In the wake of disclosures by the Pegasus Project, it has become more important than ever to understand the law which authorises the government to conduct surveillance – especially the provisions which permit non-digital phone tappings. To that end, the ‘Privacy High Court Tracker’ is an extremely useful tool developed by the Centre For Communication Governance, National Law University Delhi. The tracker enables stakeholders to analyse the evolving jurisprudence on privacy. High Courts across the country are at the forefront of this evolution. For the purposes of this piece, which discusses the law on state-mandated surveillance with a focus on phone-tappings, two judgments from the tracker are relevant – Vinit Kumar vs. CBI and Ors., 2019 (Bombay High Court) and Sanjay Bhandari and Ors. vs The Secretary of Govt. of India and Ors., 2020 (Madras High Court).
But before we analyse these judgments, it is important to refer to the provisions of law that enable the government to listen to our conversations and the decision of the Supreme Court in PUCL vs. Union of India, (1997), which is the locus classicus on this subject. Section 5(2) of the Telegraph Act, 1885 (Telegraph Act) empowers the government to intercept any communication by a ‘telegraph’ from a person to another “on the occurrence of a public emergency” or “in the interest of public safety” if it is in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or to prevent incitement to the commission of an offence. Any order under Section 5(2) must be issued before the surveillance begins. Section 69 of the Information Technology Act, 2000 (IT Act) permits the government to intercept, monitor or decrypt communication generated, transmitted, received or stored in a computer.
Interestingly, Section 69 of the IT Act has not been subject to much judicial scrutiny. While challenges to its constitutionality are pending before the Supreme Court, the lack of scrutiny is perhaps because there is opacity around when, where and how this provision is used to conduct surveillance. Notably, the government has even refused to provide the total number of orders it has passed under this provision in a response to a right to information application filed by the Internet Freedom Foundation. Unlike Section 69 of the IT Act, Constitutional Courts have examined Section 5(2) of the Telegraph Act on several occasions. As mentioned above, the most notable instance is PUCL.
In PUCL, the constitutional validity of Section 5(2) of the Telegraph Act was challenged. The Supreme Court’s decision, which was subsequently affirmed in K.S. Puttaswamy vs. Union of India, held that conversations over the telephone are private in nature. While this is significant since this judgment is from before Puttaswamy, the bite of the judgment was the Court’s interpretation of the phrases “on the occurrence of a public emergency” and “in the interest of public safety”. The Court held that public emergency would mean the prevailing of a sudden condition or state of affairs affecting the people at large, calling for immediate action. The expression “public safety” means the state or condition of freedom from danger or risk for the people at large. The Court also held that the phrases “take their colour off each other”, and that a breach of public safety/a public emergency are evident to a reasonable person as they are not secretive conditions.
In terms of procedural safeguards, the Court, amongst other things, directed the Government to not conduct phone tapping unless there is an order from the home secretary which would ex-post be subject to review by a review committee also consisting of government officials. Notably, the Court stopped short of either prior or post judicial scrutiny.
The CCG Privacy High Court Tracker is a useful resource to examine how High Courts have relied upon the decision in PUCL, especially after the Supreme Court’s decision in Puttaswamy. In this regard, the Bombay High Court’s decision in Vinit Kumar and the Madras High Court’s decision in Sanjay Bhandari offer a study in contrast.
In Vinit Kumar, the petitioner challenged three phone tapping orders issued against him, on the ground that they were ultra vires Section 5(2) of the Telegraph Act. Of course, the petitioner only found out that his conversations were being monitored after the Central Bureau of Investigation filed a charge-sheet against him in a criminal proceeding, where the petitioner was accused of bribing a public servant. The petitioner argued that there was no threat to public safety nor a public emergency to occasion such phone-tapping. The Bombay High Court agreed and noted that circumstances did not exist which “would make it evident to a reasonable person that there was an emergency or a threat to public safety”. The Court also went a step ahead and tested the phone tapping orders on the Puttaswamy proportionality standard (Kaul J, Paragraph 70) which requires the government to show – a) The action must be sanctioned by law; b) The action must be necessary in a democratic society; c) Proportionality – infringing action must be proportionate to the need for such interference; and d) Procedural safeguards. The Court found that the orders could not withstand the test and struck them down as they ‘neither had the sanction of law’ (as there was no public emergency nor a threat to public safety) nor have they been issued for a legitimate aim. (Paragraph 19)
In Sanjay Bhandari, the petitioners, who held official government positions, were accused of accepting a bribe in return for granting benefits. They found out that the Government was monitoring their conversations, and challenged the phone-tapping orders before the Madras High Court. Evidently, there was neither a public emergency nor threat to public safety that would justify the imposition of such an order. In PUCL, the Supreme Court had held that these situations are evident to a reasonable person as they are not secretive conditions. The Court also held that public emergency would mean the prevailing of a sudden condition or state of affairs affecting the people at large, calling for immediate action, and the expression “public safety” means the state or condition of freedom from danger or risk for the people at large.
