Constitutional Validity of Government’s Data Surveillance
This article deals with the surveillance regime in India. Beginning with a description of what surveillance mechanisms exist in India (CMS, NETRA etc) to the related legal framework for the same, we analyze the evolution of the concept of ‘privacy’ in Indian courts. The article also examines the need for a strong data protection law and legal and administrative developments related to the same.
Let us begin with an understanding of what data surveillance is: it involves closely observing some individual or activity with a certain purpose in mind. The ‘data’ collected by such monitoring is then later used for purposes such as marketing, security or maybe just for hacking into your system and then later demanding a hefty ransom. As scary as it sounds, not all of what comprises surveillance is contrary to the public interest: policy formation by the government, or say a space programme or health scheme, utilize surveillance as an instrument for the greater welfare of the society.
Why is ‘data surveillance’ making news in India all of a sudden? Post the Snowden disclosures in May 2013, the topic has been one of great public interest worldwide. But even in India, people are now more interested in knowing how and when the government exercises its surveillance powers. This anxiety was observed after the notification issued by the government recently.
On December 20, 2018, the Union Ministry of Home Affairs issued a notification enabling ten agencies to intercept, monitor and decrypt ‘any information generated, transmitted, received or stored in any computer resource’. This was stated to be ‘in the exercise of the powers conferred by sub-section (1) of section 69 of the Information Technology Act, 2000 (21 of 2000) read with rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009’. The notification took the country by storm as people began to think that data in their phones or computers was under constant threat of surveillance by the government. While such concerns are not unexpected, it is first important to note the history of data surveillance in India, the past legal framework behind the order and the constitutional validity of the same.
History of Data Surveillance in India
There are currently eight programmes (of which the public knows) being used for state surveillance in India. These have been rolled out to expand and ensure effective application of the law enforcement apparatus, under threat from forces such as terrorism and Naxalist communist insurgency. They are also inter-linked to fulfil multiple objectives. Some of these programmes are the Central Monitoring System (CMS), National Intelligence Grid (NAT-GRID), Network Traffic Analysis System (NETRA), New Media Wing (Bureau of New and Concurrent Media).
In addition to these, there have also been concerns regarding India’s flagship identity project called UID or Aadhar, which provides to every citizen a unique identification number and is used as a link between multiple government services.
Different surveillance programmes have different roles: while the CMS is to be used for the ‘collection, storage, access and analysis’ of lawfully intercepted data from across the country, the NETRA is primarily used by spy agencies to monitor internet activity. Surveillance methods have been in use since the 1970s, when the Indira Gandhi government was found to be illegally tapping phones of Opposition party members. This was yet again observed under Rajiv Gandhi’s rule and then again when VP Singh came to power. Hence, there has been a history of surveillance being employed for illegal purposes in India. The question which hence arises is: are there no existing checks and balances to ensure the lawful application of surveillance technology? To answer this, we must examine the legal framework in place.
Legal Framework related to Surveillance
In India, there are no laws which permit ‘mass surveillance’ as such. The two laws which deal with interception are the ‘Telegraph Act, 1885’ and the ‘Information Technology Act, 2000 (amended in 2009)’.
Section 5(2) of the Telegraph Act, also known as the ‘wire-tapping clause’ allows the ‘government to take possession of any licensed telegraphs in case of a public emergency or in the interest of public safety’. This possession is subject to five reasons: ‘interests of the sovereignty and integrity of India, the security of the state, friendly relation with foreign states or public order or for preventing incitement to the commission of an offence’. The IT Act (amended in 2008) borrows much of its substance from the Telegraph Act but extends the power also for ‘investigation of any offence’.
As arbitrary as these provisions may sound, the information can only be intercepted after a separate lawful authorization by the competent authority. 
The surveillance powers of the state have been repeatedly challenged in the Supreme Court. These petitions emphasize the need for an unambiguous demarcation of what constitutes an individual’s privacy.
