The concept of privacy as a legal right was envisioned by Warren and Brandeis in 1890 and has evolved greatly since then. The post-globalized world has increasingly found itself amidst rising concerns about privacy and surveillance. With an alarming increase in technological advancements, the State is resorting to surveillance of an individual’s activities, both physical and virtual. This action of the State is an inherent violation of the citizens’ right to privacy.
The unanimous decision of the Supreme Court in the case of Justice K.S. Puttaswamy & Anr v. Union of India & Ors (2017) holds that Right to Privacy is a Fundamental Right read under Article 21 of the Constitution of India. Justice Chandrachud in his judgment states that privacy is a constitutionally protected right which emerges primarily from the guarantee of life and personal liberty in Article 21 of the Constitution.
Private information, if stored in unmonitored set-ups, poses a huge risk to individuals’ fundamental right to privacy, as this data can be manipulated and used for illegal and unwanted activities. It is thus important to ensure safeguards against government surveillance. It is the State’s primary duty to act as a guardian to its citizens, but the involvement of the State can be limited and problems can be managed even with effective strategies and policies.
Objectives and Key Principles
Public policy with respect to the management of information must embrace three main objectives, which are:
- Freedom of expression
- Personal privacy
- Public’s right to know
In a free society, these three objectives are always in contention, and the challenge to any public policy is to strike a proper balance between them.
In our country, at present, there is no comprehensive law on the protection of personal information and data of an individual collected by various organizations. Also, given the highly dynamic nature of personal data, there is a dire need to legislate a statute to regulate such data or information.
The following are the key principles of such policy:
- Reliability: Policymakers will provide reliable technology and well-trained, highly qualified personnel for collecting the personal information of individuals, and this information will be stored and kept safe with reliable sources.
- Accuracy through advanced technology: Technology is the only way to achieve reliable and trustworthy information about an individual, and this bill will incorporate the latest technology in order to obtain and store accurate, reliable and efficient information.
- Dynamism and Adaptiveness: This bill will also incorporate and adapt to changes over time, since change is inevitable in a dynamic environment. It is designed to constantly improve the organization of privacy protection based on new knowledge from the communities and from national and international knowledge partners.
The elements of privacy arise in varying contexts from the other facets of freedom and dignity recognized and guaranteed by the Fundamental Rights contained in Part III. The privacy judgment also added that informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but also from non-state actors.
There is a need on the part of the Union Government to examine and put into place a strong system for data protection. The creation of such a system requires a careful and sensitive balance between individual interests and legitimate concerns of the state. The legitimate aims of the state would include, for instance, protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge and preventing the dissipation of social welfare benefits.
The Personal Data Protection Bill of 2018
The Personal Data Protection Bill, 2018 was released along with the report by the Committee of Experts under the chairmanship of Justice B. N. Srikrishna. The Bill is broadly based on the framework and principles of the General Data Protection Regulation and on the foundation of the landmark judgement of the apex court in Justice K.S. Puttaswamy (Retd.) & Anr v Union of India & Ors. This Bill would replace both Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
In order to ensure that data principals have more control over their own data, the Bill gives them certain rights, such as the right to confirmation and access, the right to correction, the right to data portability and the right to be forgotten. It also provides for mechanisms to address the grievances of data principals in an effective manner. The Bill also has certain drawbacks, such as:
- The right to be forgotten under the proposed bill is not the same as the right to erasure proposed under global privacy standards and laws.
- The proposed bill is silent on individual rights around processing activities involving automated profiling and decision making.
- The right to portability is a key step towards enabling consumers to freely choose and move their data across service providers and this bill allows fiduciaries to charge a reasonable fee and restricts the scope of such requests to personal data obtained consensually and processed using automated means.
The Aadhaar Act (Targeted Delivery of Financial and other Subsidies, benefits and services), 2016
This Act was enacted to provide good governance, efficient, transparent, and targeted delivery of subsidies, benefits and services, the expenditure for which was incurred from the Consolidated Fund of India to individuals residing in India through assigning of unique identity numbers to such individuals and for matters connected therewith or incidental thereto.
