New Data Protection Law: It cements the power imbalances in the data economy

By Shashank Mohan*

The Indian government has clarified that its latest attempt at drafting a robust data protection law is predicated on it being a plain, simple statute to read and comprehend. Although the simplicity of law is a laudable goal, the proverbial devil is in the details — or in this case, the lack thereof. The bill, which is in its fourth life, creates significant obstructions in the path of grievance redressal for a data principal (the user) to remedy privacy harms, and request adequate compensation. It further cements the power imbalances in the data economy between users and data-processing entities. I explain below.

First, the Bill introduces the concept of “duties of data principals”. It lays down various responsibilities placed on users — to obey all applicable laws of the land, not register false or frivolous complaints, and to not furnish false information. An explanatory note released alongside the Bill explains that these duties have been inserted to ensure that there is no ‘misuse of rights’. It is pertinent to understand that the goal of a data protection law is to protect the privacy rights of citizens against data-processing entities and to lay down remedies for privacy harms. It should acknowledge the existing power imbalances between users, and those who process/use their data — heightening the risk of privacy loss. Users should not bear any responsibility in a law that primarily recognises the propensity of privacy harm towards them. To enforce such duties, the Bill empowers a Data Protection Board (DPB) (a quasi-adjudicatory authority) to “take action” against users and impose penalties up to Rs 10,000.

Second, a striking aspect of the Bill is how burdensome it is for users to file a complaint to the DPB. Once a complaint is filed, the DPB has the power to “close” proceedings on insufficient grounds at the preliminary stage. The Bill does not define what it envisions as insufficient grounds, or for that matter any bases on which complaints could be filed or rejected. It simply states that the function of the DPB would be to determine non-compliance with the Bill’s provisions and impose requisite penalties. Even if the inquiry proceeds, the DPB can, at any stage, conclude that a complaint is devoid of merits, and issue a warning or impose costs on the complainant. The Bill fails to lay down any guidelines for the DPB to assess such cases and doesn’t make it clear whether these costs will be capped at Rs 10,000.

Finally, what happens in cases wherein the DPB concludes that there has been a transgression by a processing entity resulting in privacy harm to a user? The Bill states that it can only impose penalties where it has found such a transgression to be “significant” in nature. Predictably, the Bill does not provide guidance on how the “significance” of non-compliance is judged by the DPB. This is critical, as a plain reading of the bill makes it clear that the power of the DPB to impose penalties even where non-compliance is positively determined (although “non-significant”) is zero.

These powers would give the DPB, which is wholly controlled by the central government, substantial discretion in closing and concluding complaints against data-processing entities. Considering that users would be disproportionately burdened, both financially and logistically, in filing complaints against data-processing entities, these new conditions that the Bill proposes will only add to their woes. The Bill, by design, disincentivises users from filing complaints to remedy privacy harm. Users will be at a critical disadvantage in proceedings before the DPB, as they have to adhere to vague duties, meet multiple unclear and uncertain conditions to obtain a positive determination, and even then, may not receive suitable redressal. Considering that there is no provision for awarding compensation to users in the Bill, it may be impractical for users to file complaints against data-processing entities, seriously limiting their right to seek redressal under the Bill.

Larger questions of the DPB’s independence aside, the Bill does little to provide it with the tools to impose requisite penalties and provide meaningful compensation. A law is only as strong as its enforcement. This strikes at the heart of the right to privacy of individuals and their realising informational autonomy and self-determination.

There are certain pointed changes that the Bill could incorporate to address these challenges.

First, remove duties, since the primary goal of a data protection Bill is to protect the privacy of individuals. Second, empower the DPB to compensate users in cases of non-compliance; this will incentivise them to file complaints and provide meaningful redressal. Third, “significance” should not be a pre-condition for the imposition of penalties. The DPB must, on the merits of the complaint, be able to determine penalties without a requirement to determine significance. And fourth, as a corollary to the previous point, the DPB should not be able to impose costs, sanctions, or obligations on users in any situation.

Until such challenges are addressed, and the practical circumstances of users are accounted for, meaningful data protection for Indian citizens cannot be a reality.

*This article was first published on The Indian Express on December 28, 2023. It has been cross-posted with the author’s permission.

Report on Intermediary Liability in India

The question of when intermediaries are liable, or conversely not liable, for content they host or transmit is often at the heart of regulating content on the internet. This is especially true in India, where the Government has relied almost exclusively on intermediary liability to regulate online content. With the advent of the Intermediary Guidelines 2021, and their subsequent amendment in October 2022, there has been a paradigm shift in the regulation of online intermediaries in India. 

To help understand this new regulatory reality, the Centre for Communication Governance (CCG) is releasing its ‘Report on Intermediary Liability in India’ (December 2022).

This report aims to provide a comprehensive overview of the regulation of online intermediaries and their obligations with respect to unlawful content. It updates and expands on the Centre for Communication Governance’s 2015 report documenting the liability of online intermediaries to now cover the decisions in Shreya Singhal vs. Union of India and Myspace vs. Super Cassettes Industries Ltd, the Intermediary Guidelines 2021 (including the October 2022 Amendment), the E-Commerce Rules, and the IT Blocking Rules. It captures the over two decades of regulatory and judicial practice on the issue of intermediary liability since the adoption of the IT Act. The report aims to provide practitioners, lawmakers and regulators, judges, and academics with valuable insights as they embark on shaping the coming decades of intermediary liability in India.

Some key insights that emerge from the report are summarised below:

Limitations of Section 79 (‘Safe Harbour’) Approach: In the cases analysed in this report, there is little judicial consistency in the application of secondary liability principles to intermediaries, including the obligations set out in Intermediary Guidelines 2021, and monetary damages for transmitting or hosting unlawful content are almost never imposed on intermediaries. This suggests that there are significant limitations to the regulatory impact of obligations imposed on intermediaries as pre-conditions to safe harbour.

Need for clarity on content moderation and curation: The text of Section 79(2) of the IT Act grants intermediaries safe harbour provided they act as mere conduits, not interfering with the transmission of content. There exists ambiguity over whether content moderation and curation activities would cause intermediaries to violate Section 79(2) and lose safe harbour. The Intermediary Guidelines 2021 have partially remedied this ambiguity by expressly stating that voluntary content moderation will not result in an intermediary ‘interfering’ with the transmission under Section 79(2). However, ultimately amendments to the IT Act are required to provide regulatory certainty.

Intermediary status and immunity on a case-by-case basis: An entity’s classification as an intermediary is not a status that applies across all its operations (like a ‘company’ or a ‘partnership’), but rather the function it is performing vis-à-vis the specific electronic content it is sued in connection with. Courts should determine whether an entity is an ‘intermediary’ and whether it complied with the conditions of Section 79 in relation to the content it is being sued for. Consistently making this determination at a preliminary stage of litigation would greatly further the efficacy of Section 79’s safe harbour approach.

Concerns over GACs: While the October 2022 Amendment stipulates that two members of every GAC shall be independent, no detail is provided as to how such independence shall be secured (e.g., security of tenure and salary, oath of office, minimum judicial qualifications etc.). Such independence is vital as GAC members are appointed by the Union Government but the Union Government or its functionaries or instrumentalities may also be parties before a GAC. Further, given that the GACs are authorities ‘under the control of the Government of India’, they have an obligation to abide by the principles of natural justice, due process, and comply with the Fundamental Rights set out in the Constitution. If a GAC directs the removal of content beyond the scope of Article 19(2) of the Constitution, questions of an impermissible restriction on free expression may be raised.

