Tuesday, February 16, 2016

Protecting citizens from the State: The case for a privacy law

by Vrinda Bhandari and Renuka Sane.

Every breath you take, every move you make 
Every bond you break, every step you take
I'll be watching you 
 
-- The Police, 1983

Most of us are familiar with the song, and might hum along. When you pause to think about it, it is about a creepy level of surveillance. Things are particularly dangerous when the watcher is the State.  Here are some facts about the Indian State:

  1. In 2011, India was ranked by Google as the third most intrusive State in terms of number of requests for data on users with 1699 (1430) user data requests being made to Google alone. In 2015, we have climbed to the second spot.

  2. The Report on surveillance in India by the Software Freedom Law Centre (SFLC) found that on average, the Central government alone taps more than 1 lakh phone calls a year, with around 7500-9000 phone interception orders being issued by it monthly. Combining this with requests from the State Government, the Report concluded that, Indian citizens are routinely and discreetly subjected to Government surveillance on a truly staggering scale.

  3. The Central Monitoring System (CMS) set up by the Government of India allows authorised security agencies to instantly intercept and directly monitor communications on mobile phones, landlines and the internet in the country (including on social media) to strengthen the security environment. The CMS will have deep search surveillance and monitoring capabilities with little requirement for authorisation. Its "direct electronic provisioning" allows automated instantaneous interception, that enables direct access by bypassing telecom service providers.

  4. NATGRID, conceived in the aftermath of the 26/11 attacks, seeks to create a centralised database streaming sensitive information from 21 data sources, including banks, travel details etc. Information infrastructure like Aadhaar may make it easier to utilise this information. In a fledgling democracy, the emergence of this new technology comes with the possibility of misuse.

The State has its reasons for surveillance. Sometimes they may even be justified, when surveillance is integral to the working of the criminal justice system. But can we, as citizens of India, demand an explanation from the State on whether a certain act of snooping was justified? Can we be sure that the information is being collected about us is not going to be misused? Do we even know what information is being collected? Do we have any say: are we citizens or are we subjects?

Understanding the right to privacy


In most jurisdictions in the world, questions on State surveillance are evaluated in the context of how the State understands, recognises, and balances the right to privacy of its citizens. Article 12 of the Universal Declaration of Human Rights, Article 8 of the European Convention of Human Rights [ECHR] and Article 17 of the ICCPR recognise privacy as the right to respect for private and family life, home and correspondence. The Fourth Amendment of the US Constitution also secures the rights of the people in their persons, houses, papers, and effects against unreasonable search and seizures, being premised on the notion that a 'person's home is their castle'. It has also been interpreted as that which underlies the dignity and autonomy of an individual by the Inter American Court of Human Rights.

The lowest common definition of privacy goes as far back as Warren and Brandeis (1890), as the right to be left alone. This views privacy as a notion that is central to our identity, dignity, and sense of self. It determines our interaction with other peers, the society and the State; and our power to control and share information selectively.

The law on privacy in India


Unlike the American Constitution or the ECHR, the Indian Constitution is silent about the right to privacy or private life or the protection against unreasonable searches and seizures. It is thus an un-enumerated right.

The development of the law on privacy began with the decision of the eight-judge bench of the Supreme Court in M.P. Sharma v Satish Chandra (1954), followed nearly a decade later in Kharak Singh v State of Punjab (1963). Both the judgments took a narrow view of the idea of privacy as they were focused on the question of search and seizure, and not really on the value of privacy per se.

After the 1970s, the Supreme Court started interpreting the right to privacy and the Article 21 right to life and personal liberty more expansively as is evident in the Gobind v State of Madhya Pradesh (1975), Auto Shanker (1994) and PUCL v Union of India (1997). The PUCL case is particularly important as the Supreme Court issued a series of guidelines on the steps the State must take before authorising surveillance.

In the most recent deliberations, the Indian Supreme Court during the Aadhar hearings in August 2015, put into question whether the right to privacy is a fundamental right at all under Part III of our Constitution and referred the following questions to a larger five judge bench:

  • Whether there is any "right to privacy" guaranteed under our Constitution.
  • If such a right exists, what is the source and what are the contours of such a right as there is no express provision in the Constitution adumbrating the right to privacy.

Understanding the surveillance architecture


As we debate the constitutional and legislative foundations of privacy, it's important to understand the surveillance architecture which has sprung up in the country.

While we debate whether privacy is a fundamental right, regulations such as Section 26 of the Indian Post Office Act, 1898; Section 5(2) of the Indian Telegraph Act of 1885 (read with Rule 419A of the Indian Telegraph Rules, 1951) along with the relevant Police Rules; and Section 69 of the Information Technology Act 2000 (IT Act) govern how authorisation is handled for interception of postal articles, interception of messages, and the internet respectively.

The India Post Office Act, and the Telegraph Act deal with targeted surveillance. For example, the Telegraph Act and Rules provide for a two-tiered threshold test, which require first, the occurrence of a public emergency, or in the interest of public safety to empower the Central or State government or any officer authorised therein to order the interception of postal/telegraphic messages; second, only if it is satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence.
 
