

Another bone of contention was the vast scope of powers handed to the DPAI by the Bill. Section 94 empowered the DPAI to make regulations consistent with this Act. Unlike other statutes which limited such kinds of powers to procedural aspects, the scope of power afforded to the DPAI by the Bill included crucial legislative powers like determining the manner in which personal data retained by the data fiduciary had to be deleted, safeguards for protecting the rights of data principals, the manner of submission of privacy by design policy, the circumstances or classes of data fiduciaries where data protection impact assessments had to be made, and even in defining critical personal data. Each one of these aspects was a substantive and crucial aspect of data protection and power to legislate over the same should ideally have rested with the legislature, not a delegated authority, since the legislature was directly accountable to the people whereas the DPAI was accountable to the Executive.

The Bill also allowed a copy of sensitive personal data to be retained in India. This drew heavy criticism since the purpose of data localisation was to provide access of such data to law enforcement and mandatorily keeping a copy within Indian jurisdiction only served to assist the Indian Government, neither the citizen nor the judiciary. Per contra, the Draft Bill subjected sensitive personal data to a tight regulatory mechanism, like explicit consent, contractual clause, and approval of DPAI and central government permission, all of which was missing from the Bill.

Conclusion and Way Forward

History has shown us that Governments cannot be trusted with wide discretion. Greater the power, the greater the tendency to abuse it. The only way forward is to ensure that the interception process envisaged in Section 35 [Personal Data Protection Bill, 2019] is subject to judicial oversight.

In the immediate aftermath of the introduction of the Bill, Justice Srikrishna termed the Bill as ‘dangerous’, with the potential to turn India into an Orwellian State. His primary grouse was the removal of safeguards around accessing private data. This meant that the government could access private data or government agency data on grounds of sovereignty or public order, whereas Justice Srikrishna was clear on having judicial oversight over government access (Mandavia 2019).

Since surveillance and interception of private communication is here to stay, the balance which must be struck is between safety and security on one hand and fundamental and human rights on the other. Taking a cue from Justice Srikrishna, the need of the hour is to reduce the scope for government discretion in initiating surveillance. History has shown us that Governments cannot be trusted with wide discretion. Greater the power, the greater the tendency to abuse it. The only way forward is to ensure that the interception process envisaged in Section 35 is subject to judicial oversight. Similar to oversight mechanisms provided in other legislations, any attempt to intercept communication, directly or indirectly, must get approval from a district magistrate, at the very least, and at the High Court level in cases of intrusion on fundamental rights. Greater stakeholder involvement will also be required as the Bill passes through the legislative process.

(Currently pursuing his Master’s in Public Policy at NLSIU, Neel is a qualified advocate, having practised before the Bombay High Court and has also been a Law Clerk in the Supreme Court of India. His areas of interests include the intersectionality of law, governance and policy, Constitutionalism, and societal and ecological inequality. In his spare time, Neel enjoys quizzes, debates, classical music and the theatre. Neel can be reached at neeldsouza@nls.ac.in)

Notes:

[1] (1997) 1 SCC 301

[2] Amended Rule 419-A lays down an extensive procedure by which Government can intercept messages/class of messages between persons.

[3] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; Information Technology (Intermediaries Guidelines) Rules, 2011; Information Technology (Guidelines for Cyber Cafe) Rules, 2011 etc.

[4] Using its power under the IT Act, to make Rules, the Government passed The ‘Safeguards for Interception, Monitoring, and Decryption of Information Rules, 2009’ in the aftermath of the PUCL judgment.

[5] Judgment dated 24^th August, 2017 in Writ Petition (Civil) No. 494 of 2012

[6] The Supreme Court reproduced this table in Puttuswamy 1 from a 2017 article titled “A Typology of privacy” by Bert-Jaap Koops & Ors. The full citation for the article is: Jan-Koops, Bert et al. 2017. “A Typology of Privacy”, University of Pennsylvania Journal of International Law, Vol. 38 Issue 2. pp.566

[7] Critical personal data’s ambit is yet to be defined. It will be notified through subsequent rules.

References

Aggarwal, Nikhil. 2019. ‘Section 144 in Bengaluru today: Police keeping a tab on every social media post’. Livemint (Bengaluru), 20th December, 2019. (https://www.livemint.com/news/india/section-144-in-bengaluru-today-police-keeping-a-tab-every-social-media-post-11576814599582.html) (accessed on 20th May, 2020).

Business Line. 2018. Editorial: ‘1 bn Records Compromised in Aadhaar Breach since January: Gemalto’. 20th October, 2018. (https://www.thehindubusinessline.com/news/1-bn-records-compromised-in-aadhaar-breach-since-january-gemalto/article25224758.ece) (accessed on 21st May, 2020.

Business Today. 2019. ‘Personal Data Protection Bill 2019: Unrestrained Power to Central Government May Undermine Privacy’. 17th December, 2019. (https://www.businesstoday.in/current/policy/personal-data-protection-bill-2019-central-government-power-may-undermine-privacy-of-citizens-people/story/392186.html) (accessed on 15th May, 2020).

Firstpost. 2019. Editorial: ‘Aadhaar Data Leak: Details of 7.82 cr Indians from AP and Telangana Found on IT Grids’ Database’. 15th April, 2019. (https://www.firstpost.com/india/aadhaar-data-leak-details-of-7-82-cr-indians-from-ap-and-telangana-found-on-it-grids-database-6448961.html) (accessed on 21st May, 2020).

Mandavia, Megha. 2019. ‘Personal Data Protection Bill can turn India into ‘Orwellian State’: Justice BN Srikrishna’. Economic Times. 12th December, 2019. (https://economictimes.indiatimes.com/news/economy/policy/personal-data-protection-bill-can-turn-india-into-orwellian-state-justice-bn-srikrishna/articleshow/72483355.cms) (accessed on 23rd May, 2020)

Tripathi, Dwijendra. 1996. ‘Colonialism and Technology Choices in India: A Historical Overview’. The Developing Economies. Volume XXXIV-1. pp.1.

Law Commission of India. 1957. ‘Fifth Report on British Statutes Applicable to India’, (http://lawcommissionofindia.nic.in/1-50/Report5.pdf) (accessed on 29th May, 2020).

Lok Sabha. 2019. ‘Synopsis of Debates (Proceedings other than Questions & Answers)’. 11th December, 2019. (http://cms.neva.gov.in/FileStructure_LS/Notices/ceb7e6f9-2767-4aac-85a0-c2a07262d89d.pdf) (accessed on 25th May, 2020).

Ramachandran, Chaitanya. 2014. ‘PUCL v. Union of India Revisited: Why India’s Surveillance Law Must Be Redesigned for the Digital Age’. NUJS Law Review. Vol. 7. pp.105.

Software Freedom Law Centre. 2015. ‘Freedom in the Net’. (https://sflc.in/indias-surveillance-state-other-provisions-of-law-that-enable-collection-of-user-information) (accessed on 20th May, 2020).

Software Freedom Law Centre. 2018. ‘Brief Analysis of the Personal Data Protection Bill, 2018’. (https://privacy.sflc.in/brief-analysis-of-the-personal-data-protection-bill-2018/) (accessed on 25th May, 2020).

Software Freedom Law Centre. 2019. ‘FAQ: Surveillance in India’. (https://sflc.in/faq-surveillance-india) (accessed on 20th May, 2020).

The Telegraph. 2019. Editorial: ‘The Fight for the Right to Privacy Must be Ceaseless’. 7th May, 2019. (https://www.telegraphindia.com/opinion/the-fight-for-the-right-to-privacy-must-be-ceaseless/cid/1686302) (accessed on 21st May, 2020).