The first case pertaining to this controversy was MP Sharma v. Satish Chandra in 1954. In this judgment, the court held that since the Constitution makers did not deem it fit to introduce regulations with respect to ‘search and seizure for documents’, there is no justification to import it. The court hence dismissed outright the need for citizens’ right to privacy.
The next important case in line was Kharak Singh v. State of UP. The petition challenged the UP Police Regulations which gave surveillance power to the Police, over ‘history sheeters’. These powers included secret picketing of the suspect’s house, visits at night, an enquiry into habits and associations etc. The court held that unauthorized intrusion into a person’s home would be violative of his/her personal liberty. Even though the right against unreasonable search and seizures was upheld, the right was not extended to protect suspects from ‘shadowing’ outside their homes; this was because they were unaware of the same. What we can conclude from this case is that, since the surveillance in such cases was targeted at individuals who were suspected of anti-social behaviour, the court upheld the legality of the same. 
It was Justice Subba Rao who gave a dissenting opinion: ‘when a citizen is shadowed, her movements are as a result constricted and hence not free’. This is what the judiciary now accepts as a part of privacy.
Later in 1975, the landmark case Gobind Singh v State of MP made the news. The facts of the case were somewhat similar to those in Kharak Singh, but the court here agreed to a limited right to privacy, which it stated would develop on a case-by-case basis. But since the disputed Madhya Pradesh Police Regulations dealt with the wider aim of ‘prevention of crime’, the court dismissed the petition.
An excerpt from the judgment:
“Depending on the character and antecedents of the person subjected to surveillance as also the object and the limitation under which surveillance is made, it cannot be said surveillance by domiciliary visits would always be an unreasonable restriction upon the right of privacy. Assuming that the fundamental rights explicitly guaranteed to a citizen have penumbral zones and that the right to privacy is itself a fundamental right that fundamental right must be subject to the restriction on the basis of compelling public interest. As regulation 856 has the force of law it cannot be said that the fundamental right of the petitioner under Article 21 has been violated by the provisions contained in it: for, what is guaranteed under that Article is that no person shall be deprived of his life or personal liberty except by the procedure established by ‘law’.”
In the emergency era, the country witnessed various government excesses, including cases of phone tapping. This misuse of surveillance power continued in India’s political history. In the early 1990s, political leader Chandra Shekhar publicly accused the VP Singh government of tapping the telephones of 27 politicians, including his own. Culminating in a CBI inquiry, this later gave way to a PIL in the Supreme Court, filed by People’s Union for Civil Liberties. The question raised was the validity of S. 5(2) of the Telegraph Act, 1885. Not only did the court decline to strike this provision down, it emphasized the need to adhere to the two pre-conditions mentioned in the Act: public emergency and interest of public safety. It laid down certain guidelines to prevent arbitrariness in executive orders. These were later codified (not exactly in the same manner) as Rule 419-A of the Indian Telegraph Rules, 1951. What these guidelines did was introduce multiple procedural safeguards against the issuing of erratic orders.
Change in interpretation
The understanding we can draw from all these developments is that courts in India have been sceptical about reading the ‘Right to Privacy’ into Article 21, that is, the Right to Life. From the government’s end, we see an extension of existing surveillance techniques, as well as the introduction of novel ones, without any statute to support them, i.e., these programmes have been brought in without any debate or discussion on the same in the Parliament.
But time changes, and with it changes the interpretation of the laws.
In the last few years, India has witnessed remarkable judgements by the higher judiciary, either abolishing or transforming some long-disputed practices. One of these landmark judgments was Justice K S Puttaswamy (Retd.) v Union of India, wherein a nine-judge bench of the Supreme Court held that the Right to Privacy is a constitutionally protected right and is read into the Right to Life under Article 21. It was also held that the right is integral to, and emerges from, various provisions of Part III of the Constitution. The bench overruled the court’s decisions in MP Sharma v Satish Chandra and Kharak Singh v State of UP. It also laid down that the right to privacy, just like other fundamental rights, is not absolute and is subject to reasonable restrictions. The ‘just, fair and reasonable test’ included:
- Requirement of law
- Legitimate state aim
- Test of Proportionality
How does this landmark judgment then relate to data surveillance?
