The Digital Personal Data Protection Bill, 2022 (“2022 Bill”) was released by the Ministry of Electronics and Information Technology on November 18, 2022, with the stated intent of being concise, comprehensible, and simplified for the citizens. For these reasons, the 2022 Bill has made significant changes to the framework of the earlier Personal Data Protection Bill, 2019 (“2019 Bill”), which was withdrawn earlier this August during the Monsoon session of the Parliament.
We have prepared this detailed tracker to record the changes made in the 2022 Bill, and compared the differences in the key provisions of the 2022 Bill and the 2019 Bill. This tracker can be a helpful reference while analysing the two Bills, or even a quick guide to the changes brought out in the 2022 Bill.
This tracker has used the 2019 Bill as reference for the changes, as this was the last version of the Data Protection Bill which was introduced before the Parliament as a comprehensive legislation. We have analysed each clause and sub-clause of the 2022 Bill and compared it to the corresponding provisions of the 2019 Bill. We have provided the full text of the provisions (highlighting the differences) as well as a brief summary of changes under the 2022 Bill. Readers may use the 2022 Bill as the base, when looking for the changes made to specific provisions of the 2019 Bill.
As the public and expert analyses and opinions on the 2022 Bill are still being developed, we invite comments on any errors or omissions of corresponding provisions which may be present in this tracker.
On 25 June 2022, in Dobbs v. Jackson, the U.S. Supreme Court (“SCOTUS”) declared that the U.S. Constitution does not guarantee a right to abortion. SCOTUS thus overturned the celebrated 1973 judgment titled Roe v. Wade which had held the right to abortion to be constitutionally protected. This post analyses Roe and Dobbs, examining how and why they treated the term “liberty” differently. It then contrasts these definitions with the Indian understanding of “liberty”.
“Liberty” and “tradition”: A brief overview of Roe and Dobbs
The legal issue on which Roe and Dobbs disagree concerns the word “liberty” in the Fourteenth Amendment to the U.S. Constitution. The Amendment states that the State shall not “deprive any person of life, liberty, or property, without due process of law”. SCOTUS decisions prior to 1973 interpreted the word “liberty” narrowly . They held that the word does not include all kinds of liberties; it refers to those liberties which were historically and traditionally considered fundamental in the U.S. For example, Palko (1937) held that the Fourteenth Amendment only protects liberties “so rooted in the traditions and conscience of our people as to be ranked as fundamental.” Similarly, Snyder (1934) held that the words “due process” imply the processes traditionally guaranteed in the U.S.
The Court in Roe (1973) was aware of these precedents. However, the majority ultimately held that the Fourteenth Amendment protects “personal rights that can be deemed ‘fundamental’ or ‘implicit in the concept of ordered liberty’.” Conspicuously, the reference to history and tradition was omitted, presumably implying that history and tradition are not essential to the analysis. Hence, while narrating the history of abortion, the majority did not deem it necessary to locate a right to abortion in American tradition. It merely found that “at common law, at the time of the adoption of our Constitution, and throughout the major portion of the 19th century, abortion was viewed with less disfavor than under most American statutes currently in effect” (emphasis supplied). It then proceeded to hold that the right to abortion was protected under the Fourteenth Amendment as a facet of the right to privacy. Roe’s treatment of history and tradition would eventually become the main reason for its overturning in Dobbs.
But Roe was not alone in treating history and tradition as inconclusive. SCOTUS has generally wavered on this issue. E.g., in Obergefell (the 2015 decision affirming a right to same-sex marriages), SCOTUS held that while history and tradition “guide and discipline this inquiry”, they “do not set its outer boundaries”. Contrast this with Glucksberg (the 1997 decision rejecting a right to assisted suicide) which held that the “outlines” of the word “liberty” are to be “carefully refined by concrete examples involving fundamental rights found to be deeply rooted in our legal tradition,” indicating a conclusive reliance on tradition. Thus, the question of whether “liberty” is to be interpreted purely normatively (‘implicit to ordered liberty’), or must also be grounded in historical experience is itself contested in SCOTUS jurisprudence and has changed over time – often based on the composition of the court on a given day and case.
In attacking Roe’s conclusion, then, the main objection taken by the Dobbs Court — composed of a 6-3 conservative majority — was a historical one. The majority re-examined historical evidence and found that abortion has been traditionally criminalised, or at least negatively treated, in most states: “By the time the Fourteenth Amendment was adopted, three-quarters of the States had made abortion a crime at any stage of pregnancy. This consensus endured until the day Roe was decided. Roe either ignored or misstated this history….” Citing Palko (1937) and Glucksberg (1997) for the necessity to ground liberty in historical practice, the majority rejected the idea that an abortion right was “deep-rooted” in American history and tradition. Thus, it found, the word “liberty” in the Fourteenth Amendment did not protect a woman’s right to medically terminate her pregnancy.
The implication is this. After Dobbs, the 14th amendment itself does not include a right to medically terminate a pregnancy because the right is not “deeply rooted” in American history and tradition. Thus, there exists no need to examine whether there exists a countervailing right of the woman which must be “balanced” against the State’s interest in protecting prenatal life. As described by the dissent: “The constitutional regime we have lived in for the last 50 years recognized competing interests, and sought a balance between them. The constitutional regime we enter today erases the woman’s interest and recognizes only the State’s….”
It is easy to see why SCOTUS’ reliance on history and tradition is problematic. The point of a Bill of Rights is to insulate freedom and equality from majority control. It is hence paradoxical that the meaning of liberty turns on popular tradition. Relying on a male political majority’s treatment over a period of time of women (at a time when the latter were denied political representation – women were not allowed to vote when the 14th amendment was passed – and equal standing in society) to determine the liberties afforded to women today risks codifying past injustices into modern rights law. The Dobbs dissent rightly argues, quoting Obergefell, that “[i]f rights were defined by who exercised them in the past, then received practices could serve as their own continued justification.” This circular test—which sees the Constitution as a tool to cement tradition rather than challenge it—allows all kinds of regressive, liberty-restricting practices to be upheld so long as they are rooted in American history and tradition. Finally, history itself may be contested and heterogeneous, and the Court’s approach provides few safeguards against the selective reliance and interpretation of “history” by the majority.
Yet, the dissent struggles—and so does an amicus brief —to articulate an alternative test to define “liberty”. The dissent argues, rightly, that history and tradition are not captured “in a single moment” and should be understood with reference to “the longsweep of our history and from successive judicial precedents”. But this does not take us very far. Is tradition relevant at all? How relevant? When can you overlook it? Is it possible to ensure that judges will not start interpreting the word “liberty” based on their own personal biases, in ways completely disconnected from American tradition? The dissent does not argue that tradition is irrelevant, and does not provide any principled test to determine when its relevance is reduced.
“Liberty” in the Indian Constitution
While the Indian Supreme Court often discusses the history of the issue before it (very common in reservation cases, e.g.), history and tradition have never been the determining factors to define “liberty” in Art.21 of the Indian Constitution. The meaning of “liberty” has been determined by other considerations.
Art.21 prohibits the State from depriving any person of “personal liberty” except as per procedure established by law. Separately, Art.19 lists six (originally seven) freedoms: speech, assembly, association, movement, residence and trade. In its early years, the Supreme Court was called upon to decide if the “liberty” contemplated by Art.21 was broad enough to include the six freedoms listed in Art.19. This question was first answered in Gopalan (1950). By a 5-1 majority, the Court held that since Art.21 spoke only of “personal” liberty—i.e., liberty of one’s person—it had to be interpreted narrowly to mean freedom from bodily restraint. As Das J. put it, liberty is the “antithesis of physical restraint or coercion”. The majority viewed Art.19 and Art.21 as distinct rights having no overlapping content. In other words, the content of “liberty” in Art. 21 was not informed by the rights enumerated in Art. 19
In the Gopalan era, therefore, Art.21 had a narrow scope. It did not, e.g., include the right to privacy, as held in M.P. Sharma (1954) and Kharak Singh (1964). But Gopalan was overturned after the Emergency. In Maneka (1978), the Supreme Court held that fundamental rights are not siloed; they are overlapping in terms of their content. Accordingly, the meaning of “personal liberty” in Art.21 was held to include and be informed by the six enumerated freedoms of Art.19 and other constitutional sources.
But none of these activities or rights have had to pass a historical test before being recognised. The term “personal liberty” has been understood as being “of the widest amplitude” (Maneka 1978) and defined as “a power of acting according to the determinations of the will” (Mhetre 2011). These holdings imply that the words “personal liberty” encompass the freedom to do whatever one wants, although the freedom is not absolute and is subject to any fair, just and reasonable law made by the State (such as criminal legislations which identify and punish certain acts like murder, theft etc.) on legitimate grounds. In other words, the idea of “liberty” does not depend on the act being performed or its historical acceptance. In contrast with the SCOTUS, Indian courts have called the Constitution a “transformative” document, emphasizing its role as a revolutionary instrument that appropriately challenges tradition rather than protect it.