The Madras High Court, going against established precedent, held that “Restricting the concept of public safety to the mere “situations that would be apparent to the reasonable persons” will exclude most of the actual threats which present the most grave circumstances like terrorist attacks, corruption at high places, economic and organised crimes, most of which are hatched in the most secretive of manners.”
Thus, the decision in Sanjay Bhandari interpreted Section 5(2) in a manner which was entirely contrary to the decision and perhaps, even legislative intent. The Court read into the provision its understanding of what constitutes “actual threats” and extended the scope of the provision to offences which do not have any bearing on public safety, as interpreted in PUCL and affirmed in Puttaswamy. And there is merit to that interpretation. The word safety follows the word ‘public’ which implies that the situation should be such that it puts at risk the people at large. Surely economic offences do not meet this criteria. There is merit to that interpretation, even from a rights perspective. Monitoring a person’s conversations constitutes a grave infringement on their right to privacy, and the need to undertake such an infringement must be proportionate to the ends sought to be achieved.
The Centre for Communication Governance (CCG) has recently launched a new initiative called the Privacy High Court Tracker which consists of decisions on the constitutional right to privacy passed by all High Courts in India. The Privacy High Court Tracker is a tool to enable lawyers, judges, policymakers, legislators, civil society organisations, academic and policy researchers and other relevant stakeholders, to engage with, understand and analyse the evolving privacy law and jurisprudence across India.
The cases on the tracker can broadly be divided into several themes such as – search and seizure, data protection, and gender rights. Within gender rights, there are several sub-themes, and this article, relying on information from the tracker, will be focusing on the rights of transgender people. It was the National Legal Services Authority vs. Union of India (“NALSA”) judgement of 2014 which gave unequivocal recognition to transgender people in India as the ‘Third Gender’. The Supreme Court interpreted ‘dignity’ under Article 21 of the Constitution to include diversity in self-expression, which allowed a person to lead a dignified life. It placed one’s gender identity within the framework of the fundamental right to dignity under Article 21. Article 21 was interpreted to include privacy in Justice K. S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (“Puttaswamy 9-judge Bench”). The Puttaswamy 9-judge Bench unanimously recognised a fundamental right to privacy of every individual guaranteed by the Constitution, by reading privacy within Article 21, and in all of the fundamental rights under Part III as a whole.
While NALSA gave members of the transgender community the right to privacy in the protection of gender identity within Article 15, the Puttaswamy 9-judge Bench judgement placed the right to privacy as an expression of individual autonomy, dignity, and identity, at the intersection of Article 15 and 21. The right to life and personal dignity dwells in Article 21 but it is enriched by all the fundamental rights and its various interpretations.
In 2019, the Madurai Bench of the High Court of Madras, decided the case of Arunkumar and Ors. vs. The Inspector General of Registration. The facts of the case were – a cis-gendered male married a transwoman, in a temple in 2018. The Joint-Registrar refused to register the marriage, under Rule 5(1)(a) of the Tamil Nadu Registration of Marriage Rules. This was appealed before the District Registrar, who also refused and so it came before the High Court. The High Court stated that the definition of a ‘woman’ or a ‘bride’ is not a static one, and that it should be interpreted according to the need of the time. The Court also noted that Article 16 of the Universal Declaration of Human Rights broadly reads that, men and women have the right to marry without any limitations.