This judgment gives us a framework to examine the constitutional validity of the existing data surveillance mechanisms in India. The Supreme Court initiated this process with the examination of the constitutionality of Aadhar. Receiving a basis in law with the passing of the Aadhar Act in 2016, the Aadhar is a 12-digit identity number given to Indian citizens or residents in India based on their biometric (fingerprints, iris scans and facial photograph) and demographic information (address, name, DoB etc). The challenge to this identification system was subjected to the three-stage test laid down in the Puttaswamy judgment. The court in the Aadhar judgment held that the Unique Identification System satisfies all three requirements of the test: there is an existing law, there is a legitimate state aim of ensuring that the benefits under the Act actually reach the populace, and there is proportionality between the aim and the means of furthering the same.
Even though the majority judgment upheld the constitutionality of Aadhar, it is pertinent to note that the court also called for a strong data protection law as soon as possible. This shows an attitude of deep concern for the protection of the citizens’ data, which has long been in jeopardy. One example is phone interception: according to one RTI application, the Union Home Ministry approves around 7500-9000 pleas for phone interception every month. This is a humungous number. What this tells us is that the procedural safeguards under Rule 419-A of the Indian Telegraph Rules are being blatantly misused. There is no judicial or parliamentary committee to examine these sanctions and such interception can hence be secretly allowed for purposes other than those listed in the relevant statutes.
Apart from telephonic interception, emails and social media content can be monitored with sanction under Section 69 of the IT (Amendment) Act, 2008. This allows the central and state governments to issue directions to intercept, monitor and decrypt, or cause to be intercepted or monitored or decrypted, any information generated, transmitted, received or stored in any computer resources. 
This takes us back to the start of the article: the MHA order issued in December. How do we go about examining its constitutional validity? Going by the precedential value of the Puttaswamy judgment, the three-stage test must be applied in this case as well. But before that, it is important to note that this order grants surveillance power to agencies such as the Intelligence Bureau, CBI, the Delhi Commissioner of Police, CBDT etc. These agencies have a wide jurisdiction and can hence extend surveillance to a large section of the populace.
Now we need to examine the constitutionality of this order. Beginning with the identification of law, it is understood that the recent order is merely a reproduction of powers given to the government under the IT Act. Hence, step one is cleared.
Secondly, we need to look at the ‘aim’. The Ministry of Home Affairs states that the order is aimed at the country’s security. Section 69 of the IT Act incorporates reasons such as sovereignty and integrity of India, the security of the state etc. These reasons indicate that the order addresses the wider national interest and the aim is hence legitimate.
Lastly, we need to look at the test of proportionality. Is the aim of national security best extended through the recent order and the related provisions of the IT Act? This is one question which merits judicial scrutiny. Is granting of such wide surveillance powers to the Central government (and now the ten agencies) proportional to ensuring the protection of the country? Is this no less than snooping? Will the provisions be reduced to mere approval of ‘interception-requests’ without any substantive deliberation on the same?
The recent order has been challenged in the Supreme Court of India as ‘violative of articles 14, 19(1)(a) and 21 of the Constitution of India and/or ultra vires Section 69 of the Information Technology Act 2000 and Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009.’ The court has now sought the Centre’s response on the same within six weeks.
To conclude, we can say that data surveillance in India has branches extending all around. To examine the constitutional validity of the same, we will have to look at the related legal provisions such as the IT Act and the Telegraph Act. Since surveillance programmes do not derive their base from legal statutes, an analysis of the mentioned laws in a court of law would decide the future of surveillance programmes in India.
But it can also be safely said that India now needs a strong data protection law. The ‘Personal Data Protection Bill 2018’, based on the report of the BN Srikrishna committee, is the first step in this direction. Yes, the bill tries to propound data protection and privacy by ways such as demanding that companies collect personal data in “a fair and reasonable manner,” and respect people’s privacy by taking clear consent for sensitive personal data.