In one sense, this is a much neater test as compared to the one followed by SCOTUS. In context of abortion, because the interpretation of “liberty” does not presumptively exclude the right to terminate a pregnancy (Dobbs) it means that the Court must recognise two competing rights—the woman’s right to have an abortion and the fetal right (if it is shown to exist) to life—and resolve the conflict by evaluating the necessity and proportionality of the restrictions placed by the State.
This is not to say that the test under Art.21 has no flaws. The flexibility of the “fair, just and reasonable” standard also means that it is vague, and a restriction deemed to be reasonable by one bench or court could well be deemed unreasonable by another. Yet, the advantage of the Maneka test is that it does not allow the Court to outrightly reject either competing right on the ground that it does not comport with historical practices and popular traditions. The Court must at least enter the balancing exercise and explain why particular restrictions on rights are proportionate or disproportionate.
“Liberty” under the Indian Constitution is substantially different from that under the U.S. Constitution. The SCOTUS test is problematic; tradition and history are not objective and using them to define “liberty” is not wise. In contrast, Art.21 protects all liberty, and is open to recognising competing rights within the constitutional scheme. A woman’s right to abortion is hence recognised, but is to be ‘balanced’ against the right to life of the fetus (if such a competing right is shown to exist). This allows for a much more principled inquiry into the competing interests and for testing the necessity and proportionality of the State measure in question.
The Dobbs ruling has serious implications for privacy rights. The immediate implications are on pregnancy and reproductive autonomy: 11 states in the U.S. already have laws criminalizing abortions, while 13 more states are speculated to pass such laws in the near future. The de-recognition of the right to abortion as a fundamental right also poses dangers of surveillance and sensitive data collection by law enforcement agencies by piggy-backing on the data stored with financial companies and even mentruation-tracking apps in an effort to track individuals who may have had an abortion in a state where it is illegal. Looking beyond pregnancy, the Dobbs decision might imply—as both the concurrence (by Justice Thomas) and the dissent suggest—a threat to other rights which were recognized by SCOTUS as flowing from the right to privacy, including the right to contraception, the right to same-sex marriage, homosexuality rights, etc. The majority rejects this suggestion because “none of these decisions involved what is distinctive about abortion: its effect on what Roe termed ‘potential life’”. However, as the dissent notes, other rights based on the 14th amendment’s guarantee of autonomy and privacy may also fail the test of being “deeply rooted” in tradition. The effect of Dobbs on those other rights may be more complex than what the various Justices suggest. These and other aspects of the Dobbs fallout will be discussed in a future post.
This blog was written with the support of the Friedrich Naumann Foundation for Freedom.
On 26th May 2022, the Ministry of Electronics and Information Technology (MeitY), released the Draft National Data Governance Framework Policy (NDG Policy) for feedback and public comments. CCG submitted its comments on the NDG Policy, highlighting its feedback and key concerns with the proposed Data Governance Framework. The comments were authored by Joanne D’Cunha and Bilal Mohamed, and reviewed and edited by Jhalak M. Kakkar and Shashank Mohan.
The draft National Data Governance Framework Policy is a successor to the draft ‘India Data Accessibility and Use’ Policy, which was circulated in February 2022 for public comments and feedback. Among other objectives, the NDG policy aims to “enhance access, quality, and use of data to enable a data-led governance” and “catalyze AI and Data led research and start-up ecosystem”.
CCG’s comments to the MeitY are divided into five parts –
In Part I, of the comments we foreground our concerns by emphasising the need for comprehensive data protection legislation to safeguard citizens from potential privacy risks before implementing a policy around non-personal data governance.
In Part II, we focus on the NDG Policy’s objectives, scope, and key terminologies. We highlight that the NDG Policy lacks in sufficiently defining key terms and phrases such as non personal data, anonymisation, data usage rights, Open Data Portal, Chief Data Officers (CDOs), datasets ecosystem, and ownership of data. Having clear definitions will bring in much needed clarity and help stakeholders appreciate the objectives and implications of the policy. This also improves engagement from the stakeholders including the government in the policy consultation process. This also enhances engagement from the stakeholders, including the various government departments, in the policy consultation process. We also highlight that the policy does not illustrate how it will intersect and interact with other proposed data governance frameworks such as the Data Protection Bill 2021 and the Non Personal Data Governance Framework. We express our concerns around the NDG Policy’s objective of cataloguing datasets for increased processing and sharing of data matching with the aim to deploy AI more efficiently. It relies on creating a repository of data to further analytics, and AI and data led research. However, it does not take into consideration that increasing access to data might not be as beneficial if computational powers of the relevant technologies are inadequate. Therefore, it may be more useful if greater focus is placed on developing computing abilities as opposed to increasing the quantum of data used.
In Part III, we focus on the privacy risks, highlighting concerns around the development and formulation of anonymisation standards given the threat of re-identification from the linkage of different datasets. This, we argue, can pose significant risks to individual privacy, especially in the absence of a data protection legislation that can provide safeguards and recognise individual rights over personal data. In addition to individual privacy harms, we also point to the potential for collective harms from using aggregated data. To this end, we suggest the creation of frameworks that can keep up with the increased risks of reidentification posed by new and emerging technologies.
Part IV of our comments explores the institutional framework and regulatory structure of the proposed India Data Management Office. The proposed IDMO is responsible for framing, managing, reviewing, and revising the NDG Policy. Key concerns on the IDMO’s functioning pertain to the exclusion of technical experts and representatives of civil society and industry in the IDMO. There is also ambiguity on the technical expertise required for Chief Digital Officers of the Digital Management Units of government departments and ministries, and the implementation of the redressal mechanism. In this section, we also highlight the need for a framework within the Policy to define how user charges will be determined for data access. This is particularly relevant to ensure that access to datasets is not skewed and is available to all for the public good.
You can read our full submission to the ministry here.
Recent judicial decisions have transformed our understanding of privacy, autonomy, and equality; significantly so post the Supreme Court’s PuttaswamyI judgement. In Puttaswamy I, the Court reaffirmed privacy as a fundamental right grounded in the ideas of autonomy and dignity. An important consequence of this understanding of privacy is its impact on questions of individual privacy within the confines of a marriage. For example, in a recent case on the subject of marital rape, the Karnataka High Court allowed rape charges against the husband and emphasised the importance of reinforcing the right to equality and the right to individual autonomy and dignity of a woman within a marriage.
One such provision within family law that raises concerns about individual autonomy and privacy within marriage is the Restitution of Conjugal Rights (‘RCR’). It is a legal remedy available to spouses where one spouse deserts the other without a ‘reasonable’ excuse or on certain ‘unlawful’ grounds. In such cases, the ‘aggrieved’ party has the right to seek a decree for RCR, by which a court order may direct the deserting party to compulsory cohabit with the ‘aggrieved’ party. The remedy of RCR is provided for under Section 9 of the Hindu Marriage Act, 1955 as well as, Muslim Personal Law, the Parsi Marriage and Divorce Act, 1936 (S. 36), the Indian Divorce Act, 1869 (S. 32-33), and the Special Marriage Act, 1954 (S. 22). Generally, if a person fails to comply with a RCR decree a court can attach their property under the Civil Procedure Code (Order 21, Rule 32).
In this post, I analyse the State’s objectives in providing spouses with the RCR remedy and argue that the remedy itself violates the right to privacy under Article 21 by failing to satisfy the test of proportionality.
Privacy, autonomy, and State interference
State regulation of domestic relations has seen laws governing marriage, divorce, adultery, and sexual relations between consenting adults, for example the criminalisation of homosexuality. Marriage is a social contract recognised by the State and to a certain extent, is also subject to regulation by the State. Although regulations around marriage may be for a variety of reasons, it may be argued that they serve two key interests: protection of individual rights, and the State objective to protect the institution of marriage (often articulated as maintaining “cultural ethos and societal values”). Examples of the former rationale include laws recognising domestic violence, cruelty, and prioritising individual autonomy by providing divorce as a remedy. The latter rationale can be seen in laws criminalising adultery and homosexuality (both of which have been struck down by the Supreme Court of India post Puttaswamy I) and providing restitution of conjugal rights as a remedy. However, by protecting the institution of marriage, the State also protects a particular conceptionof that institution, specifically the socially accepted notion of a monogamous, heterosexual, and procreative marriage.