The case of Shafin Jahan vs. Asokan K.M. and Ors., was also referred to, where the Hon’ble Supreme Court held that the right to marry a person of one’s own choice is integral to Article 21. Moreover, the Court also relied on Dr. Ambedkar’s famous opinion that inter-caste marriages will lead to social integration, applying it to mean that marriages between transgenders and cis-genders will lead to the social integration of the members of the transgender community. The High Court famously decided that since the second petitioner self-identified as a woman, she is a woman; relying on both the NALSA and the Puttaswamy 9-judge Bench judgements.
The Arunkumar case simply decided on the issue of legalising love and commitment between two people. In doing so, it has now opened a plethora of other issues, such as – will a transwoman be allowed protection under the definition of ‘aggrieved person’ in a domestic relationship and have the same rights as a ‘woman’ under The Protection of Women from Domestic Violence Act, 2005 and the Hindu Adoptions and Maintenance Act, 1956? The right to divorce flows from the right to marry; can a transwoman claim alimony and/or maintenance? It can be said that The Hindu Succession (Amendment) Act, 2005, which removed gender discriminatory provisions in the Hindu Succession Act, 1956, will then apply to transwomen too, but what will happen to the inheritance rights of a transwoman who marries into a family practising Islam? The Arunkumar judgement did not go into these details, but future litigants will need clarity on this matter, either with a legislation or, in the absence of one, some clarity from the apex court.
Two other High Courts in India have also given judgements on marriages with transgender persons. One of them is Madras High Court’s Mansur Rahman vs. the Superintendent of Police & Anr. which has similar facts to the Arunkumar case (mentioned above) where the petitioner, a cis-gendered man had married a transwoman and was now seeking police protection from people harassing them. Here too, the Court noted the importance of integrating members of the transgender community in the contemporary community, by quoting Dr. Ambedkar’s views on inter-caste marriage. In the High Court of Orissa, in the case of Chinmayee Jena vs. State of Odisha & Ors. a transman, was in a live-in relationship with a cis-gendered female where the female was being forced into a heterosexual arranged marriage by her parents. The Court explicitly recognized the rights of trans persons to enter a live-in relationship with the partner of their choice, regardless of the “gender” of the partner. Thereby relying on the judgments in – NALSA, Puttaswamy 9-judge Bench and Navtej Singh Johar vs. Union Of India Ministry Of Law & Anr. (“Navtej”). This case too, will impact the right of a transman in inheritance, adoption of children and it also makes us question, what other rights do transmen have, for their protection?
In the case of X vs. State of Uttarakhand, a single judge bench decided on a very interesting aspect of law – whether a transwoman’s complaint of rape should be recorded under section 377 or 375 of the Indian Penal Code, 1860 (‘IPC’)? The learned judge differentiated between post-Navtej section 377, which criminalizes all instances of non-consensual sexual intercourse regardless of gender, and section 375, which criminalizes all instances of non-consensual sexual intercourse between a man and a woman. It also noted the difference in punishment: section 375 envisages a minimum imprisonment of 10 years leading to life (apart from fine), while section 377 envisages a maximum imprisonment of 10 years (apart from fine). While determining that, the court also decided that the transwoman had a right to self-determine her gender, “without further confirmation from any authority”. The Court stated that until the Parliament comes up with a legislation for the same, the law of the land is self-identification, as stated in NALSA. Accordingly, it ruled, in recognition of India’s international obligations undertaken in various conventions, the Yogyakarta Principles, fundamental rights of life, liberty, dignity, privacy, the march of the law, and most importantly, in consonance with NALSA and Puttaswamy 9-judge Bench that the right to gender identity is a part of right to privacy. Notably, this case created a fine line of difference between Sections 377 and 375 of the IPC and implied that since the Petitioner self-identifies as a female, section 375 should apply. The Court particularly noted that self-identification is the law of the land, till the time there is a legislation in place. However, since then, the Transgender Persons (Protection of Rights) Act and Transgender Persons (Protection of Rights) Rules, 2020 have been implemented, which deviate from NALSA as sections 5 and 6 have made gender self-identification contingent on medical and psychological documentation.
