Call for Applications – Civil Liberties

The Centre for Communication Governance at the National Law University Delhi (CCG) invites applications for research positions in its Civil Liberties team on a full-time basis.

About the Centre

The Centre for Communication Governance is the only academic research centre dedicated to working on information law and policy in India and in a short span of four years has become a leading centre on information policy in Asia. It seeks to embed human rights and good governance within communication policy and protect digital rights in India through rigorous academic research and capacity building.

The Centre routinely works with a range of international academic institutions and policy organizations. These include the Berkman Klein Center at Harvard University, the Programme in Comparative Media Law and Policy at the University of Oxford, the Center for Internet and Society at Stanford Law School, Hans Bredow Institute at the University of Hamburg and the Global Network of Interdisciplinary Internet & Society Research Centers. We engage regularly with government institutions and ministries such as the Law Commission of India, Ministry of Electronics & IT, Ministry of External Affairs, the Ministry of Law & Justice and the International Telecommunications Union. We work actively to provide the executive and judiciary with useful research in the course of their decision making on issues relating to civil liberties and technology.

CCG has also constituted two advisory boards, a faculty board within the University and one consisting of academic members of our international networks. These boards will oversee the functioning of the Centre and provide high level inputs on the work undertaken by CCG from time to time.

About Our Work

The work at CCG is designed to build competence and raise the quality of discourse in research and policy around issues concerning civil liberties and the Internet, cybersecurity and global Internet governance. The research and policy output is intended to catalyze effective, research-led policy making and informed public debate around issues in technology and Internet governance.

The work of our civil liberties team covers the following broad areas:

  1. Freedom of Speech & Expression: Research in this area focuses on human rights and civil liberties in the context of the Internet and emerging communication technology in India. Research on this track squarely addresses the research gaps around the architecture of the Internet and its impact on free expression.
  2. Access, Markets and Public Interest: The research under this area will consider questions of access, including how the human right to free speech could help to guarantee access to the Internet. It would identify areas where competition law would need to intervene to ensure free, fair and human rights-compatible access to the Internet, and opportunities to communicate using online services. Work in this area will consider how existing competition and consumer protection law could be applied to ensure that freedom of expression in new media, and particularly the internet, is protected given market realities on the supply side. Under this track, we will put out material regarding the net neutrality concerns that are closely associated with competition, innovation, media diversity and the protection of human rights, especially the rights to free expression and to receive information, and particularly substantive equality across media. It will also engage with existing theories of media pluralism in this context.
  3. Privacy, Surveillance & Big Data: Research in this area focuses on surveillance as well as data protection practices, laws and policies. The work may be directed either at the normative questions that arise in the context of surveillance or data protection, or at empirical work, including data gathering and analysis, with a view to enabling policy and law makers to better understand the pragmatic concerns in developing realistic and effective privacy frameworks. This work area extends to the right to be forgotten and data localization.

Role

CCG is a young and continuously evolving organization and the members of the centre are expected to be active participants in building a collaborative, merit led institution and a lasting community of highly motivated young researchers.

Selected applicants will ordinarily be expected to design and produce units of publishable research with Director(s)/ senior staff members. They will also be recommending and assisting with designing and executing policy positions and external actions on a broad range of information policy issues.

Equally, they will also be expected to participate in other work, including writing opinion pieces, blog posts, press releases, memoranda, and help with outreach. The selected applicants will also represent CCG in the media and at other events, roundtables, and conferences and before relevant governmental, and other bodies. In addition, they will have organizational responsibilities such as providing inputs for grant applications, networking and designing and executing Centre events.

Qualifications

The Centre welcomes applications from candidates with advanced degrees in law, public policy and international relations.

  • All candidates must preferably be able to provide evidence of an interest in human rights / technology law and / or policy / Internet governance/ national security law as well. In addition, they must have a demonstrable capacity for high-quality, independent work.
  • In addition to written work, a project/ programme manager within CCG will be expected to play a significant leadership role. This ranges from proactive agenda-setting to administrative and team-building responsibilities.
  • Successful candidates for the project / programme manager position should show great initiative in managing both their own and their team’s workloads. They will also be expected to lead and motivate their team through high stress periods and in responding to pressing policy questions.

However, the length of your resume is less important than the other qualities we are looking for. As a young, rapidly-expanding organization, CCG anticipates that all members of the Centre will have to manage large burdens of substantive as well as administrative work in addition to research. We are looking for highly motivated candidates with a deep commitment to building information policy that supports and enables human rights and democracy.

At CCG, we aim very high and we demand a lot of each other in the workplace. We take great pride in high-quality outputs and value individuality and perfectionism. We like to maintain the highest ethical standards in our work and workplace, and love people who manage all of this while being as kind and generous as possible to colleagues, collaborators and everyone else within our networks. A sense of humour will be most welcome. Even if you do not necessarily fit requirements mentioned in the two bulleted points but bring to us the other qualities we look for, we will love to hear from you.

[The Centre reserves the right to not fill the position(s) if it does not find suitable candidates among the applicants.]

Positions

Based on experience and qualifications, successful applicants will be placed in the following positions. Please note that our interview panel has the discretion to determine which profile would be most suitable for each applicant.