Section 11 of the Act provides for the creation of the Unique Identification Authority of India. The Authority is to be responsible for the processes of enrolment and authentication and is to perform such other functions as are assigned to it. Section 23 details the powers and functions of the Authority, such as specifying demographic information and biometric information, and the collection and verification of such information from individuals seeking an Aadhaar number.
Chapter VI outlines provisions for the protection of information. Section 28 emphasizes the security and confidentiality of information. Section 29 imposes a restriction on the sharing of information. Section 30 regards biometric data as sensitive personal information. The provisions contained in the Information Technology Act, 2000 and the rules made thereunder shall apply to such information. Chapter VII deals with offences and penalties. The general penalty for any offence under the Act is imprisonment for a term which may extend to one year or with a fine which may extend to twenty-five thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees, or with both.
Human DNA Profiling (Draft) Bill, 2015
In 2015, the Central Government introduced the Human DNA Profiling (Draft) Bill. It was drafted by the Department of Biotechnology (DBT) in the Ministry of Science and Technology with the aim to expedite civil and criminal disputes where possible, to help identify the unclaimed dead persons and to track down missing persons.
Chapter III of the Bill deals with the establishment and powers of a DNA Profiling Board. Section 3 of the Bill establishes this board. Section 4 defines the composition of the Board. Section 12 outlines the functions of the Board that include advising the Central and the State Governments on matters regarding DNA laboratories, making recommendations, monitoring, regulating, conducting, certifying and auditing training programs, and many other related functions. Chapter VI deals with DNA laboratories.
Chapter V reiterates the provisions regarding Standard, quality control and quality assurance. Section 30 emphasizes the security and safety of personnel. There is to be a National DNA Data Bank and other State DNA Data Banks. Section 36 provides for retention and expunction of data.
Chapter VII elaborates on the aspect of confidentiality and access to DNA profiles. Section 37 provides that all DNA samples be kept confidential. Section 42 imposes a restriction on access to information in the Data Bank.
Chapter IX deals with offences and penalties. Penalties for unauthorized disclosure of information in the DNA Data Bank, unlawful access and destruction or alteration of DNA samples are listed in this part.
The Personal Data Protection Bill of 2013
This bill defines the means to regulate the collection, storage and processing of personal information. Chapter III of the Bill deals with the protection of personal data. Section 6 emphasizes the collection of personal data with informed consent. The data subject or the owner of that information must be informed about the nature and purpose of collection. Such data collection can happen without informed consent only when there is a medical emergency, a reasonable threat to national security or a need to prevent a cognizable crime.
Section 8 of the act lays down the regulation of personal data. Accordingly, no person shall store any personal data for a period longer than necessary to achieve the purpose for which it was collected or received. Section 11 deals with the security of personal data and duty of confidentiality. A data controller or data processor should notify the data subject if the confidentiality, secrecy, or safety of personal data in its possession is violated by theft or loss, damage or destruction or as a result of any disclosure. Section 16 provides for special provisions for sensitive data.
Chapter IV of the Bill deals with the establishment of a Data Protection Authority and its constitution and functions. The Data Protection Authority may inquire, suo motu (on its own) or on a petition presented to it by any person or by someone acting on his behalf, in respect of any matter connected with the collection, storage, processing, disclosure or other handling of any personal data and give such directions or pass such orders as are necessary for reasons to be recorded in writing. It may also review any Act or policy with respect to personal data. Chapter VI of the Bill deals with offences and penalties.
The Information Technology Act, 2000
Considered one of the most elaborate legislations on electronic data, the Information Technology Act of 2000 deals with privacy violations with regard to electronic information. The Act gives the meaning of ‘electronic’ in Section 2(r) and the meaning of ‘electronic record’ is outlined in Section 2(t). Section 3 of the Information Technology Act states the authentication of an electronic record, but it is not relied upon by the courts. Section 43-A prescribes compensation in the event a body that possesses, deals or handles any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and consequently causes wrongful loss or wrongful gain to any person.