On a final note, in the case of Puttaswamy, a 9-judge Bench led to the judiciary establishing that right to personal liberty, dignity and privacy are inalienable rights. This has been an important step forward for the transgender community in India. It is not only important that these rights are recognised by the Indian Constitution, but these rights are also foundational pillars of the Indian Constitution. They are intrinsic and inseparable to one another. To further this development, there needs to be legislation(s) and other social welfare schemes to address the challenges faced by the transgender community and to inculcate the community in such a way that there is no more ‘us’ and ‘them’.
The judgment of the Supreme Court in Justice (Retd.) K.S. Puttaswamy vs. Union of India was the first comprehensive verdict on the right to privacy in India. While earlier judgments such as Rajagopal or Gobind discussed certain aspects of this right, in Puttaswamy, the court’s pronouncement was categorical, laying down definite principles and different contours of the right to privacy. The judgment in Puttaswamy will have – and in some cases, has already had – significant influence on various issues including state surveillance, data collection and retention and rights of sexual privacy. In this blog, I will focus on Puttaswamy’s impact on the right to intimate choices including marriage.
Among other things, the Supreme Court in Puttaswamy has made two aspects clear. First, the right to privacy is part of the right to liberty and dignity under part III, especially Article 21 and certain freedoms under Article 19 of the Constitution. Secondly, it located the right to intimate choices as part of the right to privacy. We shall see how this has enabled the courts to decide certain cases. (See here the Privacy High Court Tracker by CCG, used to identify the cases. The tracker “is a resource consisting of decisions on the constitutional right to privacy passed by all High Courts in India.”).
At various places in the judgment, there is agreement that privacy necessarily must protect the right to intimate choices. The court said – “The family, marriage, procreation and sexual orientation are all integral to the dignity of the individual” and that “privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage, procreation, the home and sexual orientation.” Importantly, the oft-quoted right to be left alone was interlinked with the right to choose who enters one’s house, whom to live with and “what relationship” to live in. (Justice Kaul, para 78).
With this background, some cases from the Privacy Tracker are worthwhile studying. In Safiya Sultana and Ors. vs. State of U.P. and Ors., the writ petition was moved by the petitioner in the Allahabad High Court claiming that she is in the illegal custody of her father and she would like to live with her husband. During the deliberation, the court took up the issue of the requirements under the Special Marriage Act, 1954 (SMA) which make it difficult for couples to register their marriages.
The SMA is a secular law, meaning it can be used by persons belonging to any religion (or no religion at all). Persons belonging to the same religion, such as two Hindus also can marry under the SMA, as many often choose to. The petitioners argued that the provisions requiring notice before marriage and subsequent publication must be read as directory, instead of mandatory. They pointed out that “any such notice would be an invasion in their privacy and would have definitely caused unnecessary social pressure/interference in their free choice with regard to their marriage.”
Section 5 of the SMA provides that the couple intending to marry must give a notice in writing to the marriage officer before thirty days. According to section 6, the notice will be displayed for the public and the details of the notice entered into in the Marriage Notice Book, which is open for inspection by any person. Section 7 enables persons to object to the marriage on violation of certain conditions. In a society where agency of women in particular is curtailed and love-marriages often violently resisted, it is not difficult to see how these provisions can have significant dignity implications. While agreeing with the petitioners, the court noted that “society has no role to play in determining our choice of partners.”
Intimate choice consists of a bundle of rights where both privacy and autonomy interact: the right to choose a partner, the right to marry or not to marry, the right to choose a live-in relationship, the right to keep details of the marriage or nature of the relationship private. It becomes too ‘costly’ for young people to exercise the right to privacy and choice since there is constant invasion. Essentially, the actions of other persons and their possible access to your personal information impact your decisions on how to lead your life. The provisions of the SMA provide for this type of invasion by enabling the private details to be accessible to public. It went beyond the legitimate purpose of the state in securing the details of marriages in its register.
The court held that the giving and publication of notice under these provisions of the SMA shall be voluntary and not mandatory. Sections 5 and 6 were read down to this extent. The court directly relied on Puttaswamy to ascertain “the ability to make decisions on matters close to one’s life.” It also relied on Common Cause vs. Union of India and Anr. which said that “our autonomy as persons” is also founded in our ability to decide “whom to love and whom to partner.” This, according to the High Court, is a protected entitlement of the Constitution. Hence, the court located “a right to a union” under Article 21. This union includes but is not exhausted by marriage. Neither the state nor other persons can intrude upon this right.
