Following the judgment of the Supreme Court in Puttaswamy, the privacy rights of accused persons have been litigated upon across various High Courts in India. The right to privacy is especially relevant at various stages of a criminal case where numerous situations can potentially infringe the accused’s privacy. In this post, I will examine how privacy claims made by the accused have been examined by courts post-Puttaswamy. I specifically examine two types of claims: (i) cases where the personal information of the accused is available (or has been made available) in the public domain; and (ii) cases concerning the procedures an accused may be subjected to.
In cases where the accused has raised a privacy claim, the State typically makes a ‘countervailing interest’ argument: that a key governmental interest such as effectively investigating crimes is furthered by interfering with an individual’s privacy, and hence is justified. However, Puttaswamy laid down that State infringements on privacy cannot merely serve an important interest, but must fulfil the four-part test of legality, necessity, proportionality, and reasonable safeguards. The Supreme Court held that “An invasion of life or personal liberty must meet the threefold requirement of (i) legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate State aim; and (iii) proportionality which ensures a rational nexus between the objects and the means adopted to achieve them.” The proportionality limb also specifically requires the State’s measure to be the least rights infringing measure possible that continues to fulfil the State’s desired objective, with courts balancing competing interests. Justice Kaul’s separate opinion would add a fourth limb to this test, ‘procedural safeguards against abuse of interference with rights’, in line with Article 21’s guarantee of a ‘procedure established by law’.
The first set of privacy claims is where the personal information of accused persons was made public due to them being the subject of a criminal prosecution and judicial interventions were sought to safeguard this data. One of the prominent cases in this regard was Re: Banners before the Allahabad High Court. The district administration and police had put up banners displaying the names and photographs of persons who were accused of vandalism.
Expressly referring to Puttaswamy, and applying the four-tier test, the High Court in Re: Banners first held that there were no statutory provisions “permitting the State to place the banners with personal data of the accused” in public (contravening the ‘legality’ test). Further, the publication of personal data also failed the ‘legitimate aim’ and ‘proportionality’ requirements. The purported aim, as argued by the State, was to deter people from violating the law. According to the Court, this was insufficient as the action of publishing personal information on banners was not necessary to achieve this aim. Therefore, the banners were ordered to be removed and the administration was asked to refrain from such actions in the future without legal authority.
In Karthick Theodre, an individual who had been acquitted of criminal charges by a 2014 judgement sought the “erasure or redaction of his personal information from the public domain.” In other words, the petitioner sought the redaction or erasure of his name from the judgement. Relying on Puttaswamy, various arguments including the right to be forgotten were raised before the Madras High Court. The apprehension of the petitioner was duly noted, that whenever his name was searched through search engines, results relating to the judgment would appear. However, the Court dismissed the plea on the grounds that without an adequate data protection law, laying down the parameters of when the redaction of the names of the accused should be directed, there were no objective criteria based on which the court could pass orders. While certain High Courts have granted reliefs based on the right to be forgotten (see Jorawar Singh Mundy, Zulfiqar Ahman Khan), the Madras High Court held that absence of a statute renders the petitioner remediless.
The second set of cases are privacy claims by accused persons as to the procedures they can be subjected to during an investigation. In Mursaleen Mohammad, the appellant was convicted under the provisions of the Narcotic Drugs and Psychotropic Substances Act, 1985 (“NDPS”). The appellant was subject to an x-ray examination by the authorities and subsequently confined till he defecated to recover the contraband allegedly stored in his body. The Calcutta High Court observed that the search and recovery of contraband from a person contemplated under section 50 of the NDPS Act does not allow for invasive medical procedures absent compliance with strict statutory safeguards. The Court noted that there were procedural irregularities in collecting the ‘evidence’. By relying on Puttaswamy, the Court affirmatively held that “recovery of contraband inside the body of a suspect must not only be in accordance with the procedure established by law but also be compatible to (sic) the dignity of the individual and ought not subject him to cruel, inhuman treatment.” The recovery of contraband, according to the Court, encroached on the appellant’s right to privacy.
In Vinod Mittal, the Himachal Pradesh High Court considered the legality of an order by a Special Judge, directing the petitioner to undergo a polygraph test and provide a voice sample to the investigating agency. The petitioner challenged the constitutionality of these directions, relying on Article 20(3) of the Constitution and the decisions in Ritesh Sinha and Selvi. The petitioner, however, admitted that he was willing to provide the sample if the court found such procedures to be legally permissible. The High Court said that the tests the accused could be subjected to could broadly be divided into three kinds: “(i) permissible with or without consent, (ii) permissible with consent only, and (iii), impermissible altogether.” After studying relevant judgments, the Court held that polygraph tests fall under the second category.
The Court concluded that “It is not legally impermissible [for a court] to issue direction[s] to a person to undergo Narco Analysis, polygraph and BEAP test, but such direction shall be subject to consent of said person and the person has a right to elect to consent or refuse to undergo such test…” The Himachal Pradesh High Court, therefore, indicated through this case that such techniques, if done in an involuntary manner, would be an unjustified intrusion and violate an individual’s (mental) privacy.
These cases demonstrate that the four-tier test laid down in Puttaswamy has been significantly engaged with by constitutional courts in interpreting the right to privacy of the accused. The use of the conjunctive test laid down by the Supreme Court has facilitated a more robust scrutiny of State action vis-à-vis accused individuals. The interpretation certainly requires further development, with greater sophistication in enhancing the analysis under Puttaswamy. However, these are positive judicial observations that will likely result in a consistent and continuous engagement with violations of the right to privacy. While various aspects of the right to privacy, including the right to be forgotten, await comprehensive judicial recognition, privacy jurisprudence has tremendous potential to protect the rights of the accused in the years to come.
The right to be forgotten empowers individuals to seek de-indexing, erasure, or deletion of their personal data. The right is significant because it enables an individual to “determine the development of their life in an autonomous way, without being perpetually or periodically stigmatised because of specific actions performed in the past”. However, the right to seek the erasure of information from the public domain conflicts with the right to freedom of expression and the right to access information. Thus, even jurisdictions that statutorily recognise the right to be forgotten enforce it in limited circumstances.