Actual knowledge in 2022: The October 2022 Amendment requires intermediaries to make reasonable efforts to “cause” their users not to upload certain categories of content and ‘act on’ user complaints against content within seventy-two hours. Requiring intermediaries to remove content at the risk of losing safe harbour in circumstances other than the receipt of a court or government order prima facie violates the decision of Shreya Singhal. Further, India’s approach to notice and takedown continues to lack a system for reinstatement of content.  

Uncertainty over government blocking power: Section 69A of the IT Act expressly grants the Union Government power to block content, subject to a hearing by the originator (uploader) or intermediary. However, Section 79(3)(b) of the IT Act may also be utilised to require intermediaries to take down content absent some of the safeguards provided in Section 69A. The fact that the Government has relied on both provisions in the past and that it does not voluntarily disclose blocking orders makes a robust legal analysis of the blocking power challenging.

Hearing originators when blocking: The decision in Shreya Singhal and the requirements of due process support the understanding that the originator must be notified and granted a hearing under the IT Blocking Rules prior to their content being restricted under Section 69A. However, evidence suggests that the government regularly does not provide originators with hearings, even where the originator is known to the government. Instead, the government directly communicates with intermediaries away from the public eye, raising rule of law concerns.

Issues with first originators: Both the methods proposed for ‘tracing first originators’ (hashing unique messages and affixing encrypted originator information) are easily circumvented, require significant technical changes to the architecture of messaging services, offer limited investigatory or evidentiary value, and will likely undermine the privacy and security of all users to catch a few bad actors. Given these considerations, it is unlikely that such a measure would satisfy the proportionality test laid out by current Supreme Court doctrine.

Broad and inconsistent injunctions: An analysis of injunctions against online content reveals that the contents of court orders are often sweeping, imposing vague compliance burdens on intermediaries. When issuing injunctions against online content, courts should limit blocking or removals to specific URLs. Further, courts should be cognisant of the fact that intermediaries have themselves not committed any wrongdoing, and the effect of an injunction should be seen as meaningfully dissuading users from accessing content rather than an absolute prohibition.

This report was made possible by the generous support we received from National Law University Delhi. CCG would like to thank our Faculty Advisor Dr. Daniel Mathew for his continuous direction and mentorship. This report would not be possible without the support provided by the Friedrich Naumann Foundation for Freedom, South Asia. We are grateful for comments received from the Data Governance Network and its reviewers. CCG would also like to thank Faiza Rahman and Shashank Mohan for their review and comments, and Jhalak M. Kakkar and Smitha Krishna Prasad for facilitating the report. We thank Oshika Nayak of National Law University Delhi for providing invaluable research assistance for this report. Lastly, we would also like to thank all members of CCG for the many ways in which they supported the report, in particular, the ever-present and ever-patient Suman Negi and Preeti Bhandari for the unending support for all the work we do.

Examining ‘Deemed Consent’ for Credit-Scoring under India’s Draft Data Protection Law

By Shobhit Shukla

On November 22, 2022, the Ministry of Electronics and Information Technology released India’s draft data protection law, the Digital Personal Data Protection Bill, 2022 (‘Bill’).* The Bill sets out certain situations in which seeking an individual’s consent for processing of their personal data is “impracticable or inadvisable due to pressing concerns”. In such situations, the individual’s consent is assumed; further, they are not required to be notified of such processing. One such situation is for processing in ‘public interest’. The Bill also illustrates certain public-interest purposes and notably, includes ‘credit-scoring’ as a purpose, in Clause 8(8)(d). Put simply, the Bill allows an individual’s personal data to be processed non-consensually and without any notice to them, where such processing is for credit-scoring.

Evolution of credit-scoring in India

Credit-scoring is a process by which a lender (or its agent) assesses an individual’s creditworthiness i.e., their notional capacity to repay their prospective debt, as represented by a numerical credit score. Until recently, lenders in India relied largely on credit scores generated by credit information companies (‘CICs’), licensed by the Reserve Bank of India (‘RBI’) under the Credit Information Companies (Regulation) Act, 2005 (‘CIC Act’). CICs collect and process ‘credit information’, as defined under the CIC Act, to generate such scores. Such information, for an individual, comprises chiefly the details of their outstanding loans and history of repayment/defaults. However, with the expansion of digital footprints and advancements in automated processing, the range of datasets deployed to generate credit scores has expanded significantly. Lenders are increasingly using credit scores generated algorithmically by third-party service-providers. Such agents aggregate and process a wide variety of alternative datasets relating to an individual, alongside credit information – these may include the individual’s employment history, social media activity, and web browsing history. This allows them to build a highly data-intensive credit profile of (and assign a more granular credit score to) the individual, to assist lenders in deciding whether to extend credit. Not only does this enable lenders to make notionally better-informed decisions, but also to assess and extend credit to individuals with meagre or no prior access to formal credit.

While neither the Bill nor its explanatory note explains why credit-scoring constitutes a public-interest ground for non-consensual processing, it may be viewed as an attempt to remove the procedural burden associated with notice-and-consent. In the context of credit-scoring, if lenders (or their agents) are required to provide notice and seek consent at each instance to process the numerous streams of an individual’s personal data, the procedural costs may disincentivise them from accessing certain data-streams. Consequently, with limited data to assess credit-risk, lenders may adopt a risk-averse approach and avoid extending credit to certain sections of individuals. Alternatively, they may decide to extend credit despite the supposed inadequacy of personal data, thereby exposing themselves to higher risk of repayment defaults. While the former approach would be inimical to financial inclusion, the latter could possibly result in accumulation of bad loans on lenders’ balance sheets. Thus, encouraging data-intensive credit-scoring (for better-informed credit-decisions and/or for widening access to credit) may conceivably be viewed as a legitimate public interest.

However, in this post, I contend that even if this were to be accepted, a complete exemption from notice-and-consent for credit-scoring poses a disproportionate risk to individuals’ right to privacy and data protection. The efficacy of notice-and-consent in enhancing informational autonomy remains debatable; however, a complete exemption from the requirement, without any accompanying safeguards, ignores specific concerns associated with credit-scoring.

Deemed consent for credit-scoring: Understanding the risks

First, the provision allows non-consensual processing of all forms of personal data, regardless of any correlation of such data with creditworthiness. In effect, this would encourage lenders to leverage the widest possible range of personal datasets. As research has demonstrated, the deployment of disparate datasets increases incidences of inaccuracy as well as of spurious connections between the data-input and the output. In credit-scoring, an algorithm trained on historical data may conclude, for instance, that borrowers from a certain social background are likelier to default in repayment. Credit-scores generated from such fallacious and/or unverifiable conclusions can embed systemic disadvantages into future credit-decisions and deepen the exclusion of vulnerable groups. The exemption from notice-and-consent would only increase the likelihood of such exclusion – this is because individuals would not have any knowledge of the data-inputs used, or of the algorithm by which such data-inputs were processed, and consequently would have no recourse against any credit-decisions arrived at via such processing.

Second, the provision allows any entity to non-consensually process personal data for credit-scoring. Notably, CICs are specifically licensed by the RBI to, inter alia, undertake credit-scoring. Additionally, in November 2021, the RBI amended the Credit Information Companies Regulations, 2006, to provide an avenue for entities (other than CICs) to register with any CIC, subject to the fulfilment of certain eligibility criteria, and to consequently access and process credit information for lenders. By allowing any entity to process personal data (including credit information) for credit-scoring, the Bill appears to undercut the RBI’s attempt to limit the processing of credit information to entities under its purview.

