Guest Post: Vinit Kumar v CBI: Admissibility of evidence and the right to privacy

This post was authored by Sama Zehra

The Bombay High Court (‘HC’) in Vinit Kumar v CBI was faced with a situation familiar to the constitutional courts in India. The HC was called upon to decide whether telephone recordings obtained in contravention of section 5(2) of the Telegraphs Act, 1885 (‘Act’) would be admissible in a criminal trial against the accused. Before delving into the reasoning of the HC, it will be instructive to refer to the facts of the case and an overview of India’s interception regime. 

Section 5(2) of Telegraph Act, permits interception (or ‘phone tapping’) done in accordance with a “procedure established by law” and lays down two conditions: the occurrence of a “public emergency” and in the interests of “public safety”,under which such orders may be passed. Moreover, the order must be “necessary” for reasons related to the security of the state, friendly relations with other states, sovereignty or preventing the commission of an offense. The Apex Court in PUCL v. UOI (‘PUCL’) stated that telephone tapping without following the appropriate safeguards and legal process would infringe the Right to Privacy of an individual. Accordingly, procedural safeguards, in addition to those under section 5(2) of the Act, were laid down; eventually incorporated in the Telegraph Rules, 1951 (‘Telegraph Rules’). These included; such orders being only issued by the Home Secretaries of Central and State governments in times of emergency. Secondly, such an order shall be passed only when necessary and the authority passing the order shall maintain a detailed record of the intercepted communication and the procedure followed. Further, the order shall cease to be effective within two months, unless renewed. Lastly, the  intercepted material shall be used only for purposes deemed necessary under the Act.

In the Vinit Kumar case, during a bribery related investigation, three interception orders were issued directing the interception of telephone calls by the petitioner. These were challenged as being ultra vires of section 5(2) of the Act, non-compliant with the Telegraph Rules, and for being in violation of the fundamental rights guaranteed under Part-III of the Indian Constitution. 

The HC quashed the said orders by holding that: 

Firstly, the right to privacy would include telephone-conversation in the privacy of one’s home or office. Telephone-tapping would, thus, impermissibly infringe on the interceptee’s Article 21 rights unless it is conducted under the procedure established by law (in this case, the law laid down in PUCL and the Telegraph Rules). In Vinit Kumar, the HC found the impugned orders were in contravention of the procedural guidelines laid down for the protection of the right to privacy by the Supreme Court in PUCL, section 5 of the Act and Rule 419A of the Telegraph Rules. Additionally, (and crucially) the evidence obtained through infringement of the right to privacy would be inadmissible in the court of law. 

This blog analyses this third aspect of the HC judgment and argues that the approach of the HC reflects a true reading of the decision of the SC in K.S. Puttaswamy v UoI (‘Puttaswamy’) and ushers us into a new regime of right to privacy for accused persons. While doing so, the author critically examines the previous decisions wherein the courts have held the evidence collected through processes that infringe  the fundamental rights of the accused to be admissible.

Correct Reading of Privacy Doctrine and Puttaswamy Development

Based on the decisions of the SC in State v Navjot Sandhu and Umesh Kumar v State, the current legal position would appear to be that illegally obtained evidence is admissible in courts as long as it is relevant. Consequently, as Vrinda Bhandari and Karan Lahiri have argued, the State is placed in a position whereby it is incentivised to access private information of an accused in a manner which may not be legally permissible. There are no adverse legal consequences for illegally obtaining evidence, only prosecutorial benefits. This is reflected in the decisions concerning the admissibility of recordings of telephonic conversations without the knowledge of the accused.  The rule regarding admissibility of illegally collected evidence stems from a couple of cases, however it is submitted that the rule has a crumbling precedential basis. 

A good starting point is the  Supreme Court’s decision in RM Malkani v State  (‘Malkani’). It was held that telephone recordings without  the knowledge of the accused would be admissible in evidence as long as they are not obtained by coercion or compulsion. The Court had negligible analysis to offer insofar as the right to privacy of an individual is concerned. However, this decision dates back to the Pre-PUCL and the Pre-Puttaswamy era, wherein the right to privacy (especially vis-a-vis telephonic conversations) was not recognised as a fundamental right. Hence, it becomes imperative to question the continued relevance and correctness of this decision in light of the new developments in our understanding of fundamental rights under the Constitution. Moreover, Malkani relied on  Kharak Singh v. State of U.P, which was explicitly overruled by Puttaswamy. This also casts doubt on other cases which relied on the reasoning in Kharak singh on the issue of privacy. 

In Vinit Kumar, the HC rejected the approach adopted in Malkani and Kharak Singh. Affirming the right to privacy as a fundamental right, and relying on the requirements of ‘public emergency’ or ‘public order’, the HC observes that the respondents failed to justify any ingredients of “risk to the people at large or interest of the public safety, for having taken resort to the telephonic tapping by invading the right to privacy” (¶ 19). It emphasized the need to adhere by procedural safeguards, as provided in the Act, the Telegraph Rules, and the PUCL judgment, so as to ensure that the infringement of the right to privacy in a particular case meets the standards of proportionality laid down in Puttaswamy. Crucially, the HC goes a step further to hold that since the infringement of the right to privacy is not in accordance with the procedure established by law, the intercepted messages ought to be destructed and not used as evidence in trial as it is sourced from the infringement of the fundamental right to life (¶ 22). 

Thus, we can see an adherence to the new constitutional doctrines espoused by the Supreme Court whereby the HC emphatically rejected the now-overruled reasoning of Kharak Singh v State as far as the right to privacy is concerned, and refused to apply the cases of Malkani and Dharambir Khattar v UoI whose ratios flow from Kharak Singh’s non-recognition of a right to privacy. The HC held that such judgements have been overruled by Puttaswamy (to the extent that they do not recognise the right to privacy as a fundamental right). Furthermore, it was also held that these cases involved no examination of law on the touchstone of principles of proportionality and legitimacy, as laid down in Puttaswamy (¶ 37). It circumvented the issue of ‘relevancy’ by distinguishing between ‘illegally collected evidence’, and ‘unconstitutionally collected evidence’, ruling that the latter was inadmissible as it would lead to the erosion of fundamental rights at the convenience of the State’s investigatory arm. 

The HC judgment is, therefore, an important landmark with respect to the admissibility of evidence involving violation of fundamental rights. However, given the absence of a clear Supreme Court judgment in this regard, the rights of the Indian citizenry are susceptible to the difference in the approaches taken by other HCs. A case in point is the Delhi HC judgment in Deepti Kapur v. Kunal Julka wherein a video-recording of the wife’s conversation with her friend, collected by the CCTV camera in her room was admitted in evidence despite the arguments raised with regards to infringement of the right to privacy. Thus, the exact application of a bar on evidence collected through privacy infringing measures in different contexts will need to be developed on a case by case basis. 

Conclusion

The Bombay HC judgment correctly traces the evolution of the right to privacy debate in the Indian jurisprudence. It is based on the transformative vision of the Puttaswamy judgment and appropriate application of precedent with regards to the case in hand. It symbolizes a true deference to the  Constitution by protecting the citizenry from state surveillance and  potential abuses of power. Especially in the current electronic era where personal information can be extracted through unconstitutional means, the Vinit Kumar judgment affirms the importance of procedural due process under the fundamental rights regime in India. 

Examining ‘Deemed Consent’ for Credit-Scoring under India’s Draft Data Protection Law

By Shobhit Shukla

On November 22, 2022, the Ministry of Electronics and Information Technology released India’s draft data protection law, the Digital Personal Data Protection Bill, 2022 (‘Bill’).* The Bill sets out certain situations in which seeking an individual’s consent for processing of their personal data is “impracticable or inadvisable due to pressing concerns”. In such situations, the individual’s consent is assumed; further, they are not required to be notified of such processing. One such situation is for processing in ‘public interest’. The Bill also illustrates certain public-interest purposes and notably, includes ‘credit-scoring’ as a purpose, in Clause 8(8)(d). Put simply, the Bill allows an individual’s personal data to be processed non-consensually and without any notice to them, where such processing is for credit-scoring.