In 2014, the European Court of Justice (ECJ) recognised the right in Google Spain SL and Google Inc v Mario Costeja González, where the court directed Google to de-index a newspaper article because it disclosed the financial history of the petitioner. De-indexing would remove the site from the search engine’s index (in this case, Google’s) but not from the source web page. The Court noted that in general the petitioner’s (i.e., the data subject’s) rights would override Google’s (i.e., the data controller’s) legitimate interest of prominently publishing the article; however, a balance had to be struck depending on the nature of the information, particularly if the information was of interest to the public. In another judgment, Google LLC v CNIL, the ECJ ruled that an obligation on a search engine to de-index a webpage for users in the EU did not extend to de-indexing the page in other jurisdictions. Subsequently, Article 17 of the General Data Protection Regulation of the European Union gave statutory recognition to the ‘right to be forgotten’. This Article empowers data subjects to seek the erasure of their personal data, if, among other things, there is no overriding legitimate cause (such as public interest) in the continued processing of their data.
In India, the right is yet to gain statutory recognition. Clause 20 of Data Protection Bill 2021 (‘DPB’), which has been recently scrutinised by a Joint Parliamentary Committee, recognises the right of data principals (i.e., individuals) to prevent the ‘continuing disclosure’ of personal data, if: (i) it has served the purpose for which it was collected or is no longer necessary for the said purpose; (ii) consent for such processing is withdrawn; or (iii) if the disclosure is contrary to any law. However, the right can only be enforced by an order of an Adjudication Officer appointed under the DPB. To get a favourable order, the data principal must demonstrate to the Officer that the interest in preventing the continued disclosure of their data overrides the right to freedom of speech and expression and the right to information of other citizens and the right of the data fiduciary to retain, use and process such data in accordance with provisions of DPB.
While the DPB is yet to be enacted into law, the Privacy High Court Tracker, launched by the Centre for Communication Governance as a part of its Privacy Law Library shows that High Courts across the country have begun to determine the contours of the right to be forgotten as applicable to Indians. Most notable is the Orissa High Court’s decision in Subhranshu Rout @ Gogul v the State of Odisha. This case did not involve a pleading seeking erasure of information. Instead, the discussion on the right to be forgotten arose when a person accused of sexually harassing a woman and uploading images of her on Facebook sought bail. In its judgment rejecting the bail application, the Court noted that while the Indian criminal justice system prescribes strong penal action against the alleged actions of the bail applicant, it did not provide any mechanism to delete the objectionable material from social media permanently. The Court found that allowing such offensive material to remain on social media was an affront to the victim’s privacy rights. The Court discussed the right to be forgotten extensively but did not order the removal of the objectionable material because of a lack of enabling legislation. At the same time, the Court permitted the victim to approach the Court separately, for the erasure of the offensive posts.
The Orissa High Court in Subhranshu Rout was presented with facts that did not require balancing the victim’s rights with the public interest. Unlike the Orissa High Court, the Delhi High Court, on at least two occasions, has passed interim orders enforcing the right to be forgotten against content that may have been in the public interest. The first was the case of Zulfiqar Ahman Khan v Quintillion Business Media. In Zulfiqar, the plaintiff had sought a permanent injunction against the defendant, which had published two articles documenting sexual harassment complaints against him as a part of the #MeToo campaign. After the defendants had agreed to take down the article during the pendency of the suit (without prejudice to their rights), the plaintiffs asked for an injunction against re-publication of the article by third parties. Again, this was not an application seeking erasure of information. Instead, it was a case of plaintiff seeking enforcement of injunction against re-publication of previously injuncted content. But in paragraph 9, the Court cited the right to be forgotten of the plaintiffs as one of the reasons to prevent re-publication of the article. However, the Court did not explain why the plaintiff’s right to privacy should be protected over the right to freedom of speech of the defendants and the right to information of the public at large.
The second case was an interim order in Jorawar Singh Mundy v Union of India where the petitioner sought the removal of a reported judgment from the public domain. In the judgment, the petitioner’s acquittal was upheld by the Delhi High Court. The petitioner’s grievance was that he faced a considerable disadvantage in seeking employment because the judgement showed up whenever anyone conducted a background verification on him. The Court directed Google to de-index the judgment and directed Indian Kanoon (the website where the judgement was posted) to block the judgement from being accessed via search engines. This interim order is subject to change based on the final decision of the Court, but this case is significant because in Jorawar, unlike the cases mentioned above, the petitioner expressly sought enforcement of his right to be forgotten which was granted by the Court.
However in a similar case, the Madras High Court in Karthik Theodre v Registrar General, Madras High Court, in its final decision dated 3 August 2021, adopted a different approach. The petitioner, therein, also sought destruction or erasure or redaction of personal information from a court decision (a judgment of acquittal) that was available in the public domain. While in its interim order, the Court found that a prima facie case was made out for redacting his name, the final judgment recorded that granting such a plea would lead to ‘utter confusion’ in the absence of a proper policy. The Court also observed that it would be more appropriate to await the enactment of data protection legislation which might provide an objective criterion to be followed while dealing with pleas of redaction of names of accused persons who were acquitted from criminal proceedings.
The Supreme Court has also considered the balance between the right to privacy and freedom of speech and expression in the context of judicial orders in R. Rajagopal v State of Tamil Nadu. In that case, the Court recognised that the right to privacy is implicit under Article 21. Still, it did not extend the protection to individuals from publications based on public records, including Court records. The Apex Court also noted that the exception to this rule must be carved out in cases involving a female victim of sexual assault who ‘should not be subjected to the indignity of [being identified by] her name.’ Considering the ease with which personal data can be accessed in the digital age, the scope of the exception may be expanded to include those cases where the publication of a judgment is unjust – as in the case of Jorawar Singh Mundy, where continued publication of the petitioner’s case did not contribute to public discourse but adversely affected his life. However, as the Madras High Court correctly points out, this should not be done in an ad-hoc manner without objective criteria, ideally provided by legislation or a policy formulated by courts themselves.
