This article is written by Ananya Garg from Chanakya National Law University. It evaluates the effect of surveillance on the people’s right to privacy in the background of the controversial Section 69 of the Information Technology Act. The article also highlights the need for revamping the safeguards and laws regarding digital surveillance in India.

Introduction

The Supreme Court of India recognised the right to privacy as a fundamental right in the case of Justice K.S.Puttaswamy v. Union of India. This right is particularly enshrined in Article 21 of the Indian Constitution which talks about the protection of life and personal liberty. But the right to privacy is not absolute, it is subject to the limitation of the procedure established by the law. In this article, we will look at one such restriction posed by Section 69 of the Information Technology Act and closely examine the implications of such restriction to the right to privacy of the citizens. We will also examine the statutory order passed by the Ministry of Home Affairs on 20th December 2018 which authorises ten security and intelligence agencies for the purpose of monitoring, interception and decryption of information. The order incited media outrage because of the blatant violation of citizens’ right to privacy, this article will examine how far it is appropriate to consider that particular order as a violation of people’s right to privacy. In the end, the article speculates over the need for surveillance and whether this is an appropriate way to fulfill it.

Section 69 of the Information Technology Act

Section 69 of the Information Technology Act empowers the Central or State Government or any other competent authority to direct any agency of the appropriate government to monitor, intercept or decrypt any information transmitted, generated, received or stored in any computer resource. Now, the provision for interception and monitoring of data also existed in Section 5(2) of Indian Telegraph Act, but this Section provided only the following five conditions as the cases where an individual’s right to privacy could be suspended by interception, monitoring, or detention of any message or class of messages transmitted or received by any telegraph:

• In the interest of sovereignty and integrity of India
• Security of the State
• Friendly relations with foreign states
• To maintain public order
• Prevent incitement to the commission of an offence

But Section 69 of the Information Technology Act also provides a sixth condition which is the ‘investigation of crime.’ By the addition of this sixth condition, the scope of law has increased many folds. The eventualities covered by the previous five conditions are comparatively less than the eventualities covered by this sixth condition alone as there are lakhs of cases under investigation.

This is not the only reason why this Section is considered a far greater violation of the citizens’ right to privacy than any other piece of legislation concerning the monitoring and interception of data. This Section also enables the agencies to reach directly to subscribers besides through intermediaries. In case of Indian Telegraph Act, the network of Telecom Service Providers is envisaged as the location of interception but Section 69 covers intermediaries as well as the subscribers which renders it as a highly intrusive kind of surveillance.

Due to the inclusion of the provision of storing data, the reach of the agencies has increased in scope as well as time dimension. Even though the time limit for the validity of an order has been prescribed as 180 days under the rules but an agency has complete access to the information and data once stored in the system irrespective of when it was stored.

On the top of the highly intrusive provisions which lack precision, Section 69(4) makes non-cooperation or non-assistance with the investigating agency, a punishable crime with imprisonment which may extend upto seven years. Under Indian Telegraph Act, illegal monitoring and interception do allow for punishment but there is no provision for explicit imprisonment for non-cooperation. The licensing terms and conditions that are reflected in the Indian Telegraph (Amendment) Rules, 2007 are used to control Telecom Service Providers.

Statutory order of Ministry of Home Affairs

On 20th December, 2018, the Ministry of Home Affairs issued a statutory order in accordance with Rule 4 of the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009. This order authorised ten central bodies or agencies to monitor, intercept and decrypt any information generated, received, transmitted, or stored in any computer. Following are the agencies notified in the respective order:

• Intelligence Bureau;
• Narcotics Control Bureau;
• Enforcement Directorate;
• Central Board of Direct Taxes;
• Directorate of Revenue intelligence;
• Central Bureau of Investigation;
• National Investigation Agency;
• Cabinet Secretariat(RAW);
• Directorate of Signal Intelligence (for service areas of Jammu and Kashmir, North East and Assam only);
• Commissioner of Police, Delhi.

This order confers the powers according to the IT (Procedure and Safeguard for Interception, Monitoring, and Decryption of Information) Rules, 2009, thus it does not give any new powers to any security or law enforcement agency. The order in itself does not constitute a threat to the privacy of the citizens because it is issued under Section 69(1) of the Information Technology Act.

All the cases of interception, monitoring and decryption are required to be approved by competent authority, i.e. Union Home Secretary in this case. As per the rules, these powers are also given to the competent authority in the State Governments. Rule 22 of the IT (Procedure and Safeguard for Interception, Monitoring, and Decryption of Information) Rules state that a review committee headed by Cabinet Secretary must meet at least once every two months to review all such cases of interception, monitoring and decryption. In the case of the State Government, a committee headed by the concerned Chief Secretary shall conduct the review process.

This notification is analogous to the authorization which was issued under the Telegraph Act. Also, as in the case of Telegraph Act, the whole process is subject to a robust review mechanism and each individual case requires a prior approval of the Home Ministry or the State Government. Thus, we can see that no new powers have been conferred under this particular statutory order but the Government has only exercised the powers it already possessed as per Section 69 of the Information Technology Act.

