Abstract
Surveillance in terms of interception and storage of electronic communication is governed by the Information Technology Act, 2000, and the rules framed under it. Section 69 of the IT Act empowers the appointed officer to issue directions for the interception, monitoring, or decryption of information through a computer resource. He or she must be satisfied, providing reasons in writing, that the same is necessary and expedient in the interests of, inter alia, the security of the State. Under the IT (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules 2009, authorization is a necessary prerequisite for interception or monitoring. The interplay between e-surveillance, privacy, and security begs the question: Do India’s laws governing the surveillance of electronic communications strike the right balance between cyber security and the right to privacy? After the Pegasus attack in India, the ruling government was accused of installing spyware under the name of surveillance because most of the targets included the most important opposition faces. The Pegasus controversy has held up a mirror to those experts and other stakeholders who tend to take the internet and cyber security for granted. The objective of this paper is to study the crucial aspect of cyber law which is the governance of surveillance and the protection of privacy rights from cyber-attacks. It is a very pertinent study in recent times when cyber security is taken for granted in India, although the world has grown to be a frequent adopter of cyberspace and AI. The data protection laws in other nations help immensely to examine what kind of laws are needed in India to protect the data and privacy of individuals from being exploited and attacked by government agencies.
In India, the right to privacy is being put to the test. Not only is the government pursuing plans to construct national databases of personal information[1], but the Supreme Court has overturned one of the most expansive interpretations of privacy in Naz Foundation v. NCT[2]. The changing form of state monitoring is complementary to this narrowing of the constitutional scope of privacy. We are witnessing a paradigm shift: from focused monitoring to widespread surveillance.
The Information Technology Act of 2000[3] and the rules enacted under it control electronic communication surveillance in terms of interception and storage. The designated officer can make orders for the interception, monitoring, or decryption of information using a computer resource under Section 69 of the IT Act. He or she must be convinced, in writing, that the same is essential and expedient in the interests of the State’s security, among other things. Authorization is required for interception or monitoring under the IT (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules 2009. An official not below the level of Joint Secretary may, nevertheless, provide such authorization in the event of unavoidable circumstances.[4] Each directive must be accompanied by justifications, which must be presented to the Review Committee.[5] Interception is a last resort under the Rules, and authorization can only be given if there are no other options for obtaining the information. This authorization is only valid for sixty days, but it may be extended for up to 180 days.[6] The ability to allow the monitoring and gathering of traffic data or information for security purposes is outlined in Section 69B. The IT (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009[7] identify justifications for collecting traffic data, including predicting potential cyber risks and tracking cyber security breaches.
An intermediary is obligated[8] to cooperate with such a request after such authorization has been issued. Rule 3(7) of the IT (Intermediaries Guidelines) 2011 states that the intermediary must submit information to the properly authorized government agencies for the purpose of prosecuting violations when needed by lawful order. Similarly, Rule 6(1) of the IT (Reasonable Security Practices and Procedures for Sensitive Personal Data or Information) Rules, 2011 specifies how information should be disclosed to third parties. While prior consent is required for disclosure, there is an exemption for government agencies that are legally required to gather information. Anyone who fails to furnish the authorities with the necessary information faces fines under Section 44 of the IT Act.[9]
The regime established by the IT Act and Rules is one of targeted surveillance, as it requires appropriate authorization prior to any interception. The Indian government has now widened the ambit of the surveillance regime through various surveillance schemes and networks,[10] such as the Central Monitoring Scheme (CMS), the Crime & Criminal Tracking Network & Systems, and NATGRID.[11] The CMS, in particular, exemplifies the new regime. It has been introduced surreptitiously,[12] without any legislation or executive notification, and thereby its exact contours and safeguards are unknown.[13] Not only does it enable the interception of all communication, voice, and data transmitted via telephones and the internet to, from and within India,[14] but it also does away with the requirement of authorization for service providers to disclose sensitive personal information. The relationship between the CMS and the IT Act is unclear. Equally unclear is the effect of the Telegraph Act mechanism evolved by the Supreme Court in PUCL[15] on the wide powers envisaged under the CMS. Commentators have noted this apparent clash, but the mysterious nature of the CMS has created an atmosphere of complete uncertainty as to its regulation and manner of implementation. Indeed, by covertly equipping the State with unfettered powers of mass surveillance, the CMS has earned a popular perception as India’s very own PRISM.[16] The introduction of the CMS and allied schemes marks a tectonic shift from the earlier regime of targeted surveillance to one of blanket surveillance. The sheer scale of these surveillance schemes is such that State-owned telecom operators have had to update their hardware in order to meet the increasing demands for data.[17]
The interplay between privacy, surveillance, and the ‘Security Defence’
The secrecy of these plans runs counter to the widely held belief that surveillance legislation must be open and accessible. As a result, India’s new monitoring system poses a serious danger to the already weak battle for privacy in the country. Attempting to create security by widespread monitoring has an inherent contradiction, even if such tactics are frequently justified by security rhetoric. Terrorists see such a vast data pool as a “honey pot,” and it is very vulnerable to assault. There are also concerns about the national infrastructure’s ability to operate such a complicated web of monitoring networks.[18] The interaction of e-surveillance, privacy, and security raises the question of whether India’s laws governing electronic communications monitoring strike the correct balance between security and the right to privacy.
As a result, even after five decades as a constitutional right,[19] the right to privacy appears to be dormant, with judges regurgitating the idea that “privacy-dignity claims may be dismissed where a significant balancing interest is proven to be superior.”[20]
SURVEILLANCE UNDER INTERNATIONAL LAWS
The leaks by Edward Snowden about the breadth and depth of electronic surveillance conducted by the US National Security Agency (NSA), the United Kingdom’s Government Communications Headquarters (GCHQ), and other states’ intelligence apparatuses have been one of the most significant geopolitical developments in recent years. Many state officials, elites, and foreign residents who have been subjected to this surveillance have been upset by these revelations. One cause of their fury is their view that the spying governments have broken fundamental privacy standards. Another issue is that international law, the most obvious source of control, has nothing to say about overseas monitoring. States have a tendency to restrict domestic surveillance more strictly than that of foreign persons. However, as nations’ technological capacities to collect electronic intelligence in far-flung geographies quickly improve, the lack of oversight of international surveillance becomes increasingly dangerous.
