Data Privacy

This article has been written by Pratik Shandilya, pursuing the Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho. The article has been edited by Prashant Baviskar (Associate, LawSikho) and Zigishu Singh (Associate, LawSikho).

Introduction

Encryption is the process that is used in digital gadgets which makes a file or any message unreadable except for the person who is in possession of the password or key to decrypt. Encryption is the best safeguard to protect information from interference, both when travelling through the internet and rest. (In our emails and devices) Encryption basically converts the message into a coded format and then the message is decoded when it is actually received by the person who is intended to receive such a message. In such a method, no one else can access the message.

Encryption protecting rights

Freedom of expression is a fundamental right. Encryption is a manifestation of the mechanism to protect opinion and belief. In the digital world, it is a precursor to the fulfilment of human rights, including the freedoms of expression, opinion, the press and the right to privacy.

Download Now

According to the Inter-American Commission on Human Rights, the rights of freedom are not any concession or subsidies provided by the states but they are the fundamental rights to which every individual is entitled.

At the most basic level, encryption provides data confidentiality along with other functions such as: 

  1. Confidentiality – encodes and hides the message.
  2. Authentication – verifies the message’s origin.
  3. Integrity – Means there is no unauthorized manipulation of data.
  4. Non-repudiation – means the sender of the message cannot deny that he sent the message.

Many of our activities are covered under encryption such as: 

  1. ATMs –each time the user uses ATM, the data is protected by encryption.
  2. Online payments – users’ payment details used in online transactions are protected by encryption.
  3. Encrypted web traffic – many websites encrypt web usage by default. If a user is using a website with ‘https’ (the ‘s’ represents ‘secure’), the user’s data is encrypted.
  4. Messaging apps – WhatsApp have enabled end-to-end encryption. If cybercriminals breach WhatsApp, they won’t be able to decrypt your messages.
  5. Digital rights management systems – prevent the reproduction and unauthorized use of copyrighted content and protect software against reverse engineering.
  6. Data ‘at rest’ – responsible organizations always encrypt the data they store. 

However, no technology is 100% secure and even encryption safeguards are susceptible to hackings, although such occurrences are rare. To summarize, encryption to some extent protects our privacy rights. It prevents data breaches, however, it is also not 100% assuring, and is very much exposed to cyber criminals’ activities. 

Whether the law is sufficient to protect privacy rights?

The subject of encryption policy and protection of privacy has remained an unresolved issue, mainly because the government has to create a law that balances the privacy of individuals, the digital infrastructure security and rights of the government in demanding access to personal data. 

Till today, formulating a law to achieve the balance has only become harder. The Indian Government had introduced a National Encryption Policy in 2015, which was abandoned on the grounds that the policy was more than an Encryption policy. In February 2021, RBI issued Master Direction on Digital Payment Security Controls, requiring multi-factor authentication, encryption, digital certifications etc for encryption. However, it does not provide any specific parameter to protect privacy rights or personal data. Certain instances prompt suspicion on the effectiveness of the available laws or regulations, for example, VpnMentor, (Israel based company) released some financial information, Aadhar Card information and other personal details of the users of the BHIM app. In another instance, a mobile payment app information was leaked due to some unsecured mechanism in the associate partner entity. 

There has been a conflict of interest between the privacy rights of the individual and the government’s right to command access to the encrypted data for investigation purposes. The government wants to reserve the right to trace and prosecute individuals who spread wrong information or use digital platforms in such a manner as to cause fear, instigate or breach of peace, hate-rate, disharmony in the society by disturbing the law and order, national security issues etc. There have been incidents that show that the government had to trace the offenders using the encrypted platforms who caused disharmony in society. In 2019, the Indian Encryption Brief highlighted an incident where a mob committed lynching crimes on minorities which were instigated, preplanned on WhatsApp. Immediately thereafter Government India demanded WhatsApp to dilute its end-to-end encryption. Several other petitions before the Supreme Court requested direct social media platforms to keep the authentication process using PAN card or Adhaar Card to wipe out all the fake and cloned online profiles on platforms such as Facebook, Twitter, Instagram. In 2020, the Ad hoc Committee of Rajya Sabha recommended permitting breaking (E2E) End-To-End encryption in cases involving child sexual abuse material.

Another development towards formulating law is the Personal Data Protection (PDP) Bill, which was placed before the Lok Sabha in December 2019. The PDP Bill, if passed, will become the overarching legislation regulating Data Protection related aspects. The Act would also establish a Data Protection Authority (DPA). As per Section 24 (1) of the bill, any entity that stores the data of any individual must implement necessary measures such as integrity, methods to prevent de-identification, and Encryption of personal data.

However, the same draft also provides for a controversial Section 35 which provides for power to exempt any Government agency from the act. However, this bill received criticism from civil societies. Justice B.N. Srikrishna termed the Bill as “dangerous” and also added that this bill will turn India into an Orwellian State.

All these concerns were consolidated by the intermediary guidelines (2021) which state that in case any judicial order passed under Section 69 of the IT Act, the concerned intermediary (social media Platform) must be able to trace the first originator of the information. This will help investigation agencies to successfully complete the investigation.