It is widely accepted that RCR is an archaic English law (from a time when cohabitation was expected of women) that, as the Bombay High Court noted in 1885, did not exist prior to colonial rule. However, the remedy was codified in the Hindu Marriage Act in 1955 even after India achieved independence and continues to exist despite its patriarchal connotations. The 71st Law Commission Report of 1978 (page no. 27, para 6.5) emphasised the importance of cohabitation to protect the ‘sanctity of marriage’. The High Court of Delhi, in Harvinder Kaur vs. Harmander Singh Choudhry (1984)also adopted this view and held that the restitution of conjugal rights is an important remedy to protect the institution of marriage. The Delhi High Court rejected privacy considerations by stating that a decree of RCR was not the “starkest form of governmental intervention into marital privacy” since it merely aims to restore cohabitation and does not enforce sexual intercourse. As I argue below, this reasoning raises questions about individual autonomy. However, the Delhi High Court’s rationale was accepted by the Supreme Court in Saroj Rani vs. Sudarshan Kumar Chadha (1984), where the apex Court upheld the constitutionality of RCR and reiterated that the right to cohabitation is “inherent in the very institution of marriage itself.”
This view of RCR — to preserve the institution/ sanctity of marriage — creates tensions with the objective of the State to protect individual rights. An RCR decree interferes with the right to privacy and autonomy by compelling an individual to cohabit with their spouse against their will. This may especially be true after the articulation of the right to privacy by the Supreme Court in Puttaswamy I. The decree of RCR creates an unwanted intrusion into a person’s personal life by denying them autonomy over where they live, and also potentially on the sites of sexual and reproductive decision making. Any analysis of RCR must recognise the power asymmetry within domestic relations that pervasively results in women being subject to physical and sexual violence at home. Thus, contrary to the reasoning given by courts in Harvinder Kaur and Saroj Rani, by compelling women to cohabit with men they have deserted, a decree of RCR may place women at significant risk of domestic violence, economically compromised living conditions, and non-consensual sexual intercourse.
The Andhra Pradesh High Court in T Sareetha vs. Venkata Subbaiah in 1983 recognised that the grant of an RCR decree would amount to an interference of the State into the private sphere, compelling cohabitation or even indirectly, sexual intercourse. The High Court found that this interference of the State through RCR violated the right to privacy, autonomy, and dignity of the individual against whom the decree was sought by ‘transferring the decision to have or not have marital intercourse from the individual to the State’. This decision was overruled by the Supreme Court’s Saroj Rani decision in 1984. While the Puttaswamy 1 judgement in 2017 did not expressly refer to Sareetha, all nine judges broadly adopted the approach taken in the Sareetha judgement, adopting a conception of privacythat recognises its basis in individual autonomy and dignity.
In Puttaswamy I, the Supreme Court ruled that individual autonomy, that recognises the ability of individuals to control vital aspects of their life (including reproductive rights, sexual orientation, gender identity), is an intrinsic part of the right to privacy guaranteed under Article 21 of the Constitution. By this reasoning, a decree of RCR does not account for the right to autonomy of an individual and violates their right to privacy by legally compelling the individual to cohabit despite them making a conscious choice to separate from their spouse.
In recent years, there has been a shift in the thinking of courts, where the right to individual privacy and autonomy is prioritised as opposed to protection of the institution (and specific conceptions of that institution) of marriage. For instance, in Joseph Shine, the Supreme Court held that the law that criminalised adultery treated women as property and was unconstitutional. It opined that although the criminalisation of adultery was introduced to protect the institution of marriage, it serves the interests of one party and denies agency to women. The Court noted –
“The provision is proffered by the legislature as an effort to protect the institution of marriage. But it proceeds on a notion of marriage which is one sided and which denies agency to the woman in a marital tie. The ability to make choices within marriage and on every aspect concerning it is a facet of human liberty and dignity which the Constitution protects.”
Bearing in mind this view of the court, RCR would not stand up to judicial scrutiny as a constitutionally valid right, since it disregards the autonomy and dignity of an individual under the notion of the State aim to protect the institution of marriage.
The proportionality test
In 2017, Puttaswamy I laid down a four-part test for determining the validity of an infringement of the right to privacy. The test’s first limb necessitates the existence of a codified law, which is met with in the case of RCR through various statutory provisions. The test also requires the existence of procedural safeguards against abuse of State interference, which is of reduced significance in the case of RCR as both a RCR decree and post-decree attachment of property require prior judicial authorisation and oversight. In addition to the need for statutory authorisation and procedural safeguards, for an infringement to be valid it must satisfy the limbs of legitimate aim, necessity, and proportionality. The Puttaswamy II (Aadhar) case applied this test, which was first articulated in the Modern Dental College judgement in 2016. This test requires:
any limitation of a constitutional right is enforced for a proper purpose (legitimate aim);
there is a rational nexus between the proper purpose and the measure adopted to achieve it and there are no alternative measures which would achieve the purpose but are less restrictive of rights (necessity); and
the restriction on the constitutional right must be proportionate to the purpose set out by the State (balancing or proportionality).
Firstly, it must be noted that, as observed by the Supreme Court in Saroj Rani, the stated purpose of the measure is protecting the institution of marriage. As stated above, in Joseph Shine the Supreme Court rejected the State’s argument that protecting the institution of marriage was a proper purpose where the State’s measure protected “a notion of marriage that is one sided and denies agency to women.”. In this context, RCR only protects a notion of marriage where individuals cohabit and engage in sexual intercourse, denying agency to individuals and violating individual autonomy. Secondly, the decree of RCR should have a rational nexus with the aim of protecting the institution of marriage. In this regard, it is relevant to note that, in certain instances, individuals routinely file RCR cases expecting non-compliance by the other party, using this non-compliance with the RCR decree as a ground for divorce. Thus, the historically dominant objective of the State of “protecting” the institution of marriage through the positive remedy of RCR may also not be satisfied.
Even if RCR furthers the State’s aim of protecting marriage, it would need to pass the third prong of the proportionality test, i.e., the State must meet the objective of the law through the ‘least restrictive measure’. The State could resort to alternate measures, similar to the ones observed under divorce petitions; an order of mediation or a ‘cooling off’ period provisioned in cases of divorce with mutual consent furthers the aim of protecting the institution of marriage without violating individual rights. However, in a decree of RCR there persists a violation of an individual’s privacy, enforced by coercion through the attachment of property.
The fourth part of the proportionality test emphasises the need to have a balance between the interest of the State and the rights of individuals. As stated earlier, the infringement of individual rights through an RCR decree creates severe consequences that violate the right to privacy and autonomy of an individual, including putting women in particular, at risk of harm. Thus, the gravity of the rights violation arguably outweighs the State interest of protecting marriage, especially since the State aim is often not met and the decree becomes a ground for divorce.
The application of the test of proportionality by Indian courts has garnered criticism as being deferential to the State. However, even with this deferential application, as demonstrated above, RCR would likely not pass the four-part test of proportionality endorsed by the courts in Modern Dental College and Aadhaar.
In the post-Puttaswamy era, various High Courts have recognised the autonomy and dignity of women within marriage under the fundamental right to privacy. For instance, in a recent right to abortion case, the High Court of Kerala relied on Puttaswamy I and held that a woman’s autonomy of body and mind with respect to reproductive decisions are part of the right to privacy. As discussed above, the High Court of Karnataka, in its recent decision, while allowing rape charges against the husband, acknowledged that the exception of marital rape stems from an archaic notion of marriage where the wife was considered property. On similar grounds, one may argue that RCR should be considered invalid since it is based on the outdated notion of marriage where the wife was considered the property of the husband and had no individual autonomy of her own. As noted above, it is also incompatible with the test of proportionality.
On 30 December, 2021, the Gujarat HC observed that an RCR decree could not force a woman to cohabit with her husband. The court recognised that a decree of RCR needs to consider both the parties’ and not solely the ‘right of the husband’. Further, it opined that the very fact that there exists an option given to not comply with the RCR decree under the Civil Procedure Code indicates that the court cannot force a woman to cohabit against her will. The court further laid down certain grounds under which a person could refuse to comply with an RCR decree including cruelty, adultery, and failure of the husband in performing marital obligations. Although this decision seems to encourage considering the rights of women in a marital relationship – it fails to reaffirm the right to privacy and autonomy of the subject of the decree against a law that is effectively discriminatory. It grants power to the courts to decide on a case-to-case basis whether the right can be granted, which could lead to a potential violation of individual rights given the nature of this provision.
Striking down RCR provisions does not mean that there must be a complete embargo on the interference of the State into marriage – for example, the power asymmetry in domestic relationships necessitates the enforcement of laws against domestic violence and most likely requires the criminalisation of marital rape. However, taking into consideration the constitutional scrutiny of laws against the backdrop of State interference and right to privacy, RCR may not stand the test of constitutionality. Currently, a petition challenging the constitutionality of RCR is pending before the Supreme Court – if the above arguments are considered by the court, RCR may be struck down on the grounds that it violates the right to privacy.