The International Covenant on Civil and Political Rights (ICCPR), to which most nations are signatories, guarantees a right to privacy. “No one will be subjected to arbitrary or unlawful interference with his privacy, family, home, or communications, nor to unlawful attacks on his honor and reputation,” according to Article 17(1).[21] Leaving aside the important jurisdictional issue discussed below, there is little doubt that this right applies to a state’s domestic collection of data about a person when that collection constitutes “interference,” and most people would agree that correspondence includes a person’s online and telephonic communications. There is also no doubt that the right to privacy is a qualified right, susceptible to a state’s authorized and non-arbitrary intervention. Nonetheless, there is a dispute on which standards should be used to determine whether a state’s domestic surveillance is legitimate and non-arbitrary. For example, the United States thinks that states may conduct surveillance if it is done in compliance with open laws and for a legitimate purpose.
Member states of the Council of Europe (i.e., the majority of European countries) have separate and perhaps broader human rights treaty duties, although these, too, are subject to jurisdictional limitations. According to the ECHR, nations must “secure to everyone within their jurisdiction the rights and freedoms guaranteed by the Convention.”[22] Subject to certain limits (such as national security, public safety, and the economic well-being of the country), these rights include respect for private and family life, home, and communication.[23] While the ECHR’s case law on what it means to be “within a state’s jurisdiction” is extensive and internally contradictory, one common thread is the “control and authority test,” which requires that the individual complaining of an ECHR violation was under the control and authority of the state that allegedly violated his rights.[24] Many of these cases (though not all) included confinement, in which the state had some amount of physical authority and control over the person who claimed the violation of the rights.
The sort of state control needed by the control and authority test is far different from intercepting phone calls and reading someone’s email. Several cases involving the Government Communications Headquarters of the United Kingdom and surveillance by the National Security Agency of the United States are pending before the European Court of Human Rights. In dealing with these instances, the Court is expected to try to apply the “effective control” test to electronic monitoring, which might lead to a shift in the present understanding of how much control a state must have over a person before his ECHR rights are activated.
All people enjoying diplomatic immunity must “follow the laws and regulations of the receiving State,” according to Article 41 of the Vienna Convention on Diplomatic Relations (VCDR).[25] This provision might be interpreted to mean that states parties have agreed that their ambassadors would not spy on the receiving state since doing so would be against the receiving state’s internal laws. Those having diplomatic status, on the other hand, are well-protected under the Convention. Receiving states are prohibited from eavesdropping on transmitting states’ facilities on their territory under the VCDR. Articles 22 and 24 guarantee the inviolability of diplomatic missions’ premises, as well as the mission’s records and archives.[26] As a result, one may claim that eavesdropping on that mission, even using electronic means, is illegal.
The Court began by citing its 1962 decision in Kharak Singh v. State of UP.[27] (‘Kharak Singh’), in which it considered the impact of police surveillance (in the form of ‘domiciliary visits’ involving local police constables entering the petitioner’s house at night) on the petitioner’s right to privacy. In Indian law, the Kharak Singh Court recognized a ‘right to privacy,’ but not one guaranteed by the Constitution. Subba Rao, J.’s minority judgment in Kharak Singh, which broadened the extent of the right guaranteed by Article 21 to encompass the “right of an individual to be free from restraints or encroachments on his person,” was also referenced with favor by the PUCL Court.
The PUCL Court also cited Gobind v. the State of M.P.[28] which, like Kharak Singh, is a case where the plaintiff is a woman who dealt with real-world police surveillance and established the need for privacy-infringing laws to meet a higher standard of judicial review – the “compelling State interest” test. The Supreme Court had not yet decided whether or not the right to privacy could be considered a basic right. The PUCL Court also cited its 1994 decision in R. Rajagopal v. State of Tamil Nadu (‘Rajagopal’),[29] a case in which the right to privacy was elevated to Constitutional status by virtue of being a fundamental right: Article 21 of the Constitution, which guarantees citizens of this country the right to life and liberty, states “a right that may not be violated except according to procedure established by law.”[30] In that decision, the Supreme Court broadened the concept of privacy to encompass a right “to be left alone,” as well as a right to “protect the privacy of a person, his family, marriage, reproduction, maternity, child-bearing, and education, among other things.”[31]
The preceding cases, from Kharak Singh through PUCL, demonstrate the Supreme Court’s evolving view of privacy. The physical privacy of a person is defined by the right to “be free from limits or encroachments on his person,” according to the Kharak Singh Court. This idea was advanced in the case of Rajagopal, which involved the release of serial killer Auto Shankar’s autobiography, which implicated high police officers in acts of corruption and complicity. Because the right to privacy at stake here was that of police officers’ reputations, the Court’s recognition of it stretched the right to privacy beyond the physical domain. The PUCL Court expanded the definition of privacy to encompass personal communications, ruling that “the right to have a phone call in the seclusion of one’s home or workplace without interference can surely be asserted as a ‘right to privacy’”.[32] To the modern reader, it may appear reasonable that this expanding idea of privacy has expanded to include internet conversations.
THE PRIVACY HARMS OF SURVEILLANCE
Regardless of how it is used, the very presence of a state monitoring infrastructure infringes on personal liberty and freedom of speech and expression. More than a simple negative right, privacy establishes the circumstances for human closeness, while also allowing for the discussion of unpopular or unusual views without fear of ridicule or repercussions. A Panopticon-like digital monitoring device, on the other hand, stifles expression and openness simply because the subject is aware that she is being observed. In his dissent in Kharak Singh, Subba Rao J argued how monitoring imposes psychological limitations on our brains, limiting our ability to think and express ourselves in ways that jeopardize our personal liberty. The nine-judge panel in Puttaswamy overruled Kharak Singh and recognized Subba Rao J’s dissent as constitutionally sound. Subba Rao J was foresighted, as the government now has the ability to listen in on our private talks, read our private messages, and even follow our everyday movements. We are less inclined to discuss radical ideas or attend political gatherings if we are aware that the government may be aware of our exchanges and activities and that reprisal for dissent is a possibility.