Third, the provision allows non-consensual processing of personal data for credit-scoring at any instance. A plain reading suggests that such processing may be undertaken even before the individual has expressed any intention to avail credit. Effectively, this would provide entities a free rein to pre-emptively mine troves of an individual’s personal data. Such data could then be processed for profiling the individual and behaviourally targeting them with customised advertisements for credit products. Clearly, such targeted advertising, without any intimation to the individual and without any opt-out, would militate against the individual’s right to informational self-determination. Further, as an RBI-constituted Working Group has noted, targeted advertising of credit products can promote irresponsible borrowing by individuals, leading them to debt entrapment. At scale, predatory lending enabled by targeted advertisements could perpetuate unsustainable credit and pose concerns to economic stability.

Alternatives for stronger privacy-protection in credit-scoring

The above arguments demonstrate that the complete exemption from notice-and-consent for processing of personal data for credit-scoring threatens individual rights disproportionately. Moreover, the exemption may undermine precisely the same objectives that policymakers may be attempting to fulfil via the exemption. Thus, Clause 8(8)(d) of the Bill requires serious reconsideration.

First, I contend that Clause 8(8)(d) may be deleted before the Bill is enacted into law. In view of the CIC Act, CICs and other entities authorised by the RBI under the CIC Act shall, notwithstanding the deletion of the provision, continue to be able to access and process credit information relating to individuals without their consent – such processing shall remain subject to the safeguards contained in the CIC Act, including the right of the individual to obtain a copy of such credit information from the lender.

Alternatively, the provision may be suitably modified to limit the exemption from notice-and-consent to certain forms of personal data. Such personal data may be limited to ‘credit information’ (as defined under the CIC Act) or ‘financial data’ (as may be defined in the Bill before its enactment) – resultantly, the processing of such data for credit-scoring would not require compliance with notice-and-consent. The non-consensual processing of such forms of data (as opposed to all personal data), which carry logically intuitive correlations with creditworthiness, shall arguably correspond more closely to the individual’s reasonable expectations in the context of credit-scoring. An appropriate delineation of this nature would provide transparency in processing and also minimise the scope of fallacious and/or discriminatory correlations between data-inputs and creditworthiness.

Finally, as a third alternative, Clause 8(8)(d) may be modified to empower a specialised regulatory authority to notify credit-scoring as a purpose for non-consensual processing of data, but within certain limitations. Such limitations could relate to the processing of certain forms of personal data (as suggested above) and/or to certain kinds of entities specifically authorised to undertake such processing. This position would resemble proposals under previous versions of India’s draft data protection law, i.e. the Personal Data Protection Bill, 2019 and the Personal Data Protection Bill, 2018 – both draft legislations required any exemption from notice-and-consent to be notified by regulations. Further, such notification was required to be preceded by a consideration of, inter alia, individuals’ reasonable expectations in the context of the processing. In addition to this balancing exercise, the Bill may be modified to require the regulatory authority to consult with the RBI, before notifying any exemption for credit-scoring. Such consultation would facilitate harmonisation between data protection law and sectoral regulation surrounding financial data.

*For our complete comments on the Digital Personal Data Protection Bill, 2022, please click here – https://bit.ly/3WBdzXg

Censoring the Critics: The Need to Balance the Right to Erasure and Freedom of Speech

Clause 13(2)(d) of the Digital Data Protection Bill, 2022 (“DPDP Bill”) provides for the right to erasure of personal data i.e. “…any data about an individual who is identifiable by or in relation to such data”. The said clause states that a data principal has the right to erasure of personal data as per applicable laws and as prescribed. The clause further provides that such erasure of personal data shall take place after the data fiduciary receives a request for erasure. The precondition for erasure is that the personal data must no longer be necessary for the purpose for which it was processed and that it must not be necessary for any legal purpose either. 

This is in many ways a salutary provision. Data principals should have control over their data which includes the right to correct and erase data. This is especially important since it protects individuals from the negative impacts of the widespread availability of personal data on the internet. In today’s digital age, it is easier than ever for personal data to be collected, shared, and used in ways that are harmful or damaging to individuals. The right to erasure aids in countering these negative impacts by giving individuals the power to control their own personal information, and to have it removed from the internet if they choose to do so.

However, this provision can negatively impact several other fundamental rights such as the freedom of speech and right to information, especially when it is abused by powerful figures to silence criticism. For example, if an investigative journalist were to write an article in which they bring to light a government official’s corrupt deeds, the said official would be able to request the data fiduciary to erase such data since they are identifiable by it or are related to it. 

This article will seek to address such concerns in two ways. First, it will delve into the safeguards that can be included in the text of Clause 13(2)(d) to ensure that there is an appropriate balance between free speech and privacy. Second, it will recommend that the arbiter of this balance should be an independent authority and not data fiduciaries. 

(1) Safeguards 

Clause 13(2)(d) is heavily tilted in favor of the privacy interests of the data principal. It does not require data fiduciaries to take into account any other considerations that might have a bearing on the data principal’s erasure request. In order to prevent privacy interests from undermining other rights, the clause should be amended to include various safeguards. 

In particular, the clause should require data fiduciaries to consider the free speech rights of other individuals who might be affected by an erasure request. As indicated earlier, journalists may find it difficult to publish critical commentary on powerful public figures if their work is subject to easy erasure. There are also artistic, literary and research purposes for which personal data might be used by other individuals. These are valid uses of personal data that should not be negated simply because of an erasure request. 

Data fiduciaries can also be made to consider the following factors through subordinate legislation to harmonize free speech and privacy: (a) the role of the data principal in public life, (b) the sensitivity of the personal data sought to be erased, (c) purpose of processing, (d) public nature of data and (e) relevance of the personal data to the public. Incorporating such safeguards will help ensure that data fiduciaries appropriately balance the right to privacy and the right to speech when they receive erasure requests.

Further, a clearly laid out process for grievance redressal should also be codified. Currently, Clause 13(2)(d) does not provide for an appeal mechanism for erasure requests that have been rejected by data fiduciaries. The clause should explicitly provide that in case the data principal wants to contest the rejection of their erasure request, they can file a complaint with the Data Protection Board (DPB). 

(2) Independent Authority 

In addition to lacking sufficient safeguards, Clause 13(2)(d) puts the onus on data fiduciaries to decide the validity of erasure requests. Various jurisdictions including the United Kingdom and Spain along with other states from the European Union use this framework. However, giving decision-making power directly to data fiduciaries will have a chilling effect on speech.

This is because they will tend to mechanically comply with erasure requests in order to escape liability for non-compliance. Data fiduciaries lack the bandwidth needed to properly assess the validity of erasure claims. They are for the most part private businesses with no obligation or commitment to uphold the rights and freedoms of citizens, especially if doing so will entail the expenditure of significant resources.

Consequently, there is a need for a different framework. Clause 13(2)(d) should be amended to provide for the creation of an independent authority which will decide the validity of erasure requests. Such a body should be staffed with free speech and privacy experts who have the incentive and the capability to balance competing privacy and speech considerations. 

Conclusion 

We can see from the discussion above that the right to erasure provision of the Digital Data Protection Bill, 2022 has failed to strike a sound balance between privacy and free speech. To achieve such a balance, Clause 13(2)(d) should be amended to incorporate various safeguards. Furthermore, an independent authority should be deciding the validity of erasure requests, not data fiduciaries.

Comparative tracker for the Digital Personal Data Protection Bill, 2022

The Digital Personal Data Protection Bill, 2022 (“2022 Bill”) was released by the Ministry of Electronics and Information Technology on November 18, 2022, with the stated intent of being concise, comprehensible, and simplified for the citizens. For these reasons, the 2022 Bill has made significant changes to the framework of the earlier Personal Data Protection Bill, 2019 (“2019 Bill”), which was withdrawn earlier this August during the Monsoon session of the Parliament.

