This post is authored by Debayan Bhattacharya and Pulkit Goyal
Section 91 of the Criminal Procedure Code 1973 (“CrPC”) empowers the police to require the production of ‘any document or thing’ from any person if they consider it ‘necessary or desirable’ for any investigation, inquiry, or proceeding under the CrPC. The provision grants the police broad power to obtain evidence and it is frequently used to mandate the production of revealing data like Call Detail Records, (“CDRs”) which contain details of communications made over a telecommunications network. While they do not contain the content of the communication, they contain metadata such as the duration of call, who made it, who it was addressed to, when it was made and from where. The section, which stands in effect unchanged from section 94 of the CrPC, 1898 is a colonial provision that was enacted by a foreign power when fundamental rights, and in specific a right to privacy, did not exist. Moreover, our personal data, today, is available to a larger number of actors, at a higher level of granularity, than in the past. This makes the privacy risk associated with requisitioning data significantly greater. For example, RazorPay was recently required to hand over the data on thousands of transactions that had been made via its platform to AltNews. This post explores the privacy implications of the current framework, arguing that the provision is a significant infringement on individual privacy that lacks crucial safeguards. It also makes recommendations to address these concerns.
Issues with Section 91
The judgment in Puttuswamy I recognized the right to privacy as a fundamental right under Article 21 of the Constitution. By recognising privacy within the ambit of Article 21, the court ensured that restrictions on privacy would have to comply with the requirements of a ‘fair, just, and reasonable’ procedure set out by the decision in Maneka Gandhi. In fact, the court in PUCL had ruled that a surveillance provision in the Telegraph Act did not contain sufficient safeguards, prompting the court to lay down guidelines that were eventually codified in the Telegraph Rules. In Puttaswamy I, itself, Justice Chandrachud’s opinion traced and emphasized the importance of procedural safeguards for the right to privacy. Moreover, Justice Kaul at Para 71 of his opinion in the same judgment identifies the requirements of legality, necessity, proportionality, and procedural safeguards that must be met for a provision to be constitutional.
The lack of procedural safeguards causes Section 91 to constitute an impermissible infringement of individual privacy. At first blush, Section 91 of the CrPC seems to have some safeguards. It lays down a standard of ‘necessity or desirability’ to require the production of information. Textually speaking, ‘desirability’ means ‘the quality of being wanted’, which confers significant discretion by conflating ‘when the police want’ data and ‘when it is legal for the police to requisition data’. The standard may be contrasted with Section 311 of the CrPC, which permits the Court to summon a witness ‘essential to the just decision of the case.’ The Supreme Court recently distinguished Sections 91 from 311 in Varsha Garg v State of Madhya Pradesh. It held that the “necessary or desirable” standard under section 91 is met when the information sought is relevant, while 311 requires the higher standard of essentiality to be met. Even aside from this low standard, these safeguards are largely illusory as there is no independent oversight mechanism (either ex-ante or ex-post) to scrutinize whether the action was necessary (or desirable at the time it was done).
Moreover, there are primarily two stages where section 91 requisitions are made – (1) during investigation by the police and (2) during trial on an application made in court. While applications made in court can be, and are, challenged (as they were in Varsha Garg), orders made during investigation are not. These orders are made by the police to entities in possession of data, which are corporations and intermediaries such as banks, telecos, etc. These entities lack any incentive to challenge any such order made against them, especially when noncompliance carries criminal consequences under section 174 of the Indian Penal Code, 1860 (Non-attendance in obedience to an order from public servant). Further, there is no requirement to notify the affected individual (either ex ante or post facto) so little or no adversarial contestation to section 91 orders made during investigation by the police to third party intermediaries. This further limits any potential challenge to Section 91 orders by investigative agencies.
Additionally, since Section 91 does not limit whose data can be demanded, it is possible that a third person’s CDRs are presented at trial as evidence, this person will probably never learn of it or have the opportunity to challenge the disclosure of such information even post or during trial. Ultimately, the affected individual does not know when such a request is made, these requests are legally binding, the substantive threshold for initiating a request for information provides almost absolute discretion to the executive, and there is no mechanism to enforce a standard even if it is construed narrowly. Thus, there is a significant lack of procedural safeguards.
Call data records
Another issue with Section 91 is that it is essentially a shortcut to a level of invasive surveillance that ordinally requires the State to satisfy higher standards. The Telegraph Act, 1885 and the Information Technology Act, 2000 provide for the interception of calls and electronic transmissions but have some safeguards in place. Specifically, Section 5(2) of the Telegraph Act allows for interception of messages on the occurrence of a public emergency or in the interest of public safety. Further, Rule 419A of the Indian Telegraph Rules of 1951 provides for review of directions under Section 5(2) of the Telegraph Act. Similarly, section 69A of the Information Technology Act read with IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 empowers senior government officials to issue surveillance directions if it is necessary or expedient to do so for specific grounds (including in this case investigation of an offense). These directions are also reviewed as per Rule 22 of the Interception Rules.
CDRs and ongoing interception (surveillance) may appear to be different since the latter deals with the recording of content of calls in real time while CDRs are metadata of past calls. However, the routine maintenance of CDRs itself represents an indirect and ongoing form of surveillance. With access to metadata, it is possible to combine this metadata with other publicly available data, such as phone books, social media accounts, etc., and discern information such that it constitutes a significant violation of the right to privacy, arguably on par with real-time surveillance. Moreover, metadata can be more easily processed by computers than content data. For e.g A calls her sister B for an hour following which A calls an abortion clinic which is followed with multiple follow up calls over the period of a few months. It may reasonably be deduced, even without knowing the contents of the call, that A got an abortion. This is private information but can be revealed just by perusing metadata. Metadata, thus, also carries substantial privacy implications. Accordingly, the requisitioning of CDRs should be accorded similar safeguards to those which apply to interception. The provisions under the Telegraph Act and IT Act have more safeguards in the form of who is empowered to issue the directions and that the directions are reviewed by specific authorities. Though these safeguards are in no way sufficient, the issue is that section 91 effectively bypasses the limited safeguards that do exist to obtain information that is privacy infringing to a similar degree.
Alternatives and recommendations
Choices made with respect to the collection of evidence strike a specific balance between Crime Control and Due Process models of criminal procedure. The former emphasizes the importance of tailoring evidence law to ensure sufficient punishment of crimes while the latter provides greater importance to the protection of rights and liberties. Since Section 91 allows for a broad, unchecked power for police to acquire CDRs and other documents, it clearly leans towards a crime control model.
What would a due process approach look like? The South African Constitutional Court recently held that surveillance orders constitutionally require notification to the person affected as soon as it can be given without jeopardizing the purpose of the investigation. It further required the collected data to be deleted after a fixed amount of time. In the United States, a warrant is required for the production of such evidence and consequently, as per the IVth Amendment, requires probable cause in order to justify infringing the privacy of individuals. Probable cause must be shown to a judge for the issue of a warrant, meaning that there is a procedural safeguard in the form of application of judicial mind to ensure adherence to the standard.
Therefore, a good starting point for additional safeguards (for CDRs at the bare minimum) includes requiring prior permission from a judicial authority in the form of a warrant and a notification of the surveillance (either ex ante or post facto). This would allow a challenge to the requisition order in a court of law as violating their fundamental rights and ensure some prior judicial application of mind in the process.