To put it another way, surveillance has an influence on the right to privacy, particularly intellectual privacy (the ability to explore ideas without being watched) and informational privacy (the concepts of secrecy, control, and anonymity). The fear of having personal information about one’s lifestyle and choices disclosed has an experimentally established “chilling effect”[33] on free speech and association, prohibiting or deterring individuals from reading and discussing unconventional, unpopular, disputed, or offensive views. The Puttaswamy verdict in 2017 was the first time these principles were explicitly included in India’s constitutional articulation of privacy. Puttaswamy broadened the vocabulary accessible to Indian courts in dealing with surveillance cases in this way, by explaining why privacy matters and may be perceived to be infringed in monitoring instances.
Puttaswamy implicitly recognizes the dangers posed by the secret nature of State surveillance, which ensures that individuals have no way of knowing they have been placed under surveillance, by acknowledging the psychological restraints flowing from surveillance (as in the dissenting opinion in Kharak Singh). The fear of being watched by the government is enough to change people’s behavior and limit their capacity to engage in ‘critical subjectivity,’ which is an important aspect of democracy. In the era of technology, the dangers of surveillance to one’s privacy are amplified. Technology has permitted and increased the State’s comprehensive GPS tracking, data mining, and profiling capabilities, as well as the simplicity with which information may be collected and analyzed. The ability of the state to intrude into the private sector has exacerbated the asymmetric power imbalance between people and the state, and this concentration of power is harmful to a constitutional democracy.
In his concurring opinion in Puttaswamy, Kaul J accurately captured the dangers that technology poses to privacy, noting that “the growth and development of technology have created new instruments for the possible invasion of privacy by the State, including surveillance, profiling, and data collection and processing.” Surveillance is not new, but technological advancements have enabled surveillance in previously inconceivable ways.[34]
This is similar to the situation in other jurisdictions. In the United States, for example, concurring views in US v Jones[35] noted that ‘in the pre-computer period, the strongest privacy safeguards were neither constitutional nor legislative, but practical.’[36] This is due to the fact that old monitoring tactics took time and money, were difficult to scale, and relied on limited police resources. Modern surveillance tactics, on the other hand, provide more information, particularly when used over a lengthy period of time.[37] These damages acknowledge the societal purpose provided by the right to privacy and its relevance in a constitutional democracy, as well as in defending the rights of the marginalized. When it comes to the constitutionality of unlawfully obtained evidence and the lack of judicial control over surveillance measures, they will be crucial.
Even in the most democratic and liberal countries, such as the United States, the United Kingdom, and India, there have been instances of the government abusing its surveillance capabilities and breaching people’s privacy. The Pegasus snoop gate scandal of 2021 was a global spyware scandal that targeted several journalists, political dissenters, members of the opposition, activists, and students. It was one of the first cases to highlight the importance of data protection and privacy in protecting free press and healthy democratic practises from the ruling government’s authoritarian motives.
Pegasus is a trojan/script (spyware) that may be remotely deployed on Apple’s iOS and Google’s Android operating systems. NSO Group, an Israeli technology company, created and commercialised it. The NSO Group provides Pegasus to “vetted nations” for “lawful interception,” which is often assumed to imply battling terrorism and organised crime, as the company says, but there are concerns that it is used for other purposes.[38] Pegasus is a modular virus that may start comprehensive surveillance on the targeted device and harvest data such as calls, contacts, messages, emails, images, files, locations, and passwords. Even if the call is not answered, the spyware penetrates the phone and erases the call record information. Pegasus is meant to never utilise more than 5% of the spare space on your phone, ensuring that it is never discovered.[39]
The original iteration of Pegasus used a “mobile-first” technique, in which targeted people began to receive text messages that seemed to be from family members, with links to their bank accounts, location, and so on. The upgraded Pegasus malware employs “zero-link” technology, which exploits zero-day vulnerabilities without requiring the user to click on any links.[40] Newly found vulnerabilities in operating software that the developer is still ignorant of are referred to as zero-day vulnerabilities. There are no fixes or updates available since the vulnerability is currently in its “day zero” stage. Using these flaws, NSO Group, the Israeli company that owns and created Pegasus, distributes the spyware to the target’s phone through text message or phone call. Because the user is not required to take any action, the virus automatically installs itself on the phone. Pegasus grants access to the target’s smartphone to NSO’s “government clients” once installed, circumventing even encrypted messaging applications like Signal, WhatsApp, and Telegram.[41]
Pegasus was initially detected in 2016 through a botched effort to hack an investigative journalist’s iPhone. It gained a lot of media attention when it was uncovered because of its advanced monitoring tactics that had never been seen before. Pegasus was reported to be capable of breaking into an iPhone 12 operating on a fully patched iOS version 14.6 in July 2021.[42] This demonstrates that malware can infect even the most protected gadgets on the market. In 2019, WhatsApp, the world’s most popular messaging service and a Facebook subsidiary, disclosed that malware delivered via Pegasus had infected over 1400 phones, using a zero-day vulnerability.[43] In India alone, 121 people were targeted, according to the study.[44]
Residents Lab, a Canadian research organisation, disclosed in 2018 that NSO Group classified its operator clients, and that these customers had to be vetted by the Israeli government before the software was sold, to guarantee that the programme was not used against Israeli citizens. A few of these classifications were revealed, with countries from the Indian subcontinent being labelled as “GANGES.” Similarly, Middle Eastern countries were labelled as “MIDDLE.” Operators in the Ganges category were linked to popular telecommunications providers from India, Pakistan, and Bangladesh, according to Citizen Lab findings. “Bharti Airtel, Mahanagar Telephone Nigam Limited (MTNL), and Hathway Cable Internet” were among the companies listed in the study as being linked to the malware.[45]