Moreover, according to the court, the provisions, if read as mandatory do not fulfil the three-tier test recognised by Puttaswamy while determining validity of laws (of legality, necessity and strict proportionality). The requirements of notice and publication apply only under the SMA, in comparison to other personal laws on marriage. “There is no apparent reasonable purpose achieved by making the procedure to be more protective or obstructive under the Act of 1954…”
Often, in addition to the SMA provisions, various States have made specific rules, guidelines or checklists for registration of marriages under the Act. One such checklist was the matter in issue before the Punjab & Haryana High Court. In this case, the Haryana government had issued a marriage checklist with 16 requirements to be fulfilled for registration. The petitioners argued that requirements such as notice to parents of the couple, publication of proposed marriage in a national newspaper violate their right to privacy. The court held that such a requirement violates the right to privacy and asked the state to modify the checklist.
In Salamat Ansari vs. State of UP and Others, an FIR was lodged against the accused for the offence, inter alia, of kidnapping a woman under the Indian Penal Code, 1860. The petitioners argued that the woman in question and the accused were married and hence the FIR, registered by the father of the woman, must be quashed. The court relied on the ‘choice’ jurisprudence emerging out of Puttaswamy, Shakti Vahini vs. Union of India and Shafin Jahan vs. Asokan K.M, that an adult person’s choice on whom to marry is not a territory for the court or the state to intervene. The court quashed the FIR reiterating no offences were made out and the case was simply of individuals choosing to live together.
In Monika Mehra vs. State and Ors., the petitioners, who were a married couple approached the Jammu and Kashmir High Court seeking directions for adequate security on grounds of facing threats to their life. By relying on Supreme Court jurisprudence on the rights to privacy and choice, the court allowed the prayer for adequate protection of life and liberty of the petitioners.
There are few aspects binding these cases together. The first is the choice-privacy intersection. In Puttaswamy, this link was clearly explained. How an artist or a musician expresses herself is illustrative of how “privacy facilitates freedom and is intrinsic to the exercise of liberty.” Therefore, privacy and choice are not mutually exclusive or disjoint. One facilitates the growth of another and infringement of the one can constitute infringement of the other. In the context of the SMA, burdensome requirements violating privacy rights, such as publication of intended marriage force a person to make corresponding choices of partner or marriage.
The second is that all cases reflect that the right to privacy is vulnerable when exercised in a society that does not seriously value it. The provisions in SMA, for instance are used by vigilante groups to invade privacy at a large scale. For example, online applications of inter-faith couples under the SMA were publicised on the internet by certain groups in Kerala. The provisions, when functional in a peculiar socio-political context can be more burdensome, as different from a less intrusive social climate. Requirements such as notice of intended marriage to the parents aim to infringe the intimate zone of privacy. This is also the motivation behind criminal charges of kidnapping as in Salamat and Monika, filed to intimidate persons who have made free and independent choices, and ascertained their right to self-determination. Ultimately, the Puttaswamy judgment has played an important role in shaping the right to intimate choices for future cases and one can hope that it continues to do so.
The recent revelation of the Pegasus hacks has re-ignited public discourse on privacy, surveillance and intelligence reform. As the proposed Personal Data Protection Bill, 2019 makes room for wide exemptions to military, intelligence and law enforcement agencies for the collection and processing of citizens’ data, privacy and data protection laws in their current form will be limited in their potential to enforce meaningful procedural safeguards and oversight over State surveillance.
Although these conversations are not new, we must continue to have them. At the same time, it is important to not miss the forest of State-run cybersurveillance programmes for the sprawling branches of the Pegasus tree. That the global cyber-surveillance industry thrives on State secrecy – is no secret.
