Not only is the Indian legal framework not equipped to deal with potential privacy violations arising from ever-present CCTVs, we also don’t know if it will actually reduce crime.
By Parul Sharma and Kritika Bhardwaj
This post first appeared on the Wire on October 5, 2016
The soaring popularity of app-based taxi platforms has radically transformed the face of transportation in several Indian cities. These companies have resisted licensing requirements imposed on their traditional counterparts. They argue that they are merely cab aggregators and do not own taxis or hire drivers. This tussle between the platforms and regulators reached a peak in 2014 when a passenger was sexually assaulted by the driver of one such taxi service. Since then, concerns regarding passenger safety have only grown.
Earlier this month, the Chandigarh administration invited stakeholders to discuss the draft rules framed to regulate app-based transport aggregators. These draft rules require that every taxi must install a CCTV to monitor activities inside the taxi in real time. While passenger safety is a vital consideration, mandatory installation of CCTVs is excessive and creates a host of privacy and (ironically) security concerns.
Interestingly, the draft rules are based on an advisory titled ‘Licensing, Compliance and Liability of On-demand Information Technology based Transportation Aggregators’ issued by the Ministry of Road Transport in 2015. Neither the Central advisory nor similar rules framed by Delhi and Karnataka include an obligation to install CCTVs in taxis. West Bengal remains the only state to have imposed a similar obligation. To ensure that CCTVs are not just a short-sighted solution to a systemic problem, it is necessary to look at the limitations of this technology as well as any additional risks.
Less privacy, less security
CCTVs are intrusive and have the potential to make passengers uncomfortable due to real-time surveillance. The draft rules require the aggregators to set up a control room to monitor the footage from these cameras as well as the movement of taxis. This real-time monitoring is likely to have a ‘chilling effect’ on passengers by making them conscious of their attire and mannerisms.
The counter-argument that there can be no expectation of privacy in public transport lacks nuance. It overlooks the fact that most individuals perceive taxis as a private space for the duration of their ride. Further, the draft rules mandate that footage from CCTV cameras must be stored for ‘at least’ a month and do not fix an upper time limit for storage. They are silent on who can access this footage and how it is stored. This leaves the surveillance footage open to misuse and can facilitate profiling or voyeurism. In combination with phone numbers, which these companies possess, this data can easily lead to stalking and other harms. In addition to the privacy and security risks, the draft rules lack clarity in terms of what they seek to achieve. If intended as a deterrent, they fail to incorporate safeguards against tampering of the camera by drivers.
Even if appropriate safeguards are introduced, it is difficult to establish a correlation between CCTVs and crime reduction. Some studies suggest that CCTV surveillance has had no impact in reducing crime rates. Further, real time-surveillance is likely to be ineffective in preventing crime. The rules require each aggregator to maintain a minimum fleet of 100 taxis, making it virtually impossible for individuals in the control room to monitor all taxis at once. Alternate methods such as GPRS tracking and tamper proof panic buttons may be equally or even more effective in ensuring safety.
Limitations of the Indian legal framework – A comparative analysis
The privacy and security concerns highlighted are exacerbated in the absence of a comprehensive legal framework for privacy in India. There are no rules or guidelines to regulate the use of CCTVs. Data protection is governed by the Information Technology Act and the rules framed under it. Under these rules, most safeguards extend only to ‘sensitive personal information’, which does not include CCTV footage. In case of a privacy breach, there is no requirement to inform passengers, let alone provide any compensation. In the absence of specific rules, there is no obligation on private corporations collecting and storing the video footage to respect the privacy of passengers.
However, mandatory installation of CCTVs in taxis is not unique to Chandigarh or West Bengal. Similar rules exist in the state of Victoria in Australia and New Zealand among other places. But unlike India, these countries mitigate the risk of abuse with extensive privacy and data protection safeguards. For instance, vehicle security cameras in New Zealand are governed by the guidelines set out by the transport department, the Privacy Act 1993 and the Privacy and CCTV guidelines. Similar guidelines exist in London and Edinburgh, where the use of CCTVs in taxis is optional. These regulations incorporate multiple safeguards to ensure privacy of passengers. These safeguards include setting up of a data protection authority and penalties for breach of privacy. In order to limit tampering, operators and installers of CCTVs are required to follow specific privacy and security standards. There is also a provision for regular checking of CCTVs by designated authorities. The underlying purpose of these safeguards is to put passengers in control of their data by limiting its use and giving them the right to access it. The Indian legal framework lacks similar protections.
Balancing privacy and security concerns
Without the safeguards outlined above, the mandatory installation of CCTVs is an excessive intrusion into the private space of individuals. If Chandigarh does decide to adopt such a rule, a comprehensive framework is needed to limit the scope for abuse. Any such framework must incorporate stringent privacy safeguards specifically designed to ensure limited intrusion by CCTVs. These may include restrictions on audio recordings and activation of the camera only in certain conditions – such as if a panic button is triggered. Measures such as routing data only to particular locations, and adoption of encryption standards also need to be put in place. Additionally, data stored must be automatically deleted after a specified time period. Access to data even by law enforcement agencies must be subject to procedural safeguards. Most importantly, passengers should have the option to enforce their rights and have a remedy in case of breach. Only a combination of data protection safeguards and limitations on collection, storage and use of video footage can ensure a balance between public safety and the right to privacy.
It is also important to remember that the issue of incorporating safeguards only arises once the need for mandatory CCTVs in taxis has been established. In the Indian context, state transport authorities have done little to justify such a measure. Security of passengers is a crucial concern, but real-time surveillance through CCTVs is an ill thought-out solution to the problem.
Kritika Bhardwaj is a Project Officer and Parul Sharma is an Analyst at the Centre for Communication Governance at National Law University Delhi