  • Programme Officer (2-4 years’ work experience)
  • Project Manager (4-6 years’ work experience)
  • Programme Manager (6-8 years’ work experience)

A Master’s degree from a highly regarded programme might count towards work experience.

CCG staff work at the Centre’s offices at National Law University Delhi’s campus. The positions on offer are for a duration of one year and we expect a commitment for two years.

Remuneration

The salaries will be competitive, and will usually range from ₹50,000 to ₹1,20,000 per month, depending on multiple factors including relevant experience, the position and the larger research project under which the candidate can be accommodated.

Where candidates demonstrate exceptional competence in the opinion of the interview panel, there is a possibility for greater remuneration.

Procedure for Application

Interested applicants are required to send the following information and materials by December 30, 2017 to ccgcareers@nludelhi.ac.in.

  1. Curriculum Vitae (maximum 2 double spaced pages)
  2. Expression of Interest in joining CCG (maximum 500 words).
  3. Contact details for two referees (at least one academic). Referees must be informed that they might be contacted for an oral reference or a brief written reference.
  4. One academic writing sample of between 1000 and 1200 words (essay or extract, published or unpublished).

Shortlisted applicants may be called for an interview.

 


CCG’s recommendations to the TRAI Consultation Paper on Privacy, Security and Ownership of Data in the Telecom Sector – Part III

In this series of blogposts, we discuss CCG’s responses and recommendations to the TRAI (available here), in response to their Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector. We focus on the principles and concerns that should govern the framing of any new data protection regime, whether limited to the telecom sector or otherwise. 

In our previous posts, we discussed the background against which we have provided our responses and recommendations, and the need for a separate regulatory framework for data within the telecom sector, in the context of the jurisdiction and powers of the TRAI.

In this post, we look at the basic data protection principles that we recommend form the basis for any new data protection regulation. Several of these principles are also discussed in the white paper of the Committee of Experts on a Data Protection Framework for India.

Any new data protection regulation, whether applicable across industries and sectors, or applicable only to the telecom sector, should be based on sound principles of privacy and data protection. As discussed in the Consultation Paper, the Report of the Group of Experts on Privacy[1] (GOE Report) identified 9 national privacy principles to be adopted in drafting a privacy law for India. These principles are listed below[2]:

  • Notice: A data controller, which refers to any organization that determines the purposes and means of processing the personal information of users, shall give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include disclosures on what personal information is being collected; purpose for collection and its use; whether it will be disclosed to third parties; notification in case of data breach, etc.
  • Choice and consent: A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices.
  • Collection limitation: A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection.
  • Purpose limitation: Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed.
  • Access and correction: Individuals shall have access to personal information about them held by a data controller and be able to seek correction, amendments, or deletion of such information, where it is inaccurate.
  • Disclosure of Information: A data controller shall only disclose personal information to third parties after providing notice and seeking informed consent from the individual for such disclosure.
  • Security: A data controller shall secure personal information using reasonable security safeguards against loss, unauthorised access or use and destruction.
  • Openness: A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.
  • Accountability: The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies, including training and education, audits, etc.

With the growth of businesses driven by big data, there is now a demand for re-thinking these principles, especially those relating to notice and consent[3].

While notice, consent and the other principles set forth in the GOE Report have formed the basis for data protection laws for many years now, additional principles have been developed in many jurisdictions across the world. In order to ensure that any new regulations in India are up to date and effective, it will be prudent to study such principles and identify the best practices that can then be incorporated into Indian law.

Graham Greenleaf has compared data protection laws across Europe and outside Europe and found that today, second and third generation ‘European Standards’ are being implemented across jurisdictions[4]. These ‘European Standards’, refer to standards that are applicable under European Union (EU) law, in addition to the original principles developed by the Organisation for Economic Co-operation and Development (OECD)[5]. The second generation European Standards that are most commonly seen outside the EU are:

  • Recourse to the courts to enforce data privacy rights (including compensation, and appeals from decisions of DPAs)
  • Destruction or anonymisation of personal data after a period
  • Restricted data exports based on data protection provided by recipient country (‘adequate’), or alternative guarantees
  • Independent Data Protection Authority (DPA)
  • Minimum collection necessary for the purpose (not only ‘limited’)
  • General requirement of ‘fair and lawful processing’ (not only collection)
  • Additional protections for sensitive data in defined categories
  • To object to processing on compelling legitimate grounds, including to ‘opt-out’ of direct marketing uses of personal data
  • Additional restrictions on some sensitive processing systems (notification; ‘prior checking’ by DPA.)
  • Limits on automated decision-making (including right to know processing logic)

He also notes that there are several new principles put forward in the EU’s new General Data Protection Regulation[6] (GDPR) itself, and that it remains to be seen which of these will become global standards outside the EU. The most popular of these principles, which he refers to as ‘3rd General European Standards’ are[7]:

  • Data breach notifications to the DPA for serious breaches
  • Data breach notifications to the data subject (if high risk)
  • Class action suits to be allowed before DPAs or courts by public interest privacy groups
  • Direct liability for processors as well as controllers
  • DPAs to make decisions and issue administrative sanctions, including fines.
  • Opt-in requirements for marketing
  • Mandatory appointment of data protection officers in companies that process sensitive personal data.