While the need for and significance of surveillance reforms cannot be over-emphasized, data protection or privacy law in itself may not succeed in ensuring that Government is prohibited or restrained from acquiring Pegasus-like spyware. Nor will they ensure that the Government is obligated to disclose that such technologies that risk undermining basic fundamental freedoms of its citizenry have been procured by it, with the intent of deployment by law enforcement and/or intelligence agencies. In an earlier piece on the Pegasus Hack, CCGNLUD had addressed issues in international frameworks for export controls designed for dual-use technology and their limitations in providing meaningful remedy to the aggrieved.
In this piece, the author argues that Parliamentary legislation and oversight on public procurement processes, classifications and procedures is far more likely to address the root of the multi-faceted problems we are faced with in the wake of Pegasus. Yet, public commentary or critique on the far-reaching consequences of such provisions is hard to come by. This is despite the fact that multiple estimates peg the share of public procurements by Government departments and agencies as accounting for 20-30% of India’s national GDP.
The argument proceeds as follows. First, we highlight the central provision that enables the Government to keep such concerning acquisitions of technology in the dark, away from Parliamentary and public scrutiny. Second, we examine the far-reaching implications of this somewhat obscure provision for the cybersecurity industry in India and the public at large. Finally, we explain how this State-sanctioned secrecy in procurement of spyware – whether from foreign or Indian vendors – could potentially deprive the aggrieved targets of surveillance through Pegasus of meaningful legal remedy before the Courts.
Executive Regulations on Public Procurements and ‘National Security’
In the absence of a Parliamentary enactment, public procurements in general, are governed by the overarching principles and procedures codified in the General Financial Rules, 2017 (GFR). These rules were first issued after independence in 1947, and later revised in 1963 and 2005.
Rule 144 of the GFR mandates that every authority procuring goods in public interest shall have the responsibility and accountability to bring efficiency, economy and transparency in matters relating to public procurement and for fair and equitable treatment of suppliers and promotion of competition in public procurement. It also sets out certain ‘yardsticks’ with which procuring agencies must conform – and some are more problematic than others.
One of the most significant changes introduced in the 2017 iteration of the GFR is the introduction of a ‘national security exception’. Under these new provisions, Ministries/Departments may be exempted from the requirement of e-procurement and e-publication of tender enquiries and bid awards, which is mandatory as a general rule. This may be permitted:
In individual cases where confidentiality is required for reasons of national security, subject to approval by the Secretary of the Ministry/Department with the concurrence of the concerned Financial Advisor [Rule 159(ii)]; and
In individual case[s] where national security and strategic considerations demands confidentiality, after seeking approval of concerned Secretary and with concurrence of Financial Advisors [Rule 160(ii)].
This indicates that the ‘national security exception’ is intended to apply to non-military procurements, expanding the realm of secrecy in procurements far beyond military matters with direct adverse consequences for the civilian realm of affairs. This is supported by the fact that the procurement of goods for the military is excluded from the scope of the GFR by Rule 146. This rule prescribes that the procurement of goods required on mobilisation and/or during the continuance of military operations shall be regulated by special rules and orders issued by the Government from time to time.
Thus, the acquisition of spyware as a product to enhance India’s cybersecurity posture—which can easily be proved to implicate strategic considerations that demand confidentiality—could be exempted from mandatory obligations of e-procurement through the central portal and e-publication of the tender inquiry as well as the bid award, after approval from the concerned Secretary and/or Financial Advisors. Although the rule also obliges the Finance Ministry to maintain statistical information on cases where such an exemption is granted, and the value of the contract, whether or not such statistics are amenable to public disclosure through Right to Information (RTI) applications remains unclear at the time of writing.
What Implications for the Cybersecurity Industry?
In addition to spyware and malware, we can expect that even legitimate cybersecurity products and services when procured by Government could also be caught within the above mentioned clause for exempting an ‘individual case where national security and strategic considerations demands confidentiality’.
Given the current state of India’s information security, the acquisition of legitimate cybersecurity products and services will, and should be conducted across Ministries including but not limited to the Ministry of Defence or even law enforcement.
The demand and market for cybersecurity products and services in the country is burgeoning. These exceptions could also be invoked by the relevant ministry/department to keep the identity of vendors of cybersecurity products and private sector partners for the development of surveillance and other cyber capabilities outside the public domain.