We have prepared this detailed tracker to record the changes made in the 2022 Bill, and compared the differences in the key provisions of the 2022 Bill and the 2019 Bill. This tracker can be a helpful reference while analysing the two Bills, or even a quick guide to the changes brought out in the 2022 Bill. 

This tracker has used the 2019 Bill as reference for the changes, as this was the last version of the Data Protection Bill which was introduced before the Parliament as a comprehensive legislation. We have analysed each clause and sub-clause of the 2022 Bill and compared it to the corresponding provisions of the 2019 Bill. We have provided the full text of the provisions (highlighting the differences) as well as a brief summary of changes under the 2022 Bill. Readers may use the 2022 Bill as the base, when looking for the changes made to specific provisions of the 2019 Bill.

As the public and expert analyses and opinions on the 2022 Bill are still being developed, we invite comments on any errors or omissions of corresponding provisions which may be present in this tracker.

The tracker can be accessed here.

Please note: a detailed list of the removed provisions from the 2019 Bill will be added to the tracker in the next few days.

(Compiled by Tejaswita Kharel and Vignesh Shanmugam)

(Update January 24, 2023: We have included in the tracker a detailed list of provisions removed from the 2022 Bill along with our comments on the same)

Guest Post: Liberty, privacy and abortion rights: Comparing India and the U.S.

This post is authored by Shrutanjaya Bhardwaj

On 25 June 2022, in Dobbs v. Jackson, the U.S. Supreme Court (“SCOTUS”) declared that the U.S. Constitution does not guarantee a right to abortion. SCOTUS thus overturned the celebrated 1973 judgment titled Roe v. Wade which had held the right to abortion to be constitutionally protected. This post analyses Roe and Dobbs, examining how and why they treated the term “liberty” differently. It then contrasts these definitions with the Indian understanding of “liberty”.

“Liberty” and “tradition”: A brief overview of Roe and Dobbs

The legal issue on which Roe and Dobbs disagree concerns the word “liberty” in the Fourteenth Amendment to the U.S. Constitution. The Amendment states that the State shall not “deprive any person of life, liberty, or property, without due process of law”. SCOTUS decisions prior to 1973 interpreted the word “liberty” narrowly. They held that the word does not include all kinds of liberties; it refers to those liberties which were historically and traditionally considered fundamental in the U.S. For example, Palko (1937) held that the Fourteenth Amendment only protects liberties “so rooted in the traditions and conscience of our people as to be ranked as fundamental.” Similarly, Snyder (1934) held that the words “due process” imply the processes traditionally guaranteed in the U.S.

The Court in Roe (1973) was aware of these precedents. However, the majority ultimately held that the Fourteenth Amendment protects “personal rights that can be deemed ‘fundamental’ or ‘implicit in the concept of ordered liberty’.” Conspicuously, the reference to history and tradition was omitted, presumably implying that history and tradition are not essential to the analysis. Hence, while narrating the history of abortion, the majority did not deem it necessary to locate a right to abortion in American tradition. It merely found that “at common law, at the time of the adoption of our Constitution, and throughout the major portion of the 19th century, abortion was viewed with less disfavor than under most American statutes currently in effect” (emphasis supplied). It then proceeded to hold that the right to abortion was protected under the Fourteenth Amendment as a facet of the right to privacy. Roe’s treatment of history and tradition would eventually become the main reason for its overturning in Dobbs.

But Roe was not alone in treating history and tradition as inconclusive. SCOTUS has generally wavered on this issue. E.g., in Obergefell (the 2015 decision affirming a right to same-sex marriages), SCOTUS held that while history and tradition “guide and discipline this inquiry”, they “do not set its outer boundaries”. Contrast this with Glucksberg (the 1997 decision rejecting a right to assisted suicide) which held that the “outlines” of the word “liberty” are to be “carefully refined by concrete examples involving fundamental rights found to be deeply rooted in our legal tradition,” indicating a conclusive reliance on tradition. Thus, the question of whether “liberty” is to be interpreted purely normatively (‘implicit to ordered liberty’), or must also be grounded in historical experience is itself contested in SCOTUS jurisprudence and has changed over time – often based on the composition of the court on a given day and case.

In attacking Roe’s conclusion, then, the main objection taken by the Dobbs Court — composed of a 6-3 conservative majority — was a historical one. The majority re-examined historical evidence and found that abortion has been traditionally criminalised, or at least negatively treated, in most states: “By the time the Fourteenth Amendment was adopted, three-quarters of the States had made abortion a crime at any stage of pregnancy. This consensus endured until the day Roe was decided. Roe either ignored or misstated this history….” Citing Palko (1937) and Glucksberg (1997) for the necessity to ground liberty in historical practice, the majority rejected the idea that an abortion right was “deep-rooted” in American history and tradition. Thus, it found, the word “liberty” in the Fourteenth Amendment did not protect a woman’s right to medically terminate her pregnancy. 

The implication is this. After Dobbs, the 14th amendment itself does not include a right to medically terminate a pregnancy because the right is not “deeply rooted” in American history and tradition. Thus, there exists no need to examine whether there exists a countervailing right of the woman which must be “balanced” against the State’s interest in protecting prenatal life. As described by the dissent: “The constitutional regime we have lived in for the last 50 years recognized competing interests, and sought a balance between them. The constitutional regime we enter today erases the woman’s interest and recognizes only the State’s….”

It is easy to see why SCOTUS’ reliance on history and tradition is problematic. The point of a Bill of Rights is to insulate freedom and equality from majority control. It is hence paradoxical that the meaning of liberty turns on popular tradition. Relying on a male political majority’s treatment over a period of time of women (at a time when the latter were denied political representation – women were not allowed to vote when the 14th amendment was passed – and equal standing in society) to determine the liberties afforded to women today risks codifying past injustices into modern rights law. The Dobbs dissent rightly argues, quoting Obergefell, that “[i]f rights were defined by who exercised them in the past, then received practices could serve as their own continued justification.” This circular test—which sees the Constitution as a tool to cement tradition rather than challenge it—allows all kinds of regressive, liberty-restricting practices to be upheld so long as they are rooted in American history and tradition. Finally, history itself may be contested and heterogeneous, and the Court’s approach provides few safeguards against the selective reliance and interpretation of “history” by the majority.

Yet, the dissent struggles—and so does an amicus brief—to articulate an alternative test to define “liberty”. The dissent argues, rightly, that history and tradition are not captured “in a single moment” and should be understood with reference to “the long sweep of our history and from successive judicial precedents”. But this does not take us very far. Is tradition relevant at all? How relevant? When can you overlook it? Is it possible to ensure that judges will not start interpreting the word “liberty” based on their own personal biases, in ways completely disconnected from American tradition? The dissent does not argue that tradition is irrelevant, and does not provide any principled test to determine when its relevance is reduced.

“Liberty” in the Indian Constitution

While the Indian Supreme Court often discusses the history of the issue before it (very common in reservation cases, e.g.), history and tradition have never been the determining factors to define “liberty” in Art.21 of the Indian Constitution. The meaning of “liberty” has been determined by other considerations.

Art.21 prohibits the State from depriving any person of “personal liberty” except as per procedure established by law. Separately, Art.19 lists six (originally seven) freedoms: speech, assembly, association, movement, residence and trade. In its early years, the Supreme Court was called upon to decide if the “liberty” contemplated by Art.21 was broad enough to include the six freedoms listed in Art.19. This question was first answered in Gopalan (1950). By a 5-1 majority, the Court held that since Art.21 spoke only of “personal” liberty—i.e., liberty of one’s person—it had to be interpreted narrowly to mean freedom from bodily restraint. As Das J. put it, liberty is the “antithesis of physical restraint or coercion”. The majority viewed Art.19 and Art.21 as distinct rights having no overlapping content. In other words, the content of “liberty” in Art.21 was not informed by the rights enumerated in Art.19.