This post was originally published on Livelawon 26 April 2022.
In Justice (Retd.) K.S. Puttaswamy vs. Union of India (“Puttaswamy”) the Apex Court noted that there is a distinction between public and private spaces. Keeping this in mind, this post investigates the scope of one’s right to privacy in one’s own home. In the course of writing this post, I relied on CCG’s Privacy High Court Tracker to identify cases that discuss the extent to which the right to privacy may be interpreted in light of this public-private distinction.
The case of Vilasini vs. State of Kerala from the High Court of Kerala sheds some light on the issue. This case relates to Kerala’s toddy (palm wine) shops, that were increasingly being described as somewhat of an eyesore, with the manufacturing, storage, consumption, and disposal of toddy creating a challenging atmosphere for surrounding residents. The people affected most by the existence of these toddy shops were immediate neighbours. Several individuals filed writ petitions against the operation of toddy shops in their neighbourhoods. One such petition also challenged the shifting of a toddy shop to the petitioner’s colony, which is also near a local “anganwadi”. The writ petitions filed — concerned several different toddy shops and varied issues, however, the Kerala High Court noted that the underlying concern in all these petitions was the protection of their privacy in their own homes and therefore considered these petitions together in a common judgement.
In the judgement, a single judge bench of Justice A. Muhamed Mustaque, stated that since the sale of liquor is regulated by the State, the State is bound to address any implication on the rights of others who are affected by the conduct and placement of toddy shops. Crucially, in this case it was the State that determined the location of toddy shops through a licensing regime. The High Court observed that the Apex court noted in the Puttaswamy case that privacy is not lost or surrendered merely because the individual is in a public space. Privacy attaches to the person and not the place as it part of the dignity of the human being. Furthermore, the Court added that “Privacy has both positive and negative content: The negative content restrains the State from committing an intrusion upon the life and personal liberty of a citizen. Its positive content imposes an obligation on the State to take all necessary measures to protect the privacy of the individual”. This is important because, while Puttaswamy did not enumerate an exhaustive list of rights that fall under ‘privacy’, it stated that anything that is essential to the dignity of a human being in private can be enforced by the person in public, including their well-being in their homes.
With this in mind, in the case of Vilasini, the Kerala High Court observed that there needs to be a standard by which a violation of privacy can be assessed. The High Court sought guidance from certain judgements of the European Court of Human Rights (‘ECtHR’) and laid down a framework of assessment that may apply in the Indian context as well. After having perused several European cases, the High Court noted that the ECtHR had developed a test; for an action to be a “breach of privacy, it must have a direct immediate consequence to the applicants’ right to respect for their homes” under Article 8 of the European Convention of Human Rights (respect for home and private life). These ECtHR cases balanced the gravity and severity of nuisance caused by the impugned action with the community’s interests as a whole, assessing if the State had struck a fair balance or violated the right to privacy of an individual. For example, one case concerned noise pollution from bars and discotheques near the petitioner’s house, with the ECtHR ruling that the excessive noise was above the permitted levels and had occurred over a number of years, thus violating the privacy of the petitioner.
In Vilasini, the High Court uses the phrase, a ‘threshold severity test’ to describe this analysis. But the roots of this test, can be traced from these ECtHR cases which relate to the minimum level of severity of the action complained against and an evaluation of the authorities’ role upon a complaint being made. Although Article 8 of the European Convention expressly refers to ‘the home, private life, and family’, the Kerala High Court has read this as a facet of India’s right to privacy doctrine. Based on this interpretation of the right to privacy, the High Court restrained the operation of one toddy shop and directed the State authorities to assess the privacy impact of the operation of other shops.
The case of Puttaswamy has led to a diverse applicability of privacy and Article 21. New contours of privacy are now being explored in different high courts around the country. While courts now study the scope of the right to privacy and associated rights, it’s important to chart trends and understand the implications of new facets of privacy being recognised. The specific contours of privacy and its interactions with the public realm are being developed by courts on a case by case basis, with each new challenge to state action throwing up novel questions for Indian privacy jurisprudence. In furthering this jurisprudence, it is important to keep in mind the most fundamental aspect of privacy – that it is integral to every aspect of a person’s overall well-being. The Kerala High Court’s recognition that the right to privacy includes a right to be left alone and at peace in one’s own home, and the State’s duty to facilitate this, is the concrete application of a new facet of the right to privacy.
In the wake of disclosures by the Pegasus Project, it has become more important than ever to understand the law which authorises the government to conduct surveillance – especially the provisions which permit non-digital phone tappings. To that end, the ‘Privacy High Court Tracker’ is an extremely useful tool developed by the Centre For Communication Governance, National Law University Delhi. The tracker enables stakeholders to analyse the evolving jurisprudence on privacy. High Courts across the country are at the forefront of this evolution. For the purposes of this piece, which discusses the law on state-mandated surveillance with a focus on phone-tappings, two judgments from the tracker are relevant – Vinit Kumar vs. CBI and Ors., 2019 (Bombay High Court) and Sanjay Bhandari and Ors. vs The Secretary of Govt. of India and Ors.2020 (Madras High Court).
But before we analyse these judgments, it is important to refer to the provisions of law that enable the government to listen to our conversations and the decision of the Supreme Court in PUCL vs. Union of India, (1997), which is the locus classicus on this subject.Section 5(2) of the Telegraph Act, 1885 (Telegraph Act) empowers the government to intercept any communication by a ‘telegraph’ from a person to another “on the occurrence of a public emergency” or “in the interest of public safety” if it is in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or to prevent incitement to the commission of an offence. Any order under Section 5(2) must be issued before the surveillance begins. Section 69 of the Information Technology Act, 2000 (IT Act) permits the government to intercept, monitor or decrypt communication generated, transmitted, received or stored in a computer.
Interestingly, Section 69 of the IT Act has not been subject to much judicial scrutiny. While challenges to its constitutionality are pending before the Supreme Court, the lack of scrutiny is perhaps because there is opacity around when, where and how this provision is used to conduct surveillance. Notably, the government has even refused to provide the total number of orders it has passed under this provision in a response to a right to information application filed by the Internet Freedom Foundation. Unlike Section 69 of the IT Act, Constitutional Courts have examined Section 5(2) of the Telegraph Act on several occasions. As mentioned above, the most notable instance is PUCL.
In PUCL, the constitutional validity of Section 5(2) of the Telegraph Act was challenged. The Supreme Court’s decision, which was subsequently affirmed in K.S. Puttaswamy vs. Union of India, , held that conversations over the telephone are private in nature. While this is significant since this judgment is from before Puttaswamy, the bite of the judgment was the Court’s interpretation of the phrases “on the occurrence of a public emergency” and “in the interest of public safety”. The Court held that public emergency would mean the prevailing of a sudden condition or state of affairs affecting the people at large, calling for immediate action. The expression “public safety” means the state or condition of freedom from danger or risk for the people at large. The Court also held that the phrases “take their colour off each other”, and that a breach of public safety/ a public emergency are evident to a reasonable person as they are not secretive conditions.
In terms of procedural safeguards, the Court, amongst other things, directed the Government to not conduct phone tapping unless there is an order from the home secretary which would ex-post be subject to review by a review committee also consisting of government officials. Notably, the Court stopped short of either prior or post judicial scrutiny.
The CCG Privacy High Court Tracker is a useful resource to examine how High Court’s have relied upon the decision in PUCL, especially after the Supreme Court’s decision in Puttaswamy. In this regard, the Bombay High Court decision in Vinit Kumar and Madras High Court’s decision in Sanjay Bhandari, offer a study in contrast.
In Vinit Kumar, the petitioner challenged three phone tapping orders issued against him, on the ground that they were ultra vires Section 5(2) of the Telegraph Act. Of course, the petitioner only found out that his conversations were being monitored after the Central Bureau of Investigation filed a charge-sheet against him in a criminal proceeding, where the petitioner was accused of bribing a public servant. The petitioner argued that there was no threat to public safety nor a public emergency to occasion such phone-tapping. The Bombay High Court agreed and noted that circumstances did not exist which “would make it evident to a reasonable person that there was an emergency or a threat to public safety”. The Court also went a step ahead and tested the phone tapping orders on the Puttaswamy proportionality standard (Kaul J, Paragraph 70) which requires the government to show – a) The action must be sanctioned by law; b) The action must be necessary in a democratic society; c) Proportionality – infringing action must be proportionate to the need for such interference; and d) Procedural safeguards. The Court found that the orders could not withstand the test and struck them down as they ‘neither had the sanction of law’ (as there was no public emergency nor a threat to public safety) nor have they been issued for a legitimate aim. (Paragraph 19)
In Sanjay Bhandari, the petitioners, who held official government positions, were accused of accepting a bribe in return for granting benefits. They found out that the Government was monitoring their conversations, and challenged the phone-tapping orders before the Madras High Court. Evidently, there was neither a public emergency nor threat to public safety that would justify the imposition of such an order. In PUCL, the Supreme Court had held that these situations are evident to a reasonable person as they are not secretive conditions. The Court also held that public emergency would mean the prevailing of a sudden condition or state of affairs affecting the people at large, calling for immediate action, and the expression “public safety” means the state or condition of freedom from danger or risk for the people at large.