But no, it does not address the issue of mass surveillance. The bill does not call for any requirement of law enforcement agencies to submit reports to the Parliament about surveillance activities carried out by them. Similarly, the bill also allows for surveillance under certain exemptions, such as that it should be ‘authorized by law made by the Parliament or the State Legislature’: this means that the current framework under the IT Act and Telegraph Act satisfies this requirement.
What the bill also does, however, is question the legal validity of existing surveillance mechanisms such as the CMS and NETRA, which have been rolled out without adequate legal sanction.
The question remains: Is our data ours in the real sense? Or is India on the way to becoming a surveillance state?
– Tanishka Goswami
National Law University, Delhi
 Gautam Bhatia, “State Surveillance and the Right to Privacy in India: A Constitutional Biography” (2014) 26 NLSI Rev 127
 Mishi Choudhary, ‘MHA Notification: When Governments create systems of surveillance, we have everything to lose’ (Firstpost, December 27, 2018) <https://www.firstpost.com/tech/news-analysis/mha-notification-when-govts-create-systems-of-surveillance-we-have-everything-to-lose-5797991.html>
 ‘The Design and Technology behind India’s surveillance programmes’ <https://cis-india.org/internet-governance/blog/the-design-technology-behind-india2019s-surveillance-programmes#_ftn7>
 Apar Gupta, “Is India becoming a Surveillance State”, (BloombergQuint, December 23, 2018) <https://www.bloombergquint.com/opinion/is-india-becoming-a-surveillance-state#gs.vF5NJjlS>
 Pranesh Prakash, “How Surveillance works in India”, (The New York Times, July 10 2013) <https://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/>
 Section 5(2), Indian Telegraph Act, 1885
 Section 69, IT Amendment Act, 2008
 Sruthisagar Yamunan, “Home Ministry order on computer surveillance is not new – UPA introduced provisions in 2008” (Scroll, December 2018) <https://scroll.in/article/906579/home-ministry-order-on-computer-surveillance-is-not-new-upa-introduced-provisions-in-2008>
 MP Sharma v Satish Chandra (1954) AIR 1954 SCC 300
 Kharak Singh v State of UP (1964) AIR 1963 SCC 1295
 Chinmayi Arun, “Paper-Thin Safeguards and Mass Surveillance in India” (2014) 26 NLSI Rev 105
 Govind Singh v State of MP (1975) 2 SCC 148
 PUCL v Union of India (1997) 1 SCC 301
 Chaitanya Ramachandran, “PUCL v. Union of India Revisited: Why India’s Surveillance Law must be Redesigned for the Digital Age” (2014) 7 NUJS L Rev 105
 Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1
 “Initial analysis of Indian Supreme Court decision on Aadhaar” (Privacy International, September 2018) <https://privacyinternational.org/feature/2299/initial-analysis-indian-supreme-court-decision-aadhaar>
 Nandini Chami and Jai Vipra, “MHA Notification: Debate on Digital Surveillance must move beyond privacy and data protection laws” (December 2018) <https://www.firstpost.com/tech/news-analysis/mha-notification-debate-on-digital-surveillance-must-move-beyond-privacy-and-data-protection-laws-5777761.html>
 Section 69, IT Amendment Act, 2008
 The Wire Staff, “Why Five Petitions Are Challenging the Constitutional Validity of India’s Surveillance State” (The Wire, January 2019) <https://thewire.in/law/supreme-court-pil-centre-snooping>
 David Gilbert, “India’s New Data Protection Law could create a massive surveillance state” (VICE News, 2018) <https://news.vice.com/en_us/article/qvmw4p/indias-new-data-protection-law-could-create-a-massive-surveillance-state>
 Vrinda Bhandari, “Data Protection Bill: Missed Opportunity for Surveillance Reform” (The Quint, 2018) <https://www.thequint.com/voices/opinion/personal-data-protection-bill-2018-draft-srikrishna-committee-loopholes-surveillance>