In the Gopalan era, therefore, Art.21 had a narrow scope. It did not, e.g., include the right to privacy, as held in M.P. Sharma (1954) and Kharak Singh (1964). But Gopalan was overturned after the Emergency. In Maneka (1978), the Supreme Court held that fundamental rights are not siloed; they are overlapping in terms of their content. Accordingly, the meaning of “personal liberty” in Art.21 was held to include and be informed by the six enumerated freedoms of Art.19 and other constitutional sources. 

Since Maneka, the meaning of “personal liberty” has been continuously expanded. Now, Art.21 includes, inter alia, the rights to legal aid and speedy trial, the right to shelter, workers’ right to health and medical aid, a woman’s right to make free choices regarding sterilization procedures, the right to privacy, and indeed, a qualified right to have an abortion subject to reasonable restrictions imposed by the Medical Termination of Pregnancy Act, 1971.

But none of these activities or rights have had to pass a historical test before being recognised. The term “personal liberty” has been understood as being “of the widest amplitude” (Maneka 1978) and defined as “a power of acting according to the determinations of the will” (Mhetre 2011). These holdings imply that the words “personal liberty” encompass the freedom to do whatever one wants, although the freedom is not absolute and is subject to any fair, just and reasonable law made by the State (such as criminal legislations which identify and punish certain acts like murder, theft etc.) on legitimate grounds. In other words, the idea of “liberty” does not depend on the act being performed or its historical acceptance. In contrast with the SCOTUS, Indian courts have called the Constitution a “transformative” document, emphasizing its role as a revolutionary instrument that appropriately challenges tradition rather than protects it.

In one sense, this is a much neater test as compared to the one followed by SCOTUS. In the context of abortion, because the interpretation of “liberty” does not presumptively exclude the right to terminate a pregnancy (as it does under Dobbs), the Court must recognise two competing rights—the woman’s right to have an abortion and the fetal right (if it is shown to exist) to life—and resolve the conflict by evaluating the necessity and proportionality of the restrictions placed by the State.

Conclusion

This is not to say that the test under Art.21 has no flaws. The flexibility of the “fair, just and reasonable” standard also means that it is vague, and a restriction deemed to be reasonable by one bench or court could well be deemed unreasonable by another. Yet, the advantage of the Maneka test is that it does not allow the Court to outrightly reject either competing right on the ground that it does not comport with historical practices and popular traditions. The Court must at least enter the balancing exercise and explain why particular restrictions on rights are proportionate or disproportionate.

“Liberty” under the Indian Constitution is substantially different from that under the U.S. Constitution. The SCOTUS test is problematic; tradition and history are not objective and using them to define “liberty” is not wise. In contrast, Art.21 protects all liberty, and is open to recognising competing rights within the constitutional scheme. A woman’s right to abortion is hence recognised, but is to be ‘balanced’ against the right to life of the fetus (if such a competing right is shown to exist). This allows for a much more principled inquiry into the competing interests and for testing the necessity and proportionality of the State measure in question.

The Dobbs ruling has serious implications for privacy rights. The immediate implications are on pregnancy and reproductive autonomy: 11 states in the U.S. already have laws criminalizing abortions, while 13 more states are speculated to pass such laws in the near future. The de-recognition of the right to abortion as a fundamental right also poses dangers of surveillance and sensitive data collection by law enforcement agencies by piggy-backing on the data stored with financial companies and even menstruation-tracking apps in an effort to track individuals who may have had an abortion in a state where it is illegal. Looking beyond pregnancy, the Dobbs decision might imply—as both the concurrence (by Justice Thomas) and the dissent suggest—a threat to other rights which were recognized by SCOTUS as flowing from the right to privacy, including the right to contraception, the right to same-sex marriage, homosexuality rights, etc. The majority rejects this suggestion because “none of these decisions involved what is distinctive about abortion: its effect on what Roe termed ‘potential life’”. However, as the dissent notes, other rights based on the 14th amendment’s guarantee of autonomy and privacy may also fail the test of being “deeply rooted” in tradition. The effect of Dobbs on those other rights may be more complex than what the various Justices suggest. These and other aspects of the Dobbs fallout will be discussed in a future post.

This blog was written with the support of the Friedrich Naumann Foundation for Freedom.

CCG’s Comments to the Ministry of Electronics and Information Technology on the Draft National Data Governance Framework Policy

Authors: Joanne D’Cunha and Bilal Mohamed

On 26th May 2022, the Ministry of Electronics and Information Technology (MeitY), released the Draft National Data Governance Framework Policy (NDG Policy) for feedback and public comments. CCG submitted its comments on the NDG Policy, highlighting its feedback and key concerns with the proposed Data Governance Framework. The comments were authored by Joanne D’Cunha and Bilal Mohamed, and reviewed and edited by Jhalak M. Kakkar and Shashank Mohan.

The draft National Data Governance Framework Policy is a successor to the draft ‘India Data Accessibility and Use’ Policy, which was circulated in February 2022 for public comments and feedback. Among other objectives, the NDG policy aims to “enhance access, quality, and use of data to enable a data-led governance” and “catalyze AI and Data led research and start-up ecosystem”.

“Mountain” by Mariah Jochai is licensed under CC BY 4.0

CCG’s comments to the MeitY are divided into five parts – 

In Part I of the comments, we foreground our concerns by emphasising the need for comprehensive data protection legislation to safeguard citizens from potential privacy risks before implementing a policy around non-personal data governance.

In Part II, we focus on the NDG Policy’s objectives, scope, and key terminologies. We highlight that the NDG Policy does not sufficiently define key terms and phrases such as non personal data, anonymisation, data usage rights, Open Data Portal, Chief Data Officers (CDOs), datasets ecosystem, and ownership of data. Having clear definitions will bring in much needed clarity and help stakeholders appreciate the objectives and implications of the policy. This also enhances engagement from the stakeholders, including the various government departments, in the policy consultation process. We also highlight that the policy does not illustrate how it will intersect and interact with other proposed data governance frameworks such as the Data Protection Bill 2021 and the Non Personal Data Governance Framework. We express our concerns around the NDG Policy’s objective of cataloguing datasets for increased processing and sharing of data matching with the aim to deploy AI more efficiently. It relies on creating a repository of data to further analytics, and AI and data led research. However, it does not take into consideration that increasing access to data might not be as beneficial if computational powers of the relevant technologies are inadequate. Therefore, it may be more useful if greater focus is placed on developing computing abilities as opposed to increasing the quantum of data used.

In Part III, we focus on the privacy risks, highlighting concerns around the development and formulation of anonymisation standards given the threat of re-identification from the linkage of different datasets. This, we argue, can pose significant risks to individual privacy, especially in the absence of a data protection legislation that can provide safeguards and recognise individual rights over personal data. In addition to individual privacy harms, we also point to the potential for collective harms from using aggregated data. To this end, we suggest the creation of frameworks that can keep up with the increased risks of reidentification posed by new and emerging technologies.

Part IV of our comments explores the institutional framework and regulatory structure of the proposed India Data Management Office. The proposed IDMO is responsible for framing, managing, reviewing, and revising the NDG Policy. Key concerns on the IDMO’s functioning pertain to the exclusion of technical experts and representatives of civil society and industry in the IDMO. There is also ambiguity on the technical expertise required for Chief Digital Officers of the Digital Management Units of government departments and ministries, and the implementation of the redressal mechanism. In this section, we also highlight the need for a framework within the Policy to define how user charges will be determined for data access. This is particularly relevant to ensure that access to datasets is not skewed and is available to all for the public good. 