State surveillance, especially with respect to e-information, is given legislative backing in the form of Section 69 and Section 69B of the Information Technology Act, 2000 which provide for surveillance on internet data, including the contents of websites browsed, chat logs and so on, and on internet metadata which includes other related information like the date, time, location and duration of transmission.
The Indian Telegraph Act, 1885
The other legislation dealing with electronic data is the Indian Telegraph Act, 1885. Section 26 (b) of the Indian Telegraph Act provides for 3 years’ imprisonment for persons held for telephone tapping. The person(s) can also be prosecuted for authorized tapping but sharing of the data in an unauthorized manner.
Article 12 of the UN Declaration of Human Rights (UDHR) reads as follows:
“No one shall be subjected to arbitrary interference with his privacy, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of law against such interference and attacks.”
Article 17 of the International Covenant on Civil and Political Rights, 1996, reads as follows:
“No one shall be subjected to unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation. Everyone has the right to protection of the law against such interference or attacks.”
Internet Surveillance Systems in India
The concept of privacy is recognized as a fundamental right under the Universal Declaration of Human Rights (Article 12), the International Covenant on Civil and Political Rights (Article 17) and several other treaties and conventions. Many countries such as Argentina, France and Japan recognize privacy as a fundamental right and have express statutes protecting the same.
However, the post-globalized world has increasingly found itself amidst rising concerns about privacy and surveillance. With an alarming increase in technological advancements, the State is resorting to surveillance of an individual’s activities, both physical and virtual. With Edward Snowden revealing classified documents of the NSA, publicizing its surveillance programs and data, the world was exposed to a scary prospect of the Big Brother, the USA, snooping on their private data and activities. Ever since, privacy regimes of different countries have been widely debated to make laws more stringent and protect this inherent right of individuals.
In India, there is a huge lacuna in the privacy laws. There is no express legislation that recognizes the concept of privacy. The judiciary, in several landmark cases like Maneka Gandhi v. Union of India, People’s Union for Civil Liberties (PUCL) v Union of India and Kharak Singh v. State of Uttar Pradesh, interpreted the right to privacy to be a sister right under Article 21, the right to life, and included it within its scope. Thus, in India, privacy remains merely that, and not a well-recognized right, subject to varied interpretations and making it all the more difficult to deal with privacy issues through the course of law.
It is a widely accepted practice by law enforcement agencies to set up surveillance on suspicious activities and individuals in the name of security. State surveillance, especially with respect to e-information, is given legislative backing in the form of Section 69 and Section 69B of the Information Technology Act, 2000 which provide for surveillance on internet data, including the contents of websites browsed, chat logs and so on, and on internet metadata which includes other related information like the date, time, location and duration of transmission.
In India, government departments involved in ensuring and overseeing cybersecurity are often also involved in some aspect of surveillance. The key Government departments apart from the security agencies that play a role in ensuring India’s cybersecurity and overseeing and regulating surveillance in India are the Department of Telecommunications and the Department of Electronics and Information Technology.
They set up Lawful Intercept and Monitoring (LIM) systems which are legally established surveillance and interception systems, public or private, which operate in a particular area for a certain period of time. They are also the interception and monitoring systems installed in the networks of Telephone Service Providers (TSP) and Internet Service Providers (ISP) under license agreements with the government. The LIMs perform the task of intercepting phone calls and internet calls, providing real time data of the entire network traffic of India and also of maintaining and providing access to meta-data.
Several such lawful internet surveillance projects have been proposed and set up by the government, the most popular two of which will be discussed further.
Central Monitoring System (CMS)
The CMS is a centralized system to automate the process of lawful interception and monitoring on phones and the internet in the country. The CMS was planned by the UPA government as far back as 2009, notified through a press release by the Press Information Bureau, where the objectives of the system were to monitor communication on phones, landlines and internet in the country.
The CMS was prepared by the Telecom Enforcement, Resource and Monitoring (TREM) and by the Centre for Development of Telematics (C-DoT) and is being manned by the Intelligence Bureau. As of 2016, it has undergone several trial runs and is being progressively implemented, and has been allocated a budget of Rs 400 Crores. Prior to the CMS, all service providers were to have LIMs installed to carry out targeted surveillance by the State. However, after the establishment of the CMS, they are required to integrate Interception Store & Forward (ISF) servers with their pre-existing Lawful Interception Systems. These ISFs are further connected to the Regional Monitoring Centers (RMC), which are part of the CMS. The C-DoT also aims to connect ISFs in the regions of Delhi, Maharashtra, Kolkata, Kerala and Gujarat and several other states.