The Madras High Court, going against established precedence, held that “Restricting the concept of public safety to the mere “situations that would be apparent to the reasonable persons” will exclude most of the actual threats which present the most grave circumstances like terrorist attacks, corruption at high places, economic and organised crimes, most of which are hatched in the most secretive of manners.”
Thus, the decision in Sanjay Bhandari interpreted Section 5(2) in a manner which was entirely contrary to the decision and perhaps, even legislative intent. The Court read into the provision its understanding of what constitutes “actual threats” and extended the scope of the provision to offences which do not have any bearing on public safety, as interpreted in PUCL and affirmed in Puttaswamy. And there is merit to that interpretation. The word safety follows the word ‘public’ which implies that the situation should be such that it puts at risk the people at large. Surely economic offences do not meet this criteria. There is merit to that interpretation, even from a rights perspective. Monitoring a person’s conversations constitutes a grave infringement on their right to privacy, and the need to undertake such an infringement must be proportionate to the ends sought to be achieved.
The Centre for Communication Governance (CCG) has recently launched a new initiative called the Privacy High Court Tracker which consists of decisions on the constitutional right to privacy passed by all High Courts in India. The Privacy High Court Tracker is a tool to enable lawyers, judges, policymakers, legislators, civil society organisations, academic and policy researchers and other relevant stakeholders, to engage with, understand and analyse the evolving privacy law and jurisprudence across India.
The cases on the tracker can broadly be divided into several themes such as – search and seizure, data protection, and gender rights. Within gender rights, there are several sub-themes, and this article, relying on information from the tracker, will be focusing on the rights of transgender people. It was the National Legal Services Authority vs. Union of India (“NALSA”) judgement of 2014 which gave unequivocal recognition to transgender people in India as the ‘Third Gender’. The Supreme Court interpreted ‘dignity’ under Article 21 of the Constitution to include diversity in self-expression, which allowed a person to lead a dignified life. It placed one’s gender identity within the framework of the fundamental right to dignity under Article 21. Article 21 was interpreted to include privacy by the Justice K. S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors., (“Puttaswamy 9-judge Bench”). The Puttaswamy 9-judge Bench unanimously recognised a fundamental right to privacy of every individual guaranteed by the Constitution, by reading privacy within Article 21, and in all of fundamental rights under Part III as a whole.
While NALSA gave members of the transgender community, the right to privacy in the protection of gender identity within Article 15, the Puttaswamy 9-judge Bench judgement placed the right to privacy as an expression of individual autonomy, dignity, and identity, at the intersection of Article 15 and 21. The right to life and personal dignity dwells in Article 21 but it is enriched by all the fundamental rights and its various interpretations.
In 2019, the Madurai Bench of the High Court of Madras, decided the case of Arunkumar and Ors. vs. The Inspector General of Registration. The facts of the case were – a cis-gendered male married a transwoman, in a temple in 2018. The Joint-Registrar refused to register the marriage, under Rule 5(1)(a) of the Tamil Nadu Registration of Marriage Rules. This was appealed before the District Registrar, who also refused and so it came before the High Court. The High Court stated that the definition of a ‘woman’ or a ‘bride’ is not a static one, and that it should be interpreted according to the need of the time. The Court also noted that Article 16 of the Universal Declaration of Human Rights broadly reads that, men and women have the right to marry without any limitations.
The case of Shafin Jahan vs. Asokan K.M. and Ors., was also referred to, where the Hon’ble Supreme Court held that the right to marry a person of one’s own choice is integral to Article 21. Moreover, the Court also relied on Dr. Ambedkar’s famous opinion that inter-caste marriages will lead to social integration, applying it to mean that marriages between transgenders and cis-genders will lead to the social integration of the members of the transgender community. The High Court famously decided that since the second petitioner self-identified as a woman, she is a woman; relying on both the NALSA and the Puttaswamy 9-judge Bench judgements.
The Arunkumar case simply decided on the issue of legalising love and commitment between two people. In doing so, it has now opened a plethora of other issues, such as – will a transwoman be allowed protection under the definition of ‘aggrieved person’ in a domestic relationship and have the same rights as a ‘woman’ under The Protection of Women from Domestic Violence Act, 2005 and the Hindu Adoptions and Maintenance Act, 1956? The right to divorce flows from the right to marry, can a transwoman claim alimony and/or maintenance? It can be said that The Hindu Succession (Amendment) Act, 2005 which removed gender discriminatory provisions in the Hindu Succession Act, 1956, will then apply to transwoman too, but what will happen to the inheritance rights of a transwoman who marries into a family practising Islam? The Arunkumar judgement, did not go into these details, but future litigants will need clarity on this matter, either with a legislation or in the absence of one, some clarity from the apex court.
Two other High Courts in India have also given judgements on marriages with transgender persons. One of them is Madras High Court’s Mansur Rahman vs. the Superintendent of Police & Anr. which has similar facts to the Arunkumar case (mentioned above) where the petitioner, a cis-gendered man had married a transwoman and was now seeking police protection from people harassing them. Here too, the Court noted the importance of integrating members of the transgender community in the contemporary community, by quoting Dr. Ambedkar’s views on inter-caste marriage. In the High Court of Orissa, in the case of Chinmayee Jena vs. State of Odisha & Ors. a transman, was in a live-in relationship with a cis-gendered female where the female was being forced into a heterosexual arranged marriage by her parents. The Court explicitly recognized the rights of trans persons to enter a live-in relationship with the partner of their choice, regardless of the “gender” of the partner. Thereby relying on the judgments in – NALSA, Puttaswamy 9-judge Bench and Navtej Singh Johar vs. Union Of India Ministry Of Law & Anr. (“Navtej”). This case too, will impact the right of a transman in inheritance, adoption of children and it also makes us question, what other rights do transmen have, for their protection?
In the case of X vs. State of Uttarkhand a single judge bench decided on a very interesting aspect of law – whether a transwoman’s complaint of rape should be recorded under section 377 or 375 of the Indian Penal Code, 1860 (‘IPC’)? The learned judge differentiated between post- Navtej section 377 which criminalizes all instances of non-consensual sexual intercourse regardless of gender and section 375 which criminalizes all instances of non-consensual sexual intercourse between a man and a woman. It also noted the difference in punishment, section 375 envisages a minimum imprisonment of 10 years leading to life (apart from fine), Section 377 envisages a maximum imprisonment of 10 years (apart from fine). While determining that, the court also decided that the transwoman had a right to self-determine her gender, “without further confirmation from any authority”. The Court stated that until the Parliament comes up with a legislation for the same, the law of the land is self-identification, as stated in NALSA. Accordingly, it ruled, in recognition of India’s international obligations undertaken in various convention, the Yogyakarta Principles, fundamental rights of life, liberty, dignity, privacy, the march of the law, and most importantly, in consonance with NALSA and Puttaswamy 9-judge Bench that the right to gender identity is a part of right to privacy. Notably, this case created a fine line of difference between Sections 377 and 375 of the IPC and implied that since the Petitioner self-identifies as a female, section 375 should apply. The Court particularly noted that self-identification is the law of the land, till the time there is a legislation a place. However, since then, the Transgender Persons (Protection of Rights) Act and Transgender Persons (Protection of Rights) Rules, 2020 have been implemented, which deviates from NALSA as sections 5 and 6 have made gender self-identification contingent on medical and psychological documentation.
On a final note, in the case of Puttaswamy, a 9-judge Bench led to the judiciary establishing that right to personal liberty, dignity and privacy are inalienable rights. This has been an important step forward for the transgender community in India. It is not only important that these rights are recognised by the Indian Constitution, but these rights are also foundational pillars of the Indian Constitution. They are intrinsic and inseparable to one another. To further this development, there needs to be legislation(s) and other social welfare schemes to address the challenges faced by the transgender community and to inculcate the community in such a way that there is no more ‘us’ and ‘them’.