You can read our full submission to the ministry here.

Protecting Privacy: A Case Against State Interference Through Restitution of Conjugal Rights

Recent judicial decisions have transformed our understanding of privacy, autonomy, and equality; significantly so post the Supreme Court’s Puttaswamy I judgement. In Puttaswamy I, the Court reaffirmed privacy as a fundamental right grounded in the ideas of autonomy and dignity. An important consequence of this understanding of privacy is its impact on questions of individual privacy within the confines of a marriage. For example, in a recent case on the subject of marital rape, the Karnataka High Court allowed rape charges against the husband and emphasised the importance of reinforcing the right to equality and the right to individual autonomy and dignity of a woman within a marriage.

One such provision within family law that raises concerns about individual autonomy and privacy within marriage is the Restitution of Conjugal Rights (‘RCR’). It is a legal remedy available to spouses where one spouse deserts the other without a ‘reasonable’ excuse or on certain ‘unlawful’ grounds. In such cases, the ‘aggrieved’ party has the right to seek a decree for RCR, by which a court order may direct the deserting party to compulsorily cohabit with the ‘aggrieved’ party. The remedy of RCR is provided for under Section 9 of the Hindu Marriage Act, 1955, as well as under Muslim Personal Law, the Parsi Marriage and Divorce Act, 1936 (S. 36), the Indian Divorce Act, 1869 (S. 32-33), and the Special Marriage Act, 1954 (S. 22). Generally, if a person fails to comply with an RCR decree, a court can attach their property under the Civil Procedure Code (Order 21, Rule 32).

In this post, I analyse the State’s objectives in providing spouses with the RCR remedy and argue that the remedy itself violates the right to privacy under Article 21 by failing to satisfy the test of proportionality.

Privacy, autonomy, and State interference

State regulation of domestic relations has seen laws governing marriage, divorce, adultery, and sexual relations between consenting adults, for example the criminalisation of homosexuality. Marriage is a social contract recognised by the State and to a certain extent, is also subject to regulation by the State. Although regulations around marriage may be for a variety of reasons, it may be argued that they serve two key interests: protection of individual rights, and the State objective to protect the institution of marriage (often articulated as maintaining cultural ethos and societal values). Examples of the former rationale include laws recognising domestic violence, cruelty, and prioritising individual autonomy by providing divorce as a remedy. The latter rationale can be seen in laws criminalising adultery and homosexuality (both of which have been struck down by the Supreme Court of India post Puttaswamy I) and providing restitution of conjugal rights as a remedy. However, by protecting the institution of marriage, the State also protects a particular conception of that institution, specifically the socially accepted notion of a monogamous, heterosexual, and procreative marriage.

It is widely accepted that RCR is an archaic English law (from a time when cohabitation was expected of women) that, as the Bombay High Court noted in 1885, did not exist prior to colonial rule. However, the remedy was codified in the Hindu Marriage Act in 1955 even after India achieved independence and continues to exist despite its patriarchal connotations. The 71st Law Commission Report of 1978 (page no. 27, para 6.5) emphasised the importance of cohabitation to protect the ‘sanctity of marriage’. The High Court of Delhi, in Harvinder Kaur vs. Harmander Singh Choudhry (1984) also adopted this view and held that the restitution of conjugal rights is an important remedy to protect the institution of marriage. The Delhi High Court rejected privacy considerations by stating that a decree of RCR was not the “starkest form of governmental intervention into marital privacy” since it merely aims to restore cohabitation and does not enforce sexual intercourse. As I argue below, this reasoning raises questions about individual autonomy. However, the Delhi High Court’s rationale was accepted by the Supreme Court in Saroj Rani vs. Sudarshan Kumar Chadha (1984), where the apex Court upheld the constitutionality of RCR and reiterated that the right to cohabitation is “inherent in the very institution of marriage itself.”  

This view of RCR — to preserve the institution/ sanctity of marriage — creates tensions with the objective of the State to protect individual rights. An RCR decree interferes with the right to privacy and autonomy by compelling an individual to cohabit with their spouse against their will. This may especially be true after the articulation of the right to privacy by the Supreme Court in Puttaswamy I. The decree of RCR creates an unwanted intrusion into a person’s personal life by denying them autonomy over where they live, and also potentially on the sites of sexual and reproductive decision making. Any analysis of RCR must recognise the power asymmetry within domestic relations that pervasively results in women being subject to physical and sexual violence at home. Thus, contrary to the reasoning given by courts in Harvinder Kaur and Saroj Rani, by compelling women to cohabit with men they have deserted, a decree of RCR may place women at significant risk of domestic violence, economically compromised living conditions, and non-consensual sexual intercourse.

The Andhra Pradesh High Court in T Sareetha vs. Venkata Subbaiah in 1983 recognised that the grant of an RCR decree would amount to an interference of the State into the private sphere, compelling cohabitation or even indirectly, sexual intercourse. The High Court found that this interference of the State through RCR violated the right to privacy, autonomy, and dignity of the individual against whom the decree was sought by ‘transferring the decision to have or not have marital intercourse from the individual to the State’. This decision was overruled by the Supreme Court’s Saroj Rani decision in 1984. While the Puttaswamy I judgement in 2017 did not expressly refer to Sareetha, all nine judges broadly adopted the approach taken in the Sareetha judgement, adopting a conception of privacy that recognises its basis in individual autonomy and dignity.

In Puttaswamy I, the Supreme Court ruled that individual autonomy, which recognises the ability of individuals to control vital aspects of their life (including reproductive rights, sexual orientation, gender identity), is an intrinsic part of the right to privacy guaranteed under Article 21 of the Constitution. By this reasoning, a decree of RCR does not account for the right to autonomy of an individual and violates their right to privacy by legally compelling the individual to cohabit despite them making a conscious choice to separate from their spouse.

In recent years, there has been a shift in the thinking of courts, where the right to individual privacy and autonomy is prioritised as opposed to protection of the institution (and specific conceptions of that institution) of marriage. For instance, in Joseph Shine, the Supreme Court held that the law that criminalised adultery treated women as property and was unconstitutional. It opined that although the criminalisation of adultery was introduced to protect the institution of marriage, it serves the interests of one party and denies agency to women. The Court noted –

“The provision is proffered by the legislature as an effort to protect the institution of marriage. But it proceeds on a notion of marriage which is one sided and which denies agency to the woman in a marital tie. The ability to make choices within marriage and on every aspect concerning it is a facet of human liberty and dignity which the Constitution protects.”

Bearing in mind this view of the court, RCR would not stand up to judicial scrutiny as a constitutionally valid right, since it disregards the autonomy and dignity of an individual under the notion of the State aim to protect the institution of marriage.

The proportionality test

In 2017, Puttaswamy I laid down a four-part test for determining the validity of an infringement of the right to privacy. The test’s first limb necessitates the existence of a codified law, which is met in the case of RCR through various statutory provisions. The test also requires the existence of procedural safeguards against abuse of State interference, which is of reduced significance in the case of RCR as both an RCR decree and post-decree attachment of property require prior judicial authorisation and oversight. In addition to the need for statutory authorisation and procedural safeguards, for an infringement to be valid it must satisfy the limbs of legitimate aim, necessity, and proportionality. The Puttaswamy II (Aadhaar) case applied this test, which was first articulated in the Modern Dental College judgement in 2016. This test requires:

  1. any limitation of a constitutional right is enforced for a proper purpose (legitimate aim);
  2. there is a rational nexus between the proper purpose and the measure adopted to achieve it and there are no alternative measures which would achieve the purpose but are less restrictive of rights (necessity); and
  3. the restriction on the constitutional right must be proportionate to the purpose set out by the State (balancing or proportionality).