The system aims to overcome the defects of manual intervention and create a more secure and protected internet sphere. Without any manual intervention from telecom service providers, the CMS will equip government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers.
Coming to the privacy concerns of the systems, the government claims that the CMS will better protect an individual’s privacy. Their first argument is that the CMS merely automates the existing process of interception and monitoring, and therefore is not, per se, a surveillance system. The proposers of this system seem to assume that the system of LIMs was necessary or good. As such, it is emphasised that the process of interception and monitoring will “just” be automated while posing no real threat. This raises serious questions about the assumption itself, considering the fact that the existing privacy laws and regulations in India are hardly sufficient or effective enough in safeguarding the rights of citizens. Also, several laws, such as the IT Act 2000, are under heavy scrutiny and the subject of debate, which means that the pre-existing laws themselves are ambiguous and vague. Therefore, the guarantee of the protection of the privacy of the individual seems to be far-fetched.
The second argument is that the CMS authority will provide the interception requests from law enforcement agencies and hence, a complete check and balance will be ensured since the provisioning entity and the requesting entity will be different and the CMS authority will not have access to content data. Although there is differentiation with regard to the provisioning and requesting entity, the CMS lacks adequate legal backing, as well as a framework which would ensure that unauthorized requests are not provisioned.
Thus, the recommended chain of custody of issuing interception requests does not necessarily guarantee privacy protections, especially since a legal mechanism for ensuring checks and balances is not in place. Furthermore, this argument states that the CMS authority will not have access to content data, but does not specify if it will have access to metadata. What’s concerning is that metadata can potentially be more useful for tracking individuals than content data. As such, metadata can potentially be more “harmful” than content data, since it can potentially provide concrete patterns of an individual’s interests, behavior and interactions. Thus, the fact that the CMS authority might potentially have access to metadata appears to undermine the argument that the provisioning and requesting entities will be separate and will therefore protect the privacy of an individual.
The final argument is that a non-erasable command log of all provisional activities will be maintained, which can be examined for misuse anytime. While this provides some sort of relief, there is no clarity regarding what authority maintains the log, who will have access to it and what the penalties are in case of breaches. Without an independent body to oversee the process and without laws which predefine strict penalties for instances of misuse, maintaining a command log does not necessarily safeguard anything at all.
Network Traffic Analysis (NETRA)
The NETRA is an exclusive internet surveillance system which is developed by the Centre for Artificial Intelligence & Robotics (CAIR), a lab under Defense Research & Development Organization (DRDO). It was brought into the spotlight in 2013 by several newspapers which published reports on the project. According to the reports, the system is capable of detecting words like bomb, attack, kill and blast from internet sources like tweets, blogs, emails, internet phone calls and status updates.
NETRA will essentially be a surveillance system designed specifically to monitor the nation’s internet networks including voice traffic passing through software such as Skype or Google Talk. Various news reports have also stated that an inter-ministerial group comprising officials of the Cabinet Secretariat, Home Ministry, Defence Research and Development Organization, CAIR, Intelligence Bureau, Center for Development of Telematics and Computer Emergency Response Team that recently discussed the deployment strategy of NETRA favoured allocation of 300 GB of storage space to a maximum of three security agencies, including the IB and Cabinet Secretariat, for intercepted internet traffic, with an extra 100 GB assigned to the remaining Law Enforcement Agencies.
However, there are no official reports published by the government with regard to the project, due to which there is very little information on it. Again, similar to the CMS, the cons of such a project include ambiguity in the what, how and why of the system, which, combined with the void in privacy laws in India, could prove to be disastrous to an individual’s privacy.