“Amnesty International and Forbidden Stories”, a media non-profit organisation located in Paris, France, released a list of approximately 500000 names categorised as “People of Interest” by Pegasus software clients in 2020. Under the umbrella term “project Pegasus”, the names on this list were passed on to 17 different media groups.[46] The only Indian news source to obtain the list, which included the names of 174 Indian targets, was The Wire. The whole list was made public in July 2021, eliciting outrage from all sides of the political spectrum as well as the general population.[47]
The Supreme Court of India took notice of the case and agreed to consider the petitioners’ claims of wrongdoing on the part of the government. The claims were “serious if press reports are genuine,” according to the highest court. At the same time, it recommended that petitioners refrain from engaging in online disputes and instead wait for the court to hear the case.[48]
The central government filed an affidavit with the court on August 16, 2021, stating that it will appoint an expert committee to investigate the matter. The administration did not specify who will make up the committee or when it will begin its inquiry. The court was dissatisfied with the affidavit since it did not state whether or not the government deployed Pegasus spyware.[49] The Centre’s Solicitor General Tushar Mehta said the situation may have “national security ramifications” if it was investigated based on unfounded accusations, and that it couldn’t be handled by asking for an affidavit or other documents.[50]
The Supreme Court established a technical expert group (“Technical Committee”) on October 27, 2021, to investigate claims of illegal monitoring using the Pegasus Spyware. Justice R.V. Raveendran, a former Supreme Court judge, will lead the technical committee. He will be assisted by Alok Joshi, a former IPS officer, and Dr. Sundeep Oberoi. Dr. Naveen Kumar Chaudhary, Dr. Prabaharan P., and Dr. Ashwin Anil Gumaste make up the Technical Committee.[51]
The Court has directed the Technical Committee, among other things, to enquire, investigate, and determine whether Pegasus was acquired by the Union Government or any State Government, and whether the spyware was used on phones or other devices owned by Indian citizens to access stored data, listen in on conversations, intercept information, and/or for any other purpose. The Committee has also been requested to offer suggestions on the enactment or reform of current surveillance legislation to protect citizens’ right to privacy, as well as the development of a system for individuals to file complaints about suspected illegal surveillance of orders. To accomplish these goals, the Committee has been given the freedom to create its own method, conduct investigations as it sees proper, take statements from everyone involved in the probe, and, most importantly, ‘ask for documents of any authority or person’.[52]
The Technical Committee contacted many policy experts and legal practitioners on March 9, 2022, and asked them to respond to a list of 11 questions by March 31.[53] The case is still ongoing and will be heard in the near future.
CASE LAW ANALYSIS
Background
The Aadhaar debate dates back to 2009, when the Indian government announced for the first time a plan for national identification in which every citizen of the country would be given a unique identity card with all of their biometric data. The major goal of implementing the plan was to deliver direct benefits from various schemes to individuals and to decrease the red-tapism that they must deal with in order to do their tasks. However, the results have been negative for over seven years. The two primary points of disagreement raised by those who oppose the Aadhaar system are data management and data protection. There have been cases where the personal information of multiple people has been exposed online, posing a risk to their privacy. Following that, the government planned to link Aadhaar to everything else, including one’s account number and cellphone SIM card. The right to privacy was declared a fundamental right by a nine-judge court in 2017, reigniting the debate. People argued that because Aadhaar holds all of an individual’s information, it is a possible danger to his privacy, and hence a violation of his basic rights. A five-judge panel was convened to discuss the matter, and the following decision was reached.
The Indian government launched the Aadhaar project in 2009 as a “universal identification system” to track the “disbursement of services” it provides. The Aadhaar project, which began with an executive order in 2009, entails the collection of biometric data from individuals for the purpose of “identifying and authentication of service delivery.” When the Aadhaar Act was approved in 2016, it gave legal underpinning to the Aadhaar programme. The Aadhaar project, on the other hand, received enormous criticism, and the Supreme Court ruled that both the Aadhaar Act and the administrative action violated the Constitution, particularly the right to privacy. The first writ petition in the matter of “K.S. Puttaswamy and Anr. vs. Union of India[54]” was filed in 2012; however, questions regarding whether the right to privacy is a fundamental right or not were raised, prompting the establishment of a nine-judge panel (Puttaswamy I). Following the Court’s declaration of the right to privacy as a fundamental right in Puttaswamy I, a final hearing before a five-judge Constitution Bench was planned for 2018.
- Whether the Aadhaar Project has the potential to establish a surveillance state and, as a result, is unlawful?
- Whether the Aadhaar Project infringes on citizens’ right to privacy and is thus unconstitutional?
The ruling was 4:1 favouring Aadhaar, with Justice D.Y Chandrachud writing the lone opposing opinion. All of the provisions of the Aadhaar Act that were in dispute were briefly reviewed, and the Judges stated their different opinions, with Justice A.K Sikri writing the final judgement. The following are some of the key points from the decision:
- The court, in reviewing Section 2(d) of the Act, stated that the provision does not meet the regulations set out in Section 26(c) of the same Act, and hence is struck down; however, the court did provide liberty to make changes to the current provision.
- No Aadhaar cards should be issued to illegal immigrants, and the definition of “resident” under Section 2(b) must be strictly followed.
- The government has the ability to store data for a term of five years under Section 27 of the Act, but the permitted limit is just six months, thus this provision is deemed illegal.
- Section 29 allows for a reasonable restriction on the government’s ability to disclose data in relation to a specific regulation; but there is no such legislation at this time, thus there is no invasion of privacy.
- When it comes to the revelation of personal information, the learned court believes that section 33(1) should be expanded and that the individual should be given an option as to whether or not he wants the information disclosed, and if at any point he wishes to desist from doing so.
- Section 33(2) is repealed since no right meaning can be derived as to who will judge whether or not the disclosure is in the public interest.