We note that there exist other proposed frameworks that aim to regulate data protection and ease compliances required by businesses. Such additional frameworks may also be considered while formulating new data protection principles and regulations in India. However, it is recommended that the ‘European Standards’ described above, i.e. those set out in the GDPR, may be adopted as the base on which any new regulations are built. This would ensure that India has greater chances of being recognised as having ‘adequate’ data protection frameworks by the EU, and improve our trade relations with the EU and other countries that adopt similar standards.

Professor Greenleaf’s studies suggest that the 2nd and 3rd General European Standards are being adopted by several countries outside the European Union. We note here that adoption of principles that are considered best practices across jurisdictions would also assist in increasing interoperability for businesses that operate across borders.

While adoption of these practices is likely to raise the cost of compliance, it is also likely to ensure that India remains a very competitive market globally for the outsourcing of services. In the long term, this will benefit Indian industry and the Indian economy. It will also safeguard the privacy rights of Indian citizens in the best possible manner.

[1] Report of the Group of Experts on Privacy, available at http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[2] Report of the Group of Experts on Privacy, Chapter 3, as summarised in the TRAI Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector, pages 7-9

[3] TRAI Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector, Page 9; and Rahul Matthan, Beyond Consent: A New Paradigm for Data Protection, available at http://takshashila.org.in/takshashila-policy-research/discussion-document-beyond-consent-new-paradigm-data-protection/ (last visited on November 5, 2017)

[4] Graham Greenleaf, European data privacy standards in laws outside Europe, Privacy Law and Business International Report, Issue 149

[5] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm (last visited on November 5, 2017)

[6] General Data Protection Regulation, Regulation (EU) 2016/679

[7] Graham Greenleaf, Presentation on 2nd & 3rd generation data privacy standards implemented in laws outside Europe (to be published and available on request).

CCG’s recommendations to the TRAI Consultation Paper on Privacy, Security and Ownership of Data in the Telecom Sector – Part II

In this series of blogposts, we discuss CCG’s responses and recommendations to the TRAI (available here), in response to their Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector. We focus on the principles and concerns that should govern the framing of any new data protection regime, whether limited to the telecom sector or otherwise.

In our previous blogpost, the first of the series, we discussed the background against which we have provided our responses and recommendations. In this post, we look at whether there is a need for a separate regulatory framework for data within the telecom sector, and the jurisdiction and powers of the TRAI.

We note that the Consultation Paper makes several references to stakeholders / players in the digital / telecommunications eco-system that are not traditional telecommunication service providers. These include online content / application service providers, device manufacturers, and providers of online communication services, operating systems, browsers. The Consultation Paper poses several questions about the regulation of data use and processing by such stakeholders.

In this context, we have examined the role and responsibilities of the TRAI beyond the regulation of traditional telecommunication service providers.

The preamble to the Telecom Regulatory Authority of India Act, 1997 (TRAI Act) states that the law is meant to “provide for the establishment of the Telecom Regulatory Authority of India and the Telecom Disputes Settlement and Appellate Tribunal to regulate the telecommunication services, adjudicate disputes, dispose of appeals and to protect the interests of service providers and consumers of the telecom sector, to promote and ensure orderly growth of the telecom sector and for matters connected therewith or incidental thereto”.

Telecommunication services have been defined to mean “service of any description (including electronic mail, voice mail, data services, audio tax services, video tax services, radio paging and cellular mobile telephone services) which is made available to users by means of any transmission or reception of signs, signals, writing, images and sounds or intelligence of any nature, by wire, radio, visual or other electromagnetic means”[1]. Broadcasting services have been excluded from the definition of telecommunication services[2].

Service providers means either the government as a service provider, or a licensee[3] – which refers to any person licensed to provide telecommunication services under the Indian Telegraph Act, 1885[4].

Section 11 of the TRAI Act describes the functions of the TRAI. These functions are divided into two broad areas: (i) making recommendations of certain matters, and (ii) regulatory functions. The regulatory functions largely deal with monitoring compliance with the telecom licenses, and other functions of service providers.

The TRAI’s powers to make recommendations extend to the following matters:

  • need and timing for introduction of new service provider;
  • terms and conditions of licence to a service provider;
  • revocation of licence for non-compliance of terms and conditions of licence;
  • measures to facilitate competition and promote efficiency in the operation of telecommunication services so as to facilitate growth in such services;
  • technological improvements in the services provided by the service providers;
  • type of equipment to be used by the service providers after inspection of equipment used in the network;
  • measures for the development of telecommunication technology and any other matter relatable to telecommunication industry in general;
  • efficient management of available spectrum

We note that most of the above matters deal specifically with functions of service providers. However, as mentioned above, telecommunication services do include some services beyond those provided by traditional telecommunication service providers – such as electronic mail and voice mail among others.

In this context, we would argue that the functions and powers of the TRAI would not extend to making recommendations regarding, or regulating online content and application providers, device manufacturers or other businesses that do not provide communication services.

At best, the TRAI may derive powers to make recommendations regarding based on questions posed in the Consultation Paper, under sub-section (iv) which provides the TRAI with the authority to make recommendations on improving efficiency of telecommunication services.