Nevertheless, until such criteria are enacted in the form of data protection legislation, which may take a while, the High Courts will continue to formulate the law on the right to be forgotten. The Madras High Court may have passed the buck to the legislature, but the Delhi High Court or the Kerala High Court where another case is pending, may not do so. But consistency across courts, especially in the context of judicial orders, is necessary.
Disclaimer – The author is part of the legal team representing Indian Kanoon in a case related to the right to be forgotten which is pending before the Kerala High Court
The Personal Data Protection Bill, 2019 (PDP Bill/ Bill) was introduced in the Lok Sabha on December 11, 2019, and was immediately referred to a joint committee of the Parliament. The joint committee published a press communique on February 4, 2020 inviting comments on the Bill from the public.
The Bill is the successor to the Draft Personal Data Protection Bill 2018 (Draft Bill 2018), recommended by a government appointed expert committee chaired by Justice B.N. Srikrishna. In August 2018, shortly after the recommendations and publication of the draft Bill, the Ministry of Electronics and Information Technology (MeitY) invited comments on the Draft Bill 2018 from the public. (Our comments are available here.)
In this post we undertake a preliminary examination of:
The scope and applicability of the PDP Bill
The application of general data protection principles
The rights afforded to data subjects
The exemptions provided to the application of the law
In future posts in the series we will examine the Bill and look at:
The restrictions on cross border transfer of personal data
The structure and functions of the regulatory authority
The enforcement mechanism and the penalties under the PDP Bill
Scope and Applicability
The Bill identifies four different categories of data. These are personal data, sensitive personal data, critical personal data and non-personal data.
Personal data is defined as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling”. (emphasis added)
The addition of inferred data to the definition of personal data is an interesting reflection of the way the conversation around data protection has evolved in the past few months, and requires further analysis.
Sensitive personal data is defined as data that may reveal, be related to or constitute a number of different categories of personal data, including financial data, health data, official identifiers, sex life, sexual orientation, genetic data, transgender status, intersex status, caste or tribe, and religious and political affiliations / beliefs. In addition, under clause 15 of the Bill the Central Government can notify other categories of personal data as sensitive personal data in consultation with the Data Protection Authority and the relevant sectoral regulator.
Similar to the 2018 Bill, the current bill does not define critical personal data and clause 33 provides the Central Government the power to notify what is included under critical personal data. However, in its report accompanying the 2018 Bill, the Srikrishna committee had referred to some examples of critical personal data that relate to critical state interest like Aadhaar number, genetic data, biometric data, health data, etc.
The Bill retains the terminology introduced in the 2018 Draft Bill, referring to data controllers as ‘data fiduciaries’ and data subjects as ‘data principals’. The new terminology was introduced with the purpose of reflecting the fiduciary nature of the relationship between the data controllers and subjects. However, whether the use of the specific terminology has more impact on the protection and enforcement of the rights of the data subjects still needs to be seen.
Application of PDP Bill 2019
The Bill is applicable to (i) the processing of any personal data, which has been collected, disclosed, shared or otherwise processed in India; (ii) the processing of personal data by the Indian government, any Indian company, citizen, or person/ body of persons incorporated or created under Indian law; and (iii) the processing of personal data in relation to any individuals in India, by any persons outside of India.
The scope of the 2019 Bill is largely similar in this context to that of the 2018 Draft Bill. However, one key difference is seen in relation to anonymised data. While the 2018 Draft Bill completely exempted anonymised data from its scope, the 2019 Bill does not apply to anonymised data, except under clause 91 which gives the government powers to mandate the use and processing of non-personal data or anonymised personal data under policies to promote the digital economy. There are a few concerns that arise in the context of this change in treatment of anonymised personal data. First, there are concerns on the concept of anonymisation of personal data itself. While the Bill provides that the Data Protection Authority (DPA) will specify appropriate standards of irreversibility for the process of anonymisation, it is not clear that a truly irreversible form of anonymisation is possible at all. In this case, we need more clarity on what safeguards will be applicable for the use of anonymised personal data.
Second is the Bill’s focus on the promotion of the digital economy. We have previously discussed some of the concerns regarding focus on the promotion of digital economy in a rights based legislation in our comments to the Draft Bill 2018.
These issues continue to be of concern, and are perhaps heightened with the introduction of a specific provision on the subject in the 2019 Bill (especially without adequate clarity on what services or policy making efforts in this direction are to be informed by the use of anonymised personal data). Many of these issues are also still under discussion by the committee of experts set up to deliberate on data governance framework (non-personal data). The mandate of this committee includes the study of various issues relating to non-personal data, and to make specific suggestions for consideration of the central government on regulation of non-personal data.
The formation of the non-personal data committee was in pursuance of a recommendation by the Justice Srikrishna Committee to frame a legal framework for the protection of community data, where the community is identifiable. The mandate of the expert committee will overlap with the application of clause 91(2) of the Bill.
Data Fiduciaries, Social Media Intermediaries and Consent Managers
As discussed above the Bill categorises data controllers as data fiduciaries and significant data fiduciaries. Any person that determines the purpose and means of processing of personal data, (including the State, companies, juristic entities or individuals) is considered a data fiduciary. Some data fiduciaries may be notified as ‘significant data fiduciaries’, on the basis of factors such as the volume and sensitivity of personal data processed, the risks of harm etc. Significant data fiduciaries are held to higher standards of data protection. Under clauses 27-30, significant data fiduciaries are required to carry out data protection impact assessments, maintain accurate records, audit policy and the conduct of its processing of personal data and appoint a data protection officer.
Social Media Intermediaries
The Bill introduces a distinct category of intermediaries called social media intermediaries. Under clause 26(4) a social media intermediary is ‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services’. Intermediaries that primarily enable commercial or business-oriented transactions, provide access to the Internet, or provide storage services are not to be considered social media intermediaries.
Social media intermediaries may be notified to be significant data fiduciaries, if they have a minimum number of users, and their actions have or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India.
Under clause 28, social media intermediaries that have been notified as significant data fiduciaries will be required to provide for voluntary verification of users, to be accompanied with a demonstrable and visible mark of verification.
The Bill also introduces the idea of a ‘consent manager’ i.e. a (third party) data fiduciary which provides for management of consent through an ‘accessible, transparent and interoperable platform’. The Bill does not contain any details on how consent management will be operationalised, and only states that these details will be specified by regulations under the Bill.
Data Protection Principles and Obligations of Data Fiduciaries
Consent and grounds for processing
The Bill recognises consent as well as a number of other grounds for the processing of personal data.
Clause 11 provides that personal data shall only be processed if consent is provided by the data principal at the commencement of processing. This provision, similar to the consent provision in the 2018 Draft Bill, draws from various principles including those under the Indian Contract Act, 1872 to inform the concept of valid consent under the PDP Bill. The clause requires that the consent should be free, informed, specific, clear and capable of being withdrawn.
Moreover, explicit consent is required for the processing of sensitive personal data. The current Bill appears to be silent on issues such as incremental consent which were highlighted in our comments in the context of the Draft Bill 2018.
The Bill provides for additional grounds for processing of personal data, consisting of very broad (and much criticised) provisions for the State to collect personal data without obtaining consent. In addition, personal data may be processed without consent if required in the context of employment of an individual, as well as a number of other ‘reasonable purposes’. Some of the reasonable purposes, which were listed in the Draft Bill 2018 as well, have also been a cause for concern given that they appear to serve mostly commercial purposes, without regard for the potential impact on the privacy of the data principal.
In a notable change from the Draft Bill 2018, the PDP Bill appears to be silent on whether these other grounds for processing will be applicable in relation to sensitive personal data (with the exception of processing in the context of employment which is explicitly barred).
The Bill also incorporates a number of traditional data protection principles in the chapter outlining the obligations of data fiduciaries. Personal data can only be processed for a specific, clear and lawful purpose. Processing must be undertaken in a fair and reasonable manner and must ensure the privacy of the data principal – a clear mandatory requirement, as opposed to a ‘duty’ owed by the data fiduciary to the data principal in the Draft Bill 2018 (this change appears to be in line with recommendations made in multiple comments to the Draft Bill 2018 by various academics, including our own).
Purpose and collection limitation principles are mandated, along with a detailed description of the kind of notice to be provided to the data principal, either at the time of collection, or as soon as possible if the data is obtained from a third party. The data fiduciary is also required to ensure that data quality is maintained.
A few changes in the application of data protection principles, as compared to the Draft Bill 2018, can be seen in the data retention and accountability provisions.
On data retention, clause 9 of the Bill provides that personal data shall not be retained beyond the period ‘necessary’ for the purpose of data processing, and must be deleted after such processing, ostensibly a higher standard as compared to ‘reasonably necessary’ in the Draft Bill 2018. Personal data may only be retained for a longer period if explicit consent of the data principal is obtained, or if retention is required to comply with law. In the face of the many difficulties in ensuring meaningful consent in today’s digital world, this may not be a win for the data principal.
Clause 10 on accountability continues to provide that the data fiduciary will be responsible for compliance in relation to any processing undertaken by the data fiduciary or on its behalf. However, the data fiduciary is no longer required to demonstrate such compliance.
Rights of Data Principals
Chapter V of the PDP Bill 2019 outlines the Rights of Data Principals, including the rights to access, confirmation, correction, erasure, data portability and the right to be forgotten.
Right to Access and Confirmation
The PDP Bill 2019 makes some amendments to the right to confirmation and access, included in clause 17 of the bill. The right has been expanded in scope by the inclusion of sub-clause (3). Clause 17(3) requires data fiduciaries to provide data principals information about the identities of any other data fiduciaries with whom their personal data has been shared, along with details about the kind of data that has been shared.
This allows the data principal to exert greater control over their personal data and its use. The rights to confirmation and access are important rights that inform and enable a data principal to exercise other rights under the data protection law. As recognized in the Srikrishna Committee Report, these are ‘gateway rights’, which must be given a broad scope.
Right to Erasure
The right to correction (Clause 18) has been expanded to include the right to erasure. This allows data principals to request erasure of personal data which is not necessary for processing. While data fiduciaries may be allowed to refuse correction or erasure, they would be required to produce a justification in writing for doing so, and if there is a continued dispute, indicate alongside the personal data that such data is disputed.
The addition of a right to erasure is an expansion of rights from the 2018 Bill. While the right to be forgotten only restricts or discontinues disclosure of personal data, the right to erasure goes a step ahead and empowers the data principal to demand complete removal of data from the system of the data fiduciary.
Many of the concerns expressed in the context of the Draft Bill 2018, in terms of the procedural conditions for the exercise of the rights of data principals, as well as the right to data portability specifically, continue to persist in the PDP Bill 2019.
Exceptions and Exemptions
While the PDP Bill ostensibly enables individuals to exercise their right to privacy against the State and the private sector, there are several exemptions available, which raise several concerns.
The Bill grants broad exceptions to the State. In some cases, it is in the context of specific obligations such as the requirement for individuals’ consent. In other cases, State action is almost entirely exempted from obligations under the law. Some of these exemptions from data protection obligations are available to the private sector as well, on grounds like journalistic purposes, research purposes and in the interests of innovation.
The most concerning of these provisions are the exemptions granted to intelligence and law enforcement agencies under the Bill. The Draft Bill 2018 also provided exemptions to intelligence and law enforcement agencies, so far as the privacy invasive actions of these agencies were permitted under law, and met procedural standards, as well as legal standards of necessity and proportionality. We have previously discussed some of the concerns with this approach here.
The exemptions provided to these agencies under the PDP Bill seem to exacerbate these issues.
Under the Bill, the Central Government can exempt an agency of the government from the application of this Act by passing an order with reasons recorded in writing if it is of the opinion that the exemption is necessary or expedient in the interest of sovereignty and integrity, security of the state, friendly relations with foreign states, public order; or for preventing incitement to the commission of any cognizable offence relating to the aforementioned grounds. Not only have the grounds on which government agencies can be exempted been worded in an expansive manner, the procedure of granting these exemptions also is bereft of any safeguards.
The executive functioning in India suffers from problems of opacity and unfettered discretion at times, which requires a robust system of checks and balances to avoid abuse. The Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act) enable government surveillance of communications made over telephones and the internet. For drawing comparison here, we primarily refer to the Telegraph Act as it allows the government to intercept phone calls on similar grounds as mentioned in clause 35 of the Bill by an order in writing. However, the Telegraph Act limits the use of this power to two scenarios – occurrence of a public emergency or in the interest of public safety. The government cannot intercept communications made over telephones in the absence of these two preconditions. The Supreme Court in People’s Union for Civil Liberties v. Union of India, (1997) introduced guidelines to check abuse of surveillance powers under the Telegraph Act which were later incorporated in Rule 419A of the Indian Telegraph Rules, 1951. A prominent safeguard included in Rule 419A requires that surveillance and monitoring orders be issued only after considering ‘other reasonable means’ for acquiring the required information. The court had further limited the scope of interpretation of ‘public emergency’ and ‘public safety’ to mean “the prevalence of a sudden condition or state of affairs affecting the people at large and calling for immediate action”, and “the state or condition of freedom from danger or risk at large” respectively. In spite of the introduction of these safeguards, the procedure of intercepting telephone communications under the Telegraph Act is criticised for lack of transparency and improper implementation. For instance, a 2014 report revealed that around 7500 – 9000 phone interception orders were issued by the Central Government every month. 
The application of procedural safeguards in each case would have been physically impossible given the sheer numbers. Thus, legislative and judicial oversight becomes a necessity in such cases.
The constitutionality of India’s surveillance apparatus, including section 69 of the IT Act, which allows for surveillance on broader grounds on the basis of necessity and expediency and not ‘public emergency’ and ‘public safety’, has been challenged before the Supreme Court and is currently pending. Clause 35 of the Bill also mentions necessity and expediency as prerequisites for the government to exercise its power to grant exemption, which appear to be vague and open-ended as they are not defined. The test of necessity implies resorting to the least intrusive method of encroachment upon privacy to achieve the legitimate state aim. This test is typically one among several factors applied in deciding on whether a particular intrusion on a right is tenable or not, under human rights law. In his concurring opinion in Puttaswamy (I), J. Kaul had included ‘necessity’ in the proportionality test. (However, this test is not otherwise well developed in Indian jurisprudence.) Expediency, on the other hand, is not a specific legal basis used for determining the validity of an intrusion on human rights. It has also not been referred to in Puttaswamy (I) as a basis of assessing a privacy violation. The use of the term ‘expediency’ in the Bill is deeply worrying as it seems to bring down the threshold for allowing surveillance, which is a regressive step in the context of cases like PUCL and Puttaswamy (I). A valid law along with the principles of proportionality and necessity are essential to put in place an effective system of checks and balances on the powers of the executive to provide exemptions. It seems unlikely that the clause will pass the test of proportionality (sanction of law, legitimate aim, proportionate to the need of interference, and procedural guarantees against abuse) as laid down by the Supreme Court in Puttaswamy (I).
The Srikrishna Committee report had recommended that surveillance should not only be conducted under law (and not executive order), but also be subject to oversight, and transparency requirements. The Committee had argued that the tests of lawfulness, necessity and proportionality provided for under clauses 42 and 43 (of the Draft Bill 2018) were sufficient to meet the standards set out under the Puttaswamy judgment. Since the PDP Bill completely does away with all these safeguards and leaves the decision to executive discretion, the law is unconstitutional. After the Bill was introduced in the Lok Sabha, J. Srikrishna had criticised it for granting expansive exemptions in the absence of judicial oversight. He warned that the consequences could be disastrous from the point of view of safeguarding the right to privacy and could turn the country into an “Orwellian State”. He has also opined on the need for a separate legislation to govern the terms under which the government can resort to surveillance.
Clause 36 of the Bill deals with exemption of some provisions for certain processing of personal data. It combines four different clauses on exemption which were listed in the Draft Bill 2018 (clauses 43, 44, 46 and 47). These include processing of personal data in the interests of prevention, detection, investigation and prosecution of contraventions of law; for the purpose of legal proceedings; personal or domestic purposes; and journalistic purposes. The Draft Bill 2018 had detailed provisions on the need for a law passed by Parliament or the State Legislature which is necessary and proportionate, for processing of personal data in the interests of prevention, detection, investigation and prosecution of contraventions of law. Clause 36 of the Bill does not enumerate the need for a law to process personal data under these exemptions. We had argued that these exemptions granted by the Draft Bill 2018 (clauses 43, 44, 46 and 47) were wide, vague and needed clarifications, but the exemptions under clause 36 of the Bill are even more ambiguous as they merely list the exemptions without any specificities or procedural safeguards in place.
In the Draft Bill 2018, the Authority could not give exemption from the obligation of fair and reasonable processing, measures of security safeguards and data protection impact assessment for research, archiving or statistical purposes. As per the current Bill, the Authority can provide exemption from any of the provisions of the Act for research, archiving or statistical purposes.
The last addition to this chapter of exemptions is that of creating a sandbox for encouraging innovation. This newly added clause 40 is aimed at encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest. The details of what the sandbox entails other than exemption from some of the obligations of Chapter II might need further clarity. Additionally, to be considered an eligible applicant, a data fiduciary has to necessarily obtain certification of its privacy by design policy from the DPA, as mentioned in clause 40(4) read with clause 22.
Though well appreciated for its intent, this provision requires clarification on grounds of selection and details of what the sandbox might entail.
At the time of introduction of the PDP Bill 2019, the Minister for Law and Justice of India, Mr. Ravi Shankar Prasad suggested that over 2000 inputs were received on the Draft Bill 2018, based on which changes have been made in the PDP Bill 2019. However, these comments and inputs have not been published by MeitY, and only a handful of comments have been published, by the stakeholders submitting these comments themselves.
The deadline to link PAN cards with Aadhaar was extended to December 31 this week; the Election Commission ruled that voting rights of those excluded in the NRC process remain unaffected; the Home Minister proposed a digital census with multipurpose ID cards for 2021; and 27 nations including the US, UK and Canada issued a joint statement urging a rules-based order in cyberspace – presenting this week’s most important developments in law, technology and national security.
Aadhaar and Digital IDs
[Sep 23] Home Minister announces digital census in 2021, proposed multipurpose ID card, Entrackr report; Business Today report.
[Sep 24] NRIs can now apply for Aadhaar on arrival without 182-day wait, The Economic Times report.
[Sep 24] Aadhaar will be linked to driving license to avoid forgery: Ravi Shankar Prasad, The Indian Express report.
[Sep 24] One nation, one card? Amit Shah floats idea of all-in-one ID; here are all the problems with that idea, Medianama report; Money Control report.
[Sep 24] Explained: Is India likely to have a multipurpose national ID card? The Indian Express report.
[Sep 24] UIDAI nod to ‘voluntary’ use of Aadhaar for National Population Register rollout, The Economic Times report.
[Sep 24] Govt must decide on Aadhaar-social media linkage: SC, Deccan Herald report.
[Sep 25] New law needed for Aadhaar-social media linkage: UIDAI, The Economic Times report; Inc42 report.
[Sep 26] NPR process to include passport, voter ID, Aadhaar and other details, Business Standard report.
[Sep 27] Gang involved in making fake Aadhaar cards busted, The Tribune report.
[Sep 27] What will happen if you don’t link your PAN card with Aadhaar by Sep 20, The Quint report.
[Sep 27] Explained: The National Population Register, and the controversy around it, The Indian Express report.
[Sep 27] Aadhaar to weed out bogus social security beneficiaries in Karnataka, Deccan Herald report.
[Sep 29] Bajrang Dal wants Aadhaar mandatory at dandiya to keep ‘non-Hindus’ out, The Hindustan Times report; The Wire report.
[Sep 30] Kerala urges Centre to extend deadline to link ration cards with Aadhaar, The News Minute report.
[Sep 30] PAN-Aadhaar linking deadline extended to December 31, The Economic Times report.
[Sep 25] India’s regulatory approach should focus on the regulation of the ‘core’: IAMAI, Livemint report.
[Sep 27] India may have to offer sops to boost electronic manufacturing, ET Tech report; Inc42 report.
[Sep 27] Digital India, start-ups are priorities for $5 trillion economy: PM Modi, Medianama report.
[Sep 29] Tech giants aim to skill Indian govt officials in AI, cloud, ET CIO report.
[Sep 29] India’s share in IT, R&D biz up in 2 years: report, The Economic Times report.
[Sep 24] Supreme Court to MeitY: What’s the status of intermediary guidelines? Tell us by Oct 15, Medianama report.
[Sep 26] Will not be ‘excessive’ with social media rules, say Govt officials, Inc42 report.
[Sep 26] Government trying to balance privacy and security in draft IT intermediary norms, The Economic Times
[Sep 27] Citizens, tech companies served better with some regulation: Facebook India MD Ajit Mohan, ET Tech report; Inc42 report.
[Sep 27] Balance benefits of internet, data security: Google CEO Sundar Pichai, ET Tech report; Business Today report.
[Sep 25] Jadavpur University calls upon ‘stakeholders’ to ensure free speech on campus, The New Indian
[Sep 28] RSS raises objections to uncensored content of Manoj Bajpayee’s “The Family Man”, The Hindu report; Outlook report.
Privacy and Data Protection
[Sep 23] A landmark decision on Tuesday could radically reshape how Google’s search results work, Business
[Sep 23] Google tightens its voice assistant rules amidst privacy backlash, Wired report.
[Sep 24] Dell rolls out new data protection storage appliances and capabilities, ZDNet report.
[Sep 24] ‘Right to be forgotten’ privacy rule is limited by Europe’s top court, The New York Times report; Live Law report.
[Sep 27] Nigeria launches investigation into Truecaller for potential breach of privacy, Medianama report.
[Sep 29] Right to be forgotten will be arduous as India frames data protection law, Business Standard report.
[Sep 30] FPIs move against data bill, seek exemption, ET Telecom report; Entrackr report.
[Sep 26] Reconsider imposition of data localisation: IAMAI report, The Economic Times report.
[Sep 27] Why data is not oil: Here’s how India’s data localisation norms will hurt the economy, Inc42 report.
Digital Payments and Fintech
[Sep 23] RBI rider on credit bureau data access has Fintech in a quandary, ET Tech report.
After months of speculation, the Committee of Experts on data protection (“Committee”), led by Justice B N Sri Krishna, has submitted its recommendations and a draft data protection bill to the Ministry of Electronics and Information Technology (“MEITY”) today. As we sit down for some not-so-light weekend reading to understand what our digital futures could look like if the committee’s recommendations are adopted, this series puts together a quick summary of the Personal Data Protection Bill, 2018 (“Bill”).
Scope and definitions
The Committee appears to have moved forward with the idea of a comprehensive, cross-sectoral data protection legislation that was advocated in its white paper published late last year. The Bill is meant to apply to (i) the processing of any personal data, which has been collected, disclosed, shared or otherwise processed in India; and (ii) the processing of personal data by the Indian government, any Indian company, citizen, or person / body of persons incorporated or created under Indian law. It also applies to any persons outside of India that engage in processing personal data of individuals in India. It does not apply to the processing of anonymised data.
The Bill continues to use the 2-level approach in defining the type of information that the law applies to. However, the definitions of personal data and sensitive personal data have been expanded upon significantly when compared to the definitions in our current data protection law.
Personal data includes “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information”. The move towards relying on ‘identifiability’, when read together with definitions of terms such as ‘anonymisation’, which focuses on irreversibility of anonymisation, is welcome, given that section 2 clearly states that the law will not apply in relation to anonymised data. However, the ability of data processors / the authority to identify whether an anonymisation process is irreversible in practice will need to be examined, before the authority sets out the criteria for such ‘anonymisation’.
Sensitive personal data on the other hand continues to be defined in the form of a list of different categories, albeit a much more expansive list, that now includes information such as / about official identifiers, sex life, genetic data, transgender status, intersex status, caste or tribe, and religious and political affiliations / beliefs.
Interestingly, the Committee has moved away from the use of other traditional data protection language such as data subject and data controller – instead arguing that the relationship between an individual and a person / organisation processing their data is better characterised as a fiduciary relationship. Justice Sri Krishna emphasised this issue during the press conference organised at the time of submission of the report, noting that personal data is not to be considered property.
Collection and Processing
The Bill elaborates on the notice and consent mechanisms to be adopted by ‘data fiduciaries’, and accounts for both data that is directly collected from the data principal, and data that is obtained via a third party. Notice must be given at the time of collection of personal data, and where data is not collected directly, as soon as possible. Consent must be obtained before processing.
The Committee’s earlier white paper, and the report accompanying the Bill have both discussed the pitfalls in a data protection framework that relies so heavily on consent – noting that consent is often not informed or meaningful. The report however also notes that it may not be feasible to do away with consent altogether, and tries to address this issue by way of adopting higher standards for consent, and purpose limitation. The Bill also provides that consent is to be only one of the grounds for processing of personal data. However, this seems to result in some catch-all provisions allowing processing for ‘reasonable purposes’. While it appears that these reasonable purposes may need to be pre-determined by the data protection authority, the impact of this section will need to be examined in greater detail. The other such wide provision in this context seems to allow the State to process data – another provision that will need more examination.
Sensitive personal data
Higher standards have been proposed for the processing of sensitive personal data, as well as personal / sensitive personal data of children. The emphasis on the effect of processing of certain types of data, keeping in mind factors such as the harm caused to a ‘discernible class of persons’, or even the provision of counselling or child protection services in these sections is welcome. However, there remains a wide provision allowing for the State to process sensitive personal data (of adults), which could be cause for concern.
Rights of data principals
The Bill also proposes 4 sets of rights for data principals: the right to confirmation and access, the right to correction, the right to data portability, and the right to be forgotten. There appears to be no right to erasure of data, apart from a general obligation on the data fiduciary to delete data once the purpose for collection / processing of data has been met. The Bill proposes certain procedural requirements to be met by the data principal exercising these rights – an issue which some have already pointed out may be cause for concern.
Transparency and accountability
The Bill requires all data fiduciaries to adopt privacy by design, transparency and security measures.
Each data fiduciary is required to appoint a data protection officer, conduct data protection impact assessments before the adoption of certain types of processing, maintain records of data processing, and conduct regular data protection audits. These obligations are applicable to those notified as ‘significant data fiduciaries’, depending on criteria such as the volume and sensitivity of personal data processed, the risk of harm, the use of new technology, and the turnover of the data fiduciary.
The requirement for data protection impact assessments is interesting – an impact assessment must be conducted before a fiduciary undertakes any processing involving new technologies, or large scale profiling or use of sensitive personal data such as genetic or biometric data (or any other data processing which carries a risk of significant harm to data principals). If the data protection authority thinks that such processing may cause harm (based on the assessment), they may direct the fiduciary to cease such processing, or impose conditions on the processing. The language here implies that these requirements could be applicable to processing by the State / private actors, where new technology is used in relation to Aadhaar, among other things. However, as mentioned above, this will be subject to the data fiduciary in question being notified as a ‘significant data fiduciary’.
In a welcome move, the Bill also provides a process for notification in the case of a breach of personal data by data fiduciaries. However, this requirement is limited to notifying the data protection authority, which then decides whether there is a need to notify the data principal involved. It is unfortunate that the Committee has chosen to limit the rights of data principals in this regard, making them rely instead on the authority to even be notified of a breach that could potentially harm them.
Cross border transfer of data
In what has already become a controversial move, the Bill proposes that at least one copy of all personal data under the law, should be stored on a server or data centre located in India. In addition, the central government (not the data protection authority) may notify additional categories of data that are ‘critical’ and should be stored only in India.
Barring exceptions in the case of health / emergency services, and transfers to specific international organisations, all transfer of personal data outside India will be subject to the approval of the data protection authority, and in most cases, consent of the data principal.
This approval may be in the form of approval of standard contractual clauses applicable to the transfer, or a blanket approval of transfers to a particular country / sector within a country.
This provision is ostensibly in the interest of the data principals, and works towards ensuring a minimum standard of data protection. The protection of the data principal under this provision, like many other provisions, including those relating to data breach notifications to the data principal, will be subject to the proper functioning of the data protection authority. In the past, we have seen that simple steps such as notification of security standards under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, have not been undertaken for years.
In the next post in this series, we will discuss the functions of the authority, and other provisions in the Bill, including the exemptions granted, and penalties and remedies provided for.
Last month saw important developments in the discourse around the right to be forgotten. Two high courts, Gujarat and Karnataka, delivered judgments on separate pleas to have particular judgments either removed from online repositories and search engine results or have personal information redacted from them. The Gujarat High Court dismissed the petition, holding that there was no legal basis to seek removal of a judgment from the Internet. On the other hand, the Karnataka High Court ordered the Court’s Registry to redact the aggrieved person’s name before releasing the order to any entity wanting to publish it. This post examines both judgments to understand the reasoning and legal basis for denying or accepting a claim based on the right to be forgotten.
Gujarat High Court
According to the facts reproduced in the order, the petitioner in this case had criminal charges filed against him for several offences, including murder, which ultimately resulted in an acquittal. At the appellate stage too, the petitioner’s acquittal was confirmed. The judgment was classified as ‘non reportable’ but nevertheless published on an online portal that reproduces judgments from all superior courts in India. It was also indexed by Google, making it easily accessible. Being distressed about this, the petitioner sought ‘permanent restrain of free public exhibition of the judgement…over the Internet’.
While dismissing the petition, the Court held that it was permissible for third parties to obtain copies of the judgment under the Gujarat High Court Rules 1993, provided their application was accompanied by an affidavit and stated reasons for requiring the judgment. Moreover, it held that publication on a website did not amount to a judgment being reported, as the classification of ‘reportable’ was only relevant from the point of view of law reports. In the Court’s opinion, there was no legal basis to order such removal and the presence of the judgment on the Internet did not violate the petitioner’s rights under Article 21 – from which the right to privacy emanates.
The Court’s dismissal of the argument that a non-reportable judgment is on an equal footing with a reportable judgment is problematic, but hardly surprising. In a 2008 decision, while describing the functions of a law reporter that was a party before it, the Supreme Court observed that “the [law report] publishes all reportable judgments along with non-reportable judgments of the Supreme Court of India”. The distinction between reportable and non-reportable judgments was not in issue, but it does call for some introspection on the legal basis and rationale for classification of judgments. In an article on the evolution of law reporting in India, the constitutional expert M.P. Jain explains that law reports were created as a response to Indian courts adopting the doctrine of precedent. This is the doctrine that binds lower courts to decisions of the higher courts. Precedent is created when a court lays down a new principle of law or changes or clarifies existing law. Consequently, the decision to make a ruling reportable (ideally) depends on whether it sets a precedent or not. Presumably then, there is a lesser public interest in having access to non-reportable judgments as compared to reportable ones.
While there is a clear distinction between publication in a law report and publication of the transcript of the judgment, the lack of a public interest element could have been taken into account by the High Court while deciding the petition. Moreover, it is unclear how reliance on the High Court Rules helped the Court decide against the petitioner. Third parties may be entitled to obtain a copy of a judgment, but the motivation behind a right to be forgotten is to only make information less accessible, when it is determined that there is no countervailing interest in its publication. At its root, the right is intended to enable citizens to exercise greater control over their personal information, allowing them to live without the fear that a single Google search could jeopardise their professional or personal prospects.
Karnataka High Court
Less than three weeks after the Gujarat High Court’s decision, the Karnataka High Court ordered its Registry to redact the name of the petitioner’s daughter from the cause title as well as the body of an order before handing out copies of it to any ‘service provider’. It accepted the petitioner’s contention that a name-wise search on a search engine might throw up the order, adversely affecting his daughter’s reputation and relationship with her husband. The Court clarified that the name need not be redacted from the order published on the Court’s official website.
Towards the end, it remarked that such an action was ‘in line with the trend in Western countries’ where the right to be forgotten exists as a rule in ‘sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned’.
This statement is problematic. The right to be forgotten emanates from the right to privacy and data protection, which are both regarded as fundamental rights in Europe. Basing the right on ideas of honour and modesty [of women] creates some cause for concern. Further, an important distinction between this case and the one before the Gujarat High Court is that neither Google nor any website publishing court judgments were made parties to it. The claim was based on redaction of information from the source, rather than de-listing it from search engine results or deleting it from a website. This is interesting, because it allows us to think of the right to be forgotten as a comprehensive concept, instead of a singular right to de-list information from search engine results. It provides courts with a choice, allowing them to opt for the least restrictive means to secure an individual’s right to online privacy.
However, the lack of a clear legal basis to allow or deny such claims raises cause for concern. As is already apparent, different high courts are likely to take divergent views on the right to be forgotten in the absence of an overarching data protection framework that grants such rights and prescribes limits to them. In several cases, the right to be forgotten will trigger a corresponding right to freedom of expression and the right to know. The criteria to balance these important but competing claims should be in place for courts to be able to decide such requests in a just manner.
The pending right to be forgotten petition came up for hearing before the Delhi High Court today. The case seeks the deletion of a court order, which has been reproduced on the website Indiankanoon.com, on the ground that it violates the petitioners’ right to privacy and reputation. This post looks at some of the contentions raised before the Court today and its response to them. However, these are mere observations and the Court is yet to take a final decision regarding the petitioner’s prayer(s).
During the course of today’s hearing, the presiding judge observed that all orders of the court constitute public records and cannot be deleted. In any case, it was pointed out that judicial decisions are normally reported and accessible on the National Judicial Data Grid and their removal from a particular website would not serve the desired purpose. Moreover, the court thought that even if the petitioner’s relief was granted, removal of content from the Internet was a technical impossibility.
The Court however did acknowledge that certain information could be redacted from judicial orders in some cases. This is routinely done in cases related to rape or other sexual offences owing to the presence of a clear legal basis for such redaction. In the present case however, the Court appeared unconvinced that a similar legal basis existed for redacting information. The petitioner’s counsel contended that personal information might become obsolete or irrelevant in certain cases, reflecting only half-truths and causing prejudice to an individual’s reputation and privacy. However, the Court observed that orders of a court could not become obsolete, and the balance if any would always tilt towards the public interest in transparency.
On several occasions, the petitioner’s counsel made a reference to the European Court of Justice’s decision in Google Spain, which is commonly credited with creating the right to be forgotten in Europe. However, the Google Spain ruling created a distinction between deleting information from its source and merely delisting it from search engine results. Further, the delisting is limited to results displayed for search performed for a particular name, ensuring that the information continues to be indexed and displayed if Internet users perform a generic search. However, no distinction was made between delisting and erasure during the course of arguments in the present case.
As an alternate prayer, it was argued for the petitioner that his name be anonymised from the court order in question. Here again, the Court felt that there was no legal basis for anonymisation in the present case. In the Court’s opinion, the information in the order was not prejudicial to the petitioner, per se. The fact that information about a family dispute was accessible to the public at large was not seen as particularly damaging.
The Indian legal framework lacks a coherent policy for anonymisation of names in judicial decisions. Under the Indian Penal Code, publishing names of victims of certain offences is prohibited. Realising that the provision did not bar courts from publishing the names of the victim, the Supreme Court held that names should be anonymised from judgments too, keeping the object of the law in mind. However, research indicates that names continue to be published by courts in a substantial number of cases. A few other laws also provide a legal basis for anonymisation, but these are limited to cases such as minor victims of sexual offences or juvenile offenders. On a few occasions, courts have used their inherent powers to order anonymisation of party names in family cases – making the decision dependent on the discretion of a judge, rather than a result of a larger policy objective. Increasing digitization of court records and easy availability of judgments on the Internet has new implications for online privacy. Transparency of the judicial process is crucial, but in the absence of any larger public interest, anonymisation may be warranted in a wider range of cases than is currently permitted.
As a concept, some form of the right to be forgotten may be essential in today’s age. However, its successful implementation is entirely dependent on clear legal principles that strike a balance between competing rights. In the absence of a comprehensive data protection legislation, this is difficult. However, besides the question of a right to be forgotten, this petition presents an interesting opportunity for the Court to analyse and perhaps frame guidelines where anonymisation may be adequate to protect privacy, without delisting or deleting any content.