The invocation of such regulatory provisions to keep details of the vendors of cybersecurity products and service providers as confidential may create information asymmetries about Government’s needs and preferences among private players in the market. This will not be conducive for creating a competitive market for cybersecurity products and services. These asymmetries can then distort the market with far-reaching implications for the health and growth of the cybersecurity and IT industry at large.
It also militates against the objective of promoting fair competition and transparency in the public procurement process. Adopting the right blend of rules to encourage competition in industry is crucial to fostering a healthy ecosystem for the cybersecurity industry in India, which is still in its infancy.
The Courts will Protect Us?
In other words, through the 2017 amendment of the GFRs, Government of India’s executive branch gave itself the power to procure goods and services ‘in the interest of national security’ while remaining sheltered from the public gaze. This was the first time such a provision was inserted into the GFR – the language of its 2005, 1963 and 1947 iterations makes no mention of ‘national security’ whatsoever.
It is pertinent to point out that the term ‘national security’ is an extra-constitutional one – it does not occur anywhere in the Constitution of India. Instead, the Constitution refers only to ‘security of the State’ or ‘defence of India’, or ‘sovereignty and integrity of India’. In recent years, the Executive has co-opted the term ‘national security’ as a catch-all phrase to encompass everything from serious threats of cross-border terrorism and acts of foreign aggression, to issues like organised protests which were traditionally considered as falling under ‘public order’ – a category clearly distinguished from ‘security of the State’ as early as 1966 by the Supreme Court of India in Ram Manohar Lohia v. State of Bihar AIR 1966 SC 740.
A more recent order of the Supreme Court dated December 14, 2018, in Manohar Lal Sharma v. Narendra Damodardas Modi (The Rafale Case) underlines the Court’s reluctance to hold the Executive accountable for procurements and public spending in domains like defence. The Court stated,
“We also cannot lose sight of the tender in issue. The tender is not for construction of roads bridges et cetera it is a defence tender for the procurement of aircrafts. The parameters of scrutiny would give far more leeway to the government keeping in mind the nature of the procurement itself.”
Additionally, the emergence of the Supreme Court’s “sealed cover” jurisprudence, although recent in its origins, is testament to the growing shadow of secret executive action pervading the judicial sphere with opacity as well. In this context, it is relevant that recent coverage of the award of the “all-India tender” for the provision of a video conferencing platform for the Supreme Court of India does not yet disclose which entity or corporation was awarded this contract.
Coming back to Pegasus, should the aggrieved persons targeted with this spyware seek judicial remedy, Section 123 of the Indian Evidence Act, 1872 prohibits Government officials from providing evidence “derived from unpublished official records relating to any affairs of State, except with the permission of the officer at the head of the department concerned, who shall give or withhold such permission as he thinks fit.” (emphasis added)
This means that if a case relating to procurements exempted from e-publication is brought before courts, the appropriate authority to give or withhold permission for disclosure to court would be the same Secretary and Financial Advisors who permitted the procurement to be exempted from publication requirements in the first place. Section 124 further prohibits compelled disclosure of official communications made to a Government official in confidence.
And thus, the conspiracy of silence on potentially criminal acts of Government officials could easily escape judicial scrutiny. This will invariably create a challenging situation for individuals impacted by the use of the Pegasus spyware to effectively seek judicial redressal for violation of their right to privacy and hold the government accountable.
Without an explicit acknowledgment from the Government that the spyware was in fact procured by it, questions on the legality of procedures that resulted in its targeted deployment against citizens, and on judicial remedies for violations of due process in criminal investigation, remain a moot point. In their current form, the applicable rules permit the Government to enable secret procurement of goods and services for non-military purposes under the GFR’s ‘national security exception’, and also permit the Government to disallow disclosure of this information in judicial proceedings.
Given the lower level of judicial scrutiny that such procurements will likely be subjected to, the doctrine of checks and balances and the doctrine of separation of powers necessitate that appropriate parliamentary mechanisms be set up to ensure effective oversight over all government procurements. Presently, the legal framework for procurements is comprised almost exclusively of executive-issued regulations. Constitutionalism requires that no organ of government be granted or allowed to exercise unfettered discretion, and that each is always held accountable by the other organs of the government.