- With regard to section 47, the court believes that the current provision needs to be amended since its scope should be expanded to include complaints submitted by people as well.
- Section 57, which requires that information be disclosed to persons or other entities for authentication purposes, may be thrown down since such a contract would violate an individual’s privacy.
Apart from this, the Act’s other sections were found to be constitutionally legitimate. It was also held that the linkage of PAN cards is fully legal because it intends to prevent fake transactions, and Aadhaar’s goal is to offer a benefit state rather than a surveillance state, hence it is legal and legally legitimate. The court stated that the linking of mobile SIM cards to Aadhaar is legal and constitutes a breach of privacy. In addition, when it comes to minors’ Aadhaar information, the court ruled that all minors have the right to obtain an Aadhaar card with their parent’s approval and that once an individual reaches the age of majority, the choice switches to him.
Justice Chandrachud’s Dissenting Opinion:
Justice D.Y. Chandrachud wrote the lone dissenting opinion. He expressed the necessity to declare the Aadhaar Act illegal in his 174-page judgment. The key issue, according to his perspective, was privacy concerns. Citing famous jurists and other legal experts, he stressed how this legislation has veered away from its fundamental goal and is failing to provide what it promised. Here are a handful of the opinion’s main points:
- Although the first legislation was approved as a Money Bill, it does not meet the qualifications of a Money Bill as defined by Article 110(1).
- There is no provision in the first statute for an opt-out option or for a certain time limit for retention.
- Section 29 clause 4 grants the involved authorities extraordinary authority to disseminate data about any individual without their agreement, as long as the act’s requirements are followed.
- Aadhaar holds an individual’s data, but he or she is not authorized to view his or her own records under section 28(5) of the act, which takes away the ownership rights that every person should have.
- The Act’s structure is such that if there is a mistake during the verification process, data may be leaked, and that data may be sold to unauthorized parties, jeopardizing an individual’s personal identity.
- The courts have the ability to take cognizance under Section 47(1) of the Act, but they can only do so once a complaint has been made by any member or an authorized officer of UIDAI. This clause is arbitrary since it fails to respect an individual’s right to privacy.
- Section 7 contains terms like “services and benefits” with no specific limit, implying that the government has unrestricted ability to put anything inside this, removing the individual’s freedom of self-determination in the use of services.
- The strategy of integrating SIM cards with Aadhaar poses a serious threat to individual privacy; if we go back to the Puttaswamy case, where the proportionality test was proposed, this approach is arbitrary and illegal.
The decision has the most immediate and significant repercussions for private businesses or corporations that rely on Aadhaar-based customer authentication. This is a particular issue for fintech companies that are obliged to comply with KYC standards by sectoral authorities such as the Reserve Bank of India. “Aadhaar-based e-KYC” was considered as a solution to accomplish KYC compliance in a paperless and efficient manner under the Aadhaar Act. Alternative procedures, which must be as effective in identifying people, are expected to be implemented by the government or sectoral authorities in the near future.
In this regard, the Employee Provident Fund Organization (“EPF”) issued a circular mandating employers to link all eligible employees’ Aadhaar IDs to their EPF accounts. Companies are no longer permitted to get workers’ Aadhaar numbers in order to link them to their EPF accounts after the Supreme Court declared that “Section 57 of the Aadhaar Act” is unlawful. Employers that fail to comply with the Supreme Court’s decree will face contempt charges. Finally, the judgement examined the Bill, which featured a number of innovative data protection principles inspired by the European Union’s General Data Protection Regulations (the “EU GDPR”).
Despite the fact that the Supreme Court admitted that the Bill may be improved, it was observed that we are not far from a comprehensive data protection framework that protects both information and data. These perspectives, together with the European Union’s extensive exposition of jurisprudence, suggest that Indian courts would depend heavily on the principles enshrined in the “EU GDPR” in future cases, albeit the exact ideas that will be imported are uncertain.
The opinions of this decision are mixed. While there may be situations when information leaking is a concern, we must remember that, thanks to this card, we have created a system that allows deserving persons to participate in government programmes. The government’s plan is to establish a welfare state with the primary purpose of bringing everyone together under one roof. We must, however, understand Justice Chandrachud’s concerns and seek amendments to the Act’s provisions, since, in the end, privacy is an inalienable right that everyone must respect in order to preserve a peaceful society.
In India, in the case of Gobind v. State of MP[55], the Supreme Court evaluated the validity of a regulation requiring the surveillance of repeat offenders.[56] The judges’ discomfort is evident in this case because, while they are aware of the necessity of the right to privacy, they also understand the undetermined precedential importance of Kharak Singh v. Union of India[57], and are fearful of establishing a right not specifically stated in the constitution.