The judgment of the Supreme Court in Justice (Retd.) K.S. Puttaswamy vs. Union of Indiawas the first comprehensive verdict on the right to privacy in India. While earlier judgments such as Rajagopal or Gobind discussed certain aspects of this right, in Puttaswamy, the court’s pronouncement was categorical, laying down definite principles and different contours of the right to privacy. The judgment in Puttaswamy will have – and in some cases, has already had – significant influence on various issues including state surveillance, data collection and retention and rights of sexual privacy. In this blog, I will focus on Puttaswamy’simpact on the right to intimate choices including marriage.
Among other things, the Supreme Court in Puttaswamy has made two aspects clear. First, the right to privacy is part of the right to liberty and dignity under part III, especially Article 21 and certain freedoms under Article 19 of the Constitution. Secondly, it located the right to intimate choices as part of the right to privacy. We shall see how this has enabled the courts to decide certain cases. (See here the Privacy High Court Tracker by CCG, used to identify the cases. The tracker “is a resource consisting of decisions on the constitutional right to privacy passed by all High Courts in India.”).
At various places in the judgment, there is agreement that privacy necessarily must protect the right to intimate choices. The court said – “The family, marriage, procreation and sexual orientation are all integral to the dignity of the individual” and that “privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage, procreation, the home and sexual orientation.” Importantly, the oft-quoted right to be left alone was interlinked with the right to choose who enters one’s house, whom to live with and “what relationship” to live in. (Justice Kaul, para 78).
With this background, some cases from the Privacy Tracker are worthwhile studying. In Safiya Sultana and Ors. vs. State of U.P. and Ors., the writ petition was moved by the petitioner in the Allahabad High Court claiming that she is in the illegal custody of her father and she would like to live with her husband. During the deliberation, the court took up the issue of the requirements under the Special Marriage Act, 1954 (SMA) which make it difficult for couples to register their marriages.
The SMA is a secular law, meaning it can be used by persons belonging to any religion (or no religion at all). Persons belonging to the same religion, such as two Hindus also can marry under the SMA, as many often choose to. The petitioners argued that the provisions requiring notice before marriage and subsequent publication must be read as directory, instead of mandatory. They pointed out that “any such notice would be an invasion in their privacy and would have definitely caused unnecessary social pressure/interference in their free choice with regard to their marriage.”
Section 5 of the SMA provides that the couple intending to marry must give a notice in writing to the marriage officer before thirty days. According to section 6, the notice will be displayed for the public and the details of the notice entered into in the Marriage Notice Book, which is open for inspection by any person. Section 7 enables persons to object to the marriage on violation of certain conditions. In a society where agency of women in particular is curtailed and love-marriages often violently resisted, it is not difficult to see how these provisions can have significant dignity implications. While agreeing with the petitioners, the court noted that “society has no role to play in determining our choice of partners.”
Intimate choice consists of a bundle of rights where both privacy and autonomy interact: the right to choose a partner, the right to marry or not to marry, the right to choose a live-in relationship, the right to keep details of the marriage or nature of the relationship private. It becomes too ‘costly’ for young people to exercise the right to privacy and choice since there is constant invasion. Essentially, the actions of other persons and their possible access to your personal information impact your decisions on how to lead your life. The provisions of the SMA provide for this type of invasion by enabling the private details to be accessible to public. It went beyond the legitimate purpose of the state in securing the details of marriages in its register.
The court held that that giving and publication of notice under these provisions of the SMA shall be voluntary and not mandatory. Sections 5 and 6 were read down to this extent. The court directly relied on Puttaswamy to ascertain “the ability to make decisions on matters close to one’s life.” It also relied on Common Cause vs. Union of India and Anr. which said that “our autonomy as persons” is also founded in our ability to decide “whom to love and whom to partner.” This according to the High Court, is a protected entitlement of the Constitution. Hence, the court located “a right to a union” under Article 21. This union includes but is not exhausted by marriage. Neither the state nor other persons can intrude upon this right.
Moreover, according to the court, the provisions, if read as mandatory do not fulfil the three-tier test recognised by Puttaswamy while determining validity of laws (of legality, necessity and strict proportionality). The requirements of notice and publication apply only under the SMA, in comparison to other personal laws on marriage. “There is no apparent reasonable purpose achieved by making the procedure to be more protective or obstructive under the Act of 1954…”
Often, in addition to the SMA provisions, various States have made specific rules, guidelines or checklists for registration of marriages under the Act. One such checklist was the matter in issue before the Punjab & Haryana High Court. In this case, the Haryana government had issued a marriage checklist with 16 requirements to be fulfilled for registration. The petitioners argued that requirements such as notice to parents of the couple, publication of proposed marriage in a national newspaper violate their right to privacy. The court held that such a requirement violates the right to privacy and asked the state to modify the checklist.
In Salamat Ansari vs. State of UP and Others, a FIR was lodged against the accused for the offence, inter alia, of kidnapping a woman under the Indian Penal Code, 1860. The petitioners argued that the woman in question and the accused were married and hence the FIR, registered by the father of the woman must be quashed. The court relied on the ‘choice’ jurisprudence emerging out of Puttaswamy, Shakti Vahini vs. Union of Indiaand Shafin Jahan vs. Asokan K.M, that an adult person’s choice on whom to marry is not a territory for the court or the state to intervene. The court quashed the FIR reiterating no offences were made out and the case was simply of individuals choosing to live together.
In Monika Mehra vs. State and Ors., the petitioners, who were a married couple approached the Jammu and Kashmir High Court seeking directions for adequate security on grounds of facing threats to their life. By relying on Supreme Court jurisprudence on the rights to privacy and choice, the court allowed the prayer for adequate protection of life and liberty of the petitioners.
There are few aspects binding these cases together. The first is the choice-privacy intersection. In Puttaswamy, this link was clearly explained. How an artist or a musician expresses herself is illustrative of how “privacy facilitates freedom and is intrinsic to the exercise of liberty.” Therefore, privacy and choice are not mutually exclusive or disjoint. One facilitates the growth of another and infringement of the one can constitute infringement of the other. In the context of the SMA, burdensome requirements violating privacy rights, such as publication of intended marriage force a person to make corresponding choices of partner or marriage.
The second is that all cases reflect that the right to privacy is vulnerable when exercised in a society that does not seriously value it. The provisions in SMA, for instance are used by vigilante groups to invade privacy at a large scale. For example, online applications of inter-faith couples under the SMA were publicised on the internet by certain groups in Kerala. The provisions, when functional in a peculiar socio-political context can be more burdensome, as different from a less intrusive social climate. Requirements such as notice of intended marriage to the parents aim to infringe the intimate zone of privacy. This is also the motivation behind criminal charges of kidnapping as in Salamat and Monika, filed to intimidate persons who have made free and independent choices, and ascertained their right to self-determination. Ultimately, the Puttaswamy judgment has played an important role in shaping the right to intimate choices for future cases and one can hope that it continues to do so.
The recent revelation of the Pegasus hacks has re-ignited public discourse on privacy, surveillance and intelligence reform. As the proposed Personal Data Protection Bill, 2019 makes room for wide exemptions to military, intelligence and law enforcement agencies for the collection and processing of citizens’ data, privacy and data protection laws in their current form will be limited in their potential to enforce meaningful procedural safeguards and oversight over State surveillance.
Although these conversations are not new, we must continue to have them. At the same time, it is important to not miss the forest of State-run cybersurveillance programmes for the sprawling branches of the Pegasus tree. That the global cyber-surveillance industry thrives on State secrecy – is no secret.
While the need for and significance of surveillance reforms cannot be over-emphasized, data protection or privacy law in itself may not succeed in ensuring that Government is prohibited or restrained from acquiring Pegasus-like spyware. Nor will they ensure that the Government is obligated to disclose that such technologies that risk undermining basic fundamental freedoms of its citizenry have been procured by it, with the intent of deployment by law enforcement and/or intelligence agencies. In an earlier piece the Pegasus Hack, CCGNLUD had addressed issues in international frameworks for export controls designed for dual-use technology and their limitations in providing meaningful remedy to the aggrieved.
In this piece, the author argues that Parliamentary legislation and oversight on public procurement processes, classifications and procedures is far more likely to address the root of the multi-faceted problems we are faced with in the wake of Pegasus. Yet, public commentary or critique on the far-reaching consequences of such provisions is hard to come by. This is despite the fact that multiple estimates peg the share public procurements by Government departments and agencies as accounting for 20-30% of India’s national GDP.