This is not true of the IT Act. There are three notable distinctions that make surveillance easier under the IT Act.

  1. Section 69 does away with the pre-requisites of "public emergency" or "public safety" for the appropriate government to "intercept, monitor or decrypt" internet data.

  2. The Act widens the second-tier of the test under the Telegraph Act by providing for two additional grounds when it is considered necessary or expedient to intercept in the interest of the "defence of India" and the "investigation of any offence".

  3. The Act imposes an additional obligation on all internet service providers (the intermediaries), the subscriber and the person in-charge of the computer resources to "extend all facilities and technical assistance" to the intercepting agency, or face imprisonment up to seven years.

Finally, internet metadata can be monitored and collected by any government agency under the low threshold of "enhac[ing] cyber security" or for "identification, analysis and prevention of any intrusion or spread of computer contaminant in the country" under Section 69B of the IT Act, which deals with the power to authorise to monitor and collect 'traffic data' (widely defined) or information through any computer resource for cyber security.

What is ironic about the regulatory framework in India is that the same IT Act provides for extensive regulations on sharing of consumer data collected by businesses. The Indian State clearly has high standards for protecting privacy of consumers from private individuals, but not equivalent standards for itself.

Areas of concern


Consider the new world of electronic communications. It is impossible for us to even know that our privacy is being infringed, or to know what information is being held about us. The Snowden revelations have proved that data collection, retention and analysis by the State is an immutable reality and that we have literally sleepwalked into a surveillance society. This has compelled governments in the US, UK and Europe, which have a far greater recognition of the right to privacy than India, to evaluate and revise their legal framework.

As we have seen earlier, in the absence of an over-arching law, our regulatory surveillance architecture is heavily weighted in favour of the State. This is extremely problematic as mass surveillance is being carried out in a legal vacuum, with little regard for the effect on individuals' rights to privacy. In such a situation, regardless of whether the Supreme Court of India considers privacy as a fundamental right, the State must define the circumstances in which it may intervene with an individual's rights. For example, right to property is not a fundamental right. However, we still have the Land Acquisition Act and we debate ad nauseam about the circumstances in which the State may take away land and the due process for this. Why should privacy be any different?

In the face of ambiguity regarding the status of the right to privacy as a fundamental right, the absence of any statutory privacy code, and the out dated applicability of the PUCL surveillance safeguards, it is necessary to enact a privacy law. Such a law would define key terms, govern the rights of users, detail the obligations of the State, lay down privacy principles and exceptions, provide guidance on resolving privacy-security conflicts (for instance by applying a European proportionality test) and would delineate various redress and compensation mechanisms.

Inspiration could be taken from the UK Data Protection Act or the US Electronic Communications and Privacy Act (ECPA). There have been some efforts in the past in India, although with no result. For too long, there has been a lack of statutory basis for various government endeavours that affect the privacy of Indian citizens, whether it is the notification of the Aadhar scheme (enabling the collection of biometric data) or the CMS. This has to change before it is too late.

We in India are in a fledgling democracy. In the best of countries, there is an undersupply of criticism. In India, our ability to improve the working of the Republic requires more fearless people who will criticise the status quo. Privacy law should be a priority. Once greater privacy is secured, the processes of democracy in all other areas would work better.

Looking forward


There is an emerging consensus that India requires a big step up in civil liberties. We need to bring political philosophy, ethics and law into the full picture, which comprises rethinking (a) Defamation (b) Sedition and (c) Privacy.




Vrinda Bhandari is a practicing advocate in Delhi. Renuka Sane is a researcher at the Indian Statistical Institute, Delhi. The authors thank Bhargavi Zaveri and Smriti Parsheera for useful discussions.

4 comments:

  1. At the moment the warrant for interception is approved by the Home Secy of the Govt. of India and propably so in the state too? why not make it mandatory to do it from a judicial authority as done in the U.S?

    ReplyDelete
    Replies
    1. The Indian process for approving surveillance requests was built on the existing protocol in UK, which itself is now moving to judicial oversight (http://www.scmagazineuk.com/2nd-update-surveillance-bill-judicial-oversight-no-encryption-ban-archiving-browsing-data/article/451605/)

      Similar changes in the oversight and accountability mechanism are required in India.

      Delete
  2. A timely article. However, it missed mentioning the work of the committee headed by Justice A.P. Shah. The details can be seen at https://www.dsci.in/node/1218

    Subsequently, CIS put a leaked copy of the Privacy Bill, purportedly prepared by the Department of Personnel. Hopefully, things will move forward at some point of time.

    ReplyDelete
  3. The judiciary is easily coopted in the name of national security or fighting crimes.

    ReplyDelete

Please note: Comments are moderated. Only civilised conversation is permitted on this blog. Criticising me is perfectly okay; uncivilised language is not. I delete any comment which is spam, has personal attacks against anyone, or uses foul language. I delete any comment which does not contribute to the intellectual discussion about the blog article in question.

Please note: LaTeX mathematics works. This means that if you want to say $10 you have to say \$10.