There have been various discussions and debates on what constitutes privacy, since the foundation of the concept is philosophical. It becomes increasingly difficult, especially in the globalized, digitalized world, to define privacy. Various dimensions of privacy are listed below:
- Information privacy – It deals with the protection and security of data or electronic information. It also talks about rules and mechanisms governing the collection, storage, processing and access of data or information.
- Bodily Privacy – This aspect of privacy deals with the physical self of a person, protecting against the collection of bodily samples without his consent, the use of physical force and so on.
- Privacy of Communications – According to this facet, privacy also includes security of telephones, email communications and other forms of electronic communication. It also pertains to surveillance and monitoring devices, and their regulation.
Any policy which is proposed must involve the following 5 areas for consideration. These areas are necessary to be discussed depending on the need of the current socio-economic, political and legal system.
- Aadhaar – The Unique Identification Number (UID) scheme, also termed ‘Aadhaar’, was launched in 2009 by the Government of India with the aim of assigning 12-digit identification numbers to all residents of India. This scheme was introduced to create an efficient Public Distribution System and other social welfare programs, ensure instant identity verification and prevent identity frauds. The Unique Identification Authority of India (UIDAI) was set up by the government as part of the Planning Commission to lay down the plans and policies of the scheme, operate the databases for storage, for updation and maintenance of information and to set up infrastructure and mechanisms for generation, distribution and validation of Aadhaar cards. Critics of the Aadhaar scheme claim that in spite of multiple assurances by the Government to safeguard the information, steps have not really been taken to do the same and prevent confidential and sensitive information from reaching the wrong hands. There is also the concern that storage of such huge amounts of personal information on servers has potential for misuse or unauthorized access. There are also no specific protocols on what information can be shared with whom and to what extent.
- Internet surveillance – In the highly globalized world of today, the Government often resorts to internet surveillance systems to monitor individuals and their activities. It is a widely accepted practice by law enforcement agencies to set up surveillance on suspicious activities and individuals in the name of security. State surveillance, especially with respect to e-information, is given legislative backing in the form of Section 69 and Section 69B of the Information Technology Act, 2000 which provide for surveillance on internet data, including the contents of websites browsed, chat logs and so on, and on internet metadata which includes other related information like the date, time, location and duration of transmission. The Government has set up Lawful Intercept and Monitoring (LIM) systems, such as the Central Monitoring System and the Network Traffic Analysis, which are legally established surveillance and interception systems, public or private, which operate in a particular area for a certain period of time.
- DNA collection and the DNA Bill – In 2015, the Narendra Modi government introduced the Human DNA Profiling (Draft) Bill. It was drafted by the Department of Biotechnology (DBT) in the Ministry of Science and Technology with the aim to expedite civil and criminal disputes where possible, to help identify the unclaimed dead and to track down missing persons. Deoxyribonucleic acid (DNA) analysis of body substance is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between the two individuals, living or dead, without any doubt. However, once misused, it can cause detrimental effects to the subject of the DNA. Therefore, any proposed policy should seek to introduce sufficient security mechanisms for the collection, storage and access of such sensitive data.
- Telephone tapping – Phone tapping, also referred to as wire-tapping, means secretly listening to or recording communication on the telephone in order to get information about any activity. It is a serious invasion of an individual’s privacy. With the growth of highly sophisticated communication technology, the right to hold a telephone conversation, in the privacy of one’s home or office without interference, is increasingly susceptible to abuse. It is understood that the government, howsoever democratic, exercises some degree of control over such operations as a part of its intelligence outfit, but at the same time the citizen’s right to privacy has to be protected from being abused by the authorities of the day. There are several scattered legislations that provide for security against telephone tapping. However, this policy seeks to provide a comprehensive system that regulates the same.
- Video Surveillance – Video Surveillance is a system of monitoring an area or locality. Digital video surveillance systems, such as CCTV, IP, etc., are used for any type of monitoring. The potential of video surveillance, especially with the advancement on the technological front, has spiked the interest of the Indian government and has led to a new era of video-monitored public arenas. The issue comes from the fact that surveillance will lead to the generation of a lot of sensitive information, and the keeping, protection and destruction of such information is a very important responsibility. This raises the question of whether the state has the right to monitor people and gather such personal information. Current laws in India that allow for surveillance have a lot of scope for abuse, as the country is lacking sufficient privacy safeguards. A privacy law is necessary in such a scenario to ensure that data is not retained indefinitely, that data is not shared and disclosed to unauthorized third parties and that unauthorized parties do not have access to collected and intercepted data.