The argument proceeds as follows. First, we highlight the central provision that enables the Government to keep such concerning acquisitions of technology in the dark, away from Parliamentary and public scrutiny. Second, we examine the far-reaching implications of this somewhat obscure provision for the cybersecurity industry in India and the public at large. Finally, we explain how this State-sanctioned secrecy in procurement of spyware – whether from foreign or Indian vendors – could potentially deprive the aggrieved targets of surveillance through Pegasus of meaningful legal remedy before the Courts.
Executive Regulations on Public Procurements and ‘National Security’
In the absence of a Parliamentary enactment, public procurements in general, are governed by the overarching principles and procedures codified in the General Financial Rules, 2017 (GFR). These rules were first issued after independence in 1947, and later revised in 1963 and 2005.
Rule 144 of the GFR mandates that every authority procuring goods in public interest shall have the responsibility and accountability to bring efficiency, economy and transparency in matters relating to public procurement and for fair and equitable treatment of suppliers and promotion of competition in public procurement. It also sets out certain ‘yardsticks’ with which procuring agencies must conform – and some are more problematic than others.
One of the most significant changes introduced in the 2017 iteration of the GFR, is the introduction of a ‘national security exception’. Under the these new provisions, Ministries/Departments may be exempted from requirement of e-procurement and e-publication of tender enquiries and bid awards, which is mandatory as a general rule. This may be permitted
In individual cases where confidentiality is required for reasons of national security, subject to approval by the Secretary of the Ministry/Department with the concurrence of the concerned Financial Advisor, [Rule 159(ii)]and
In individual case[s] where national security and strategic considerations demands confidentiality, after seeking approval of concerned Secretary and with concurrence of Financial Advisors. [Rule 160(ii)]
This indicates that the ‘national security exception’ is intended to apply to non-military procurements, expanding the realm of secrecy in procurements far beyond military matters with direct adverse consequences for the civilian realm of affairs. This is supported by the fact that Rule the procurement of goods for the military is excluded from the scope of the GFR by Rule 146. This rule prescribes that the procurement of goods required on mobilisation and/or during the continuance of military operations shall be regulated by special rules and orders issued by the Government from time to time.
Thus, the acquisition of spyware as a product to enhance India’s cybersecurity posture—which can easily be proved to implicate strategic considerations that demand confidentiality—could be exempted from mandatory obligations of e-procurement through the central portal and e-publication of the tender inquiry as well as the bid award, after approval from the concerned Secretary and/or Financial Advisors. Although the rule also obliges the Finance Ministry to maintain statistical information on cases where such an exemption is granted, and the value of the contract, whether or not such statistics are amenable to public disclosure through Right to Information (RTI) applications remains unclear at the time of writing.
What Implications for the Cybersecurity Industry?
In addition to spyware and malware, we can expect that even legitimate cybersecurity products and services when procured by Government could also be caught within the above mentioned clause for exempting an ‘individual case where national security and strategic considerations demands confidentiality’.
Given the current state of India’s information security, the acquisition of legitimate cybersecurity products and services will, and should be conducted across Ministries including but not limited to the Ministry of Defence or even law enforcement.
The demand and market for cybersecurity products and services in the country is burgeoning. These exceptions could also be invoked by the relevant ministry/department to keep the identity of vendors of cybersecurity products and private sector partners for the development of surveillance and other cyber capabilities outside the public domain.
The invocation of such regulatory provisions to keep details of the vendors of cybersecurity products and service providers as confidential may create information asymmetries about Government’s needs and preferences among private players in the market. This will not be conducive for creating a competitive market for cybersecurity products and services. These asymmetries can then distort the market with far-reaching implications for the health and growth of the cybersecurity and IT industry at large.
It also militates against the objective of promoting fair competition and transparency in the public procurement process. Adopting the right blend of rules to encourage competition in industry is crucial to fostering a healthy ecosystem for the cybersecurity industry in India, which is still in its infancy.
The Courts will Protect Us?
In other words, through the 2017 amendment of the GFRs, Government of India’s executive branch gave to itself–the power to procure goods and services ‘in the interest of national security’– whie remaining sheltered from the public gaze. This was the first time such a provision was inserted into the GFR – the language of its 2005, 1963 and 1947 iterations make no mention of ‘national security’ whatsoever.
It is pertinent to point out that the term ‘national security’ is an extra-constitutional one – it does not occur anywhere in the Constitution of India. Instead, the Constitution refers only to ‘security of the State’ or ‘defence of India’, or ‘sovereignty and integrity of India’. In recent years, the Executive has co-opted the term ‘national security’ as a catch-all phrase to encompass everything from serious threats of cross-border terrorism and acts of foreign aggression, to issues like organised protests which were traditionally considered as falling under ‘public order’ – a category clearly distinguished from ‘security of the State’ as early as 1966 by the Supreme Court of India in Ram Manohar Lohia v. State of Bihar AIR 1966 SC 740.
A more recent order of the Supreme Court in dated December 14, 2018, in Manohar Lal Sharma v. Narendra Damodardas Modi (The Rafale Case) underlines the Court’s reluctance to hold the Executive accountable for procurements and public spending in domains like defence. The Court stated,
“We also cannot lose sight of the tender in issue. The tender is not for construction of roads bridges et cetera it is a defence tender for the procurement of aircrafts. The parameters of scrutiny would give far more leeway to the government keeping in mind the nature of the procurement itself.”
Additionally, the emergence of the Supreme Court’s “sealed cover” jurisprudence, although recent in its origins –is testament to the growing shadow of secret executive action pervading the judicial sphere with opacity as well. In this context, it is relevant that recent coverage of the award of the “all-India tender” for the provision of a video conferencing platform for the Supreme Court of India does not yet disclose which entity or corporation was awarded this contract.
Coming back to the Pegasus, should the aggrieved persons targeted with this spyware seek judicial remedy, Section 123 of the Indian Evidence Act, 1872 prohibits Government officials from providing evidence “derived from unpublished official records relating to any affairs of State, except with the permission of the officer at the head of the department concerned, who shall give or withhold such permission as he thinks fit.” (emphasis added)
This means that if a case relating to procurements exempted from e-publication is brought before courts, the appropriate authority to give or withhold permission for disclosure to court would be the same Secretary and Financial Advisors who permitted the procurement to be exempted from publication requirements in the first place. Section 124 further prohibits compelled disclosure of official communications made to a Government official in confidence.
And thus, the conspiracy of silence on potentially criminal acts of Government officials could easily escape judicial scrutiny. This will invariably create a challenging situation for individuals impacted by the use of the Pegasus spyware to effectively seek judicial redressal for violation of their right to privacy and hold the government accountable.
Without an explicit acknowledgment from the Government of the fact that the spyware was in fact procured by it – questions on the legality of procedures that resulted in its targeted deployment against citizens and judicial remedies for violations of due process in criminal investigation remains a moot point. In their current form, the applicable rules permit the Government to enable secret procurement of goods and services for non-military purposes under the GFR’s ‘national security exception’, and also permits the Government to disallow disclosure of this information in judicial proceedings.
Given the lower level of judicial scrutiny that such procurements will likely be subjected to, the doctrine of checks and balances and the doctrine of separation of powers necessitates that appropriate parliamentary mechanisms be set up to ensure effective oversight over all government procurements. Presently, the legal framework for procurements is comprised almost exclusively of executive-issued regulations.Constitutionalism requires that no organ of government should be granted or allowed to exercise unfettered discretion and is always held accountable by the other organs of the government.
This is an essential element of the Rule of Law and can only be ensured by way of a Parliamentary enactment on procurement procedures and concomitant disclosure requirements as well as effective Parliamentary oversight mechanisms to enforce accountability on public spending incurred for procurements in the name of national security.
The debate on privacy rose to the forefront after the Supreme Court passed a judgement in the case of Justice K.S Puttaswamy (Retd.) v. Union of India, where the Court held that the right to privacy was an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution of India. In arriving at this conclusion, the Court examined a wide range of privacy-related issues and held that the right to privacy included the right to personal autonomy over a wide range of domains in a person’s life.
While the above decision seems obvious in its simplicity, complications arise when one considers that a child or adolescent may not understand the consequences of their individual choices. When taken in the context of online data privacy, it is safe to say that children may be unaware of the exact manner in which any data that they share online is put to use. The report submitted by the committee of experts under the chairmanship of Justice B.N Srikrishna clearly endorses this belief.
Clause 16 of the Indian Personal Data Protection Bill, 2019 (‘PDPB 2019’), which was tabled in parliament on December 11, 2019, deals with the processing of personal and sensitive personal data of children. It states categorically that every data fiduciary shall “process the personal data of a child in a manner that protects the rights of, and is in the best interests of, the child.” It further states that a data fiduciary shall only process the personal data of a child, after verifying their age and obtaining the consent of their parent or guardian, in the manner specified by future regulations.