As a result, two justifications were given by the court for the right to privacy. Firstly, the court said that individual activities at home deserve protection since they do not harm others. Secondly, the court further said that “individuals need a place of sanctuary where they can…drop the mask, desist for a while from projecting on the world the image they want to be accepted as themselves.”[58] The court established two different perspectives on privacy. The first is that of protection against search and seizure, which is broadly equivalent to the Fourth Amendment’s doctrine in the United States. The second asserts a right to privacy based on an individual’s dignity, which is echoed in the European perspective.[59]
While these two perspectives are not binary opposites, they have a significant impact on how privacy is regarded in e-surveillance instances, because determining the legality of monitoring requires evaluating and balancing these two arguments. In other words, the Court must decide which of the two justifications shall take precedence.[60]
The Information Technology Act of 2000 is the first step in establishing a legal framework for the information technology sector. NASSCOM is attempting to modify the legislation even further. This legislation establishes legal recognition for electronic transactions, offers legal definitions for most IT-related terms, and makes any electronic crime illegal. The Indian Information Technology Act of 2000 gives legal protection to businesses that conduct business through the internet.[61]
In the Data Protection Committee Report headed by Justice B. N. Srikrishna, it is mentioned, “The right to privacy has been recognized as a fundamental right emerging primarily from Article 21 of the Constitution, in Justice K.S. Puttaswamy (Retd) v. Union of India[62]. To make this right meaningful, it is the duty of the state to put in place a data protection framework which, while protecting citizens from dangers to informational privacy originating from state and non-state actors, serves the common good.” Mr. Ravi Shankar Prasad, Minister of Electronics and Information Technology, presented the Personal Data Protection Bill, 2019 in the Lok Sabha on December 11, 2019. The Bill’s major purpose is to protect individuals’ personal data and to establish a Data Protection Authority to do so. Parliament has not yet approved the bill.[63]
In India, there are certain laws that can substitute for the lack of a single statute. The Information Technology Act and the Telegraph Act give some oversight of data protection and privacy problems, but they are insufficient in the current situation. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, were enacted by parliament on February 25, 2021, to improve security and privacy issues on online platforms by creating a Chief Compliance Officer and Grievance Compliance Officer. The Information Technology (Reasonable security procedures and sensitive personal data or information) Rules, 2011, were superseded by these rules. When individuals began to use drones more often, the Drone Rules, 2021, were established, requiring drones to be classified according to their weights and the pilot to obtain permission to fly a drone from the Directorate General of Civil Aviation (DGCA). According to a report from the United Nations Conference on Trade and Development, India does not have any explicit consumer protection legislation.[64]
In the US scenario, the Fourth Amendment of the U.S. Constitution recognizes “the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures”[65], thereby establishing a right to privacy that emphasizes the value of liberty, free from governmental control. It also emphasises the management of and access to personal information distribution.[66] This control-centric premise is the foundation of several philosophies that assert that when an individual loses control over personal information, he or she loses his or her privacy. In United States v. Miller[67], the Supreme Court of the United States held that when an individual discloses information to a third party, he “takes the risk…that the information will be conveyed by such third party to the Government”. This is also called the third-party principle. This argument has been used in a number of cases to dismiss claims of privacy in emails and other online content, such as tweets, because the information has already been shared with the service provider or ISP.[68]
The Health Insurance Portability and Accountability Act (HIPAA)[69] incorporates security and privacy clauses and offers universal protection for any health-related information that is kept and transmitted electronically. All entities must assure the confidentiality, integrity, and availability of all electronic records under these conditions. Without the approval of all affected parties, healthcare practitioners are prohibited from disclosing any health-related information.
The Gramm-Leach-Bliley Act (GLBA)[70] protects the financial services industry’s privacy. It guarantees that customers’ personal and financial information is protected, as well as safeguarding against risks and dangers to consumer data. It contains safeguards against unauthorised access to sensitive data.
Individual financial records are protected by the Right to Financial Privacy Act (RFPA)[71]. Prior to revealing any records to governmental authorities, the client must be notified. Customers have specific rights to contest such disclosures. Furthermore, it mandates that all concerned governmental institutions.
The Securities and Exchange Commission is in charge of enforcing the Sarbanes-Oxley Act[72] of 2002, which establishes deadlines for compliance and publishes guidelines on its requirements. This statute does not establish a set of business practices or dictate how a company should maintain documents. It specifies which records should be kept and for how long. All company documents, including electronic data and messages, must be kept for “not less than five years,” according to this law. Non-compliance can result in fines or jail, or both. Companies have the problem of establishing and maintaining a corporate records archive that is both cost-effective and compliant with legal obligations.
The California Consumer Privacy Act[73] (CCPA) came into effect on June 28, 2018, and it is a state-wide data privacy law that strengthens privacy rights and consumer protection for California citizens. The California Privacy Rights Act[74] (CPRA) was enacted by Californian voters on November 4, 2020, revising the California Consumer Privacy Act’s industry standards, consumer privacy rights, and enforcement procedures. The CPRA will replace the CCPA and will take effect on January 1, 2023.
Singapore scenario
In 2012, Singapore passed the Personal Data Protection Act[75] (PDPA), which regulates the collection, use, and disclosure of personal data for purposes that a reasonable person would judge acceptable in the circumstances. The Personal Information Protection and Electronic Documents Act[76] (PIPEDA) governs the acquisition, use, and disclosure of personal data by any Canadian organization.
UK scenario
While the United States has sector-specific regulations to address data security and privacy concerns, the United Kingdom’s Data Protection Act serves as an umbrella protection statute for all public and private data. It encompasses all aspects of personal data collection, storage, processing, and distribution. Individuals can use the legislation to gain access to their personal information. When misleading information is discovered, the statute empowers individuals to seek compensation from required entities.[77]
The Regulation of Investigatory Powers Act of 2000[78] (RIPA) expressly prohibits the interception of electronic communications without the express or implicit permission of both the sender and the recipient. In the telecommunications business, the Privacy and Electronic Communications Regulations 2003[79] (EC Directive) assure the protection of rights and freedoms linked with the processing of personal data and the right to privacy.
The General Data Protection Regulation[80] (GDPR) was implemented by the European Union (EU) on 25 May 2018. The objective was to regulate personal data transferred outside the European Union and the European Economic Area and to give EU citizens more control over their personal data.
Article 8 of the European Convention on Human Rights[81], on the other hand, bases its understanding of privacy on the concept of dignity and its role in developing human relationships. As a result, even in the situation of disclosure to a third party, such dignity is an acceptable rationale for maintaining privacy. As a result, in the absence of a contrary expectation, a reasonable expectation of privacy exists. In Copland v. U.K.[82], the European Court of Human Rights expressly stated that “there is a legitimate expectation of privacy attached to emails. The same exists even though acts are done in public or revealed to a third-party intermediary and in cases of systematic storage.”[83]
The technological architecture of digital communications implies that communications of interest to nations are heavily intertwined with irrelevant communications of regular persons. This creates a major legal and policy quandary.
International law has a key role to play in resolving this quandary, and there are strong incentives for it to do so. Adopting a set of procedural standards to control foreign monitoring would assist nations and individuals in balancing the opposing interests of privacy and security in tangible and observable ways. This approach strikes a balance between cynics who predict that regulatory pressures will subside quickly and those in the human rights and civil liberties communities who believe that states will quickly retreat from foreign electronic surveillance to a posture that is far more protective of individual privacy.