Evolution of credit-scoring in India

Credit-scoring is a process by which a lender (or its agent) assesses an individual’s creditworthiness i.e., their notional capacity to repay their prospective debt, as represented by a numerical credit score. Until recently, lenders in India relied largely on credit scores generated by credit information companies (‘CICs’), licensed by the Reserve Bank of India (‘RBI’) under the Credit Information Companies (Regulation) Act, 2005 (‘CIC Act’). CICs collect and process ‘credit information’, as defined under the CIC Act, to generate such scores. Such information, for an individual, comprises chiefly of the details of their outstanding loans and history of repayment/defaults. However, with the expansion of digital footprints and advancements in automated processing, the range of datasets deployed to generate credit scores has expanded significantly. Lenders are increasingly using credit scores generated algorithmically by third-party service-providers. Such agents aggregate and process a wide variety of alternative datasets relating to an individual, alongside credit information – these may include the individual’s employment history, social media activity, and web browsing history. This allows them to build a highly data-intensive credit profile of (and assign a more granular credit score to) the individual, to assist lenders in deciding whether to extend credit. Not only does this enable lenders to make notionally better-informed decisions, but also to assess and extend credit to individuals with meagre or no prior access to formal credit.

While neither the Bill nor its explanatory note explain why credit-scoring constitutes a public-interest ground for non-consensual processing, it may be viewed as an attempt to remove the procedural burden associated with notice-and-consent. In the context of credit-scoring, if lenders (or their agents) are required to provide notice and seek consent at each instance to process the numerous streams of an individual’s personal data, the procedural costs may disincentivise them from accessing certain data-streams. Consequently, with limited data to assess credit-risk, lenders may adopt a risk-averse approach and avoid extending credit to certain sections of individuals. Alternatively, they may decide to extend credit despite the supposed inadequacy of personal data, thereby exposing themselves to higher risk of repayment defaults. While the former approach would be inimical to financial inclusion, the latter could possibly result in accumulation of bad loans on lenders’ balance sheets. Thus, encouraging data-intensive credit-scoring (for better-informed credit-decisions and/or for widening access to credit) may conceivably be viewed as a legitimate public interest.

However, in this post, I contend that even if this were to be accepted, a complete exemption from notice-and-consent for credit-scoring, poses a disproportionate risk to individuals’ right to privacy and data protection. The efficacy of notice-and-consent in enhancing informational autonomy remains debatable; however, a complete exemption from the requirement, without any accompanying safeguards, ignores specific concerns associated with credit-scoring.

Deemed consent for credit-scoring: Understanding the risks

First, the provision allows non-consensual processing of all forms of personal data, regardless of any correlation of such data with creditworthiness. In effect, this would encourage lenders to leverage the widest possible range of personal datasets. As research has demonstrated, the deployment of disparate datasets increases incidences of inaccuracy as well as of spurious connections between the data-input and the output. In credit-scoring, historical data using which the underlying algorithm is trained may conclude, for instance, that borrowers from a certain social background are likelier to default in repayment. Credit-scores generated from such fallacious and/or unverifiable conclusions can embed systemic disadvantages into future credit-decisions and deepen the exclusion of vulnerable groups. The exemption from notice-and-consent would only increase the likelihood of such exclusion – this is since individuals would not have any knowledge of the data-inputs used, or the algorithm using which such data-inputs were processed and consequently, no recourse against any credit-decisions arrived at via such processing.

Second, the provision allows any entity to non-consensually process personal data for credit-scoring. Notably, CICs are specifically licensed by the RBI to, inter alia, undertake credit-scoring. Additionally, in November 2021, the RBI amended the Credit Information Companies Regulations, 2006, to provide an avenue for entities (other than CICs) to register with any CIC, subject to the fulfilment of certain eligibility criteria, and to consequently access and process credit information for lenders. By allowing any entity to process personal data (including credit information) for credit-scoring, the Bill appears to undercut the RBI’s attempt to limit the processing of credit information to entities under its purview.

Third, the provision allows non-consensual processing of personal data for credit-scoring at any instance. A plain reading suggests that such processing may be undertaken even before the individual has expressed any intention to avail credit. Effectively, this would provide entities a free rein to pre-emptively mine troves of an individual’s personal data. Such data could then be processed for profiling the individual and behaviourally targeting them with customised advertisements for credit products. Clearly, such targeted advertising, without any intimation to the individual and without any opt-out, would militate against the individual’s right to informational self-determination. Further, as an RBI-constituted Working Group has noted, targeted advertising of credit products can promote irresponsible borrowing by individuals, leading them to debt entrapment. At scale, predatory lending enabled by targeted advertisements could perpetuate unsustainable credit and pose concerns to economic stability.

Alternatives for stronger privacy-protection in credit-scoring

The above arguments demonstrate that the complete exemption from notice-and-consent for processing of personal data for credit-scoring, threatens individual rights disproportionately. Moreover, the exemption may undermine precisely the same objectives that policymakers may be attempting to fulfil via the exemption. Thus, Clause 8(8)(d) of the Bill requires serious reconsideration.

First, I contend that Clause 8(8)(d) may be deleted before the Bill is enacted into law. In view of the CIC Act, CICs and other entities authorised by the RBI under the CIC Act shall, notwithstanding the deletion of the provision, continue to be able to access and process credit information relating to individual without their consent – such processing shall remain subject to the safeguards contained in the CIC Act, including the right of the individual to obtain a copy of such credit information from the lender.

Alternatively, the provision may be suitably modified to limit the exemption from notice-and-consent to certain forms of personal data. Such personal data may be limited to ‘credit information’ (as defined under the CIC Act) or ‘financial data’ (as may be defined in the Bill before its enactment) – resultantly, the processing of such data for credit-scoring would not require compliance with notice-and-consent. The non-consensual processing of such forms of  data (as opposed to all personal data), which carry logically intuitive correlations with creditworthiness, shall arguably correspond more closely to the individual’s reasonable expectations in the context of credit-scoring. An appropriate delineation of this nature would provide transparency in processing and also minimise the scope of fallacious and/or discriminatory correlations between data-inputs and creditworthiness.

Finally, as a third alternative, Clause 8(8)(d) may be modified to empower a specialised regulatory authority to notify credit-scoring as a purpose for non-consensual processing of data, but within certain limitations. Such limitations could relate to the processing of certain forms of personal data (as suggested above) and/or to certain kinds of entities specifically authorised to undertake such processing. This position would resemble proposals under previous versions of India’s draft data protection law, i.e. the Personal Data Protection Bill, 2019 and the Personal Data Protection Bill, 2018 – both draft legislations required any exemption from notice-and-consent to be notified by regulations. Further, such notification was required to be preceded by a consideration of, inter alia, individuals’ reasonable expectations in the context of the processing. In addition to this balancing exercise, the Bill may be modified to require the regulatory authority to consult with the RBI, before notifying any exemption for credit-scoring. Such consultation would facilitate harmonisation between data protection law and sectoral regulation surrounding financial data.

*For our complete comments on the Digital Personal Data Protection Bill, 2022, please click here – https://bit.ly/3WBdzXg) 

Censoring the Critics: The Need to Balance the Right to Erasure and Freedom of Speech

Clause 13(2)(d) of the Digital Data Protection Bill, 2022 (“DPDP Bill”) provides for the right to erasure of personal data i.e. “…any data about an individual who is identifiable by or in relation to such data”. The said clause states that a data principal has the right to erasure of personal data as per applicable laws and as prescribed. The clause further provides that such erasure of personal data shall take place after the data fiduciary receives a request for erasure. The precondition for erasure is that the personal data must no longer be necessary for the purpose for which it was processed and that it must not be necessary for any legal purpose either. 

This is in many ways a salutary provision. Data principals should have control over their data which includes the right to correct and erase data. This is especially important since it protects individuals from the negative impacts of the widespread availability of personal data on the internet. In today’s digital age, it is easier than ever for personal data to be collected, shared, and used in ways that are harmful or damaging to individuals. The right to erasure aids in countering these negative impacts by giving individuals the power to control their own personal information, and to have it removed from the internet if they choose to do so.

However, this provision can negatively impact several other fundamental rights such as the freedom of speech and right to information, especially when it is abused by powerful figures to silence criticism. For example, if an investigative journalist were to write an article in which they bring to light a government official’s corrupt deeds, the said official would be able to request the data fiduciary to erase such data since they are identifiable by it or are related to it. 