In our next posts in this series, we will discuss principles that we believe any data protection regulation, irrespective of the sector it applies to, should address. We also note that as Indian businesses grow and adopt new technology, they are increasingly beginning to function across sectors. In this context, we recommend a basic data protection law that is applicable horizontally across sectors and regions, to cope with these cross-sectoral business models. Where required, additional regulations may be made applicable to collection and processing of sector specific sensitive personal data.

[1] Section 2(1)(k) of the Telecom Regulatory Authority of India Act, 1997

[2] Section 2(1)(k) of the Telecom Regulatory Authority of India Act, 1997

[3] Section 2(1)(j) of the Telecom Regulatory Authority of India Act, 1997

[4] Section 2(1)(e) of the Telecom Regulatory Authority of India Act, 1997

CCG’s recommendations to the TRAI Consultation Paper on Privacy, Security and Ownership of Data in the Telecom Sector – Part I

TRAI published a Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector (Consultation Paper) on August 9, 2017.

Since then, the Supreme Court of India has affirmed that the right to privacy is a fundamental right under the Indian Constitution, in a detailed judgment in Puttaswamy v. Union of India[1]. The Ministry of Electronics and Information Technology (MEITY), Government of India has also set up a Committee of Experts (COE) to identify key data protection issues in India and recommend methods of addressing them[2]. The COE was also expected to suggest a draft data protection bill.

The COE has now drafted a white paper to solicit public comments on the shape that India’s data protection law must take.

With so many discussions on the state of the right to privacy and data protection laws in India, it is clear that there is an immediate need for better laws and regulations on privacy and data protection in India, in the telecom sector as well as other sectors.

The Centre for Communication Governance (CCG) responded with comments to the TRAI Consultation Paper earlier this month (see our full response here or here).

In this series of blogposts, we discuss CCG’s responses and recommendations to the TRAI, in response to their Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector. We focus on the principles and concerns that should govern the framing of any new data protection regime, whether limited to the telecom sector or otherwise. We also highlight those sections of our responses and recommendations that relate to issues and questions discussed in the COE’s white paper.

In today’s post, the first of the series, we highlight the background against which we have provided our responses and recommendations.

1. Privacy as a Fundamental Right

The Supreme Court in Puttaswamy v. Union of India[3] has affirmed and recognised that the right to privacy is a fundamental right under Article 21 of the Constitution. It may also be drawn as a fundamental right under any of the other fundamental rights recognised under the Constitution. Accordingly, the Court has observed that although the right is not absolute, any restrictions imposed by the State on the right to privacy must be ‘reasonable restrictions’. These reasonable restrictions must meet the various tests for limitations / violations of the right, applicable in relation to the relevant fundamental rights. At the same time, the Court has also noted that there is a positive obligation for the state to create a regulatory environment that allows individuals to enjoy their right to privacy.

In recognising privacy as a fundamental right, J. Chandrachud, J. Chelameswar, J. Kaul and J. Nariman have, in their various opinions, observed that informational privacy is an important aspect of such privacy in this day and age. J. Chandrachud has noted the setting up of the Committee of Experts, and recommended that the central government puts in place a robust data protection regulation in order to protect this right.

In the observations that lead up to his conclusions, J. Chandrachud has also noted that data protection regulation is a complex issue which needs to address many aims[4]. The first of these aims is the individual’s right to be left alone. Second and more importantly, the regulation needs to ensure that the individual’s identity is protected. Third, the individual’s autonomy in making decisions about the use of data about them, and their right to know how this data is being used must be protected. Fourth, data protection regulation should ensure that data is not collected in a manner that is discriminatory towards anyone.

2. Current data protection laws

Our assessment is that the current data protection rules are insufficient to protect the interests of data subjects, including telecom subscribers.

The Consultation Paper has at various points referred to the report of the Group of Experts, headed by (Retd.) Justice A. P. Shah, in 2012 (GOE Report)[5]. We note that this GOE report found the various data protection rules that are currently applicable, inadequate[6]. The GOE Report has examined best practices and principles of data protection laws across the world, and recommended the incorporation of a set of 9 national privacy principles in any proposed privacy law[7]. The GOE Report has then gone on to find that the existing data protection regulations do not meet the requirements set forth in these principles[8].

The existing data protection laws, including particularly the provisions under the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under the IT Act (IT Rules) have also been criticised by industry and civil society members alike[9]. The IT Rules are ambiguous and do not properly define the roles and responsibilities of data controllers and processors[10]. There is no clarity on the nature of the data that the rules are applicable to. Further, the provisions under the IT Act do not provide for penalties or consequences for failure to comply with the IT Rules, and provide only a compensation mechanism that is difficult to enforce[11].

We are in agreement with the part of the Consultation Paper which points out that some of the principles set out in the GOE Report may need to be reformulated in today’s age of big data[12]. However, we note that the data protection regulations fall short even of the outdated standards set forth in the principles listed by the GOE Report. More work will be necessary to define new standards and develop strategies to ensure that the data protection framework meets these standards.