India’s technology sector is growing every day, so it has become inevitable that we need technology legislation to regulate the environment and to secure people from any kind of harm. Most of the population has access to the internet, which is a good development, but just as every action has a reaction, technology has its advantages and disadvantages. Convenience is the new drug; people receive the things they want at their doorsteps or wherever they are. While most developments enhance the lives of people, the small human errors that eventually happen can be rectified in the course of post-release developments. Indian legislation has also seen many amendments in response to the situation and the times. Now, because of the growing technology sector, India is desperately in need of legislation that focuses on data protection, consumer privacy, and rights.
[1] Bhairav Acharya, ‘The CMS: Some Questions to be raised in Parliament, THE CENTRE FOR INTERNET AND SOCIETY’ (cis-india.org, 19 Sept 2013) <The Central Monitoring System: Some Questions to be Raised in Parliament — The Centre for Internet and Society (cis-india.org) > accessed 26 April 2022
[2] Naz Foundation v Govt of NCT and Ors 2010 CrLJ 94
[3] The Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India)
[4] Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009, Gen. S. R. & O. 780(E), Rule 3, (India)
[5] ibid Rule 7
[6] ibid Rule 8
[7] Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009, Gen. S. R. & O. 782(E) (India)
[8] The Information Technology Act 2000, s 2(w)
[9] The Information Technology Act 2000, s 44
[10] Maria Xynou, ‘Why ‘Facebook’ is More Dangerous than the Government Spying on You, THE CENTRE FOR INTERNET AND SOCIETY’ (cis-india.org, 19 Nov 2013) < Why ‘Facebook’ is More Dangerous than the Government Spying on You — The Centre for Internet and Society (cis-india.org) > accessed 19 April 2022
[11] AJIT PRAKASH SHAH, GOVERNMENT OF INDIA PLANNING COMMISSION, REPORT OF THE GROUP OF EXPERTS ON PRIVACY 3 (2012)
[12] Shalini Singh, ‘Govt. Violates Privacy Safeguards to ‘secretly monitor’ Internet Traffic’ (The Hindu, 8 Sept 2013) <Govt. violates privacy safeguards to secretly monitor Internet traffic – The Hindu> accessed 19 April 2022
[13] Ministry of Communications & Information Technology, Centralised System to Monitor Communications, PRESS INFORMATION BUREAU (26th November 2009)
[14] Acharya, supra note 1
[15] People’s Union for Civil Liberties v Union of India AIR 1997 SC 568
[16] Anjan Trivedi, ‘In India, PRISM-Like Surveillance Slips under the Radar, THE CENTRE FOR INTERNET AND SOCIETY’ (cis-india.org, 3 July 2013) < In India, Prism-like Surveillance Slips Under the Radar — The Centre for Internet and Society (cis-india.org) > accessed 20 April 2022
[17] Sandeep Joshi, ‘BSNL Failure Handicaps Phone Tapping Mechanism’ (The Hindu, 21 Dec 2013) < BSNL failure handicaps phone tapping mechanism – The Hindu > accessed 20 April 2022
[18] Trivedi, supra note 16
[19] Kharak Singh v Union of India 1964 SCR (1) 332
[20] Gobind v State of MP (1975) 2 SCC 148
[21] International Covenant on Civil and Political Rights, art 17(1), adopted 16 December 1966, 999 UNTS 171 (ICCPR)
[22] Convention for the Protection of Human Rights and Fundamental Freedoms, art 1, 4 November 1950, 213 UNTS 221 (ECHR)
[23] Ibid art 8
[24] Fact Sheet, European Court of Human Rights, Extra-Territorial Jurisdiction of States Parties to the European Convention on Human Rights (Nov 2014)
[25] Vienna Convention on Diplomatic Relations, art 41(1), opened for signature 18 April 1961, 23 UST 3227, 500 UNTS 95 (VCDR)
[26] VCDR, supra note 25, arts 22, 24
[27] Kharak Singh v State of UP AIR 1963 SC 1295
[28] Gobind v State of MP (1975) 2 SCC 148
[29] R Rajagopal v State of Tamil Nadu (1994) 6 SCC 632
[30] The Constitution of India 1950, art 21
[31] R Rajagopal v State of Tamil Nadu (1994) 6 SCC 632, 26
[32] People’s Union for Civil Liberties v Union of India (1997) 1 SCC 301, 18
[33] C-293/12 and C-594/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources (8 April 2014) (Court of Justice of the EU)
[34] KS Puttaswamy v Union of India (2017) 10 SCC 1, 585
[35] US v Jones 565 US 400 (2012) (Sotomayor J and Alito J concurring) (US Supreme Court)
[36] ibid 963
[37] ibid 964
[38] Ajay Chawla, ‘Pegasus Spyware – ‘A Privacy Killer’’ (2021) SSRN <https://ssrn.com/abstract=3890657> accessed 9 April 2022.
[39] Dr. C.F.Mulimani, Manjugouda R Patil, ‘Pegasus: Transforming Phone Into A Spy’ (2019) 22 (14) Think India Journal <https://thinkindiaquarterly.org/index.php/think-india/article/view/14936/10099> accessed 9 April 2022.
[40] Ajay Chawla, ‘Pegasus Spyware – ‘A Privacy Killer’’ (2021) SSRN <https://ssrn.com/abstract=3890657> accessed 9 April 2022.
[41] Mayank Agrawal and Others, ‘Pegasus: Zero-Click spyware attack – its countermeasures and challenges’ (2022) ResearchGate <Pegasus: Zero-Click spyware attack – its countermeasures and challenges > accessed 9 April 2022.
[42] Amnesty International, ‘Forensic Methodology Report: How to Catch NSO Group’s Pegasus’, (2021) Amnesty International <https://www.amnesty.org/en/documents/doc10/4487/2021/en/> accessed 9 April 2022.