As per the guidelines it is mandatory for the social media platforms to appoint a nodal officer who shall be available 24×7 to assist, coordinate with law enforcement agencies in India. It is also the observation made by a Software Freedom Law Center that Section 69 of the Information Technology Act under which the tracing orders are issued does not provide for enough measures.  The decryption request grounds under Section 69 as well as under Section 35 of the PDP bill are very broad.

In conclusion, the PDP Bill contemplates, on one hand, stringent provisions for data protection, including permission to private data fiduciaries to encrypt the data of the public and on the other hand makes provisions whereby Central Government exempt agencies from deviating from the data privacy measures. These guidelines additionally grant powers to Government authorities to order intermediaries i.e the social media platforms such as Facebook, WhatsApp, Twitter to make data accessible to investigative agencies.

Right to privacy vis-à-vis encryption and law enforcement

Privacy is a matter of Universal right and is well recognized internationally. Article 12 of the Universal Declaration of Human Rights (“UDHR”) states that there shall not be any arbitrary interference in the privacy rights of the individuals and that each individual is entitled to protect his/her privacy. Article 17 of the International Covenant on Civil and Political Rights (“ICCPR”) declares privacy as a human right. India is a signatory to both UDHR and ICCPR.

Domestically, the Supreme Court of India recognized privacy as a fundamental right within the ambit of Article 21 of the Constitution of India. In the Case of Justice K.S. Puttaswamy vs Union of India (2017), the Supreme Court took cognizance of data protection stating that it is an integral part of informational and communicational privacy which is itself a component of privacy.

Justice R.F. Nariman mentioned different facets of the rights to privacy in an Indian context and observed that Informational privacy does not deal with a person’s body but it deals with his mind and therefore it can be recognized that the individual may have control over the distribution of such personal information. Therefore, it would be an infringement if such personal information is leaked in an unauthorized manner. 

Encryption is nothing but a logical extension of the right to privacy which facilitates anonymity on the internet. Such anonymity is essential to protect whistleblowers or any individual who wishes to remain untraced. Right to privacy and encryption also reduce the fear factor in genuine web browser searchers (internet users). Encryption of confidential information is necessary for the profession of journalism for e: keeping the sources of information confidential.  

However, on the other hand, the Supreme Court has time and again repeated and reiterated that no fundamental right under Indian Constitution is absolute, and are subject to limitations only if such limitations are in consonance with the due process of the law. The court has recognized that restriction of a right must be in accordance with due procedure. This creates a balance between the Right of Privacy of an individual and the State’s right to interfere in the privacy rights and enforce decryption. 

In a petition challenging Part II of the Intermediary Liability Rules, 2021, it has been prayed that the right to encrypt must be declared as a subset of the right to privacy. However, the case is yet to be taken up for hearing.

Conclusion

In conclusion, we can safely confirm that although the right to privacy is a fundamental right, no fundamental rights are not absolute and subject to some limitations. These limitations are included only to create a deterrent effect and provide a safeguard against the phrase “absolute power corrupts absolutely”. It simply means that an unfettered fundamental right (unfettered power) to any individual can lead to chaos and lawlessness and victimization of multiple genuine people. Law is meant to guide and provide reasonable restrictions on individuals in respect of the scope of the fundamental rights which can be exercised by the individual.  

In my view, the government must not unnecessarily interfere and demand decryption at per whims and fancies but should claim such decryptions only in genuine and exceptional circumstances to facilitate investigation and to help uphold the rule and spirit of the law in the country.

References

  1. (Verónica Ferrari, 8 October 2021) What is encryption and why is it key to protect your rights? Let’s share some highlights on #GlobalEncryptionDay #MaketheSwitch | Association for Progressive Communications (apc.org)
  2. (Mary Atamaniuk, Nov 03, 2021), What Is Data Encryption and How to Use It for Digital Security available at https://clario.co/blog/what-is-encryption/
  3. (Mohanty) “The Encryption Debate in India.”
  4. (Master Direction on Digital Payment Security Controls,” February 18)  Reserve Bank of India, February 18, 2021, 
  5. (Harshit Rakheja,  January 3, 2021 )“Data Of 10 Cr Digital Payments Transactions Leaked After Attack on Juspay’s Server,” 
  6. Mohanty, “The Encryption Debate in India.”
  7. Report of the Adhoc Committee of the Rajya Sabha to Study the Alarming Issue of Pornography on Social Media and Its Effect on Children and Society as a Whole,” Rajya Sabha, tabled February 3, 2020.
  8. Megha Mandavia, “Personal Data Protection Bill can turn India into ‘Orwellian State’: Justice BN Srikrishna,” Economic Times, December 12, 2019, https://economictimes.indiatimes.com/news/economy/policy/personal-data-protection-bill-can-turn-india-intoorwellian-state-justice-bn-srikrishna/articleshow/72483355.cms 
  9. http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf.
  10. Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
  11. Maneka Gandhi vs Union of India, 1978 AIR SC, 597
  12. Praveen A. vs. Union of India, WP(C) 9647 of 2021.

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

https://t.me/joinchat/L9vr7LmS9pJjYTQ9

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.

LEAVE A REPLY

Please enter your comment!
Please enter your name here