[1] Writ petition (civil) no 494 of 2012, (2017)6MLJ267

[2] Office Memorandum No. 3(6)j2017-CLES, available at http://meity.gov.in/writereaddata/files/MeitY_constitution_Expert_Committee_31.07.2017.pdf (last visited on November 5, 2017)

[3] Writ petition (civil) no 494 of 2012, (2017)6MLJ267

[4] Paragraphs 177 and 178, J. Chandrachud’s opinion, Puttaswamy v. Union of India (2017)6MLJ267

[5] Report of the Group of Experts on Privacy, available at http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf (last visited on November 5, 2017)

[6] Report of the Group of Experts on Privacy, Chapter 4

[7] Report of the Group of Experts on Privacy, Chapter 3

[8] Report of the Group of Experts on Privacy, Chapter 4

[9] Outsourcing: India adopts new privacy and security rules for personal information, available at https://www.lexology.com/library/detail.aspx?g=9a9b9ec0-e390-45b8-a6f1-4363e29e9af3 (last visited on November 5, 2017); and Bhairav Acharya, Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, available at https://cis-india.org/internet-governance/blog/comments-on-the-it-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011 (last visited on November 5, 2017)

[10] Smitha Krishna Prasad, Draft white paper on the IT Act and the data protection rules, (to be published, and available on request)

[11] Smitha Krishna Prasad, Draft white paper on the IT Act and the data protection rules, (to be published, and available on request)

[12] TRAI Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector, Page 9

#DelhiTechTalks | Embedding Human Rights in Cybersecurity | November 21, 2017

Embedding Human Rights in Cybersecurity

November 21, 2017

organised by

Centre for Communication Governance at National Law University Delhi

Centre for Internet and Society, India

Digital Empowerment Foundation

HasGeek

Internet Democracy Project

IT for Change

&

SFLC.in (Software Freedom Law Centre, India)

along with media partner MediaNama

at

Lecture Room II | India International Centre – Annexe | KK Birla Lane | Lodhi Road | New Delhi

Timings

Programme

6.00 – 6.30 pm Tea & Coffee
6.30 – 7.30 pm Resolving tensions between rights and security in cyberspace

Amalia Toledo, Karisma Foundation

Matthew Shears, Global Partners Digital

Serene Lim, Empower Malaysia

Prem Trivedi, Georgetown University School of Foreign Service

Lillian Nalwoga, ISOC Uganda

Moderator: Gayatri  Khandhadai, Association for Progressive Communications

7.30 – 8.30 pm Embedding human rights in India’s cybersecurity laws and policies

Dr. Anja Kovacs, Internet Democracy Project

Mishi Choudhary, SFLC.in

Chinmayi Arun, Centre for Communication Governance at National Law University, Delhi

Moderator: Nikhil Pahwa, MediaNama

8.30 pm onwards Dinner

SC 9 Judge Bench on the Fundamental Right to Privacy – Day II [Part II]

Yesterday, a 9 judge constitution bench of the Supreme Court of India was set up to hear arguments on whether there is a fundamental right to privacy under the Indian Constitution, following from an order of a 5 judge bench on the day before. Arguments were advanced on behalf of some of the petitioners yesterday, and the petitioners’ counsel continued arguments before the Court today. Our updates on the proceedings before the court on Tuesday and Wednesday are available here and here. A background to these hearings, and the larger Aadhaar case can be found here.

Our update on today’s hearings has been divided into two posts; the first post, available here, details the arguments made by senior counsels representing petitioners S. Raju, Aruna Roy and Nikhil Dey during the first half of the day. This post details arguments made by senior counsels representing the remaining petitioners, largely during the second half of the day.

The senior counsel representing M P Rajeev Chandrashekar, an intervenor in the matter, presented his arguments before the Court next. He began arguments by observing that this is the first time 9 judges of the Supreme Court are sitting to decide on the right to privacy in the age of a digital society. He noted that while data protection is a secondary issue, a subset of the right to privacy, the recognition of an inherent fundamental right to privacy has important ramifications in the digital age. He pointed out that the landmark / important judgments that we refer to in the context of privacy and surveillance – whether Kharak Singh v. State of Punjab (Kharak Singh) in India or Katz v. United States (Katz) in the US – are all located in the physical world.

Moving to arguments on the grounding of the right to privacy under the Indian constitution, he argued that privacy is an inherent right, and that it is recognised / affected by way of its manifestation, which may be in multiple rights under the constitution. It may reside in Articles 14, 19, or 21, or in the preamble itself. He argued that, as an example, liberty of thought is an essential part of the right to privacy; if this right is infringed upon, the violation of the right to privacy may manifest itself as a chilling effect on free speech under Article 19(1)(a). He also submitted that cross-application of these rights is possible.

At this stage, the bench intervened, asking about the scope for informed consent in the context of the internet and data privacy. The counsel noted that we have an increasing amount of digital communication in India – and that while the quantum of data shared may not be as much as in western countries like the US, what matters is the quality of data. He argued that if there is a breach of any data, even of the smallest quantity, it is a matter of importance. He referred to the US Supreme Court judgment in United States v. Jones, pointing the bench to Justice Sotomayor’s concurring opinion in the judgment. In the concurring opinion, Justice Sotomayor has discussed how governments are increasingly capable of monitoring individuals’ movements using GPS enabled phones, enabling governments to store records about individuals that could be mined for data for many years to come.

Requesting the Court to consider the way these issues have been addressed in US v. Jones, the counsel submitted that if the Court recognises the right to privacy as a fundamental right, the manner in which such data would be treated in a similar situation in India would differ vastly.