This article will seek to address such concerns in two ways. First, it will delve into the safeguards that can be included in the text of Clause 13(2)(d) to ensure that there is an appropriate balance between free speech and privacy. Second, it will recommend that the arbiter of this balance should be an independent authority and not data fiduciaries. 

(1) Safeguards 

Clause 13(2)(d) is heavily tilted in favor of the privacy interests of the data principal. It does not require data fiduciaries to take into account any other considerations that might have a bearing on the data principal’s erasure request. In order to prevent privacy interests from undermining other rights, the clause should be amended to include various safeguards. 

In particular, the clause should require data fiduciaries to consider the free speech rights of other individuals who might be affected by an erasure request. As indicated earlier, journalists may find it difficult to publish critical commentary on powerful public figures if their work is subject to easy erasure. There are also artistic, literary and research purposes for which personal data might be used by other individuals. These are valid uses of personal data that should not be negated simply because of an erasure request. 

Data fiduciaries can also be made to consider the following factors through subordinate legislation to harmonize free speech and privacy: (a) the role of the data principal in public life, (b) the sensitivity of the personal data sought to be erased, (c) purpose of processing, (d) public nature of data and (e) relevance of the personal data to the public. Incorporating such safeguards will help ensure that data fiduciaries appropriately balance the right to privacy and the right to speech when they receive erasure requests.

Further, a clearly laid out process for grievance redressal should also be codified. Currently, Clause 13(2)(d) does not provide for an appeal mechanism for erasure requests that have been rejected by data fiduciaries. The clause should explicitly provide that in case the data principal wants to contest the rejection of their erasure request, they can file a complaint with the Data Protection Board (DPB). 

(2) Independent Authority 

In addition to lacking sufficient safeguards, Clause 13(2)(d) puts the onus on data fiduciaries to decide the validity of erasure requests. Various jurisdictions including the United Kingdom and Spain along with other states from the European Union use this framework. However, giving decision making power directly to Data Fiduciaries will have a chilling effect on speech.

This is because they will tend to mechanically comply with erasure requests in order to escape liability for non-compliance. Data fiduciaries lack the bandwidth needed to properly assess the validity of erasure claims. They are for the most part private businesses with no obligation or commitment to uphold the rights and freedoms of citizens, especially if doing so will entail the expenditure of significant resources.

Consequently, there is a need for a different framework. Clause 13(2)(d) should be amended to provide for the creation of an independent authority which will decide the validity of erasure requests. Such a body should be staffed with free speech and privacy experts who have the incentive and the capability to balance competing privacy and speech considerations. 

Conclusion 

We can see from the discussion above that the right to erasure provision of the Digital Data Protection Bill, 2022 has failed to strike a sound balance between privacy and free speech. To achieve such a balance, Clause 13(2)(d) should be amended to incorporate various safeguards. Furthermore, an independent authority should be deciding the validity of erasure requests, not data fiduciaries.

Guest Post: Proportionality concerns with Criminal Procedure (Identification) Act

This post is authored by Ishita Tulsyan and Navdha Sharma.

The introduction of The Criminal Procedure (Identification) Act, 2022 ( ‘the Identification Act’) raised several surveillance and privacy concerns. Replacing the Identification of Prisoners Act 1920 ( ‘the Old Prisoners Act’), it attempts to modernize the process of identification of persons involved in criminal allegations to expedite and enhance criminal investigations. This is accomplished by expanding the types of ‘measurements’ that can be obtained (ie, the data that can be collected), the persons from whom measurements may be collected, and the storage of the said data for a period of 75 years.

The Identification Act permits the collection of measurements for an expansive set of categories and increases the persons whose measurements can be collected. Section 2 (1)(b) of the Identification Act, defines “measurements.” While the Old Prisoners Act authorized only the collection of measurements such as finger-impressions and foot-impressions, the Identification Act now includes within its ambit “finger-impressions, palm-print impressions, foot-print impressions, photographs, iris and retina scan, physical, biological samples and their analysis, behavioural attributes including signatures, handwriting,” on top of any other examination mentioned in Section 53 and 53A of the Code of Criminal Procedure, 1973. This represents a significant expansion in the type of data collected from individuals.

In the Old Prisoners Act, measurements could only be taken from persons who were convicted or those arrested in connection with an offence punishable by rigorous imprisonment of more than one year.  However, in the Identification Act, the measurements can be taken of all convicted and arrested persons, without any requirement of a minimum threshold for those not convicted. Further, measurements can be taken from individuals under preventive detention as per Section 3(c). Thus, all-in-all, the new Act has introduced a whole sea of new measurements that could be taken, and these new measurements can be taken from more people than under the Old Prisoners Act.

In this blog, the authors analyse the constitutionality of the Identification Act by examining whether the collection and storage of measurements satisfy the proportionality test for privacy infringing measures set out in Justice K. S. Puttaswamy v Union of India (5 judge-bench) (“Puttaswamy”).

Proportionality: the Puttaswamy test

The proportionality test, first set out in the Right to Privacy decision, was subsequently elucidated on and applied by J. Sikri in the Puttaswamy judgment; the criteria for judging the constitutionality of State interference with an individual’s right to privacy may be summarised as follows:

1. Legitimate aim – the action taken by the government must be for a proper or legitimate purpose.
2. Rational nexus – there should be a rational connection between the infringing act and the legitimate state aim sought to be achieved.
3. Necessity – the state must demonstrate that it is necessary to introduce an intrusive measure despite the negative effect on the rights of the individuals; including that there are no lesser restrictive measures of similar efficacy available to the State.
4. Balancing – between the need to adopt the measure and the right to privacy.

Assessing the Identification Act –

Legitimate Aim; the expansive provision of the measurements does, arguably, have a proper purpose. Just like the Old Prisoners Act, it is meant to aid the police in investigating crimes.

Rational Nexus; completion of the investigative procedure with speed and accuracy is a legitimate state aim and the current expansion in the categories of measurements that can be obtained will aid in achieving that. The new measures would enable the authorities to create a database using the collected measurements and match the data of suspects against it, thereby aiding criminal investigations.

Necessity; there is no denying that the Identification Act interferes with extremely personal data of individuals as it broadens the scope of both the measurements (as explained above) and the categories of people from whom it can be obtained. On a comparative reading of the Section 2(a) Prisoners Act and Section 2(1)(b) of the Identification Act, it is evident that the latter encompasses significantly more data collection than the former. As the erstwhile Old Prisoner’s Act thus constitutes a lesser restrictive measure, the burden then lies on the state to establish that the Old Prisoners Act did not fulfill the “legitimate state aim” as effectively as the Identification Act will. This requires the State to demonstrate that the Prisoners Act failed to meet the state aim of expediting the criminal investigation process because of which there arose a need for a new, more privacy infringing measure Act. Absent this, the Old Prisoners Act remains a viable lesser restrictive measure. However, the State has failed to discharge its burden as it did not provide any data or conduct a study which showed that the Prisoners Act fell short of achieving the state aim. Thus, due to the existence of a less-restrictive alternative (in the form of the Old Prisoners Act), the necessity limb of the proportionality test is not met.

Proportionality or Balancing; it is imperative that State’s rights-infringing measures are not absolute and do not curtail the rights of individuals any more than necessary. The removal of the minimum requirement of severity of offences as it relates to whose data can be collected will enable the authorities to collect data of persons charged with petty offences carrying punishment as little as a month. The Identification Act doesn’t even attempt to define the term ‘biological samples’ and what it would entail. This leaving a major scope for misuse at the hands of state authorities. Due to the term not being defined anywhere, it could be construed to include tests such as narco-analysis, polygraph test, brain electrical activation profile test, etc. Such methods are not only extremely intrusive, violative of bodily autonomy, but also of the right against self incrimination. Further, the proportionality test requires the maintenance of balance between the extent and nature of the interference and the reasons for interfering. While there might be substance in the rationale behind collection of measurements, there is no reasonable justification for  retaining the measurements for a period of 75 years, especially as the same severely undermines the right to privacy of such individuals even when they have served their sentence, if any. This is especially true considering that the life expectancy in India is itself 71 years. Thus, even if the necessity limb of the test would have been satisfied, the balancing limb would still warrant that the Identification Act be struck down.