Based on this provision, the primary question that arises is, who is a child as per the PDPB 2019? According to the provisions of the bill, a child is someone who “has not completed the age of 18 years.” This is distinct from the data protection statutes passed in other jurisdictions. The EU General Data Protection Rules (‘GDPR’) specifies that the age limit on the definition of ‘child’ may be up to the discretion of individual member states and can be anywhere between 13-16 years. The US Children’s Online Privacy Protection Act, 1998 on the other hand, puts the age limit at a firm 13 years. Notwithstanding the above, the PDPB 2019 specifies 18 as the age of majority. This was done to ensure that the provisions of the bill would be in conformity with the prevailing laws of the country.
The adoption of a singular age of majority serves to prevent confusion and conflict between the laws in the country, however, it also serves to underestimate the awareness and advancement of today’s youth. An example of this understanding was espoused by the Madras High Court in the case of Sabari Sabarinathan Sabarivasan v. State Commission for Protection of Child Rights and Ors. This judgment examines existing flaws in the Protection of Children from Sexual Offences (POCSO) Act, 2012 and recommends a change in the definition of the term ‘child,’ so that a consensual relationship between a girl above 16 years of age and a boy between 16 to 21 years of age, would not attract the draconian provisions of the law. The drafters of the PDPB 2019 could have taken a similar view, rather than conforming with the provisions of a statute like the Indian Contract Act or the Indian Majority Act, both of which were enacted in the late-1800’s. Furthermore, a 2019 study conducted among 630 adolescents across 8 schools in the nation’s capital, revealed that 60 per cent of the boys and 40 per cent of the girls, owned their own device while almost half reportedly used two or more devices to access the Internet. The numbers have no doubt increased since then and the COVID-19 crises has further accelerated the adoption of online services for both education and entertainment. This means that mandating a guardian’s consent for anyone below the age of 18 years could very well result in some data fiduciaries inadvertently being on the wrong side of the law.
Another question raised by Clause 16 of the PDPB 2019, is the determination of what constitutes the best interests of the child. The bill does not specify how this is to be determined; however, subclause 5 of Clause 16 categorizes certain types of data processing like behavioural monitoring, tracking, and targeted advertising as harmful for children.
We then come to the requirement for age verification and parental consent. The provisions of the bill do not explore this in detail. It merely states that the process of acquiring such consent and/or verification will be specified in further rules, after taking into account factors like the volume of personal data processed, the proportion of such personal data likely to be that of a child, the potential of harm that may occur to said child as a result of the processing of his/her personal data etc.
Regardless, one issue that may arise when it comes to consent is the question of capacity. Clause 11 of the PDPB 2019 states that among other things, consent must be free and informed. However, parents cannot provide such free and informed consent on behalf of their children, if they do not understand the terms and conditions provided in the policies of these websites. In many instances, we find that children possess a much greater awareness of current technology trends and their implications. Additional issues arise when we consider the concept of free choice. However, the fact of the matter is that if one wants to register with any of the popular online apps and services available, one inevitably has to agree with their terms and conditions, regardless of any reservations one might have. Therefore, the concept of consent being “freely given” is rendered pointless.
GDPR and the European Union
Article 8 of the GDPR states that where there is an offer of “information society service directly to a child” the processing of personal data of said child shall be lawful, where the child is at least 16 years old. If the child is below the age of 16 years, such processing shall be lawful only if consent has been obtained by the “holder of parental responsibility over the child.”Member States can provide for a lower age limit, provided it is not below 13 years of age. The provision further provides that “reasonable efforts” must be made to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
Article 8 is the principal provision relating to the protection of children’s personal data in the GDPR. There are other provisions that mandate the type of measures that must be taken for the protection of the personal data of a child. For example, when obtaining data from a child, data controllers must ensure that any information on the processing of such data, should be in clear and plain terms for a child to easily understand. The GDPR also provides for the ‘right of erasure’ for children’s personal data. This is particularly relevant in cases where the data subject may have provided their consent as a child, without being fully aware of the risks involved and now seek the erasure of such personal data. Clause 16 of the PDPB, which relates to the processing of personal data of children, closely mirrors Article 8 of the GDPR. To that end, this post will be limited to an examination of Article 8 of the GDPR to examine the potential pitfalls that await in the implementation of Clause 16 of PDPB 2019.
Article 8 applies only to information society services offered directly to a child. Information society services or ISS is any service that is provided at a distance, by electronic means, and at the individual request of a recipient of the services. The definition also includes the requirement that the service be one that is provided in exchange for “remuneration”. However, the majority of online services that teenagers have access to do not directly require remuneration from the users. Common examples of this include popular social media sites like Facebook, Instagram etc. For this reason, the phrase “remuneration” is interpreted broadly by the European Court of Justice (‘ECJ’). The Court has held that “the essential characteristic of remuneration […] lies in the fact that it constitutes consideration for the service in question and is normally agreed upon between the provider and the recipient of the service’’. It is not essential that the recipient of the services provide the consideration. It is only essential for the consideration to have been received by the service provider. Subsequent rulings specified that such services may also include services provided by a non-profit organization, services involving an element of chance, and services that are of a recreational or sporting nature.
Some confusion may arise in situations where the ISS has both online and offline components. In such cases one must determine whether or not the online component is integral to the nature of the service provided. If it is not integral, then such services cannot be categorized as an ISS. While these cases provide some clarity, it is clear that the definition and scope of what constitutes an ISS will continue to evolve with the evolution of technology. This is in direct contrast to the definition of a data fiduciary in the PDPB 2019, which is much more straightforward. The bill defines a data fiduciary as “any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.”
Further, much like Clause 16 of the PDPB 2019, the drafting of Article 8 raises questions on what constitutes proper consent and how such consent can be appropriately verified. Some of these questions have been delineated above in the Indian context and are also applicable here. The European Data Protection Board (‘EDPB’) have addressed these issues in its guidelines on consent under issued under the GDPR. The guidelines state that if a data subject consents because they feel they have no real choice, then the consent is not valid. The guidelines also specify certain situations where the existence of an imbalance of power between the data subject and the controller, would render consent invalid. It further provides that consent would not be considered to be “freely given” if the consent was bundled with the acceptance of the terms and conditions of a website. Additionally, when it comes to the issue of capacity, the guidelines provide that for the consent to be informed, the data subject, or the individual having parental responsibility over the data subject, must have knowledge of the controller’s identity, knowledge of the purpose of each of the processing operations for which consent is sought, knowledge of the type of data collected and used, and knowledge of the existence of the right to withdraw consent.
Finally, even if the validity of consent is established, there is no provision to determine whether the person providing such consent is qualified to do so. According to the provisions of Article 8, consent must be given by a holder of parental responsibility. Does this include even individuals who are acting in loco parenti? For example, in the US, schools may act on the parents’ behalf in an educational context, when personal data is collected from the students for the use and benefit of the school. Further, once this consent is obtained, how is it to be verified? The GDPR has merely required that the controller take “reasonable efforts” to verify said consent. This means that in situations where consent was not verifiable, the controller could still rely on the un-verified consent so long as they prove that “reasonable” efforts were made to verify the same. Fortunately, the EDPB Guidelines on consent fills this gap in Article 8 by recommending two types of verification mechanisms for high-risk and low-risk categories respectively. In the low-risk category, verification of parental consent via email was held to be sufficient. In the high-risk category, it was recommended that further proof of consent would need to be acquired. Trusted third-party verification services were also recommended, to minimise the amount of personal data the controller had to process itself.
The examination of the GDPR provisions clearly shows that numerous issues have arisen in the course of its implementation. These issues have been resolved on a case-by-case basis by courts and other authorities. However, these solutions are remedial and not preventative. One preventative approach is the implementation of principles like data protection by design and default as specified in Article 25 of the GDPR. Data protection by design ensures that privacy and data protection issues are considered at the design phase of any system, service or product and then implemented throughout the lifecycle of the same. Data protection by default limits the type of data collected. It requires controllers to collect and process only such data as is necessary to achieve their specific purpose.
Data protection by design is a principle that is already enshrined in Clause 22 of the PDPB, which provides that every data fiduciary shall submit a privacy by design policy to the proposed Data Protection Authority (DPA) for approval and certification. The manner in which this is to be implemented and the standards of protection required for certification would be subject to future regulations. However, by requiring data fiduciaries engaged in the collection and processing of children’s data to adhere to a higher standard of data protection, the DPA could probably ensure the protection of children’s data regardless of any pitfalls in the practical implementation of Clause 16.
The above measure might not effectively solve the issues specified with the implementation of Clause 16. Notwithstanding these drawbacks, the provisions of this Bill might be the very first step in bringing India’s data protection thresholds at par with the rest of the world.