He provided the example of the Karnataka government’s rules for online taxi aggregators, which require aggregators to provide the government with information regarding every trip taken by every user using their services. He noted that this collection of information was non-intrusive, done in the guise of regulating taxi services, and not immediately harmful. However, in certain situations, this action could manifest itself as a restriction on an individual’s right to movement. At this stage the bench asked whether this would still be an issue if the information is being collected to investigate an individual suspected of terrorist activities. The counsel submitted that if the collection was done under procedures established by law that passed muster under the tests in Part III of the constitution, it would be acceptable, but that in this case it was being done for an entirely different purpose.

Justice Chelameswar then asked if the issue was with the collection of information or the use of the information, and Justice Chandrachud noted that both the volume of data collected as well as the permanent nature of the data and potential for use / misuse need to be accounted for. Justice Chandrachud proposed that it could be said that the State has to specify the purpose of collection, and then ensure the data is used for those limited purposes, as authorised under the specific law. The counsel submitted that limitations of this nature are already standard in data protection regulations applicable to private entities, and noted that a higher standard should be applied where the state is collecting data impacted by a fundamental right.

Justice Chandrachud continued to raise questions – now asking whether it made a difference if the citizens whose data is collected / used are unconcerned about such collection / its purpose, and whether there is a qualitative difference between collection and use of information between state and non-state actors. The counsel argued that this lack of concern is exactly why there is a need for the right to privacy to be recognised as a fundamental right – bringing up the highly debated question of whether providing information means surrendering the right to privacy. Justice Chandrachud was quick to point out that a constitutional right cannot be surrendered, and it would merely be a surrender of information.

The counsel agreed, arguing that in the case of a non-state actor, providing information to one actor did not mean providing the information to all, and that a contractual relationship exists to enforce this understanding. He noted that similar assurances need to be provided under law where information was provided to the State. Referring once again to Justice Sotomayor’s concurring opinion in US v. Jones, he argued that the concept of privacy can no longer be shrouded by secrecy. He argued that providing information cannot mean that there is no longer a right to privacy in relation to such information, citing Justice Sotomayor’s statement that it may be time to reconsider the premise that there is no reasonable expectation of privacy in information voluntarily provided.

At this stage, Justice Bobde posed an interesting question to the counsel, asking him how these rights apply in relation to the dark web, and new forms of digital transactions such as bitcoin based transactions, which cannot be traced. The counsel submitted that the dark web is an aberration that lies outside the purview of this right, and that it is one of the reasons law needs to develop in a manner applicable to the internet and the digital age. He also argued that it is important to ensure that the State does not become a proponent of the dark web. Noting that the State would not be able to argue that law and order cannot be maintained in a part of the country due to a lack of police resources, he argued that the State should not put itself in a position where it cannot protect the rights of citizens online after collecting their data, due to a lack of technical capability / resources. Providing the example of defence at land borders, the counsel again argued that even if the State cannot clean the internet of illegal activities, it should at least be able to protect the rights of its citizens.

Once again highlighting that often the effects of violation of privacy are not felt immediately, he argued that in such a situation, the State should not be allowed to collect and use citizens’ data without oversight. He then argued that recognition of the right to privacy is the first step to ensuring that there is oversight, and that based on this right, further frameworks can be put in place to ensure protection of this right. The counsel also cited the example of the United Kingdom’s proposed biometric project, where biometric information of citizens had been collected for years. However, upon realising that it may not be possible to protect such information, the State ensured by law that all the information is destroyed.

The counsel then moved to the question of grounding of the right to privacy in the fundamental rights, and submitted that it is not possible to limit the right to specific Articles under Part III, or define the contours of the right. The bench questioned this argument saying that with decades of privacy jurisprudence it must be possible to define some contours. However, the counsel continued to argue that such limits should not be placed, stating that technology is developing at such a rate that any such contours may well become obsolete in the future.

The counsel also highlighted to the bench that the right to privacy, while not explicitly recognised in the constitution, has always been recognised in statutes in India. He mentioned examples such as the Post Office Act, 1898, the Telegraph Act, 1885 and the more recent Right to Information Act, 2005 to support this contention.

The counsel concluded by stating that we should not be disputing the nature of the right to privacy in 2017, and noting that if a 9 judge bench had decided on this right 15 years ago, the State would not have been able to collect biometric data at such a scale without putting adequate legal checks (that pass muster under Articles 14, 19 and 21) in place.

Senior counsel Meenakshi Arora was the last to argue for the petitioners. Although she was unable to complete her arguments due to a lack of time, the counsel made several important arguments before the Court on behalf of the petitioners. The counsel began her arguments by noting that the main issue before the Court is whether the words of Kharak Singh and M P Sharma are the correct expression of the constitutional position on the right to privacy. She noted that all other aspects of the right to privacy, although discussed in some detail, were merely subsets of this question.

She noted that both cases have been read several times before the courts. She focused on the sections of Kharak Singh that struck down the provision of the UP law in question (Regulation 236 of the U.P. Police Regulations). She argued that the court in this judgment found the right to privacy in Article 21 and struck down the provision of the UP law on this basis. She also noted that the Kharak Singh judgment was made on the basis of two US judgments – Wolf v. Colorado and Semayne’s case, as a result of which several subsequent judgments that recognise the right to privacy as a fundamental right have cited these cases.