Conclusion The proportionality test given under “Puttaswamy” is a conjunctive test and thus, failing any limb results in the measure being struck down. The Criminal Procedure (Identification) Act, 2022 fails to satisfy the necessity test to begin with, as the government has nowhere demonstrated that the lesser restrictive measure that the Identification Act replaces failed to meet its investigative requirements. Further, even beyond that, balancing limb of the proportionality test is also not satisfied given the Act’s extremely broad application and excessive data retention requirements. Thereby, it impermissibly restricts the right to privacy of convicted and non-convicted persons.

Comparative tracker for the Digital Personal Data Protection Bill, 2022

The Digital Personal Data Protection Bill, 2022 (“2022 Bill”) was released by the Ministry of Electronics and Information Technology on November 18, 2022, with the stated intent of being concise, comprehensible, and simplified for the citizens. For these reasons, the 2022 Bill has made significant changes to the framework of the earlier Personal Data Protection Bill, 2019 (“2019 Bill”), which was withdrawn earlier this August during the Monsoon session of the Parliament.

We have prepared this detailed tracker to record the changes made in the 2022 Bill, and compared the differences in the key provisions of the 2022 Bill and the 2019 Bill. This tracker can be a helpful reference while analysing the two Bills, or even a quick guide to the changes brought out in the 2022 Bill. 

This tracker has used the 2019 Bill as reference for the changes, as this was the last version of the Data Protection Bill which was introduced before the Parliament as a comprehensive legislation. We have analysed each clause and sub-clause of the 2022 Bill and compared it to the corresponding provisions of the 2019 Bill. We have provided the full text of the provisions (highlighting the differences) as well as a brief summary of changes under the 2022 Bill. Readers may use the 2022 Bill as the base, when looking for the changes made to specific provisions of the 2019 Bill.

As the public and expert analyses and opinions on the 2022 Bill are still being developed, we invite comments on any errors or omissions of corresponding provisions which may be present in this tracker.

The tracker can be accessed here.

Please note: a detailed list of the removed provisions from the 2019 Bill will be added to the tracker in the next few days.

(Compiled by Tejaswita Kharel and Vignesh Shanmugam)

(Update January 24, 2023: We have included in the tracker a detailed list of provisions removed from the 2022 Bill along with our comments on the same)

Guest Post: Access to call records under Section 91, CrPC

This post is authored by Debayan Bhattacharya and Pulkit Goyal

Section 91 of the Criminal Procedure Code 1973 (“CrPC”) empowers the police to require the production of ‘any document or thing’ from any person if they consider it ‘necessary or desirable’ for any investigation, inquiry, or proceeding under the CrPC. The provision grants the police broad power to obtain evidence and it is frequently used to mandate the production of revealing data like Call Detail Records, (“CDRs”) which contain details of communications made over a telecommunications network. While they do not contain the content of the communication, they contain metadata such as the duration of call, who made it, who it was addressed to, when it was made and from where. The section, which stands in effect unchanged from section 94 of the CrPC, 1898 is a colonial provision that was enacted by a foreign power when fundamental rights, and in specific a right to privacy, did not exist. Moreover, our personal data, today, is available to a larger number of actors, at a higher level of granularity, than in the past. This makes the privacy risk associated with requisitioning data significantly greater. For example, RazorPay was recently required to hand over the data on thousands of transactions that had been made via its platform to AltNews. This post explores the privacy implications of the current framework, arguing that the provision is a significant infringement on individual privacy that lacks crucial safeguards. It also makes recommendations to address these concerns.

Issues with Section 91

The judgment in Puttuswamy I recognized the right to privacy as a fundamental right under Article 21 of the Constitution. By recognising privacy within the ambit of Article 21, the court ensured that restrictions on privacy would have to comply with the requirements of a ‘fair, just, and reasonable’ procedure set out by the decision in Maneka Gandhi. In fact, the court in PUCL had ruled that a surveillance provision in the Telegraph Act did not contain sufficient safeguards, prompting the court to lay down guidelines that were eventually codified in the Telegraph Rules. In Puttaswamy I, itself, Justice Chandrachud’s opinion traced and emphasized the importance of procedural safeguards for the right to privacy. Moreover, Justice Kaul at Para 71 of his opinion in the same judgment identifies the requirements of legality, necessity, proportionality, and procedural safeguards that must be met for a provision to be constitutional.

The lack of procedural safeguards causes Section 91 to constitute an impermissible infringement of individual privacy. At first blush, Section 91 of the CrPC seems to have some safeguards. It lays down a standard of ‘necessity or desirability’ to require the production of information. Textually speaking, ‘desirability’ means ‘the quality of being wanted’, which confers significant discretion by conflating ‘when the police want’ data and ‘when it is legal for the police to requisition data’. The standard may be contrasted with Section 311 of the CrPC, which permits the Court to summon a witness ‘essential to the just decision of the case.’ The Supreme Court recently distinguished Sections 91 from 311 in Varsha Garg v State of Madhya Pradesh. It held that the “necessary or desirable” standard under section 91 is met when the information sought is relevant, while 311 requires the higher standard of essentiality to be met. Even aside from this low standard, these safeguards are largely illusory as there is no independent oversight mechanism (either ex-ante or ex-post) to scrutinize whether the action was necessary (or desirable at the time it was done). 

Moreover, there are primarily two stages where section 91 requisitions are made – (1) during investigation by the police and (2) during trial on an application made in court. While applications made in court can be, and are, challenged (as they were in Varsha Garg), orders made during investigation are not. These orders are made by the police to entities in possession of data, which are corporations and intermediaries such as banks, telecos, etc. These entities lack any incentive to challenge any such order made against them, especially when noncompliance carries criminal consequences under section 174 of the Indian Penal Code, 1860 (Non-attendance in obedience to an order from public servant). Further, there is no requirement to notify the affected individual (either ex ante or post facto) so little or no adversarial contestation to section 91 orders made during investigation by the police to third party intermediaries. This further limits any potential challenge to Section 91 orders by investigative agencies. 

Additionally, since Section 91 does not limit whose data can be demanded, it is possible that a third person’s CDRs are presented at trial as evidence, this person will probably never learn of it or have the opportunity to challenge the disclosure of such information even post or during trial. Ultimately, the affected individual does not know when such a request is made, these requests are legally binding, the substantive threshold for initiating a request for information provides almost absolute discretion to the executive, and there is no mechanism to enforce a standard even if it is construed narrowly. Thus, there is a significant lack of procedural safeguards.  

Call data records

Another issue with Section 91 is that it is essentially a shortcut to a level of invasive surveillance that ordinally requires the State to satisfy higher standards. The Telegraph Act, 1885 and the Information Technology Act, 2000 provide for the interception of calls and electronic transmissions but have some safeguards in place. Specifically, Section 5(2) of the Telegraph Act allows for interception of messages  on the occurrence of a public emergency or in the interest of public safety. Further, Rule 419A of the Indian Telegraph Rules of 1951 provides for review of directions under Section 5(2) of the Telegraph Act. Similarly, section 69A of the Information Technology Act read with IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 empowers senior government officials to issue surveillance directions if it is necessary or expedient to do so for specific grounds (including in this case investigation of an offense). These directions are also reviewed as per Rule 22 of the Interception Rules. 

CDRs and ongoing interception (surveillance) may appear to be different since the latter deals with the recording of content of calls in real time while CDRs are metadata of past calls. However, the routine maintenance of CDRs itself represents an indirect and ongoing form of surveillance. With access to metadata, it is possible to combine this metadata with other publicly available data, such as phone books, social media accounts, etc., and discern information such that it constitutes a significant violation of the right to privacy, arguably on par with real-time surveillance. Moreover, metadata can be more easily processed by computers than content data. For e.g A calls her sister B for an hour following which A calls an abortion clinic which is followed with multiple follow up calls over the period of a few months. It may reasonably be deduced, even without knowing the contents of the call, that A got an abortion. This is private information but can be revealed just by perusing metadata. Metadata, thus, also carries substantial privacy implications. Accordingly, the requisitioning of CDRs should be accorded similar safeguards to those which apply to interception. The provisions under the Telegraph Act and IT Act have more safeguards in the form of who is empowered to issue the directions and that the directions are reviewed by specific authorities. Though these safeguards are in no way sufficient, the issue is that section 91 effectively bypasses the limited safeguards that do exist to obtain information that is privacy infringing to a similar degree. 