[43] David Pegg and Sam Cutler, ‘What Is Pegasus Spyware and How Does It HACK PHONES?’ The Guardian (London, 8 July 2021) <https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones> accessed 9 April 2022.
[44] Jayant Sriram, ‘What are the surveillance laws in India?’ The Hindu (18 December 2019) <https://www.thehindu.com/news/national/what-are-the-surveillance-laws-in-india/article61605542.ece> accessed 9 April 2022.
[45] Bill Marczak and Others, ‘HIDE AND SEEK: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries’ (2018) The Citizen Lab <https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/> accessed 9 April 2022.
[46] Shaun Walker and Others, ‘Pegasus project: spyware leak suggests lawyers and activists at risk across globe’ The Guardian (London, 19 July 2021) <https://www.theguardian.com/news/2021/jul/19/spyware-leak-suggests-lawyers-and-activists-at-risk-across-globe> accessed 9 April 2022.
[47] The Wire Staff, ‘Pegasus Project: 174 Individuals Revealed By The Wire On Snoop List So Far’ The Wire (New Delhi, 4 August 2021) <https://thewire.in/rights/project-pegasus-list-of-names-uncovered-spyware-surveillance> accessed 9 April 2022.
[48] FPJ Web Desk, ‘FPJ Legal: Refrain from ‘parallel debate on social media’ about Pegasus row, says Supreme Court; sets hearing for August 16’ The Free Press Journal (New Delhi, 10 August 2021) <https://www.freepressjournal.in/india/fpj-legal-refrain-from-parallel-debate-on-social-media-about-pegasus-row-says-supreme-court-sets-hearing-for-august-16> accessed 9 April 2022.
[49] Express Web Desk, ‘Pegasus row: SC says ‘can’t compel’ Centre to file detailed affidavit; govt to set up probe panel’ The Indian Express (New Delhi, 16 August 2021) <https://indianexpress.com/article/india/deny-all-allegations-expert-committee-to-probe-all-claims-centre-to-sc-on-pegasus-row-7455981/> accessed 9 April 2022.
[50] ibid.
[51] Krishnadas Rajagopal, ‘Supreme Court forms committee to examine Pegasus allegations’ The Hindu (27 October 2021) <https://www.thehindu.com/news/Supreme Court forms committee to examine Pegasus allegations> accessed 9 April 2022.
[52] Internet Freedom Foundation, ‘Our Response to the SC’s Technical Committee on Pegasus #SaveOurPrivacy’ IFF (New Delhi, 23 March 2022) <https://internetfreedom.in/our-response-to-the-scs-technical-committee-on-pegasus/> accessed 9 April 2022.
[53] Express Web Desk, ‘SC’s Pegasus panel seeks comments from public on 11 queries’ The New Indian Express (New Delhi, 25 March 2022) <https://www.newindianexpress.com/nation/2022/mar/25/scs-pegasus-panel-seeks-comments-from-public-on-11-queries-2434184.html> accessed 9 April 2022.
[54] K.S. Puttaswamy and Anr. vs. Union of India (2017) 10 SCC 1
[55] Gobind v State of MP (1975) 2 SCC 148
[56] Prakhar Bhardwaj & Abhinav Kumar, ‘Comparing Two Inchoate Conceptions: Balancing Privacy and Security by E-Surveillance Laws in India’ (2014) 3 Nat’l LU Delhi Stud LJ 1
[57] Kharak Singh v Union of India 1964 SCR (1) 332
[58] Gobind v State of MP (1975) 2 SCC 148
[59] Prakhar Bhardwaj & Abhinav Kumar, ‘Comparing Two Inchoate Conceptions: Balancing Privacy and Security by E-Surveillance Laws in India’ (2014) 3 Nat’l LU Delhi Stud LJ 1
[60] Prakhar Bhardwaj & Abhinav Kumar, ‘Comparing Two Inchoate Conceptions: Balancing Privacy and Security by E-Surveillance Laws in India’ (2014) 3 Nat’l LU Delhi Stud LJ 1
[61] Nipul Patel & Susan Conners, ‘OUTSOURCING: DATA SECURITY AND PRIVACY ISSUES IN INDIA’ (2008) 9(2) IIS
[62] KS Puttaswamy v Union of India (2017) SCC 1
[63] Rishi Nandhan R. B., ‘Need for Data Protection Laws in India’ (2021) 2 Jus Corpus LJ 72
[64] ‘Cyberlaw Tracker: Country Detail’ (UNCTAD) < https://unctad.org/topic/ecommerce-and-digital-economy/ecommerce-law-reform/summary-adoption-e-commerce-legislation-worldwide > accessed 26 April 2022
[65] U.S. CONST. amend. IV.
[66] Avner Levin & Mary Jo Nicholson, ‘Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground’ 2 UNIV. OF OTTAWA L. & TECH. J. 357,360 (2005)
[67] United States v Miller 425 US 435 (1976)
[68] Jacobson v United States 466 US 117 (1992)
[69] Health Insurance Portability and Accountability Act 1996
[70] Gramm-Leach-Bliley Act 1999
[71] Right to Financial Privacy Act 1978
[72] Sarbanes-Oxley Act 2002
[73] California Consumer Privacy Act 2018
[74] The California Privacy Rights Act 2020
[75] Personal Data Protection Act 2013
[76] Personal Information Protection and Electronic Documents Act 2000
[77] Nipul Patel & Susan Conners, ‘OUTSOURCING: DATA SECURITY AND PRIVACY ISSUES IN INDIA’ (2008) 9(2) IIS
[78] The Regulation of Investigatory Powers Act of 2000
[79] Privacy and Electronic Communications Regulations 2003
[80] The General Data Protection Regulation 2016
[81] European Convention on Human Rights
[82] Copland v. U.K., 2007-I Eur Ct HR
[83] Prakhar Bhardwaj & Abhinav Kumar, ‘Comparing Two Inchoate Conceptions: Balancing Privacy and Security by E-Surveillance Laws in India’ (2014) 3 Nat’l LU Delhi Stud LJ 1