The counsel then noted that it is difficult to hear arguments that privacy is not a fundamental right in this day. She also argued that while the digital context was one aspect of the right, the right itself could not be limited to Articles 14, 19 and 21. She urged the court to look at Articles 17 and 25 – noting that an individual might not want to share information such as their caste details. Justice Chandrachud pointed out that without divulging such information, one may not be able to receive caste based benefits they are entitled to. The counsel agreed, but argued that while the right may be restricted in accordance with procedure established by law, the use of this information that one is compelled to provide, for a purpose other than the purpose it was provided for should be considered an infringement of rights.

Moving back to the discussion on the development of the right to privacy, she noted that English common law was developed based on practices and case law. This law was then imported into Indian and US constitutional law and jurisprudence, which developed on the basis of English common law. The counsel then noted that Semayne’s case, referred to in Kharak Singh, had already been imported into English common law before the Indian constitution was framed. She argued that the right to privacy was therefore part of English common law at the time the Indian constitution came into effect and Kharak Singh was decided.

The counsel also referred to India’s ratification of international instruments such as the ICCPR, noting that it is now too late to say that we do not have a constitutional right to privacy. Although she was unable to make full arguments due to a lack of time, the counsel also requested the Court to read the judgments in Semayne’s case, Huckle v. Money, and Roe v. Wade among others to recognise the development of the right to privacy.

The counsel submitted that history has shown us the consequences of not recognising the right to privacy, noting the change in the German constitution, and the German emphasis on the right to privacy post the second world war. She submitted that privacy is an inherent right, and that while some contours of this right can be identified, the right itself should not be limited. She concluded her submissions by stating that it is undemocratic to not recognise the inherent right to privacy in this day.

With this the petitioners’ arguments were concluded today. The hearing will continue on Tuesday, July 25, 2017, when the Union of India will argue its case.

SC 9 Judge Bench on the Fundamental Right to Privacy – Day II [Part I]

Yesterday, a 9 judge constitution bench of the Supreme Court of India was set up to hear arguments on whether there is a fundamental right to privacy under the Indian Constitution, following from an order of a 5 judge bench on the day before. Arguments were advanced on behalf of some of the petitioners yesterday, and the petitioners’ counsel continued arguments before the Court today. Our updates on the proceedings before the court on Tuesday and Wednesday are available here and here. A background to these hearings, and the larger Aadhaar case can be found here.

[Our update on today’s hearings has been divided into two posts; this post details the arguments made by senior counsels representing petitioners S. Raju, Aruna Roy and Nikhil Dey during the first half of the day. The second post is available here and details arguments made by senior counsels representing the remaining petitioners, largely during the second half of the day.]

Today’s proceedings began with senior counsel arguing on behalf of S. Raju concluding his submissions. Responding to the question raised in the court’s reference to the 9 judge bench, the counsel stated once again that the ratio in the judgments in Kharak Singh v. State of Punjab (Kharak Singh) and M.P. Sharma v. Satish Chandra (M P Sharma) does not provide that there is no fundamental right to privacy under the Indian Constitution. The bench raised the question of the right to privacy in relation to private agencies / individuals, highlighting that enforcing a right to privacy against a private person would possibly act against other rights of such private person.

The senior counsel referred to academic writings that categorise privacy into 3 broad areas:

  • physical / spatial privacy: which deals with the protection against tangible / intangible invasion of private space
  • informational privacy: dealing with an individual’s control over dissemination of their personal information
  • decisional privacy: dealing with protection of an individual’s autonomy over fundamental personal decisions.

He highlighted that the nature of privacy protections against third parties that is being discussed by the Court, i.e. in the context of collection and use of data in the digital world, would fall within the category of informational privacy. The counsel further submitted that we have already seen examples of remedies by way of damages discussed in the case of enforcement of a right to privacy against a non-state actor in R. Rajagopal vs State Of T.N (Rajagopal). He further stated that the remedies would of course depend upon the case, and that there is no simple answer to this question. He emphasised, however, that in the case of a violation of the right by the State, remedies must be available under Articles 226 and 32 of the Constitution.

The bench pointed out that there is a wider regulatory issue here – if there is a violation of a constitutional right by a state actor, Article 13 of the Constitution (which provides that any law that contravenes Part III of the Constitution conferring fundamental rights will be void) would be applicable. However, in a situation where Article 13 does not apply, the question is whether the right to privacy would then be a horizontal right, requiring the state to ensure a regulatory environment in which the right is allowed to flourish.

The senior counsel highlighted that in the context of privacy, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 are an example of the state providing such regulatory environment. He also argued that not every horizontal right requires a regulatory framework, and that such frameworks could be put in place depending upon the requirements of public interest.

The bench directed the conversation back to the question of remedies, pointing out that in the context of privacy and data protection, often the only effective remedy is an injunction, and that damages may not be an efficient remedy. The counsel agreed, stating that different forms of remedies may be available depending upon the facet of privacy in question and the nature of violation of the right. He pointed out that in Rajagopal there was a mixture of horizontal as well as vertical application of the right to privacy. In Mr. X v. Hospital Z, a completely different approach was adopted – by approaching a consumer forum / court for the protection of the right to privacy.