Alternatives and recommendations

Choices made with respect to the collection of evidence strike a specific balance between Crime Control and Due Process models of criminal procedure. The former emphasizes the importance of tailoring evidence law to ensure sufficient punishment of crimes while the latter provides greater importance to the protection of rights and liberties. Since Section 91 allows for a broad, unchecked power for police to acquire CDRs and other documents, it clearly leans towards a crime control model. 

What would a due process approach look like? The South African Constitutional Court recently held that surveillance orders constitutionally require notification to the person affected as soon as it can be given without jeopardizing the purpose of the investigation. It further required the collected data to be deleted after a fixed amount of time. In the United States, a warrant is required for the production of such evidence and consequently, as per the IVth Amendment, requires probable cause in order to justify infringing the privacy of individuals. Probable cause must be shown to a judge for the issue of a warrant, meaning that there is a procedural safeguard in the form of application of judicial mind to ensure adherence to the standard.

Therefore, a good starting point for additional safeguards (for CDRs at the bare minimum) includes requiring prior permission from a judicial authority in the form of a warrant and a notification of the surveillance (either ex ante or post facto). This would allow a challenge to the requisition order in a court of law as violating their fundamental rights and ensure some prior judicial application of mind in the process. 

Guest Post: Puttaswamy and privacy rights of the accused

This post is authored by Thulasi K. Raj

Following the judgment of the Supreme Court in Puttaswamy, the privacy rights of accused persons have been litigated upon across various High Courts in India. The right to privacy is especially relevant at various stages of a criminal case where numerous situations can potentially infringe the accused’s privacy. In this post, I will examine how privacy claims made by the accused have been examined by courts post-Puttaswamy. I specifically examine two types of claims: (i) cases where the personal information of the accused is available (or has been made available) in the public domain; and (ii) cases concerning the procedures an accused may be subjected to.

In cases where the accused has raised a privacy claim, the State typically makes a ‘countervailing interest’ argument; that a key governmental interest such as effectively investigating crimes is furthered by interfering with an individual’s privacy, and hence is justified. However, Puttaswamy, laid down that State infringements on privacy cannot merely serve an important interest, but must fulfil the four-part test of legality, necessity, proportionality, and reasonable safeguards. The Supreme Court held that “An invasion of life or personal liberty must meet the threefold requirement of (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate State aim; and (iii) proportionality which ensures a rational nexus between the objects and the means adopted to achieve them.” The proportionality limb also specifically requires the State’s measure to be the least rights infringing measure possible that continues to fulfil the State’s desired objective, with courts balancing competing interests. Justice Kaul’s separate opinion would add a fourth limb to this test, ‘procedural safeguards against abuse of interference with rights’, in line with Article 21’s guarantee of a ‘procedure established by law’.

The first set of privacy claims is where the personal information of accused persons were made public due to them being the subject of a criminal prosecution and judicial interventions were sought to safeguard this data. One of the prominent cases in this regard was Re: Banners before the Allahabad High Court. The district administration and police had put up banners displaying the names and photographs of persons who were accused of vandalism.

Expressly referring to Puttaswamy’s, and applying thefour-tier test, the High Court in Re: Banners first held that there were no statutory provisions “permitting the State to place the banners with personal data of the accused” in public (contravening the ‘legality’ test). Further, the publication of personal data also failed the ‘legitimate aim’ and ‘proportionality’ requirements. The purported aim, as argued by the State, was to deter people from violating the law. According to the Court, this was insufficient as the action of publishing personal information on banners was not necessary to achieve this aim. Therefore, the banners were ordered to be removed and the administration was asked to refrain from such actions in the future without legal authority.

In Karthick Theodre, an individual who had been acquitted of criminal charges by a 2014 judgement sought the “erasure or redaction of his personal information from the public domain.” In other words, the petitioner sought the redaction or erasure of his name from the judgement. Relying on Puttaswamy, various arguments including the right to be forgotten were raised before the Madras High Court. The apprehension of the petitioner was duly noted, that whenever his name was searched through search engines, results relating to the judgment would appear. However, the Court dismissed the plea on the grounds that without an adequate data protection law, laying down the parameters of when the redaction of the names of the accused should be directed, there was no objective criteria based on which the court can pass orders. While certain High Courts have granted reliefs based on the right to be forgotten, (See Jorawar Singh Mundy, Zulfiqar Ahman Khan,) the Madras High Court held that absence of a statute renders the petitioner remediless.

The second set of cases are privacy claims by accused persons as to the procedures they can be subjected to during an investigation. In Mursaleen Mohammad, the appellant was convicted under the provisions of the Narcotic Drugs and Psychotropic Substances Act, 1985 (“NDPS”). The appellant was subject to an x-ray examination by the authorities and subsequently confined till he defecated to recover the contraband allegedly stored in his body. The Calcutta High Court observed that the search and recovery of contraband from a person contemplated under section 50 of the NDPS Act does not allow for invasive medical procedures absent compliance with strict statutory safeguards. The Court noted that there were procedural irregularities in collecting the ‘evidence’. By relying on Puttaswamy, the Court affirmatively held that ‘recovery of contraband inside the body of a suspect must not only be in accordance with the procedure established by law but also be compatible to (sic) the dignity of the individual and ought not subject him to cruel, inhuman treatment.” The recovery of contraband, according to the Court, encroached on the appellant’s right to privacy.

In Vinod Mittal, the Himachal Pradesh High Court considered the legality of an order by a Special Judge, directing the petitioner to undergo a polygraph test and provide a voice sample to the investigating agency. The petitioner challenged the constitutionality of these directions, relying on Article 20(3) of the Constitution and the decisions in Ritesh Sinha and Selvi. The petitioner, however, admitted that he was willing to provide the sample if the court found such procedures to be legally permissible. The High Court said that the tests the accused could be subjected to could broadly be divided into three kinds: “(i) permissible with or without consent, (ii) permissible with consent only, and (iii), impermissible altogether.” After studying relevant judgments, the Court held that polygraph tests fall under the second category.

The Court concluded that “It is not legally impermissible [for a court] to issue direction[s] to a person to undergo Narco Analysis, polygraph and BEAP test, but such direction shall be subject to consent of said person and the person has a right to elect to consent or refuse to undergo such test…” The Himachal Pradesh High Court, therefore, indicated through this case that such techniques, if done in an involuntary manner, would be an unjustified intrusion and violate an individual’s (mental) privacy.

These cases demonstrate that the four-tier test laid down in Puttaswamy has been significantly engaged with by constitutional courts in interpreting the right to privacy of the accused. The use of the conjunctive test laid down by the Supreme Court has facilitated a more robust scrutiny of State action vis-à-vis accused individuals. The interpretation certainly requires further development, with greater sophistication in enhancing the analysis under Puttaswamy. However, these are positive judicial observations that will likely result in a consistent and continuous engagement with violations of the right to privacy. While various aspects of the right to privacy, including the right to be forgotten, await comprehensive judicial recognition, privacy jurisprudence has tremendous potential to protect the rights of the accused in the years to come.

Guest Post: Liberty, privacy and abortion rights: Comparing India and the U.S.

This post is authored by Shrutanjaya Bhardwaj

On 25 June 2022, in Dobbs v. Jackson, the U.S. Supreme Court (“SCOTUS”) declared that the U.S. Constitution does not guarantee a right to abortion. SCOTUS thus overturned the celebrated 1973 judgment titled Roe v. Wade which had held the right to abortion to be constitutionally protected. This post analyses Roe and Dobbs, examining how and why they treated the term “liberty” differently. It then contrasts these definitions with the Indian understanding of “liberty”.

“Liberty” and “tradition”: A brief overview of Roe and Dobbs

The legal issue on which Roe and Dobbs disagree concerns the word “liberty” in the Fourteenth Amendment to the U.S. Constitution. The Amendment states that the State shall not “deprive any person of life, liberty, or property, without due process of law”. SCOTUS decisions prior to 1973 interpreted the word “liberty” narrowly . They held that the word does not include all kinds of liberties; it refers to those liberties which were historically and traditionally considered fundamental in the U.S. For example, Palko (1937) held that the Fourteenth Amendment only protects liberties “so rooted in the traditions and conscience of our people as to be ranked as fundamental.” Similarly, Snyder (1934) held that the words “due process” imply the processes traditionally guaranteed in the U.S.