Firstly, it must be noted that, as observed by the Supreme Court in Saroj Rani, the stated purpose of the measure is protecting the institution of marriage. As stated above, in Joseph Shine the Supreme Court rejected the State’s argument that protecting the institution of marriage was a proper purpose where the State’s measure protected “a notion of marriage that is one sided and denies agency to women.” In this context, RCR only protects a notion of marriage where individuals cohabit and engage in sexual intercourse, denying agency to individuals and violating individual autonomy. Secondly, the decree of RCR should have a rational nexus with the aim of protecting the institution of marriage. In this regard, it is relevant to note that, in certain instances, individuals routinely file RCR cases expecting non-compliance by the other party, using this non-compliance with the RCR decree as a ground for divorce. Thus, the historically dominant objective of the State of “protecting” the institution of marriage through the positive remedy of RCR may also not be satisfied.

Even if RCR furthers the State’s aim of protecting marriage, it would need to pass the third prong of the proportionality test, i.e., the State must meet the objective of the law through the ‘least restrictive measure’. The State could resort to alternate measures, similar to the ones observed under divorce petitions; an order of mediation or a ‘cooling off’ period provisioned in cases of divorce with mutual consent furthers the aim of protecting the institution of marriage without violating individual rights. However, in a decree of RCR there persists a violation of an individual’s privacy, enforced by coercion through the attachment of property.

The fourth part of the proportionality test emphasises the need to have a balance between the interest of the State and the rights of individuals. As stated earlier, the infringement of individual rights through an RCR decree creates severe consequences that violate the right to privacy and autonomy of an individual, including putting women, in particular, at risk of harm. Thus, the gravity of the rights violation arguably outweighs the State interest of protecting marriage, especially since the State aim is often not met and the decree becomes a ground for divorce.

The application of the test of proportionality by Indian courts has garnered criticism as being deferential to the State. However, even with this deferential application, as demonstrated above, RCR would likely not pass the four-part test of proportionality endorsed by the courts in Modern Dental College and Aadhaar.

Conclusion

In the post-Puttaswamy era, various High Courts have recognised the autonomy and dignity of women within marriage under the fundamental right to privacy. For instance, in a recent right to abortion case, the High Court of Kerala relied on Puttaswamy I and held that a woman’s autonomy of body and mind with respect to reproductive decisions are part of the right to privacy. As discussed above, the High Court of Karnataka, in its recent decision, while allowing rape charges against the husband, acknowledged that the exception of marital rape stems from an archaic notion of marriage where the wife was considered property. On similar grounds, one may argue that RCR should be considered invalid since it is based on the outdated notion of marriage where the wife was considered the property of the husband and had no individual autonomy of her own. As noted above, it is also incompatible with the test of proportionality.

On 30 December, 2021, the Gujarat HC observed that an RCR decree could not force a woman to cohabit with her husband. The court recognised that a decree of RCR needs to consider the rights of both parties and not solely the ‘right of the husband’. Further, it opined that the very fact that there exists an option given to not comply with the RCR decree under the Civil Procedure Code indicates that the court cannot force a woman to cohabit against her will. The court further laid down certain grounds under which a person could refuse to comply with an RCR decree, including cruelty, adultery, and failure of the husband in performing marital obligations. Although this decision seems to encourage considering the rights of women in a marital relationship, it fails to reaffirm the right to privacy and autonomy of the subject of the decree against a law that is effectively discriminatory. It grants power to the courts to decide on a case-to-case basis whether the right can be granted, which could lead to a potential violation of individual rights given the nature of this provision.

Striking down RCR provisions does not mean that there must be a complete embargo on the interference of the State into marriage – for example, the power asymmetry in domestic relationships necessitates the enforcement of laws against domestic violence and most likely requires the criminalisation of marital rape. However, taking into consideration the constitutional scrutiny of laws against the backdrop of State interference and right to privacy, RCR may not stand the test of constitutionality. Currently, a petition challenging the constitutionality of RCR is pending before the Supreme Court – if the above arguments are considered by the court, RCR may be struck down on the grounds that it violates the right to privacy.

This post was originally published on Livelaw on 26 April 2022.

Guest Post: Right to Privacy at Home

This post is authored by Suhavi Arya.

In Justice (Retd.) K.S. Puttaswamy vs. Union of India (“Puttaswamy”) the Apex Court noted that there is a distinction between public and private spaces. Keeping this in mind, this post investigates the scope of one’s right to privacy in one’s own home. In the course of writing this post, I relied on CCG’s Privacy High Court Tracker to identify cases that discuss the extent to which the right to privacy may be interpreted in light of this public-private distinction.

The case of Vilasini vs. State of Kerala from the High Court of Kerala sheds some light on the issue. This case relates to Kerala’s toddy (palm wine) shops, which were increasingly being described as somewhat of an eyesore, with the manufacturing, storage, consumption, and disposal of toddy creating a challenging atmosphere for surrounding residents. The people affected most by the existence of these toddy shops were immediate neighbours. Several individuals filed writ petitions against the operation of toddy shops in their neighbourhoods. One such petition also challenged the shifting of a toddy shop to the petitioner’s colony, which is also near a local “anganwadi”. The writ petitions filed concerned several different toddy shops and varied issues; however, the Kerala High Court noted that the underlying concern in all these petitions was the protection of the petitioners’ privacy in their own homes and therefore considered these petitions together in a common judgement.

In the judgement, a single judge bench of Justice A. Muhamed Mustaque stated that since the sale of liquor is regulated by the State, the State is bound to address any implication on the rights of others who are affected by the conduct and placement of toddy shops. Crucially, in this case it was the State that determined the location of toddy shops through a licensing regime. The High Court observed that the Apex court noted in the Puttaswamy case that privacy is not lost or surrendered merely because the individual is in a public space. Privacy attaches to the person and not the place as it is part of the dignity of the human being. Furthermore, the Court added that “Privacy has both positive and negative content: The negative content restrains the State from committing an intrusion upon the life and personal liberty of a citizen. Its positive content imposes an obligation on the State to take all necessary measures to protect the privacy of the individual”. This is important because, while Puttaswamy did not enumerate an exhaustive list of rights that fall under ‘privacy’, it stated that anything that is essential to the dignity of a human being in private can be enforced by the person in public, including their well-being in their homes.

With this in mind, in the case of Vilasini, the Kerala High Court observed that there needs to be a standard by which a violation of privacy can be assessed. The High Court sought guidance from certain judgements of the European Court of Human Rights (‘ECtHR’) and laid down a framework of assessment that may apply in the Indian context as well. After having perused several European cases, the High Court noted that the ECtHR[1] had developed a test: for an action to be a “breach of privacy, it must have a direct immediate consequence to the applicants’ right to respect for their homes” under Article 8 of the European Convention of Human Rights (respect for home and private life). These ECtHR cases balanced the gravity and severity of nuisance caused by the impugned action with the community’s interests as a whole, assessing if the State had struck a fair balance or violated the right to privacy of an individual. For example, one case concerned noise pollution from bars and discotheques near the petitioner’s house, with the ECtHR ruling that the excessive noise was above the permitted levels and had occurred over a number of years, thus violating the privacy of the petitioner.