The counsel for petitioners Aruna Roy and Nikhil Dey argued next. He began by stating that in addition to the arguments already made by other counsels, the statements on privacy in Kharak Singh and M P Sharma should not be construed to be of importance, since the issue of privacy as such was never raised during arguments in these cases. The statements on privacy were merely observations made by the judges that did not have bearing on the decisions in either case. Noting that Kharak Singh has been overruled by Maneka Gandhi v. Union of India as argued by the other petitioners, he submitted that what remained was for the specific portions of M P Sharma that have been upheld in Selvi & Ors vs State Of Karnataka & Anr (Selvi) to be overruled.

The counsel then proceeded to argue that the Constitution of India is a living document, and that this implies that the rights under the constitution must develop with time. The counsel pointed out that while our Constitution and the Indian legal system were developed on the basis of English common law, the right to privacy was originally recognised under American jurisprudence and not English common law. English common law originally provided for tortious remedies for specific acts that may be construed as an invasion of privacy, but there was no overarching tort on the invasion of privacy as such.

The counsel then observed that on the other hand, India has several obligations under international law to recognise and protect its citizens’ right to privacy. He pointed out that the right to privacy is recognised as a basic human right under the Universal Declaration of Human Rights adopted by the United Nations General Assembly, of which India is a member. India has also specifically ratified the International Covenant on Civil and Political Rights (ICCPR) which also provides for a right to privacy.

He referred to the judgment in I.R. Coelho v. State of Tamil Nadu which states that “constitutional provisions have to be construed having regard to the march of time and the development of law”. The counsel argued that constitutional rights must be developed in accordance with both domestic and international developments and obligations of the state. He then discussed the fact that several judgments of the Supreme Court have also stated that the fundamental rights must be interpreted expansively, construed in a liberal manner, and not diminished.

Going back to the argument on India’s international obligations, the counsel noted that ratification of the ICCPR cannot be an empty action, and that the obligations under international instruments must be applied under domestic law. Under the ICCPR, member states have an obligation to “respect”, i.e. not violate the right; “protect”, i.e. protect against interference by private parties; and “fulfill”, i.e. take steps to realise and protect the right. The counsel also highlighted the parameters accepted under international law for any legislation that derogates from human rights, i.e. legality, necessity and proportionality.

The counsel then referred to the reports of the United Nations Special Rapporteur on Privacy, which raise concerns regarding mass surveillance efforts by various governments across the world. He also pointed out that the United Nations General Assembly has voiced concerns on the issue of privacy as well, and adopted resolutions to promote the protection of privacy.

He also referred to the Indian Protection of Human Rights Act, 1993, and several cases, including Bachan Singh vs State Of Punjab, Francis Coralie Mullin vs The Administrator, Union Territory of Delhi and the landmark judgments in Vishaka & Ors vs State Of Rajasthan & Ors and NALSA v. Union of India (NALSA) to note the established position under Indian law that international law and India’s international obligations are to be imported into Indian law, either by way of legislation or directly (in the absence of legislation). On the basis of these arguments, the counsel submitted that the provisions of the ICCPR should be read into the fundamental rights under the Indian constitution, and the right to privacy recognised as a constitutional right.

Moving to the issue of defining the right to privacy, the counsel referred to the Supreme Court’s judgment in Gobind vs State Of Madhya Pradesh And Anr, noting that the judgment describes the difficulties in defining the scope of this right, and provides some indicators. Justice Chandrachud observed at this stage that 40 years later, the reading of privacy under this judgment seemed narrow and dated. He mentioned that in today’s digital age, questions of identity and the ability to maintain individual anonymity are of importance. The counsel agreed, noting that this is also of specific importance in some communities such as the transgender community. The counsel and Justice Chandrachud discussed the different facets of privacy in this context, and the need to identify how much information an individual could be compelled to provide the state, and restrictions on the manner in which this information could be used. Justice Chandrachud provided an example of the state maintaining a database of all individuals convicted of a crime, and then using the meta data in this database to profile potential criminals and communities / individuals that are pre-disposed to commit criminal activities. He highlighted that maintaining the database may be acceptable, especially if it was used to provide citizens with socio-economic benefits, but the use of the database to profile individuals without any evidence would be a transgression.

The senior counsel highlighted that as long as a right to privacy exists, the tests for violation of this right could be determined on a case to case basis. The Chief Justice proposed that perhaps a good test would be whether an individual is asked to provide information that bothers / affects their dignity. The senior counsel agreed, submitting that the preamble could be read to say that dignity underlies every right granted under the constitution. He also argued that privacy is essential to dignity, and is the bulwark of the right to personal liberty, citing Suchita Srivastava & Anr vs Chandigarh Administration, Selvi, and NALSA. Noting that privacy depends upon various factors and cannot be categorised easily, the counsel concluded his arguments submitting that (i) the failure to protect privacy as a constitutional right violates dignity, and is therefore a violation of the fundamental rights, and (ii) that privacy is pervasive, like dignity, and is applicable across fundamental rights. He submitted that the right to privacy may be located in Articles 14, 19 and 21 as previously argued, but that it could not be restricted to these fundamental rights alone.