The Court in Roe (1973) was aware of these precedents. However, the majority ultimately held that the Fourteenth Amendment protects “personal rights that can be deemed ‘fundamental’ or ‘implicit in the concept of ordered liberty’.” Conspicuously, the reference to history and tradition was omitted, presumably implying that history and tradition are not essential to the analysis. Hence, while narrating the history of abortion, the majority did not deem it necessary to locate a right to abortion in American tradition. It merely found that “at common law, at the time of the adoption of our Constitution, and throughout the major portion of the 19th century, abortion was viewed with less disfavor than under most American statutes currently in effect” (emphasis supplied). It then proceeded to hold that the right to abortion was protected under the Fourteenth Amendment as a facet of the right to privacy. Roe’s treatment of history and tradition would eventually become the main reason for its overturning in Dobbs.

But Roe was not alone in treating history and tradition as inconclusive. SCOTUS has generally wavered on this issue. E.g., in Obergefell (the 2015 decision affirming a right to same-sex marriages), SCOTUS held that while history and tradition “guide and discipline this inquiry”, they “do not set its outer boundaries”. Contrast this with Glucksberg (the 1997 decision rejecting a right to assisted suicide) which held that the “outlines” of the word “liberty” are to be “carefully refined by concrete examples involving fundamental rights found to be deeply rooted in our legal tradition,” indicating a conclusive reliance on tradition. Thus, the question of whether “liberty” is to be interpreted purely normatively (‘implicit to ordered liberty’), or must also be grounded in historical experience is  itself contested in SCOTUS jurisprudence and has changed over time – often based on the composition of the court on a given day and case.

In attacking Roe’s conclusion, then, the main objection taken by the Dobbs Court — composed of a 6-3 conservative majority — was a historical one. The majority re-examined historical evidence and found that abortion has been traditionally criminalised, or at least negatively treated, in most states: “By the time the Fourteenth Amendment was adopted, three-quarters of the States had made abortion a crime at any stage of pregnancy. This consensus endured until the day Roe was decided. Roe either ignored or misstated this history….” Citing Palko (1937) and Glucksberg (1997) for the necessity to ground liberty in historical practice, the majority rejected the idea that an abortion right was “deep-rooted” in American history and tradition. Thus, it found, the word “liberty” in the Fourteenth Amendment did not protect a woman’s right to medically terminate her pregnancy. 

The implication is this. After Dobbs, the 14th amendment itself does not include a right to medically terminate a pregnancy because the right is not “deeply rooted” in American history and tradition. Thus, there exists no need to examine whether there exists a countervailing right of the woman which must be “balanced” against the State’s interest in protecting prenatal life. As described by the dissent: “The constitutional regime we have lived in for the last 50 years recognized competing interests, and sought a balance between them. The constitutional regime we enter today erases the woman’s interest and recognizes only the State’s….”

It is easy to see why SCOTUS’ reliance on history and tradition is problematic. The point of a Bill of Rights is to insulate freedom and equality from majority control. It is hence paradoxical that the meaning of liberty turns on popular tradition. Relying on  a male political majority’s treatment over a period of time of women (at a time when the latter were denied political representation – women were not allowed to vote when the 14th amendment was passed – and equal standing in society) to determine the liberties afforded to women today risks codifying past injustices into modern rights law. The Dobbs dissent rightly argues, quoting Obergefell, that “[i]f rights were defined by who exercised them in the past, then received practices could serve as their own continued justification.” This circular test—which sees the Constitution as a tool to cement tradition rather than challenge it—allows all kinds of regressive, liberty-restricting practices to be upheld so long as they are rooted in American history and tradition. Finally, history itself may be contested and heterogeneous, and the Court’s approach  provides few safeguards against the selective reliance and interpretation of “history” by the majority.

Yet, the dissent struggles—and so does an amicus brief —to articulate an alternative test to define “liberty”. The dissent argues, rightly, that history and tradition are not captured “in a single moment” and should be understood with reference to “the longsweep of our history and from successive judicial precedents”. But this does not take us very far. Is tradition relevant at all? How relevant? When can you overlook it? Is it possible to ensure that judges will not start interpreting the word “liberty” based on their own personal biases, in ways completely disconnected from American tradition? The dissent does not argue that tradition is irrelevant, and does not provide any principled test to determine when its relevance is reduced.

“Liberty” in the Indian Constitution

While the Indian Supreme Court often discusses the history of the issue before it (very common in reservation cases, e.g.), history and tradition have never been the determining factors to define “liberty” in Art.21 of the Indian Constitution. The meaning of “liberty” has been determined by other considerations.

Art.21 prohibits the State from depriving any person of “personal liberty” except as per procedure established by law. Separately, Art.19 lists six (originally seven) freedoms: speech, assembly, association, movement, residence and trade. In its early years, the Supreme Court was called upon to decide if the “liberty” contemplated by Art.21 was broad enough to include the six freedoms listed in Art.19. This question was first answered in Gopalan (1950). By a 5-1 majority, the Court held that since Art.21 spoke only of “personal” liberty—i.e., liberty of one’s person—it had to be interpreted narrowly to mean freedom from bodily restraint. As Das J. put it, liberty is the “antithesis of physical restraint or coercion”. The majority viewed Art.19 and Art.21 as distinct rights having no overlapping content. In other words, the content of “liberty” in Art. 21 was not informed by the rights enumerated in Art. 19

In the Gopalan era, therefore, Art.21 had a narrow scope. It did not, e.g., include the right to privacy, as held in M.P. Sharma (1954) and Kharak Singh (1964). But Gopalan was overturned after the Emergency. In Maneka (1978), the Supreme Court held that fundamental rights are not siloed; they are overlapping in terms of their content. Accordingly, the meaning of “personal liberty” in Art.21 was held to include and be informed by the six enumerated freedoms of Art.19 and other constitutional sources. 

Since Maneka, the meaning of “personal liberty” has been continuously expanded. Now, Art.21 includes, inter alia, the rights to legal aid and speedy trial, the right to shelter, workers’ right to health and medical aid, a woman’s right to make free choices regarding sterilization procedures, the right to privacy, and indeed, a qualified right to have an abortion subject to reasonable restrictions imposed by the Medical Termination of Pregnancy Act, 1971. 

But none of these activities or rights have had to pass a historical test before being recognised. The term “personal liberty” has been understood as being “of the widest amplitude” (Maneka 1978) and defined as “a power of acting according to the determinations of the will” (Mhetre 2011). These holdings imply that the words “personal liberty” encompass the freedom to do whatever one wants, although the freedom is not absolute and is subject to any fair, just and reasonable law made by the State (such as criminal legislations which identify and punish certain acts like murder, theft etc.) on legitimate grounds. In other words, the idea of “liberty” does not depend on the act being performed or its historical acceptance. In contrast with the SCOTUS, Indian courts have called the Constitution a “transformative” document, emphasizing its role as a revolutionary instrument that appropriately challenges tradition rather than protect it.

In one sense, this is a much neater test as compared to the one followed by SCOTUS. In context of abortion, because the interpretation of “liberty” does not presumptively exclude the right to terminate a pregnancy (Dobbs) it means that the Court must recognise two competing rights—the woman’s right to have an abortion and the fetal right (if it is shown to exist) to life—and resolve the conflict by evaluating the necessity and proportionality of the restrictions placed by the State. 

Conclusion

This is not to say that the test under Art.21 has no flaws. The flexibility of the “fair, just and reasonable” standard also means that it is vague, and a restriction deemed to be reasonable by one bench or court could well be deemed unreasonable by another. Yet, the advantage of the Maneka test is that it does not allow the Court to outrightly reject either competing right on the ground that it does not comport with historical practices and popular traditions. The Court must at least enter the balancing exercise and explain why particular restrictions on rights are proportionate or disproportionate.

“Liberty” under the Indian Constitution is substantially different from that under the U.S. Constitution. The SCOTUS test is problematic; tradition and history are not objective and using them to define “liberty” is not wise. In contrast, Art.21 protects all liberty, and is open to recognising competing rights within the constitutional scheme. A woman’s right to abortion is hence recognised, but is to be ‘balanced’ against the right to life of the fetus (if such a competing right is shown to exist). This allows for a much more principled inquiry into the competing interests and for testing the necessity and proportionality of the State measure in question.