In Vilasini, the High Court uses the phrase ‘threshold severity test’ to describe this analysis. But the roots of this test can be traced to these ECtHR cases, which relate to the minimum level of severity of the action complained against and an evaluation of the authorities’ role upon a complaint being made. Although Article 8 of the European Convention expressly refers to ‘the home, private life, and family’, the Kerala High Court has read this as a facet of India’s right to privacy doctrine. Based on this interpretation of the right to privacy, the High Court restrained the operation of one toddy shop and directed the State authorities to assess the privacy impact of the operation of other shops.

The case of Puttaswamy has led to a diverse applicability of privacy and Article 21. New contours of privacy are now being explored in different high courts around the country. While courts now study the scope of the right to privacy and associated rights, it’s important to chart trends and understand the implications of new facets of privacy being recognised. The specific contours of privacy and its interactions with the public realm are being developed by courts on a case-by-case basis, with each new challenge to state action throwing up novel questions for Indian privacy jurisprudence. In furthering this jurisprudence, it is important to keep in mind the most fundamental aspect of privacy – that it is integral to every aspect of a person’s overall well-being. The Kerala High Court’s recognition that the right to privacy includes a right to be left alone and at peace in one’s own home, and the State’s duty to facilitate this, is the concrete application of a new facet of the right to privacy.


[1] Moreno Gomez vs. Spain (Application No. 4143/02); Hatton and Others vs. the United Kingdom [GC] (No. 36022/97, ECHR 2003-VIII); Lopez Ostra vs. Spain (Application No. 16798/90); Guerra and Others vs. Italy (Application No. 116/1996/735/932); Cuenca Zarzoso vs. Spain (Application No. 23383/12); Deés vs. Hungary (Application No. 2345/06); and Fadeyeva vs. Russia (Application No. 55723/00).

Vinit Kumar vs. Sanjay Bhandari – A Contrasting application of PUCL vs. Union of India

By Krishnesh Bapat

In the wake of disclosures by the Pegasus Project, it has become more important than ever to understand the law which authorises the government to conduct surveillance – especially the provisions which permit non-digital phone tappings. To that end, the ‘Privacy High Court Tracker’ is an extremely useful tool developed by the Centre For Communication Governance, National Law University Delhi. The tracker enables stakeholders to analyse the evolving jurisprudence on privacy. High Courts across the country are at the forefront of this evolution. For the purposes of this piece, which discusses the law on state-mandated surveillance with a focus on phone-tappings, two judgments from the tracker are relevant – Vinit Kumar vs. CBI and Ors., 2019 (Bombay High Court) and Sanjay Bhandari and Ors. vs The Secretary of Govt. of India and Ors., 2020 (Madras High Court).

But before we analyse these judgments, it is important to refer to the provisions of law that enable the government to listen to our conversations and the decision of the Supreme Court in PUCL vs. Union of India, (1997), which is the locus classicus on this subject. Section 5(2) of the Telegraph Act, 1885 (Telegraph Act) empowers the government to intercept any communication by a ‘telegraph’ from a person to another “on the occurrence of a public emergency” or “in the interest of public safety” if it is in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or to prevent incitement to the commission of an offence. Any order under Section 5(2) must be issued before the surveillance begins. Section 69 of the Information Technology Act, 2000 (IT Act) permits the government to intercept, monitor or decrypt communication generated, transmitted, received or stored in a computer. 

Interestingly, Section 69 of the IT Act has not been subject to much judicial scrutiny. While challenges to its constitutionality are pending before the Supreme Court, the lack of scrutiny is perhaps because there is opacity around when, where and how this provision is used to conduct surveillance. Notably, the government has even refused to provide the total number of orders it has passed under this provision in a response to a right to information application filed by the Internet Freedom Foundation. Unlike Section 69 of the IT Act, Section 5(2) of the Telegraph Act has been examined by Constitutional Courts on several occasions. As mentioned above, the most notable instance is PUCL.

In PUCL, the constitutional validity of Section 5(2) of the Telegraph Act was challenged. The Supreme Court’s decision, which was subsequently affirmed in K.S. Puttaswamy vs. Union of India, held that conversations over the telephone are private in nature. While this is significant since this judgment is from before Puttaswamy, the bite of the judgment was the Court’s interpretation of the phrases “on the occurrence of a public emergency” and “in the interest of public safety”. The Court held that public emergency would mean the prevailing of a sudden condition or state of affairs affecting the people at large, calling for immediate action. The expression “public safety” means the state or condition of freedom from danger or risk for the people at large. The Court also held that the phrases “take their colour off each other”, and that a breach of public safety or a public emergency is evident to a reasonable person, as they are not secretive conditions.

In terms of procedural safeguards, the Court, amongst other things, directed the Government to not conduct phone tapping unless there is an order from the home secretary which would ex-post be subject to review by a review committee also consisting of government officials. Notably, the Court stopped short of either prior or post judicial scrutiny. 

The CCG Privacy High Court Tracker is a useful resource to examine how High Courts have relied upon the decision in PUCL, especially after the Supreme Court’s decision in Puttaswamy. In this regard, the Bombay High Court’s decision in Vinit Kumar and the Madras High Court’s decision in Sanjay Bhandari offer a study in contrast.

In Vinit Kumar, the petitioner challenged three phone tapping orders issued against him, on the ground that they were ultra vires Section 5(2) of the Telegraph Act. Of course, the petitioner only found out that his conversations were being monitored after the Central Bureau of Investigation filed a charge-sheet against him in a criminal proceeding, where the petitioner was accused of bribing a public servant. The petitioner argued that there was no threat to public safety nor a public emergency to occasion such phone-tapping. The Bombay High Court agreed and noted that circumstances did not exist which “would make it evident to a reasonable person that there was an emergency or a threat to public safety”. The Court also went a step ahead and tested the phone tapping orders on the Puttaswamy proportionality standard (Kaul J, Paragraph 70), which requires the government to show: a) the action must be sanctioned by law; b) the action must be necessary in a democratic society; c) proportionality – the infringing action must be proportionate to the need for such interference; and d) procedural safeguards. The Court found that the orders could not withstand the test and struck them down as they ‘neither had the sanction of law’ (as there was no public emergency nor a threat to public safety) nor had they been issued for a legitimate aim. (Paragraph 19)

In Sanjay Bhandari, the petitioners, who held official government positions, were accused of accepting a bribe in return for granting benefits. They found out that the Government was monitoring their conversations, and challenged the phone-tapping orders before the Madras High Court. Evidently, there was neither a public emergency nor threat to public safety that would justify the imposition of such an order. In PUCL, the Supreme Court had held that these situations are evident to a reasonable person as they are not secretive conditions. The Court also held that public emergency would mean the prevailing of a sudden condition or state of affairs affecting the people at large, calling for immediate action, and the expression “public safety” means the state or condition of freedom from danger or risk for the people at large.

The Madras High Court, going against established precedent, held that “Restricting the concept of public safety to the mere “situations that would be apparent to the reasonable persons” will exclude most of the actual threats which present the most grave circumstances like terrorist attacks, corruption at high places, economic and organised crimes, most of which are hatched in the most secretive of manners.”

Thus, the decision in Sanjay Bhandari interpreted Section 5(2) in a manner which was entirely contrary to the decision in PUCL and, perhaps, even to legislative intent. The Court read into the provision its understanding of what constitutes “actual threats” and extended the scope of the provision to offences which do not have any bearing on public safety, as interpreted in PUCL and affirmed in Puttaswamy. And there is merit to that interpretation. The word ‘safety’ follows the word ‘public’, which implies that the situation should be such that it puts at risk the people at large. Surely economic offences do not meet this criterion. There is merit to that interpretation, even from a rights perspective. Monitoring a person’s conversations constitutes a grave infringement on their right to privacy, and the need to undertake such an infringement must be proportionate to the ends sought to be achieved.