- “biometric data” means any data relating to the physical, physiological or behavioural characteristics of a person which allow their unique identification including, but not restricted to, facial images, fingerprints, handprints, footprints, iris recognition, handwriting, typing dynamics, gait analysis and speech recognition;
- “collect”, with its grammatical variations and cognate expressions, means, in relation to personal data, any action or activity that results in a data controller obtaining or coming into the possession or control of, any personal data of a data subject;
- “Data”, for the purpose of this bill, refers to data as defined under clause (o) of sub-section (1) of section 2 of the Information Technology Act, 2000;
- “data controller” means a person who, either alone or jointly or in concert with other persons, determines the purposes for which and the manner in which any personal data is processed;
- “data processor” means any person who processes any personal data on behalf of a data controller;
- “data subject” means a person who is the subject of personal data;
- “Personal Information/Data” means any data/information which relates to a natural person if that person can, whether directly or indirectly in conjunction with any other data, be identified from it and includes sensitive personal data;
- “Privacy” is the right that determines non-intervention of secret surveillance and the protection of an individual’s information. It is split into four categories: Physical (an imposition whereby another individual is restricted from experiencing an individual or a situation), Decisional (the imposition of a restriction that is exclusive to an entity), Informational (the prevention of searching for unknown information) and Dispositional (the prevention of attempts made to get to know the state of mind of an individual);
- “Sensitive Personal Information” means such personal information which consists of information related to:
  - biometric data;
  - deoxyribonucleic acid data;
  - sexual preferences and practices;
  - medical history and health;
  - political affiliation;
  - the commission, or alleged commission, of any offence;
  - ethnicity, religion, race or caste;
  - financial and credit information.
The regulatory role of the Ministry of Information Technology should include regulation of establishments made for the protection of databases, creation of a methodology for proper collection of data, data safety, encryption technologies, classification of data, data storage, data sharing, and training for all those employed to use such technology. Research and implementation of other data-related laws need urgent and concrete steps towards reform. This will entail moving towards a more effective, rational, transparent and consistent regime.
Governance under a Policy
Role of Centre & State
One of the most important strengths and at the same time challenges of governance in the information technology sector is the distribution of responsibility and accountability between the Centre and the States. The proposed policy must recommend equity sensitive resource allocation, strengthening institutional mechanisms for the protection of such information and coordinated implementation by all parties, as the way forward. Besides, better management of such data which is procured should have a centralized mechanism for both its collection and maintenance. Such standards should be created by the Centre and followed by the states. Access to such information will be restricted and will be classified information, consent of the person will be taken to access the information.
Role of Panchayati Raj Institutions
Panchayati Raj Institutions would be strengthened to play an enhanced role at different levels for data governance, including the collection of the data and storing it in the national database. There is a need for external monitoring of such procurement of data, so as to place people in the database of the IT system and the development process, for effective monitoring of the method of taking the data and for better accountability in the management of the information.
Accordingly, the management, administrative and overall governance structure in the IT system needs to be overhauled. Additionally, the responsibilities and liabilities of the providers, collectors, technicians, regulators and Government in the protection of the information need to be clearly spelt out. Any proposed policy, while supporting the need for moving in the direction of a ‘rights based’ approach to data security, must be conscious of the fact that threshold levels of finances and infrastructure are a precondition for an enabling environment, to ensure that the information collected is used for the benefit of the society and is secure to the best possible extent.
The policy which is adopted by the government of the country must advocate a progressively incremental assurance based approach, with assured funding to create a National Database which is secure.
Implementation Framework and Way Forward
A policy is only as good as its implementation. It is important for a policy to envisage that an implementation framework is put in place to deliver on these policy commitments. Such an implementation framework would provide a roadmap with clear deliverables and milestones to achieve the goals of the policy. Its implementation must involve both the legislature as well as the executive to establish the rules.