The Dobbs ruling has serious implications for privacy rights. The immediate implications are on pregnancy and reproductive autonomy: 11 states in the U.S. already have laws criminalizing abortions, while 13 more states are speculated to pass such laws in the near future. The de-recognition of the right to abortion as a fundamental right also poses dangers of surveillance and sensitive data collection by law enforcement agencies by piggy-backing on the data stored with financial companies and even mentruation-tracking apps in an effort to track individuals who may have had an abortion in a state where it is illegal. Looking beyond pregnancy, the Dobbs decision might imply—as both the concurrence (by Justice Thomas) and the dissent suggest—a threat to other rights which were recognized by SCOTUS as flowing from the right to privacy, including the right to contraception, the right to same-sex marriage, homosexuality rights, etc. The majority rejects this suggestion because “none of these decisions involved what is distinctive about abortion: its effect on what Roe termed ‘potential life’”. However, as the dissent notes, other rights based on the 14th amendment’s guarantee of autonomy and privacy may also fail the test of being “deeply rooted” in tradition. The effect of Dobbs on those other rights may be more complex than what the various Justices suggest. These and other aspects of the Dobbs fallout will be discussed in a future post.

This blog was written with the support of the Friedrich Naumann Foundation for Freedom.

CCG’s Comments to the Ministry of Electronics and Information Technology on the Draft National Data Governance Framework Policy

Authors: Joanne D’Cunha and Bilal Mohamed

On 26th May 2022, the Ministry of Electronics and Information Technology (MeitY), released the Draft National Data Governance Framework Policy (NDG Policy) for feedback and public comments. CCG submitted its comments on the NDG Policy, highlighting its feedback and key concerns with the proposed Data Governance Framework. The comments were authored by Joanne D’Cunha and Bilal Mohamed, and reviewed and edited by Jhalak M. Kakkar and Shashank Mohan.

The draft National Data Governance Framework Policy is a successor to the draft ‘India Data Accessibility and Use’ Policy, which was circulated in February 2022 for public comments and feedback. Among other objectives, the NDG policy aims to “enhance access, quality, and use of data to enable a data-led governance” and “catalyze AI and Data led research and start-up ecosystem”.

“Mountain” by Mariah Jochai is licensed under CC BY 4.0

CCG’s comments to the MeitY are divided into five parts – 

In Part I, of the comments we foreground our concerns by emphasising the need for comprehensive data protection legislation to safeguard citizens from potential privacy risks before implementing a policy around non-personal data governance. 

In Part II, we focus on the NDG Policy’s objectives, scope, and key terminologies. We highlight that the NDG Policy lacks in  sufficiently defining key terms and phrases such as non personal data, anonymisation, data usage rights, Open Data Portal, Chief Data Officers (CDOs), datasets ecosystem, and ownership of data. Having clear definitions will bring in much needed clarity and help stakeholders appreciate the objectives and implications of the policy. This also improves  engagement from the stakeholders including the government in the policy consultation process. This also enhances engagement from the stakeholders, including the various government departments, in the policy consultation process.  We also highlight that the policy does not illustrate how it will intersect and interact with other proposed data governance frameworks such as the Data Protection Bill 2021 and the Non Personal Data Governance Framework. We express our concerns around the NDG Policy’s objective of cataloguing datasets for increased processing and sharing of data matching with the aim to deploy AI more efficiently.  It relies on creating a repository of data to further analytics, and AI and data led research. However, it does not take into consideration that increasing access to data might not be as beneficial if computational powers of the relevant technologies are inadequate. Therefore, it may be more useful if greater focus is placed on developing computing abilities as opposed to increasing the quantum of data used.

In Part III, we focus on the privacy risks, highlighting concerns around the development and formulation of anonymisation standards given the threat of re-identification from the linkage of different datasets. This, we argue, can pose significant risks to individual privacy, especially in the absence of a data protection legislation that can provide safeguards and recognise individual rights over personal data. In addition to individual privacy harms, we also point to the potential for collective harms from using aggregated data. To this end, we suggest the creation of frameworks that can keep up with the increased risks of reidentification posed by new and emerging technologies.

Part IV of our comments explores the institutional framework and regulatory structure of the proposed India Data Management Office. The proposed IDMO is responsible for framing, managing, reviewing, and revising the NDG Policy. Key concerns on the IDMO’s functioning pertain to the exclusion of technical experts and representatives of civil society and industry in the IDMO. There is also ambiguity on the technical expertise required for Chief Digital Officers of the Digital Management Units of government departments and ministries, and the implementation of the redressal mechanism. In this section, we also highlight the need for a framework within the Policy to define how user charges will be determined for data access. This is particularly relevant to ensure that access to datasets is not skewed and is available to all for the public good. 

You can read our full submission to the ministry here.

Protecting Privacy: A Case Against State Interference Through Restitution of Conjugal Rights

Recent judicial decisions have transformed our understanding of privacy, autonomy, and equality; significantly so post the Supreme Court’s Puttaswamy I judgement. In Puttaswamy I, the Court reaffirmed privacy as a fundamental right grounded in the ideas of autonomy and dignity. An important consequence of this understanding of privacy is its impact on questions of individual privacy within the confines of a marriage. For example, in a recent case on the subject of marital rape, the Karnataka High Court allowed rape charges against the husband and emphasised the importance of reinforcing the right to equality and the right to individual autonomy and dignity of a woman within a marriage.

One such provision within family law that raises concerns about individual autonomy and privacy within marriage is the Restitution of Conjugal Rights (‘RCR’). It is a legal remedy available to spouses where one spouse deserts the other without a ‘reasonable’ excuse or on certain ‘unlawful’ grounds. In such cases, the ‘aggrieved’ party has the right to seek a decree for RCR, by which a court order may direct the deserting party to compulsory cohabit with the ‘aggrieved’ party. The remedy of RCR is provided for under Section 9 of the Hindu Marriage Act, 1955 as well as, Muslim Personal Law, the Parsi Marriage and Divorce Act, 1936 (S. 36), the Indian Divorce Act, 1869 (S. 32-33), and the Special Marriage Act, 1954 (S. 22). Generally, if a person fails to comply with a RCR decree a court can attach their property under the Civil Procedure Code (Order 21, Rule 32).

In this post, I analyse the State’s objectives in providing spouses with the RCR remedy and argue that the remedy itself violates the right to privacy under Article 21 by failing to satisfy the test of proportionality.

Privacy, autonomy, and State interference

State regulation of domestic relations has seen laws governing marriage, divorce, adultery, and sexual relations between consenting adults, for example the criminalisation of homosexuality. Marriage is a social contract recognised by the State and to a certain extent, is also subject to regulation by the State. Although regulations around marriage may be for a variety of reasons, it may be argued that they serve two key interests: protection of individual rights, and the State objective to protect the institution of marriage (often articulated as maintaining “cultural ethos and societal values”). Examples of the former rationale include laws recognising domestic violence, cruelty, and prioritising individual autonomy by providing divorce as a remedy. The latter rationale can be seen in laws criminalising adultery and homosexuality (both of which have been struck down by the Supreme Court of India post Puttaswamy I) and providing restitution of conjugal rights as a remedy. However, by protecting the institution of marriage, the State also protects a particular conceptionof that institution, specifically the socially accepted notion of a monogamous, heterosexual, and procreative marriage.

It is widely accepted that RCR is an archaic English law (from a time when cohabitation was expected of women) that, as the Bombay High Court noted in 1885, did not exist prior to colonial rule. However, the remedy was codified in the Hindu Marriage Act in 1955 even after India achieved independence and continues to exist despite its patriarchal connotations. The 71st Law Commission Report of 1978 (page no. 27, para 6.5) emphasised the importance of cohabitation to protect the ‘sanctity of marriage’. The High Court of Delhi, in Harvinder Kaur vs. Harmander Singh Choudhry (1984) also adopted this view and held that the restitution of conjugal rights is an important remedy to protect the institution of marriage. The Delhi High Court rejected privacy considerations by stating that a decree of RCR was not the “starkest form of governmental intervention into marital privacy” since it merely aims to restore cohabitation and does not enforce sexual intercourse. As I argue below, this reasoning raises questions about individual autonomy. However, the Delhi High Court’s rationale was accepted by the Supreme Court in Saroj Rani vs. Sudarshan Kumar Chadha (1984), where the apex Court upheld the constitutionality of RCR and reiterated that the right to cohabitation is “inherent in the very institution of marriage itself.”  