Privacy concerns

In the case of People’s Union for Civil Liberties v. Union of India (1996), the Supreme Court upheld that telephone tapping violated the fundamental right to privacy and thus, the court created safeguards against the vagueness of the surveillance powers of the State. These safeguards laid down by the Supreme Court cast a long shadow over the surveillance laws in India. In this case, the right of an individual to hold a telephone conversation in the privacy of one’s office or home without any interference was recognised as a right to privacy, such principle can now be applied to the online communications as well.

The basic essentials of the safeguards laid down by the court were: appointing an authority for issuing of telephone tapping orders, establishing five basic grounds where an order for tapping phones is recognized as justified, necessitating the consideration of other means through which the required information could be acquired if possible, establishing review committees, direction for maintaining the records of what was intercepted, and establishing a validity period for the order. The guidelines issued by the court in the case were eventually codified, in a somewhat modified form, as Rule 419-A of the Indian Telegraph Rules 1951.

The regime of interception of digital communications was created by the Information Technology Act 2000. The effect of the guidelines laid down by the Supreme Court in the abovementioned case have casted a long shadow on the prospective legislations regarding surveillance by the State. Its effects are also visible in the similarities between the Rule 419-A and the procedures and safeguards relating to the State’s surveillance powers of the digital communications specified in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

The Indian Government has deployed mass surveillance projects such as National Intelligence Grid (NATGRID), Network Traffic Analysis (NETRA), Centre for Artificial Intelligence and Robotics (CAIR), Defence Research and Development Organisation (DRDO), etc. but the details of these projects, as well as the safeguards in place for privacy protection, are not clear. There has been a significantly increased rate of interpersonal communication being conducted digitally, this has given rise to the need for the development of a whole new set of privacy protection laws specifically designed to govern the surveillance power of the State in cyberspace.

Need for re-designing India’s surveillance law

The present safeguards for citizens’ privacy can easily be circumvented or violated with the new mass surveillance technologies. The contemporary forms of communication including e-mail, social media, VoIP, Google searches, etc. also deserve the constitutional guarantee of privacy and freedom, and this can only be achieved through restructuring of the existing privacy and surveillance laws in India. Today, virtually all the communications on IP networks and telephones can be monitored in a blanket fashion in India, i.e., by using keywords. This type of mass surveillance, because of not being contemplated by the law, is being carried out in a legal vacuum with no regards for people’s right to privacy. Thus, in order for the surveillance programs to continue, there is a need for mandating the authorization by specific acts of the Parliament which have the provisions for more robust safeguards than the existing law. In the present age we are talking about a kind of surveillance which is fundamentally different in nature from the kind of surveillance conducted via telephone tapping and interception. Keeping this in mind, we can derive the need for following in the new laws for surveillance:

• Strict time limits on data retention,
• Liability for unauthorised access to, or disclosure of intercepted communications, and
• Difference between the interception of metadata and content.

The above-mentioned safeguards must be implemented along with a strengthened version of the existing safeguards about the circumstances when an interception order may be issued, the authority who may issue it, and the information which must be mandatorily contained. Another problem with the existing surveillance law regime which needs to be addressed is the concentration of power with the executive branch of the government. Currently, the executive wing of the government is responsible for the surveillance of the target individual and it is also responsible for determining if such surveillance violates the privacy and rights of such individual. This creates a conflict in the principle of separation of powers.

Also, it is imperative to work on the enforcement of the safeguards because the people who violate these laws do not face appropriate consequences. Judiciary’s expertise in evaluating the interception requests against the individual’s privacy rights must be brought in.

Conclusion

With the transnational corporations controlling the communication arenas in the digital age police have been facing difficulties in tracing the offenders as the intermediaries refuse to cooperate with the law enforcement. There is no doubt in the fact that in this new age of digitization it is very important for proper surveillance to be in force in order to stop large scale misuse of the internet and communication networks for organised crimes and terrorism. The era of communication being limited to just telephones is gone and thus, there is a need to advance reach of the laws with the advancement in technology. But it must be kept in mind that to protect the citizens from misuse of cyberspace, the government itself does not become the offender and no citizen’s right to privacy is violated. The overly broad contours of the existing legislation regarding the surveillance laws in the state confers unchecked powers on the executive. An example of such arbitrary power has been seen in the famous case of Sreya Singhal. Such power not only results in a disproportionate restriction on the fundamental right to privacy of the citizens but also have far-reaching consequences for other freedoms.

References

• http://www.zuccess.in/uploads/news/DECEMBER-2018/1545968358174.pdf

• https://sflc.in/faq-surveillance-india

• https://scroll.in/article/906764/centres-order-on-computer-surveillance-is-backed-by-law-but-the-law-lacks-adequate-safeguards
• http://www.lawjournals.org/download/112/3-3-19-325.pdf 

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: