The Supreme Court’s Pegasus Order

This blog post has been authored by Shrutanjaya Bhardwaj.

On 28th October 2021, the Supreme Court passed an order in the “Pegasus” case establishing a 3-member committee of technical experts to investigate allegations of illegal surveillance by hacking into the phones of several Indian citizens, including journalists. This post analyses the Pegasus order. Analyses by others may be accessed here, here and here.

Overview

The writ petitioners alleged that the Indian Government and its agencies have been using a spyware tool called “Pegasus”—produced by an Israeli technology firm named the NSO Group—to spy on Indian citizens. As the Court notes, Pegasus can be installed on digital devices such as mobile phones, and once Pegasus infiltrates the device, “the entire control over the device is allegedly handed over to the Pegasus user who can then remotely control all the functionalities of the device.” Practically, this means the ‘Pegasus user’ (i.e., the infiltrator) has access to all data on the device (emails, texts, and calls) and can remotely activate the camera and microphone to surveil the device owner and their immediate surroundings. 

The Court records some basic facts that are instructive in understanding its final order:

  1. The NSO Group itself claims that it only sells Pegasus to governments. 
  2. In November 2019, the then-Minister of Electronics and IT acknowledged in Parliament that Pegasus had infected the devices of certain Indians. 
  3. In June-July 2020, reputed media houses uncovered instances of Pegasus spyware attacks on many Indians including “senior journalists, doctors, political persons, and even some Court staff”.
  4. Foreign governments have since taken steps to diplomatically engage with Israel and/or internally conduct investigations to understand the issue.
  5. Despite repeated requests by the Court, the Union Government did not furnish any specific information to assist the Court’s understanding of the matter.

These facts led the Court to conclude that the petitioners’ allegations of illegal surveillance by hacking need further investigation. The Court noted that the petitioners had placed on record expert reports and there also existed a wealth of ‘cross-verified media coverage’ coupled with the reactions of foreign governments to the use of Pegasus. The Court’s order leaves open the possibility that a foreign State or perhaps a private entity may have conducted surveillance on Indians. Additionally, the Union Government’s refusal to clarify its position on the legality and use of Pegasus in Court raised the possibility that the Union Government itself may have used the spyware. As discussed below, this possibility ultimately shaped the Court’s directions and relief.  

The Pegasus order is analysed below along three lines: (i) the Court’s acknowledgement of the threat to fundamental rights, (ii) the Union Government’s submissions before the Court, and (iii) the Court’s assertion of its constitutional duty of judicial review—even in the face of sensitive considerations like national security.

Acknowledging the risks to fundamental rights

While all fundamental rights may be reasonably restricted by the State, every right has different grounds on which it may be restricted. Identifying the precise right under threat is hence an important exercise. The Court articulates three distinct rights at risk in a Pegasus attack. Two flow from the freedom of speech under Article 19(1)(a) of the Constitution and one from the right to privacy under Article 21. 

The first right, relatable to Article 19(1)(a), is journalistic freedom. The Court noted that the awareness of being spied on causes the journalist to tread carefully and think twice before speaking the truth. Additionally, when a journalist’s entire private communication is accessible to the State, the chances of undue pressure increase manifold. The Court described such surveillance as “an assault on the vital public watchdog role of the press”.

The second right, also traced to Article 19(1)(a), is the journalist’s right to protect their sources. The Court treats this as a “basic condition” for the freedom of the press. “Without such protection, sources may be deterred from assisting the press in informing the public on matters of public interest,” which harms the free flow of information that Article 19(1)(a) is designed to ensure. This observation and acknowledgment by the Court is significant and it will be interesting to see how the Court’s jurisprudence develops and engages with this issue.

The third right, traceable to Article 21 as interpreted in Puttaswamy, is the citizen’s right to privacy (see the case brief of Puttaswamy in CCG’s Privacy Law Library). Surveillance and hacking are prima facie an invasion of privacy. However, the State may justify a privacy breach as a reasonable restriction on constitutional grounds if the legality, necessity, and proportionality of the State’s surveillance measure are established.

Court’s response to the Government’s “conduct” before the Court

The Court devotes a significant part of the Pegasus order to discussing the Union Government’s “conduct” in the litigation. The first formal response filed by the Government, characterised as a “limited affidavit”, did not furnish any details about the controversy owing to an alleged “paucity of time”. When the Court termed this affidavit “insufficient” and demanded a more detailed affidavit, the Solicitor General cited national security implications as the reason for not filing a comprehensive response to the surveillance allegations. This was despite repeated assurances given by both the Petitioners and the Court that no sensitive information was being sought, and the Government need only disclose what was necessary to decide the matter at hand. Additionally, the Government did not specify the national security consequences that would arise if more details were disclosed. (The Court’s response to the invocation of the national security ground on merits is discussed in the next section.)

In addition to invoking national security, the Government made three other arguments:

  1. The press reports and expert evidence were “motivated and self-serving” and thus of insufficient veracity to trigger the Court’s jurisdiction.
  2. While all technology may be misused, the use of Pegasus cannot per se be impermissible, and India had sufficient legal safeguards to guard against constitutionally impermissible surveillance.
  3. The Court need not establish a committee as the Union Government was prepared to constitute its own committee of experts to investigate the issue.

The Court noted that the nature and “sheer volume” of news reports are such that these materials “cannot be brushed aside”. The Court was unwilling to accept the other two arguments in part due to the Union Government’s broader “conduct” on the issue of Pegasus. It noted that the first reports of Pegasus use dated back to 2018 and a Union Minister had informed Parliament of the spyware’s use on Indians in 2019, yet no steps to investigate or resolve the issue had been taken until the present writ petitions had been filed. Additionally, the Court ruled that the limited documentation provided by the Government did not clarify its stand on the use of Pegasus. In this context, and owing to reasons of natural justice (discussed below), the Court opined that independent fact finding and judicial review were warranted.

Assertion of constitutional duty of judicial review

As noted above, the Union Government invoked national security as a ground to not file documentation regarding its alleged use of Pegasus. The Court acknowledged that the government is entitled to invoke this ground, and even noted that the scope of judicial review is narrow on issues of national security. However, the Court held that the mere invocation of national security is insufficient to exclude court intervention. Rather, the government must demonstrate how the information being withheld would raise national security concerns and the Court will decide whether the government’s concerns are legitimate. 

The order contains important observations on the Government’s use of the national security exception to exclude judicial scrutiny. The Court notes that such arguments are not new; and that governments have often urged constitutional courts to take a hands-off approach in matters that have a “political” facet (like those pertaining to defence and security). But the Court has previously held, and also affirmed in the Pegasus order, that it will not abstain from interfering merely because a case has a political complexion. The Court noted that it may certainly choose to defer to the Government on sensitive aspects, but there is no “omnibus prohibition” on judicial review in matters of national security. If the State wishes to withhold information from the Court, it must “plead and prove” the necessary facts to justify such withholding.

The Government had also suggested that the Court let the Government set up a committee to investigate the matter. The Supreme Court had adopted this approach in the Kashmir Internet Shutdowns case by setting up an executive-led committee to examine the validity and necessity of continuing internet shutdowns. That judgment was widely criticised (see here, here and here). However, in the present case, as the petitions alleged that the Union Government itself had used Pegasus on Indians, the Court held that allowing the Union Government to set up a committee to investigate would violate the principle of bias in inquiries. The Court quoted the age-old principle that “justice must not only be done, but also be seen to be done”, and refused to allow the Government to set up its own committee. This is consistent with the Court’s assertion of its constitutional obligation of judicial review in the earlier parts of the order. 

Looking ahead

The terms of reference of the Committee are pointed and meaningful. The Committee is required to investigate, inter alia, (i) whether Pegasus was used to hack into phones of Indian citizens, and if so which citizens; (ii) whether the Indian Government procured and deployed Pegasus; and (iii) if the Government did use Pegasus, what law or regulatory framework the spyware was used under. All governmental agencies have been directed to cooperate with the Committee and furnish any required information.

Additionally, the Committee is to make recommendations regarding the enactment of a new surveillance law or amendment of existing law(s), improvements to India’s cybersecurity systems, setting up a robust investigation and grievance-redressal mechanism for the benefit of citizens, and any ad-hoc arrangements to be made by the Supreme Court for the protection of citizens’ rights pending requisite action by Parliament.

The Court has directed the Committee to carry out its investigation “expeditiously” and listed the matter again after 8 weeks. As per the Supreme Court’s website, the petitions are tentatively to be listed on 3 January 2022.

This blog was written with the support of the Friedrich Naumann Foundation for Freedom.

Vinit Kumar vs. Sanjay Bhandari – A Contrasting application of PUCL vs. Union of India

By Krishnesh Bapat

In the wake of disclosures by the Pegasus Project, it has become more important than ever to understand the law which authorises the government to conduct surveillance – especially the provisions which permit non-digital phone tappings. To that end, the ‘Privacy High Court Tracker’ is an extremely useful tool developed by the Centre For Communication Governance, National Law University Delhi. The tracker enables stakeholders to analyse the evolving jurisprudence on privacy. High Courts across the country are at the forefront of this evolution. For the purposes of this piece, which discusses the law on state-mandated surveillance with a focus on phone-tappings, two judgments from the tracker are relevant – Vinit Kumar vs. CBI and Ors., 2019 (Bombay High Court) and Sanjay Bhandari and Ors. vs The Secretary of Govt. of India and Ors., 2020 (Madras High Court).

But before we analyse these judgments, it is important to refer to the provisions of law that enable the government to listen to our conversations and the decision of the Supreme Court in PUCL vs. Union of India, (1997), which is the locus classicus on this subject. Section 5(2) of the Telegraph Act, 1885 (Telegraph Act) empowers the government to intercept any communication by a ‘telegraph’ from a person to another “on the occurrence of a public emergency” or “in the interest of public safety” if it is in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or to prevent incitement to the commission of an offence. Any order under Section 5(2) must be issued before the surveillance begins. Section 69 of the Information Technology Act, 2000 (IT Act) permits the government to intercept, monitor or decrypt communication generated, transmitted, received or stored in a computer. 

Interestingly, Section 69 of the IT Act has not been subject to much judicial scrutiny. While challenges to its constitutionality are pending before the Supreme Court, the lack of scrutiny is perhaps because there is opacity around when, where and how this provision is used to conduct surveillance. Notably, the government has even refused to provide the total number of orders it has passed under this provision in a response to a right to information application filed by the Internet Freedom Foundation. Unlike Section 69 of the IT Act, Constitutional Courts have examined Section 5(2) of the Telegraph Act on several occasions. As mentioned above, the most notable instance is PUCL.

In PUCL, the constitutional validity of Section 5(2) of the Telegraph Act was challenged. The Supreme Court’s decision, which was subsequently affirmed in K.S. Puttaswamy vs. Union of India, held that conversations over the telephone are private in nature. While this is significant since this judgment is from before Puttaswamy, the bite of the judgment was the Court’s interpretation of the phrases “on the occurrence of a public emergency” and “in the interest of public safety”. The Court held that public emergency would mean the prevailing of a sudden condition or state of affairs affecting the people at large, calling for immediate action. The expression “public safety” means the state or condition of freedom from danger or risk for the people at large. The Court also held that the phrases “take their colour off each other”, and that a breach of public safety or a public emergency is evident to a reasonable person, as these are not secretive conditions.

In terms of procedural safeguards, the Court, amongst other things, directed the Government to not conduct phone tapping unless there is an order from the home secretary which would ex-post be subject to review by a review committee also consisting of government officials. Notably, the Court stopped short of either prior or post judicial scrutiny. 

The CCG Privacy High Court Tracker is a useful resource to examine how High Courts have relied upon the decision in PUCL, especially after the Supreme Court’s decision in Puttaswamy. In this regard, the Bombay High Court’s decision in Vinit Kumar and the Madras High Court’s decision in Sanjay Bhandari offer a study in contrast.

In Vinit Kumar, the petitioner challenged three phone tapping orders issued against him, on the ground that they were ultra vires Section 5(2) of the Telegraph Act. Of course, the petitioner only found out that his conversations were being monitored after the Central Bureau of Investigation filed a charge-sheet against him in a criminal proceeding, where the petitioner was accused of bribing a public servant. The petitioner argued that there was no threat to public safety nor a public emergency to occasion such phone-tapping. The Bombay High Court agreed and noted that circumstances did not exist which “would make it evident to a reasonable person that there was an emergency or a threat to public safety”. The Court also went a step ahead and tested the phone tapping orders on the Puttaswamy proportionality standard (Kaul J, Paragraph 70), which requires the government to show: a) the action must be sanctioned by law; b) the action must be necessary in a democratic society; c) proportionality – the infringing action must be proportionate to the need for such interference; and d) procedural safeguards. The Court found that the orders could not withstand the test and struck them down as they ‘neither had the sanction of law’ (as there was no public emergency nor a threat to public safety) nor had they been issued for a legitimate aim (Paragraph 19).

In Sanjay Bhandari, the petitioners, who held official government positions, were accused of accepting a bribe in return for granting benefits. They found out that the Government was monitoring their conversations, and challenged the phone-tapping orders before the Madras High Court. Evidently, there was neither a public emergency nor threat to public safety that would justify the imposition of such an order. In PUCL, the Supreme Court had held that these situations are evident to a reasonable person as they are not secretive conditions. The Court also held that public emergency would mean the prevailing of a sudden condition or state of affairs affecting the people at large, calling for immediate action, and the expression “public safety” means the state or condition of freedom from danger or risk for the people at large.

The Madras High Court, going against established precedent, held that “Restricting the concept of public safety to the mere “situations that would be apparent to the reasonable persons” will exclude most of the actual threats which present the most grave circumstances like terrorist attacks, corruption at high places, economic and organised crimes, most of which are hatched in the most secretive of manners.”

Thus, the decision in Sanjay Bhandari interpreted Section 5(2) in a manner which was entirely contrary to the decision and, perhaps, even legislative intent. The Court read into the provision its understanding of what constitutes “actual threats” and extended the scope of the provision to offences which do not have any bearing on public safety, as interpreted in PUCL and affirmed in Puttaswamy. And there is merit to that interpretation. The word ‘safety’ follows the word ‘public’, which implies that the situation should be such that it puts at risk the people at large. Surely economic offences do not meet this criterion. There is merit to that interpretation, even from a rights perspective. Monitoring a person’s conversations constitutes a grave infringement on their right to privacy, and the need to undertake such an infringement must be proportionate to the ends sought to be achieved.

The Puttaswamy Effect: Right to Privacy of Transgender People

By Suhavi Arya

The Centre for Communication Governance (CCG) has recently launched a new initiative called the Privacy High Court Tracker which consists of decisions on the constitutional right to privacy passed by all High Courts in India. The Privacy High Court Tracker is a tool to enable lawyers, judges, policymakers, legislators, civil society organisations, academic and policy researchers and other relevant stakeholders, to engage with, understand and analyse the evolving privacy law and jurisprudence across India.

The cases on the tracker can broadly be divided into several themes such as search and seizure, data protection, and gender rights. Within gender rights, there are several sub-themes, and this article, relying on information from the tracker, will focus on the rights of transgender people. It was the National Legal Services Authority vs. Union of India (“NALSA”) judgement of 2014 which gave unequivocal recognition to transgender people in India as the ‘Third Gender’. The Supreme Court interpreted ‘dignity’ under Article 21 of the Constitution to include diversity in self-expression, which allowed a person to lead a dignified life. It placed one’s gender identity within the framework of the fundamental right to dignity under Article 21. Article 21 was interpreted to include privacy in Justice K. S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (“Puttaswamy 9-judge Bench”). The Puttaswamy 9-judge Bench unanimously recognised a fundamental right to privacy of every individual guaranteed by the Constitution, by reading privacy within Article 21, and in all of the fundamental rights under Part III as a whole.

While NALSA gave members of the transgender community the right to privacy in the protection of gender identity within Article 15, the Puttaswamy 9-judge Bench judgement placed the right to privacy as an expression of individual autonomy, dignity, and identity, at the intersection of Articles 15 and 21. The right to life and personal dignity dwells in Article 21 but it is enriched by all the fundamental rights and its various interpretations.

In 2019, the Madurai Bench of the High Court of Madras decided the case of Arunkumar and Ors. vs. The Inspector General of Registration. The facts of the case were as follows: a cis-gendered male married a transwoman in a temple in 2018. The Joint-Registrar refused to register the marriage, under Rule 5(1)(a) of the Tamil Nadu Registration of Marriage Rules. This was appealed before the District Registrar, who also refused, and so it came before the High Court. The High Court stated that the definition of a ‘woman’ or a ‘bride’ is not a static one, and that it should be interpreted according to the need of the time. The Court also noted that Article 16 of the Universal Declaration of Human Rights broadly reads that men and women have the right to marry without any limitations.

The case of Shafin Jahan vs. Asokan K.M. and Ors., was also referred to, where the Hon’ble Supreme Court held that the right to marry a person of one’s own choice is integral to Article 21. Moreover, the Court also relied on Dr. Ambedkar’s famous opinion that inter-caste marriages will lead to social integration, applying it to mean that marriages between transgenders and cis-genders will lead to the social integration of the members of the transgender community. The High Court famously decided that since the second petitioner self-identified as a woman, she is a woman; relying on both the NALSA and the Puttaswamy 9-judge Bench judgements.

The Arunkumar case simply decided on the issue of legalising love and commitment between two people. In doing so, it has now opened a plethora of other issues, such as: will a transwoman be allowed protection under the definition of ‘aggrieved person’ in a domestic relationship and have the same rights as a ‘woman’ under The Protection of Women from Domestic Violence Act, 2005 and the Hindu Adoptions and Maintenance Act, 1956? The right to divorce flows from the right to marry; can a transwoman claim alimony and/or maintenance? It can be said that The Hindu Succession (Amendment) Act, 2005, which removed gender discriminatory provisions in the Hindu Succession Act, 1956, will then apply to transwomen too, but what will happen to the inheritance rights of a transwoman who marries into a family practising Islam? The Arunkumar judgement did not go into these details, but future litigants will need clarity on this matter, either through legislation or, in the absence of it, some clarity from the apex court.

Two other High Courts in India have also given judgements on marriages with transgender persons. One of them is the Madras High Court’s Mansur Rahman vs. the Superintendent of Police & Anr., which has similar facts to the Arunkumar case (mentioned above), where the petitioner, a cis-gendered man, had married a transwoman and was now seeking police protection from people harassing them. Here too, the Court noted the importance of integrating members of the transgender community in the contemporary community, by quoting Dr. Ambedkar’s views on inter-caste marriage. In the High Court of Orissa, in the case of Chinmayee Jena vs. State of Odisha & Ors., a transman was in a live-in relationship with a cis-gendered female, where the female was being forced into a heterosexual arranged marriage by her parents. The Court explicitly recognized the rights of trans persons to enter a live-in relationship with the partner of their choice, regardless of the “gender” of the partner, relying on the judgments in NALSA, Puttaswamy 9-judge Bench and Navtej Singh Johar vs. Union Of India Ministry Of Law & Anr. (“Navtej”). This case too will impact the right of a transman in inheritance and adoption of children, and it also makes us question what other rights transmen have for their protection.

In the case of X vs. State of Uttarakhand, a single judge bench decided on a very interesting aspect of law – whether a transwoman’s complaint of rape should be recorded under section 377 or 375 of the Indian Penal Code, 1860 (‘IPC’). The learned judge differentiated between post-Navtej section 377, which criminalizes all instances of non-consensual sexual intercourse regardless of gender, and section 375, which criminalizes all instances of non-consensual sexual intercourse between a man and a woman. It also noted the difference in punishment: section 375 envisages a minimum imprisonment of 10 years leading to life (apart from fine), while section 377 envisages a maximum imprisonment of 10 years (apart from fine). While determining that, the court also decided that the transwoman had a right to self-determine her gender, “without further confirmation from any authority”. The Court stated that until the Parliament comes up with a legislation for the same, the law of the land is self-identification, as stated in NALSA. Accordingly, it ruled, in recognition of India’s international obligations undertaken in various conventions, the Yogyakarta Principles, fundamental rights of life, liberty, dignity, privacy, the march of the law, and most importantly, in consonance with NALSA and Puttaswamy 9-judge Bench, that the right to gender identity is a part of the right to privacy. Notably, this case created a fine line of difference between Sections 377 and 375 of the IPC and implied that since the Petitioner self-identifies as a female, section 375 should apply. The Court particularly noted that self-identification is the law of the land, till the time there is a legislation in place. However, since then, the Transgender Persons (Protection of Rights) Act and Transgender Persons (Protection of Rights) Rules, 2020 have been implemented, which deviate from NALSA as sections 5 and 6 have made gender self-identification contingent on medical and psychological documentation.

On a final note, in the case of Puttaswamy, a 9-judge Bench led to the judiciary establishing that right to personal liberty, dignity and privacy are inalienable rights. This has been an important step forward for the transgender community in India. It is not only important that these rights are recognised by the Indian Constitution, but these rights are also foundational pillars of the Indian Constitution. They are intrinsic and inseparable to one another. To further this development, there needs to be legislation(s) and other social welfare schemes to address the challenges faced by the transgender community and to inculcate the community in such a way that there is no more ‘us’ and ‘them’.

Privacy and the right to intimate choices

By Thulasi K. Raj

The judgment of the Supreme Court in Justice (Retd.) K.S. Puttaswamy vs. Union of India was the first comprehensive verdict on the right to privacy in India. While earlier judgments such as Rajagopal or Gobind discussed certain aspects of this right, in Puttaswamy, the court’s pronouncement was categorical, laying down definite principles and different contours of the right to privacy. The judgment in Puttaswamy will have – and in some cases, has already had – significant influence on various issues including state surveillance, data collection and retention and rights of sexual privacy. In this blog, I will focus on Puttaswamy’s impact on the right to intimate choices including marriage.

Among other things, the Supreme Court in Puttaswamy has made two aspects clear. First, the right to privacy is part of the right to liberty and dignity under part III, especially Article 21 and certain freedoms under Article 19 of the Constitution. Secondly, it located the right to intimate choices as part of the right to privacy. We shall see how this has enabled the courts to decide certain cases. (See here the Privacy High Court Tracker by CCG, used to identify the cases. The tracker “is a resource consisting of decisions on the constitutional right to privacy passed by all High Courts in India.”).

At various places in the judgment, there is agreement that privacy necessarily must protect the right to intimate choices. The court said – “The family, marriage, procreation and sexual orientation are all integral to the dignity of the individual” and that “privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage, procreation, the home and sexual orientation.” Importantly, the oft-quoted right to be left alone was interlinked with the right to choose who enters one’s house, whom to live with and “what relationship” to live in. (Justice Kaul, para 78).

With this background, some cases from the Privacy Tracker are worthwhile studying. In Safiya Sultana and Ors. vs. State of U.P. and Ors., the writ petition was moved by the petitioner in the Allahabad High Court claiming that she is in the illegal custody of her father and she would like to live with her husband. During the deliberation, the court took up the issue of the requirements under the Special Marriage Act, 1954 (SMA) which make it difficult for couples to register their marriages.

The SMA is a secular law, meaning it can be used by persons belonging to any religion (or no religion at all). Persons belonging to the same religion, such as two Hindus, can also marry under the SMA, as many often choose to. The petitioners argued that the provisions requiring notice before marriage and subsequent publication must be read as directory, instead of mandatory. They pointed out that “any such notice would be an invasion in their privacy and would have definitely caused unnecessary social pressure/interference in their free choice with regard to their marriage.”

Section 5 of the SMA provides that the couple intending to marry must give a notice in writing to the marriage officer before thirty days. According to section 6, the notice will be displayed for the public and the details of the notice entered into in the Marriage Notice Book, which is open for inspection by any person. Section 7 enables persons to object to the marriage on violation of certain conditions. In a society where agency of women in particular is curtailed and love-marriages often violently resisted, it is not difficult to see how these provisions can have significant dignity implications. While agreeing with the petitioners, the court noted that “society has no role to play in determining our choice of partners.”

Intimate choice consists of a bundle of rights where both privacy and autonomy interact: the right to choose a partner, the right to marry or not to marry, the right to choose a live-in relationship, the right to keep details of the marriage or nature of the relationship private. It becomes too ‘costly’ for young people to exercise the right to privacy and choice since there is constant invasion. Essentially, the actions of other persons and their possible access to your personal information impact your decisions on how to lead your life. The provisions of the SMA provide for this type of invasion by enabling the private details to be accessible to public. It went beyond the legitimate purpose of the state in securing the details of marriages in its register.

The court held that the giving and publication of notice under these provisions of the SMA shall be voluntary and not mandatory. Sections 5 and 6 were read down to this extent. The court directly relied on Puttaswamy to ascertain “the ability to make decisions on matters close to one’s life.” It also relied on Common Cause vs. Union of India and Anr. which said that “our autonomy as persons” is also founded in our ability to decide “whom to love and whom to partner.” This, according to the High Court, is a protected entitlement of the Constitution. Hence, the court located “a right to a union” under Article 21. This union includes but is not exhausted by marriage. Neither the state nor other persons can intrude upon this right.

Moreover, according to the court, the provisions, if read as mandatory, do not fulfil the three-tier test recognised by Puttaswamy while determining validity of laws (of legality, necessity and strict proportionality). The requirements of notice and publication apply only under the SMA, in comparison to other personal laws on marriage. “There is no apparent reasonable purpose achieved by making the procedure to be more protective or obstructive under the Act of 1954…”

Often, in addition to the SMA provisions, various States have made specific rules, guidelines or checklists for registration of marriages under the Act. One such checklist was the matter in issue before the Punjab & Haryana High Court. In this case, the Haryana government had issued a marriage checklist with 16 requirements to be fulfilled for registration. The petitioners argued that requirements such as notice to parents of the couple, publication of proposed marriage in a national newspaper violate their right to privacy. The court held that such a requirement violates the right to privacy and asked the state to modify the checklist.

In Salamat Ansari vs. State of UP and Others, an FIR was lodged against the accused for the offence, inter alia, of kidnapping a woman under the Indian Penal Code, 1860. The petitioners argued that the woman in question and the accused were married and hence the FIR, registered by the father of the woman, must be quashed. The court relied on the ‘choice’ jurisprudence emerging out of Puttaswamy, Shakti Vahini vs. Union of India and Shafin Jahan vs. Asokan K.M, that an adult person’s choice on whom to marry is not a territory for the court or the state to intervene. The court quashed the FIR, reiterating that no offences were made out and the case was simply of individuals choosing to live together.

In Monika Mehra vs. State and Ors., the petitioners, who were a married couple, approached the Jammu and Kashmir High Court seeking directions for adequate security on grounds of facing threats to their life. By relying on Supreme Court jurisprudence on the rights to privacy and choice, the court allowed the prayer for adequate protection of life and liberty of the petitioners.

There are a few aspects binding these cases together. The first is the choice-privacy intersection. In Puttaswamy, this link was clearly explained. How an artist or a musician expresses herself is illustrative of how “privacy facilitates freedom and is intrinsic to the exercise of liberty.” Therefore, privacy and choice are not mutually exclusive or disjoint. One facilitates the growth of another and infringement of the one can constitute infringement of the other. In the context of the SMA, burdensome requirements violating privacy rights, such as publication of intended marriage, force a person to make corresponding choices of partner or marriage.

The second is that all cases reflect that the right to privacy is vulnerable when exercised in a society that does not seriously value it. The provisions in the SMA, for instance, are used by vigilante groups to invade privacy at a large scale. For example, online applications of inter-faith couples under the SMA were publicised on the internet by certain groups in Kerala. The provisions, when operating in a peculiar socio-political context, can be more burdensome than in a less intrusive social climate. Requirements such as notice of intended marriage to the parents aim to infringe the intimate zone of privacy. This is also the motivation behind criminal charges of kidnapping as in Salamat and Monika, filed to intimidate persons who have made free and independent choices, and asserted their right to self-determination. Ultimately, the Puttaswamy judgment has played an important role in shaping the right to intimate choices for future cases and one can hope that it continues to do so.

The Pegasus Hack–II: Secrecy for Snooping in Public Procurement?

“Into the Rabbit Hole” by Aswin Behera @Behera_Aswin is licensed under CC BY 4.0.
From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative

By Gunjan Chawla

The recent revelation of the Pegasus hacks has re-ignited public discourse on privacy, surveillance and intelligence reform. As the proposed Personal Data Protection Bill, 2019 makes room for wide exemptions to military, intelligence and law enforcement agencies for the collection and processing of citizens’ data, privacy and data protection laws in their current form will be limited in their potential to enforce meaningful procedural safeguards and oversight over State surveillance.

Although these conversations are not new, we must continue to have them. At the same time, it is important to not miss the forest of State-run cybersurveillance programmes for the sprawling branches of the Pegasus tree. That the global cyber-surveillance industry thrives on State secrecy is no secret.

While the need for and significance of surveillance reforms cannot be over-emphasized, data protection or privacy law in itself may not succeed in ensuring that Government is prohibited or restrained from acquiring Pegasus-like spyware. Nor will it ensure that the Government is obligated to disclose that technologies which risk undermining the basic fundamental freedoms of its citizenry have been procured by it, with the intent of deployment by law enforcement and/or intelligence agencies. In an earlier piece on the Pegasus Hack, CCGNLUD had addressed issues in international frameworks for export controls designed for dual-use technology and their limitations in providing meaningful remedy to the aggrieved.

In this piece, the author argues that Parliamentary legislation and oversight on public procurement processes, classifications and procedures is far more likely to address the root of the multi-faceted problems we are faced with in the wake of Pegasus. Yet, public commentary or critique on the far-reaching consequences of such provisions is hard to come by. This is despite the fact that multiple estimates peg the share of public procurements by Government departments and agencies at 20-30% of India’s national GDP.[1]

The argument proceeds as follows. First, we highlight the central provision that enables the Government to keep such concerning acquisitions of technology in the dark, away from Parliamentary and public scrutiny. Second, we examine the far-reaching implications of this somewhat obscure provision for the cybersecurity industry in India and the public at large. Finally, we explain how this State-sanctioned secrecy in procurement of spyware – whether from foreign or Indian vendors – could potentially deprive the aggrieved targets of surveillance through Pegasus of meaningful legal remedy before the Courts.

Executive Regulations on Public Procurements and ‘National Security’

In the absence of a Parliamentary enactment, public procurements in general are governed by the overarching principles and procedures codified in the General Financial Rules, 2017 (GFR). These rules were first issued after independence in 1947, and later revised in 1963 and 2005.[2]

Rule 144 of the GFR mandates that every authority procuring goods in public interest shall have the responsibility and accountability to bring efficiency, economy and transparency in matters relating to public procurement and for fair and equitable treatment of suppliers and promotion of competition in public procurement.[3] It also sets out certain ‘yardsticks’ with which procuring agencies must conform – and some are more problematic than others.

One of the most significant changes introduced in the 2017 iteration of the GFR is the introduction of a ‘national security exception’. Under these new provisions, Ministries/Departments may be exempted from the requirement of e-procurement and e-publication of tender enquiries and bid awards, which is mandatory as a general rule. This may be permitted:

  1. In individual cases where confidentiality is required for reasons of national security, subject to approval by the Secretary of the Ministry/Department with the concurrence of the concerned Financial Advisor, [Rule 159(ii)] and
  2. In individual case[s] where national security and strategic considerations demands confidentiality, after seeking approval of concerned Secretary and with concurrence of Financial Advisors. [Rule 160(ii)]

This indicates that the ‘national security exception’ is intended to apply to non-military procurements, expanding the realm of secrecy in procurements far beyond military matters with direct adverse consequences for the civilian realm of affairs. This is supported by the fact that the procurement of goods for the military is excluded from the scope of the GFR by Rule 146. This rule prescribes that the procurement of goods required on mobilisation and/or during the continuance of military operations shall be regulated by special rules and orders issued by the Government from time to time.

Thus, the acquisition of spyware as a product to enhance India’s cybersecurity posture—which can easily be proved to implicate strategic considerations that demand confidentiality—could be exempted from mandatory obligations of e-procurement through the central portal and e-publication of the tender inquiry as well as the bid award, after approval from the concerned Secretary and/or Financial Advisors. Although the rule also obliges the Finance Ministry to maintain statistical information on cases where such an exemption is granted, and the value of the contract,[4] whether or not such statistics are amenable to public disclosure through Right to Information (RTI) applications remains unclear at the time of writing.

What Implications for the Cybersecurity Industry?

In addition to spyware and malware, we can expect that even legitimate cybersecurity products and services when procured by Government could also be caught within the above mentioned clause for exempting an ‘individual case where national security and strategic considerations demands confidentiality’.

Given the current state of India’s information security, the acquisition of legitimate cybersecurity products and services will, and should be conducted across Ministries including but not limited to the Ministry of Defence or even law enforcement.

The demand and market for cybersecurity products and services in the country is burgeoning. These exceptions could also be invoked by the relevant ministry/department to keep the identity of vendors of cybersecurity products and private sector partners for the development of surveillance and other cyber capabilities outside the public domain.

The invocation of such regulatory provisions to keep details of the vendors of cybersecurity products and service providers as confidential may create information asymmetries about Government’s needs and preferences among private players in the market. This will not be conducive for creating a competitive market for cybersecurity products and services. These asymmetries can then distort the market with far-reaching implications for the health and growth of the cybersecurity and IT industry at large.

It also militates against the objective of promoting fair competition and transparency in the public procurement process. Adopting the right blend of rules to encourage competition in industry is crucial to fostering a healthy ecosystem for the cybersecurity industry in India, which is still in its infancy.

The Courts will Protect Us?

In other words, through the 2017 amendment of the GFRs, Government of India’s executive branch gave itself the power to procure goods and services ‘in the interest of national security’ while remaining sheltered from the public gaze. This was the first time such a provision was inserted into the GFR – the language of its 2005, 1963 and 1947 iterations makes no mention of ‘national security’ whatsoever.

It is pertinent to point out that the term ‘national security’ is an extra-constitutional one – it does not occur anywhere in the Constitution of India. Instead, the Constitution refers only to ‘security of the State’ or ‘defence of India’, or ‘sovereignty and integrity of India’. In recent years, the Executive has co-opted the term ‘national security’ as a catch-all phrase to encompass everything from serious threats of cross-border terrorism and acts of foreign aggression, to issues like organised protests which were traditionally considered as falling under ‘public order’ – a category clearly distinguished from ‘security of the State’ as early as 1966 by the Supreme Court of India in Ram Manohar Lohia v. State of Bihar AIR 1966 SC 740.

A more recent order of the Supreme Court dated December 14, 2018, in Manohar Lal Sharma v. Narendra Damodardas Modi (The Rafale Case) underlines the Court’s reluctance to hold the Executive accountable for procurements and public spending in domains like defence. The Court stated,

We also cannot lose sight of the tender in issue. The tender is not for construction of roads bridges et cetera it is a defence tender for the procurement of aircrafts.  The parameters of scrutiny would give far more leeway to the government keeping in mind the nature of the procurement itself.[5]

Additionally, the emergence of the Supreme Court’s “sealed cover” jurisprudence, although recent in its origins, is testament to the growing shadow of secret executive action pervading the judicial sphere with opacity as well. In this context, it is relevant that recent coverage of the award of the “all-India tender” for the provision of a video conferencing platform for the Supreme Court of India does not yet disclose which entity or corporation was awarded this contract.

Coming back to Pegasus, should the aggrieved persons targeted with this spyware seek judicial remedy, Section 123 of the Indian Evidence Act, 1872 prohibits Government officials from providing evidence “derived from unpublished official records relating to any affairs of State, except with the permission of the officer at the head of the department concerned, who shall give or withhold such permission as he thinks fit.” (emphasis added)

This means that if a case relating to procurements exempted from e-publication is brought before courts, the appropriate authority to give or withhold permission for disclosure to court would be the same Secretary and Financial Advisors who permitted the procurement to be exempted from publication requirements in the first place. Section 124 further prohibits compelled disclosure of official communications made to a Government official in confidence.

And thus, the conspiracy of silence on potentially criminal acts of Government officials could easily escape judicial scrutiny. This will invariably create a challenging situation for individuals impacted by the use of the Pegasus spyware to effectively seek judicial redressal for violation of their right to privacy and hold the government accountable.

Without an explicit acknowledgment from the Government of the fact that the spyware was in fact procured by it, questions on the legality of procedures that resulted in its targeted deployment against citizens and judicial remedies for violations of due process in criminal investigation remain a moot point. In their current form, the applicable rules permit the Government to enable secret procurement of goods and services for non-military purposes under the GFR’s ‘national security exception’, and also permit the Government to disallow disclosure of this information in judicial proceedings.

Given the lower level of judicial scrutiny that such procurements will likely be subjected to, the doctrine of checks and balances and the doctrine of separation of powers necessitate that appropriate parliamentary mechanisms be set up to ensure effective oversight over all government procurements. Presently, the legal framework for procurements is comprised almost exclusively of executive-issued regulations. Constitutionalism requires that no organ of government be granted or allowed to exercise unfettered discretion, and that each is always held accountable by the other organs of the government.

This is an essential element of the Rule of Law and can only be ensured by way of a Parliamentary enactment on procurement procedures and concomitant disclosure requirements as well as effective Parliamentary oversight mechanisms to enforce accountability on public spending incurred for procurements in the name of national security.


[1] Government Procurement in India: Domestic Regulations and Trade Prospects, CUTS International, October 2012, p. 33, accessible at http://www.cuts-citee.org/pdf/Government-Procurement-in-India_Domestic-Regulations-Trade-Prospects.pdf. CUTS’ analysis draws upon reports and estimates in various reports of the World Bank, Planning Commission of India, the Central Vigilance Commission along with the Reserve Bank of India’s GDP Data on Macro-Economic Aggregates.

[2] General Financial Rules, 2005, http://finmin.nic.in/the_ministry/dept_expenditure/GFRS/gfr2005.pdf.

[3] Rule 144, General Financial Rules 2017.

[4] Rule 159(ii), General Financial Rules 2017.

[5] Manohar Lal Sharma v. Narendra Damodardas Modi, WP (Crl) 225/2018 etc, at para 9.

Launch of the CCG High Court Privacy Tracker

CCG is excited to announce the launch of the CCG High Court Privacy Tracker, a resource consisting of decisions on the constitutional right to privacy passed by all High Courts in India. The High Court Privacy Tracker captures cases post the pronouncement of the Justice (Retd.) K.S. Puttaswamy vs. Union of India (Puttaswamy) judgment. In Puttaswamy, the Supreme Court of India reaffirmed the existence of the right to privacy in India’s Constitution as a fundamental right. 

The High Court Privacy Tracker is a tool to enable lawyers, judges, policymakers, legislators, civil society organisations, academic and policy researchers and other relevant stakeholders, to engage with, understand and analyse the evolving privacy law and jurisprudence across India. 

The CCG High Court Privacy Tracker can be accessed – here

The High Court Privacy Tracker serves as a natural extension of and supplements the efforts of the existing CCG Privacy Law Library (PLL). The PLL contains case briefs of more than 160 cases and tracks privacy jurisprudence from nine countries around the world with a mix of emerging economies, developing and developed countries – India, Sri Lanka, Nepal, USA, Canada, South Africa, South Korea, Singapore, Europe (ECJ and ECtHR). CCG will continue to add more jurisdictions and cases to the PLL.

Why Did CCG Build the High Court Privacy Tracker?

The Puttaswamy judgment marked a watershed moment for privacy law and jurisprudence in India. In Puttaswamy, the Supreme Court of India not only clarified that India’s Constitution guaranteed a right to privacy, but also recognised various types of privacy that the right protects. To name a few, the Court acknowledged rights such as – bodily privacy, communicational privacy, associational privacy, and informational privacy. 

This expansive reading of the right to privacy resulted in broadening India’s fundamental rights law and jurisprudence. Various rights such as the right to marry a person of one’s choice (for heterosexual couples), right to determination of sexual identity, and the right to die with dignity were subsequently recognised by the Supreme Court by relying on principles of privacy as expounded in Puttaswamy.

In Puttaswamy, the Supreme Court also laid down a four-part test for determining the legitimacy of State action that limited or restricted the right to privacy. The four-part test includes – legality, which postulates the existence of law; need or necessity, defined in terms of a legitimate state aim; proportionality, which ensures a rational nexus between the objects and the means adopted to achieve them; and procedural guarantees or safeguards against abuse of the privacy restricting measure. 

To read about all the privacy cases from the Supreme Court of India starting from the year 1950, refer to our handbook – here

CCG believes that as the right to privacy finds prominence in India’s fundamental rights jurisprudence and High Courts around the country provide their own interpretation of the principles and tests recognised in Puttaswamy, a tracker for mapping out these decisions would be helpful to relevant stakeholders.

High Courts – Defending Privacy Rights

High Courts in India are increasingly playing a major role in the evolution of privacy rights in India. 

The Karnataka High Court’s recent decision on the Aarogya Setu app (India’s COVID-19 contact tracing app) and the challenges it posed to informational privacy is an important example of the application of principles to data protection as recognised in Puttaswamy. Through an interim order, the High Court restrained the central government and the National Informatics Centre (a government agency that helped develop the Aarogya Setu app) from sharing the data with other government agencies. The Court held that users were not informed, and therefore their consent was not obtained, thereby impinging on their privacy rights. 

In another pending case before the Delhi High Court, the petitioner, an American citizen of Indian origin, requested removal of a judgment concerning him from Google, Indian Kanoon, and vLex.in (the latter two being online legal databases). The judgment was in relation to a case against him under the Narcotic Drugs and Psychotropic Substances Act, 1985. The Court, through an interim order, asked Google to remove the judgment in question from its search results and similarly directed Indian Kanoon to block access to the judgment via search engines such as Google or Yahoo. While arriving at its decision, the Court relied on the right to privacy as recognised in Puttaswamy, and also the ‘right to be forgotten’ as emanating from the right to privacy.

These are just two examples wherein High Courts have relied on the right to privacy and provided meaningful remedies even before issuing the final judgments. 

CCG will continue to track the development of these cases and others from High Courts across India and periodically update the tracker.

Methodology

The High Court Privacy Tracker has been developed using judgements pulled from the Manupatra case law database. Through its search function, CCG identified cases that relied upon the Puttaswamy judgment and pertained to the right to privacy, and filtered them by each of the 25 High Courts in India. These were then further examined to identify those cases whose decisions concerned a core aspect of privacy. CCG identified the following aspects of privacy: (1) autonomy, (2) bodily integrity, (3) data protection, (4) dignity, (5) informational privacy, (6) phone tapping, (7) press freedom, (8) right to know and access information, and (9) surveillance, search and seizure. Cases where only incidental or passing observations or references were made to Puttaswamy and the right to privacy were not included in the tracker. The selected cases were then compiled into the database per High Court, with several details highlighted for ease of reference. These details consist of case name, decision date, case citation and number, case status, legal provisions involved, and bench strength. The tracker also includes select quotes concerning the right to privacy from each case, to help users grasp the crux of the case more easily and quickly.

For ease of access to the text of the judgments, each case on our tracker is linked to the Indian Kanoon version of the judgment (wherever available) or an alternative open-access version of the judgment text.

We welcome your feedback. In addition, you may write to us at – ccg@nludelhi.ac.in with the details of any privacy case we may not have included from any High Court in India. 

Limitations

The High Court Privacy Tracker currently only consists of cases reported on Manupatra, and those reported up to 15 May 2021 (CCG will continue to update the tracker periodically). Only final judgements are included in the tracker, and not interim orders of the High Courts. Hence, the decisions referred to above, including the Karnataka High Court’s order on Aarogya Setu and the Delhi High Court order in the ‘right to be forgotten’ case, shall be included in our list once the final judgments are issued.

We hope that our readers will find the High Court Privacy Tracker useful. As ever, we welcome feedback.

CCG thanks Jhalak M. Kakkar, Shashank Mohan, Sharngan Aravindakshan, Nidhi Singh, Anna Kallivayalil, Priyanshi Dixit and Aditya Gaggar for their work conceptualising, designing and putting together the Tracker. The work on this tracker is supported by Omidyar Network India. We are thankful for their support. 

Technology Regulation: Risk-based approaches to Artificial Intelligence governance, Part 1

Post authored by Prateek Sibal

In five years, between 2015 and 2020, 117 initiatives have published AI ethics principles worldwide. Despite a skewed geographical scope, with 91 of these initiatives emerging in Europe and North America, the proliferation of such initiatives on AI ethics principles paves the way for building global consensus on AI governance. Notably, the 37 OECD Member States have adopted the OECD AI Recommendation, the G20 has endorsed these principles, and the Global Partnership on AI is operationalising them. In the UN system, the United Nations Educational, Scientific and Cultural Organization (UNESCO) is developing a Recommendation on the Ethics of AI that 193 countries may adopt in 2021.

An analysis of different principles reveals a high-level consensus around eight themes: privacy, accountability, safety and security, transparency and explainability, fairness and non-discrimination, human control of technology, professional responsibility, and promotion of human values. At the same time, ethical principles are criticised for lacking enforcement mechanisms. Companies often commit to AI ethics principles to improve their public image with little follow-up on implementing them; an exercise termed as “ethics washing”. Evidence also suggests that knowledge of the ethical tenets has little or no effect on whether software engineers factor in ethical principles in developing products or services.

Defining principles is essential, but it is only the first step for ethical AI governance. There is a need for mid-level norms, standards and guidelines at the international level that may inform regional or national regulation to translate principles into practice. This two-part blog will discuss the need for AI governance to evolve past the ‘ethics formation stage’ into concrete and tangible steps such as developing technical benchmarks and adopting risk-based regulation for AI systems.

Part one of the blog has three sections. The first section discusses some of the technical advances in AI technologies in recent years. These advances have led to new commercial applications with some potentially adverse social implications. Section two discusses the challenges of AI governance and presents a framework for mitigating the adverse implications of technology on society. Finally, section three discusses the role of technical benchmarks for evaluating AI systems. Part two of the blog will contain further discussion on risk assessment approaches to help identify the AI applications and contexts that need to be regulated.  It will also discuss the next steps for national initiatives for AI governance.

The blog follows the definition of an AI system proposed by the OECD’s AI Experts Group. They describe an AI system as a “machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations or decisions influencing real or virtual environments. It uses machine or human-based inputs to perceive real or virtual environments, abstract such perceptions into models (in an automated manner, e.g. with ML or manually), and use model inference to formulate options for information or action. AI systems are designed to operate with varying levels of autonomy.”

Recent Advances in AI Technologies

Artificial Intelligence is developing rapidly. It is important to lay down a broad overview of AI developments, which may have profound and potentially adverse impacts on individuals and society. The 2021 AI Index report notes four crucial technical advances that hastened the commercialisation of AI technologies:

  • AI-Generated Content: AI systems can generate high-quality text, audio and visual content to a level that it is difficult for humans to distinguish between synthetic and non-synthetic content.
  • Image Processing: Computer vision, a branch of computer science that “works on enabling computers to see, identify and process images in the same way that human vision does, and then provide appropriate output”, has seen immense progress in the past decade and is fast industrialising in applications that include autonomous vehicles.
  • Language Processing: Natural Language Processing (NLP) is a branch of computer science “concerned with giving computers the ability to understand the text and spoken words in much the same way human beings can”. NLP has advanced such that AI systems with language capabilities now have meaningful economic impact through live translations, captioning, and virtual voice assistants.
  • Healthcare and biology: DeepMind’s AlphaFold solved the decades-old protein folding problem using machine learning techniques. This breakthrough will allow the study of protein structure and will contribute to drug discovery.

These technological advances have social implications. For instance, the technology generating synthetic faces has rapidly improved. As shown in Figure 1, in 2014, AI systems produced grainy faces, but by 2017, they were generating realistic synthetic faces. Such AI systems have led to the proliferation of ‘deepfake’ pornography that overwhelmingly targets women and has the potential to erode people’s trust in information and videos they encounter online. Some actors misuse the deepfake technology to spread online disinformation, resulting in adverse implications for democracy and political stability. Such developments have made AI governance a pressing matter.


Figure 1: Improvement in AI-generated images. Source: https://arxiv.org/pdf/1802.07228.pdf

Challenges of AI Governance

In this blog, AI governance is understood as the development and application by governments, the private sector, and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape AI’s evolution and use. As highlighted in the previous section, the rapid advancements in the field of AI technologies have brought the need for better AI governance to the forefront.

In thinking about AI governance, a conundrum that preoccupies many governments worldwide concerns enactment of regulation that does not stifle innovation while also providing adequate safeguards to protect human rights and fundamental freedoms.

Technology regulation is complicated because until a technology has been extensively developed and widely used, its impact on society is difficult to predict. However, once it is deeply entrenched and its effect on society is understood better, it becomes more challenging to regulate the technology. This tension between free and unimpeded technology development and regulating adverse implications is termed the Collingridge dilemma.

David Collingridge, the author of the Social Control of Technologies, noted that when regulatory decisions have to be made under ignorance of technologies’ social impact, continuous monitoring of the impact of technology on society can help correct unexpected consequences early. Collingridge’s guidelines for decision-making under ignorance can inform AI governance as well. These include choosing technology options with:

  • Low failure costs: Selecting options with low error costs, i.e. if a policy or regulation fails to achieve its intended objective, the costs associated with failure are limited.
  • Quicker to correct: Selecting technologies with low response time for correction after the discovery of unanticipated problems.
  • Low cost of applying remedy: Selecting solutions with low cost of applying the remedy, i.e. options with a low fixed cost and a higher variable cost, should be given preference over the ones with a higher fixed cost, and
  • Continuous monitoring: Cost-effective and efficient monitoring can ensure the discovery of unpredicted consequences quickly.

For instance, the requirements around transparency in AI systems provide information for monitoring the impact of AI systems on society. Similarly, risk assessments of AI systems offer a pre-emptive form of oversight over technology development and use, which can help minimise potential social harms.  

Technical benchmarks for evaluating AI systems

To address ethical problems related to bias, discrimination, lack of transparency, and accountability in algorithmic decision-making, quantitative benchmarks to assess AI systems’ performance against these ethical principles are needed.

The Institute of Electrical and Electronics Engineers (IEEE), through its Global Initiative on Ethics of Autonomous and Intelligent Systems, is developing technical standards, including on bias in AI systems. They describe “specific methodologies to help users certify how they worked to address and eliminate issues of negative bias in the creation of their algorithms”. Similarly, in the United States, the National Institute of Standards and Technology (NIST) is developing standards for explainable AI based on principles that call for AI systems to provide reasons for their outputs in a manner that is understandable to individual users, explain the process used for generating the output, and deliver their decision only when the AI system is fully confident.

For example, there is significant progress in introducing benchmarks for the regulation of facial recognition technology. Facial recognition systems have a large commercial market. They are used for various tasks, including law enforcement and border controls. These tasks involve detecting visa photos, matching photos in criminal databases, and child abuse images. Such facial recognition systems have been the cause of significant concern due to high error rates in detecting faces and impinging on human rights. Biases in such systems have adverse consequences for individuals denied entry at borders or wrongfully incarcerated. In the United States, the National Institute of Standards and Technology’s Face Recognition Vendor Test provides a benchmark to compare different commercially available facial recognition systems’ performance by operating their algorithms on different image datasets.

The progress in defining benchmarks for ethical principles needs to be complemented by risk assessments of AI systems to pre-empt potentially adverse social impact in line with the Collingridge Dilemma discussed in the previous section. Risk assessments allow the categorisation of AI applications by their risk ratings. They can help develop risk-proportionate regulation for AI systems instead of blanket rules that may place an unnecessary compliance burden on technology development. The next blog in this two-part series will engage with potential risk-based approaches to AI regulation.

The author would like to thank Jhalak Kakkar and Nidhi Singh for their helpful feedback.

This blog was written with the support of the Friedrich Naumann Foundation for Freedom.

The Personal Data Protection Bill, 2019 vs. GDPR: Provisions for the rights of the child and its implications

This post is authored by Puja Nair

The debate on privacy rose to the forefront after the Supreme Court passed a judgement in the case of Justice K.S Puttaswamy (Retd.) v. Union of India, where the Court held that the right to privacy was an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution of India. In arriving at this conclusion, the Court examined a wide range of privacy-related issues and held that the right to privacy included the right to personal autonomy over a wide range of domains in a person’s life.

While the above decision seems obvious in its simplicity, complications arise when one considers that a child or adolescent may not understand the consequences of their individual choices. When taken in the context of online data privacy, it is safe to say that children may be unaware of the exact manner in which any data that they share online is put to use. The report submitted by the committee of experts under the chairmanship of Justice B.N Srikrishna clearly endorses this belief.

Clause 16 of the Indian Personal Data Protection Bill, 2019 (‘PDPB 2019’), which was tabled in parliament on December 11, 2019, deals with the processing of personal and sensitive personal data of children. It states categorically that every data fiduciary shall “process the personal data of a child in a manner that protects the rights of, and is in the best interests of, the child.” It further states that a data fiduciary shall only process the personal data of a child, after verifying their age and obtaining the consent of their parent or guardian, in the manner specified by future regulations.

Based on this provision, the primary question that arises is, who is a child as per the PDPB 2019? According to the provisions of the bill, a child is someone who “has not completed the age of 18 years.” This is distinct from the data protection statutes passed in other jurisdictions. The EU General Data Protection Rules (‘GDPR’) specifies that the age limit on the definition of ‘child’ may be up to the discretion of individual member states and can be anywhere between 13-16 years. The US Children’s Online Privacy Protection Act, 1998 on the other hand, puts the age limit at a firm 13 years. Notwithstanding the above, the PDPB 2019 specifies 18 as the age of majority. This was done to ensure that the provisions of the bill would be in conformity with the prevailing laws of the country.

The adoption of a singular age of majority serves to prevent confusion and conflict between the laws in the country; however, it also serves to underestimate the awareness and advancement of today’s youth. An example of this understanding was espoused by the Madras High Court in the case of Sabari Sabarinathan Sabarivasan v. State Commission for Protection of Child Rights and Ors. This judgment examines existing flaws in the Protection of Children from Sexual Offences (POCSO) Act, 2012 and recommends a change in the definition of the term ‘child,’ so that a consensual relationship between a girl above 16 years of age and a boy between 16 to 21 years of age, would not attract the draconian provisions of the law. The drafters of the PDPB 2019 could have taken a similar view, rather than conforming with the provisions of a statute like the Indian Contract Act or the Indian Majority Act, both of which were enacted in the late-1800’s. Furthermore, a 2019 study conducted among 630 adolescents across 8 schools in the nation’s capital, revealed that 60 per cent of the boys and 40 per cent of the girls, owned their own device while almost half reportedly used two or more devices to access the Internet. The numbers have no doubt increased since then and the COVID-19 crisis has further accelerated the adoption of online services for both education and entertainment. This means that mandating a guardian’s consent for anyone below the age of 18 years could very well result in some data fiduciaries inadvertently being on the wrong side of the law.

Another question raised by Clause 16 of the PDPB 2019, is the determination of what constitutes the best interests of the child. The bill does not specify how this is to be determined; however, subclause 5 of Clause 16 categorizes certain types of data processing like behavioural monitoring, tracking, and targeted advertising as harmful for children.

We then come to the requirement for age verification and parental consent. The provisions of the bill do not explore this in detail. It merely states that the process of acquiring such consent and/or verification will be specified in further rules, after taking into account factors like the volume of personal data processed, the proportion of such personal data likely to be that of a child, the potential of harm that may occur to said child as a result of the processing of his/her personal data etc.

Regardless, one issue that may arise when it comes to consent is the question of capacity. Clause 11 of the PDPB 2019 states that among other things, consent must be free and informed. However, parents cannot provide such free and informed consent on behalf of their children, if they do not understand the terms and conditions provided in the policies of these websites. In many instances, we find that children possess a much greater awareness of current technology trends and their implications. Additional issues arise when we consider the concept of free choice. However, the fact of the matter is that if one wants to register with any of the popular online apps and services available, one inevitably has to agree with their terms and conditions, regardless of any reservations one might have. Therefore, the concept of consent being “freely given” is rendered pointless.

GDPR and the European Union

Article 8 of the GDPR states that where there is an offer of “information society service directly to a child” the processing of personal data of said child shall be lawful, where the child is at least 16 years old. If the child is below the age of 16 years, such processing shall be lawful only if consent has been obtained by the “holder of parental responsibility over the child.” Member States can provide for a lower age limit, provided it is not below 13 years of age. The provision further provides that “reasonable efforts” must be made to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

Article 8 is the principal provision relating to the protection of children’s personal data in the GDPR. There are other provisions that mandate the type of measures that must be taken for the protection of the personal data of a child. For example, when obtaining data from a child, data controllers must ensure that any information on the processing of such data, should be in clear and plain terms for a child to easily understand. The GDPR also provides for the ‘right of erasure’ for children’s personal data. This is particularly relevant in cases where the data subject may have provided their consent as a child, without being fully aware of the risks involved and now seek the erasure of such personal data. Clause 16 of the PDPB, which relates to the processing of personal data of children, closely mirrors Article 8 of the GDPR. To that end, this post will be limited to an examination of Article 8 of the GDPR to examine the potential pitfalls that await in the implementation of Clause 16 of PDPB 2019.

Article 8 applies only to information society services offered directly to a child. Information society services or ISS is any service that is provided at a distance, by electronic means, and at the individual request of a recipient of the services. The definition also includes the requirement that the service be one that is provided in exchange for “remuneration”. However, the majority of online services that teenagers have access to do not directly require remuneration from the users. Common examples of this include popular social media sites like Facebook, Instagram etc. For this reason, the phrase “remuneration” is interpreted broadly by the European Court of Justice (‘ECJ’). The Court has held that “the essential characteristic of remuneration […] lies in the fact that it constitutes consideration for the service in question and is normally agreed upon between the provider and the recipient of the service’’. It is not essential that the recipient of the services provide the consideration. It is only essential for the consideration to have been received by the service provider. Subsequent rulings specified that such services may also include services provided by a non-profit organization, services involving an element of chance, and services that are of a recreational or sporting nature.

Some confusion may arise in situations where the ISS has both online and offline components. In such cases one must determine whether or not the online component is integral to the nature of the service provided. If it is not integral, then such services cannot be categorized as an ISS. While these cases provide some clarity, it is clear that the definition and scope of what constitutes an ISS will continue to evolve with the evolution of technology. This is in direct contrast to the definition of a data fiduciary in the PDPB 2019, which is much more straightforward. The bill defines a data fiduciary as “any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.”

Further, much like Clause 16 of the PDPB 2019, the drafting of Article 8 raises questions on what constitutes proper consent and how such consent can be appropriately verified. Some of these questions have been delineated above in the Indian context and are also applicable here. The European Data Protection Board (‘EDPB’) has addressed these issues in its guidelines on consent issued under the GDPR. The guidelines state that if a data subject consents because they feel they have no real choice, then the consent is not valid. The guidelines also specify certain situations where the existence of an imbalance of power between the data subject and the controller, would render consent invalid. It further provides that consent would not be considered to be “freely given” if the consent was bundled with the acceptance of the terms and conditions of a website. Additionally, when it comes to the issue of capacity, the guidelines provide that for the consent to be informed, the data subject, or the individual having parental responsibility over the data subject, must have knowledge of the controller’s identity, knowledge of the purpose of each of the processing operations for which consent is sought, knowledge of the type of data collected and used, and knowledge of the existence of the right to withdraw consent.

Finally, even if the validity of consent is established, there is no provision to determine whether the person providing such consent is qualified to do so. According to the provisions of Article 8, consent must be given by a holder of parental responsibility. Does this include even individuals who are acting in loco parentis? For example, in the US, schools may act on the parents’ behalf in an educational context, when personal data is collected from the students for the use and benefit of the school. Further, once this consent is obtained, how is it to be verified? The GDPR has merely required that the controller take “reasonable efforts” to verify said consent. This means that in situations where consent was not verifiable, the controller could still rely on the un-verified consent so long as they prove that “reasonable” efforts were made to verify the same. Fortunately, the EDPB Guidelines on consent fill this gap in Article 8 by recommending two types of verification mechanisms for high-risk and low-risk categories respectively. In the low-risk category, verification of parental consent via email was held to be sufficient. In the high-risk category, it was recommended that further proof of consent would need to be acquired. Trusted third-party verification services were also recommended, to minimise the amount of personal data the controller had to process itself.

Conclusion

The examination of the GDPR provisions clearly shows that numerous issues have arisen in the course of its implementation. These issues have been resolved on a case-by-case basis by courts and other authorities. However, these solutions are remedial and not preventative. One preventative approach is the implementation of principles like data protection by design and default as specified in Article 25 of the GDPR. Data protection by design ensures that privacy and data protection issues are considered at the design phase of any system, service or product and then implemented throughout the lifecycle of the same. Data protection by default limits the type of data collected. It requires controllers to collect and process only such data as is necessary to achieve their specific purpose.

Data protection by design is a principle that is already enshrined in Clause 22 of the PDPB, which provides that every data fiduciary shall submit a privacy by design policy to the proposed Data Protection Authority (DPA) for approval and certification. The manner in which this is to be implemented and the standards of protection required for certification would be subject to future regulations. However, by requiring data fiduciaries engaged in the collection and processing of children’s data to adhere to a higher standard of data protection, the DPA could probably ensure the protection of children’s data regardless of any pitfalls in the practical implementation of Clause 16.

The above measure might not effectively solve the issues specified with the implementation of Clause 16. Notwithstanding these drawbacks, the provisions of this Bill might be the very first step in bringing India’s data protection thresholds at par with the rest of the world.


Search Engines and the Right to be Forgotten

This post is authored by Thulasi K. Raj.

In January 2021, Indian Kanoon, the legal case law database, argued before the Kerala High Court that requiring de-indexing of search results in the guise of privacy rights under Article 21 of the Constitution of India restricts the right to free speech. The petitioner in this case was aggrieved by the display of personal details including his name and address on Google, via Indian Kanoon. This has rekindled the debate on the right to be forgotten (“RTBF”) and its ambit in the Indian legal framework.

When we walk down the street, various personal identifiers such as one’s skin colour, approximate height, weight and other physical features are unconsciously communicated to others. It would be strange indeed, if the right to privacy required us to erase these memories, which we involuntarily capture in normal social life.

What makes digital memory different, however, is its relative permanency. A digital device can store data more or less permanently. Schönberger explores how human forgetfulness is problematically replaced by perfect memory in his aptly titled book ‘Delete: The Virtue of Forgetting in the Digital Age’. He rightly remarks that the “balance of remembering and forgetting has become inverted.” Remembering is now the default, “and forgetting, the exception.” If a derogatory news report from several years ago emerges in search results, it can momentarily damage one’s reputation and infringe upon privacy. This is where RTBF becomes significant.

Recital 65 of the EU’s General Data Protection Regulation (GDPR) acknowledges a “right to be forgotten”, i.e., for the personal data to be erased on certain occasions. One, where the data is no longer necessary in relation to the purpose for which it was collected. Two, where the particular individual has withdrawn their consent or objects to their data being processed or three, where the personal data does not comply with the GDPR. Recital 66 strengthens this right as it requires the data controller that made the personal data public, to inform other controllers that may also be processing the same personal data to also remove links or copies. 

The privacy argument behind the RTBF is that firstly, one must have control over one’s personal information. This includes personal details, contact information or search engine queries. Moreover, the individual, according to Mantelero, has a right not to be reminded of her previous acts, “without being perpetually or periodically stigmatized as a consequence of a specific action.” It enables her to regain control over her past, to decide as to which parts of her information should be accessible to others and which not.

The decision by the European Court of Justice (‘ECJ’) in Google Inc. v. AEPD in 2014 brought the discussion on the RTBF to mainstream political and academic debate. In this case, one Mario Costeja González in Spain, found that when his name was searched on Google, the results included a newspaper announcement of a real estate auction for recovery of his social security debts. He approached Agencia Española de Protección de Datos (AEPD), the Spanish Data Protection Agency, seeking removal of the information from Google. The claims against Google were allowed and Google appealed to the high court in Spain. The matter was then referred to the ECJ. The court recognised the RTBF under the 1995 EU Data Protection Directive, for the first time, and held that search engines must remove ‘inadequate, irrelevant, or excessive’ personal information about users.

In India, clause 20 of the Personal Data Protection Bill, 2019 recognises RTBF when any of the three conditions are satisfied: when retention of information is unnecessary, consent given for disclosure of personal data is withdrawn, or when retention of data is illegal. Unlike the EU, adjudicating officers have to determine whether these conditions are met before ordering for withholding of the information. The Supreme Court has made references to RTBF in the Puttaswamy judgment. Various High Courts also have discussed this right while considering pleas of removal of information from search engine results. Although such pleas are allowed in some cases, it is difficult to find an authoritative judicial pronouncement affirmatively and comprehensively locating a right to be forgotten in the Indian legal framework. 

An objection against recognition of the RTBF is its conflict with the right to free speech, especially in jurisdictions like the US where search engines claim the right to free speech. For example, while search engines are required to cease retaining personal information, they often argue that such requirement violates their right to freedom of speech. They claim that the right to display information is part of the right to free speech since it involves collection, selection, arrangement and display of information. For instance, in Langdon v. Google Inc. in the United States, Google has argued that the kind of function the search engine engages is not fundamentally different from that of a newspaper editor who collects, sorts and publishes information, and is therefore entitled to a comparable right to free speech. 

In India, the free speech rights of search engine companies have not been categorically adjudicated on so far. The right to free speech is available to citizens alone under Article 19 of the Constitution. But the Supreme Court in Chiranjit Lal Chowdhuri held that fundamental rights are available not only to citizens, but “corporate bodies as well.” The Court has also held in Delhi Cloth and General Mills that the free speech rights of companies are co-extensive to that of shareholders and denial of one can lead to denial of the other. This jurisprudence might enable search engine companies, such as Indian Kanoon in India, to make a free speech argument. However, the courts will be confronted with the critical question of how far search engine companies that collate information can be treated on par with companies engaged in printing and publishing newspapers.

The determination of the Indian Kanoon case will depend among other things on two aspects, from a rights perspective: firstly, whether and to what extent the court will recognise a right to be forgotten under the Indian law. This argument could rely on an expansive understanding of the right to privacy, especially informational privacy under Article 21 in the light of the Puttaswamy judgment. Secondly, whether search engines will be entitled to a free speech claim under Article 19. It remains to be seen what the implications of such a recognition will be, for search engines as well as for users. 

(The author is a practising lawyer and a DIGITAL Fellow at the Centre for Communication Governance at National Law University, Delhi).

The Right to be Forgotten – Examining Approaches in Europe and India

This is a guest post authored by Aishwarya Giridhar.

How far does the right to control personal information about oneself extend online? Would it extend, for example, to having a person’s name erased from a court order on online searches, or to those who have been subjected to revenge pornography or sexual violence such that pictures or videos have non-consensually been shared online? These are some questions that have come up in Indian courts and are some of the issues that jurisprudence relating to the ‘right to be forgotten’ seeks to address. This right is derived from the concepts of personal autonomy and informational self-determination, which are core aspects of the right to privacy. They were integral to the Indian Supreme Court’s conception of privacy in Puttaswamy vs. Union of India which held that privacy was a fundamental right guaranteed by the Indian Constitution. However, privacy is not an absolute right and needs to be balanced with other rights such as freedom of expression and access to information, and the right to be forgotten tests the extent to which the right to privacy extends.

On a general level, the right to be forgotten enables individuals to have personal information about themselves removed from publicly available sources under certain circumstances. This post examines the right to be forgotten under the General Data Protection Regulation (GDPR) in Europe, and the draft Personal Data Protection Bill, 2019 (PDP Bill) in India.

What is the right to be forgotten?

The right to be forgotten was brought into prominence in 2014 when the European Court of Justice (ECJ) held that users can require search engines to remove personal data from search results, where the linked websites contain information that is “inadequate, irrelevant or no longer relevant, or excessive.” The Court recognised that search engines had the ability to significantly affect a person’s right to privacy since it allowed any Internet user to obtain a wide range of information on a person’s life, which would have been much harder or even impossible to find without the search engine. 

The GDPR provides statutory recognition to the right to be forgotten in the form of a ‘right to erasure’ (Article 17). It provides data subjects the right to request controllers to erase personal data in some circumstances, such as when the data is no longer needed for their original processing purpose, or when the data subject has withdrawn her consent or objected to data processing. In this context, the data subject is the person to whom the relevant personal data relates, and the controller is the entity which determines how and why the data would be processed. Under this provision, the controller would be required to assess whether to keep or remove information when it receives a request from data subjects.

In comparison, clause 20 of India’s Personal Data Protection Bill (PDP Bill), which proposes a right to be forgotten, allows data principals (similar to data subjects) to require data fiduciaries (similar to data controllers) to restrict or prevent the disclosure of personal information. This is possible where such disclosure is no longer necessary, was made on the basis of consent which has since been withdrawn, or was made contrary to law. Unlike the GDPR, the PDP Bill requires data subjects to approach Adjudicating Officers appointed under the legislation to request restricted disclosure of personal information. The rights provided under both the GDPR and PDP Bill are not absolute and are limited by the freedom of speech and information and other specified exceptions. In the PDP Bill, for example, some of the factors the Adjudicating Officer is required to account for are the sensitivity of the data, the scale of disclosure and how much it is sought to be restricted, the role of the data principal in public life, and the relevance of the data to the public. 

Although the PDP Bill, if passed, would be the first legislation to recognise this right in India, courts have provided remedies that allow for removing personal information in some circumstances. Petitioners have approached courts for removing information in cases ranging from matrimonial disputes to defamation and information affecting employment opportunities, and courts have sometimes granted the requested reliefs. Courts have also acknowledged the right to be forgotten in some cases, although there have been conflicting orders on whether a person can have personal information redacted from judicial decisions available on online repositories and other sources. In November last year, the Orissa High Court also highlighted the importance of the right to be forgotten for persons whose photos and videos have been uploaded online, without their consent, especially in the case of sexual violence. These cases also highlight why it is essential that this right is provided by statute, so that the extent of protections offered under this right, as well as the relevant safeguards can be clearly defined.

Intersections with access to information and free speech

The most significant criticisms of the right to be forgotten stem from its potential to restrict speech and access to information. Critics are concerned that this right will lead to widespread censorship and a whitewashing of personal histories when it comes to past crimes and information on public figures, and a less free and open Internet. There are also concerns that global takedowns of information, if required by national laws, can severely restrict speech and serve as a tool of censorship. Operationalising this right can also lead to other issues in practice.

For instance, the right framed under the GDPR requires private entities to balance the right to privacy with the larger public interest and the right to information. Two cases decided by the ECJ in 2019 provided some clarity on the obligations of search engines in this context. In the first, the Court clarified that controllers are not under an obligation to apply the right globally and that removing search results for domains in the EU would suffice. However, it left the option open for countries to enact laws that would require global delisting. In the second case, among other issues, the Court identified some factors that controllers would need to account for in considering requests for delisting. These included the nature of information, the public’s interest in having that information, and the role the data subject plays in public life, among others. Guidelines framed by the Article 29 Working Party, set up under the GDPR’s precursor also provide limited, non-binding guidance for controllers in assessing which requests for delisting are valid.

Nevertheless, the balance between the right to be forgotten and competing considerations can still be difficult to assess on a case-by-case basis. This issue is compounded by concerns that data controllers would be incentivised to over-remove content to shield themselves from liability, especially where they have limited resources. While larger entities like Google may have the resources to be able to invest in assessing claims under the right to be forgotten, this will not be possible for smaller platforms. There are also concerns that requiring private parties to make such assessments amounts to the ‘privatisation of regulation’, and that the limited potential for transparency on erasures removes an important check against over-removal of information.

As a result of some of this criticism, the right to be forgotten is framed differently under the PDP Bill in India. Unlike the GDPR, the PDP Bill requires Adjudicating Officers, and not data fiduciaries, to assess whether the rights and interests of the data principal in restricting disclosure override others’ right to information and free speech. Adjudicating Officers are required to have special knowledge of or professional experience in areas relating to law and policy, and the terms of their appointment would have to ensure their independence. While they seem better suited to make this assessment than data fiduciaries, much of how this right is implemented will depend on whether the Adjudicating Officers are able to function truly independently and are adequately qualified. Additionally, this system is likely to lead to long delays in assessment, especially if the quantum of requests is similar to that in the EU. It will also not address the issues with transparency highlighted above. Moreover, the PDP Bill is not finalised and may change significantly, since the Joint Parliamentary Committee that is reviewing it is reportedly considering substantial changes to its scope.

What is clear is that there are no easy answers when it comes to providing the right to be forgotten. It can provide a remedy in some situations where people do not currently have recourse, such as with revenge pornography or other non-consensual use of data. However, when improperly implemented, it can significantly hamper access to information. Drawing lessons from how this right is evolving in the EU can prove instructive for India. Although the assessment of whether or not to delist information will always be subjective to some extent, there are some steps that can be taken to provide clarity on how such determinations are made. Clearly outlining the scope of the right in the relevant legislation, and developing substantive standards aimed at protecting access to information that can be used in assessing whether to remove information, are some measures that can help strike a better balance between privacy and competing considerations.