This view of RCR — to preserve the institution/ sanctity of marriage — creates tensions with the objective of the State to protect individual rights. An RCR decree interferes with the right to privacy and autonomy by compelling an individual to cohabit with their spouse against their will. This may especially be true after the articulation of the right to privacy by the Supreme Court in Puttaswamy I. The decree of RCR creates an unwanted intrusion into a person’s personal life by denying them autonomy over where they live, and also potentially on the sites of sexual and reproductive decision making. Any analysis of RCR must recognise the power asymmetry within domestic relations that pervasively results in women being subject to physical and sexual violence at home. Thus, contrary to the reasoning given by courts in Harvinder Kaur and Saroj Rani, by compelling women to cohabit with men they have deserted, a decree of RCR may place women at significant risk of domestic violence, economically compromised living conditions, and non-consensual sexual intercourse.

The Andhra Pradesh High Court in T Sareetha vs. Venkata Subbaiah in 1983 recognised that the grant of an RCR decree would amount to an interference of the State into the private sphere, compelling cohabitation or even indirectly, sexual intercourse. The High Court found that this interference of the State through RCR violated the right to privacy, autonomy, and dignity of the individual against whom the decree was sought by ‘transferring the decision to have or not have marital intercourse from the individual to the State’. This decision was overruled by the Supreme Court’s Saroj Rani decision in 1984. While the Puttaswamy 1 judgement in 2017 did not expressly refer to Sareetha, all nine judges broadly adopted the approach taken in the Sareetha judgement, adopting a conception of privacythat recognises its basis in individual autonomy and dignity.

In Puttaswamy I, the Supreme Court ruled that individual autonomy, that recognises the ability of individuals to control vital aspects of their life (including reproductive rights, sexual orientation, gender identity), is an intrinsic part of the right to privacy guaranteed under Article 21 of the Constitution. By this reasoning, a decree of RCR does not account for the right to autonomy of an individual and violates their right to privacy by legally compelling the individual to cohabit despite them making a conscious choice to separate from their spouse.

In recent years, there has been a shift in the thinking of courts, where the right to individual privacy and autonomy is prioritised as opposed to protection of the institution (and specific conceptions of that institution) of marriage. For instance, in Joseph Shine, the Supreme Court held that the law that criminalised adultery treated women as property and was unconstitutional. It opined that although the criminalisation of adultery was introduced to protect the institution of marriage, it serves the interests of one party and denies agency to women. The Court noted –

“The provision is proffered by the legislature as an effort to protect the institution of marriage. But it proceeds on a notion of marriage which is one sided and which denies agency to the woman in a marital tie. The ability to make choices within marriage and on every aspect concerning it is a facet of human liberty and dignity which the Constitution protects.”

Bearing in mind this view of the court, RCR would not stand up to judicial scrutiny as a constitutionally valid right, since it disregards the autonomy and dignity of an individual under the notion of the State aim to protect the institution of marriage.

The proportionality test

In 2017, Puttaswamy I laid down a four-part test for determining the validity of an infringement of the right to privacy. The test’s first limb necessitates the existence of a codified law, which is met with in the case of RCR through various statutory provisions. The test also requires the existence of procedural safeguards against abuse of State interference, which is of reduced significance in the case of RCR as both a RCR decree and post-decree attachment of property require prior judicial authorisation and oversight. In addition to the need for statutory authorisation and procedural safeguards, for an infringement to be valid it must satisfy the limbs of legitimate aim, necessity, and proportionality. The Puttaswamy II (Aadhar) case applied this test, which was first articulated in the Modern Dental College judgement in 2016. This test requires:

1. any limitation of a constitutional right is enforced for a proper purpose (legitimate aim);
2. there is a rational nexus between the proper purpose and the measure adopted to achieve it and there are no alternative measures which would achieve the purpose but are less restrictive of rights (necessity); and
3. the restriction on the constitutional right must be proportionate to the purpose set out by the State (balancing or proportionality).

Firstly, it must be noted that, as observed by the Supreme Court in Saroj Rani, the stated purpose of the measure is protecting the institution of marriage. As stated above, in Joseph Shine the Supreme Court rejected the State’s argument that protecting the institution of marriage was a proper purpose where the State’s measure protected “a notion of marriage that is one sided and denies agency to women.”. In this context, RCR only protects a notion of marriage where individuals cohabit and engage in sexual intercourse, denying agency to individuals and violating individual autonomy. Secondly, the decree of RCR should have a rational nexus with the aim of protecting the institution of marriage. In this regard, it is relevant to note that, in certain instances, individuals routinely file RCR cases expecting non-compliance by the other party, using this non-compliance with the RCR decree as a ground for divorce. Thus, the historically dominant objective of the State of “protecting” the institution of marriage through the positive remedy of RCR may also not be satisfied.

Even if RCR furthers the State’s aim of protecting marriage, it would need to pass the third prong of the proportionality test, i.e., the State must meet the objective of the law through the ‘least restrictive measure’. The State could resort to alternate measures, similar to the ones observed under divorce petitions; an order of mediation or a ‘cooling off’ period provisioned in cases of divorce with mutual consent furthers the aim of protecting the institution of marriage without violating individual rights. However, in a decree of RCR there persists a violation of an individual’s privacy, enforced by coercion through the attachment of property.

The fourth part of the proportionality test emphasises the need to have a balance between the interest of the State and the rights of individuals. As stated earlier, the infringement of individual rights through an RCR decree creates severe consequences that violate the right to privacy and autonomy of an individual, including putting women in particular, at risk of harm. Thus, the gravity of the rights violation arguably outweighs the State interest of protecting marriage, especially since the State aim is often not met and the decree becomes a ground for divorce.

The application of the test of proportionality by Indian courts has garnered criticism as being deferential to the State. However, even with this deferential application, as demonstrated above, RCR would likely not pass the four-part test of proportionality endorsed by the courts in Modern Dental College and Aadhaar.

Conclusion

In the post-Puttaswamy era, various High Courts have recognised the autonomy and dignity of women within marriage under the fundamental right to privacy. For instance, in a recent right to abortion case, the High Court of Kerala relied on Puttaswamy I and held that a woman’s autonomy of body and mind with respect to reproductive decisions are part of the right to privacy. As discussed above, the High Court of Karnataka, in its recent decision, while allowing rape charges against the husband, acknowledged that the exception of marital rape stems from an archaic notion of marriage where the wife was considered property. On similar grounds, one may argue that RCR should be considered invalid since it is based on the outdated notion of marriage where the wife was considered the property of the husband and had no individual autonomy of her own. As noted above, it is also incompatible with the test of proportionality.

On 30 December, 2021, the Gujarat HC observed that an RCR decree could not force a woman to cohabit with her husband. The court recognised that a decree of RCR needs to consider both the parties’ and not solely the ‘right of the husband’. Further, it opined that the very fact that there exists an option given to not comply with the RCR decree under the Civil Procedure Code indicates that the court cannot force a woman to cohabit against her will. The court further laid down certain grounds under which a person could refuse to comply with an RCR decree including cruelty, adultery, and failure of the husband in performing marital obligations. Although this decision seems to encourage considering the rights of women in a marital relationship – it fails to reaffirm the right to privacy and autonomy of the subject of the decree against a law that is effectively discriminatory. It grants power to the courts to decide on a case-to-case basis whether the right can be granted, which could lead to a potential violation of individual rights given the nature of this provision.

Striking down RCR provisions does not mean that there must be a complete embargo on the interference of the State into marriage – for example, the power asymmetry in domestic relationships necessitates the enforcement of laws against domestic violence and most likely requires the criminalisation of marital rape. However, taking into consideration the constitutional scrutiny of laws against the backdrop of State interference and right to privacy, RCR may not stand the test of constitutionality. Currently, a petition challenging the constitutionality of RCR is pending before the Supreme Court – if the above arguments are considered by the court, RCR may be struck down on the grounds that it violates the right to privacy.

This post was originally published on Livelaw on 26 April 2022.