This is an essential element of the Rule of Law and can only be ensured by way of a Parliamentary enactment on procurement procedures and concomitant disclosure requirements as well as effective Parliamentary oversight mechanisms to enforce accountability on public spending incurred for procurements in the name of national security.
The debate on privacy rose to the forefront after the Supreme Court passed a judgement in the case of Justice K.S Puttaswamy (Retd.) v. Union of India, where the Court held that the right to privacy was an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution of India. In arriving at this conclusion, the Court examined a wide range of privacy-related issues and held that the right to privacy included the right to personal autonomy over a wide range of domains in a person’s life.
While the above decision seems obvious in its simplicity, complications arise when one considers that a child or adolescent may not understand the consequences of their individual choices. When taken in the context of online data privacy, it is safe to say that children may be unaware of the exact manner in which any data that they share online is put to use. The report submitted by the committee of experts under the chairmanship of Justice B.N Srikrishna clearly endorses this belief.
Clause 16 of the Indian Personal Data Protection Bill, 2019 (‘PDPB 2019’), which was tabled in parliament on December 11, 2019, deals with the processing of personal and sensitive personal data of children. It states categorically that every data fiduciary shall “process the personal data of a child in a manner that protects the rights of, and is in the best interests of, the child.” It further states that a data fiduciary shall only process the personal data of a child, after verifying their age and obtaining the consent of their parent or guardian, in the manner specified by future regulations.
Based on this provision, the primary question that arises is, who is a child as per the PDPB 2019? According to the provisions of the bill, a child is someone who “has not completed the age of 18 years.” This is distinct from the data protection statutes passed in other jurisdictions. The EU General Data Protection Regulation (‘GDPR’) specifies that the age limit on the definition of ‘child’ may be up to the discretion of individual member states and can be anywhere between 13-16 years. The US Children’s Online Privacy Protection Act, 1998 on the other hand, puts the age limit at a firm 13 years. Notwithstanding the above, the PDPB 2019 specifies 18 as the age of majority. This was done to ensure that the provisions of the bill would be in conformity with the prevailing laws of the country.
The adoption of a singular age of majority serves to prevent confusion and conflict between the laws in the country; however, it also serves to underestimate the awareness and advancement of today’s youth. An example of this understanding was espoused by the Madras High Court in the case of Sabari Sabarinathan Sabarivasan v. State Commission for Protection of Child Rights and Ors. This judgment examines existing flaws in the Protection of Children from Sexual Offences (POCSO) Act, 2012 and recommends a change in the definition of the term ‘child,’ so that a consensual relationship between a girl above 16 years of age and a boy between 16 to 21 years of age, would not attract the draconian provisions of the law. The drafters of the PDPB 2019 could have taken a similar view, rather than conforming with the provisions of a statute like the Indian Contract Act or the Indian Majority Act, both of which were enacted in the late 1800s. Furthermore, a 2019 study conducted among 630 adolescents across 8 schools in the nation’s capital revealed that 60 per cent of the boys and 40 per cent of the girls owned their own device, while almost half reportedly used two or more devices to access the Internet. The numbers have no doubt increased since then and the COVID-19 crisis has further accelerated the adoption of online services for both education and entertainment. This means that mandating a guardian’s consent for anyone below the age of 18 years could very well result in some data fiduciaries inadvertently being on the wrong side of the law.
Another question raised by Clause 16 of the PDPB 2019, is the determination of what constitutes the best interests of the child. The bill does not specify how this is to be determined; however, subclause 5 of Clause 16 categorizes certain types of data processing like behavioural monitoring, tracking, and targeted advertising as harmful for children.
We then come to the requirement for age verification and parental consent. The provisions of the bill do not explore this in detail. It merely states that the process of acquiring such consent and/or verification will be specified in further rules, after taking into account factors like the volume of personal data processed, the proportion of such personal data likely to be that of a child, the potential of harm that may occur to said child as a result of the processing of his/her personal data etc.
Regardless, one issue that may arise when it comes to consent is the question of capacity. Clause 11 of the PDPB 2019 states that among other things, consent must be free and informed. However, parents cannot provide such free and informed consent on behalf of their children, if they do not understand the terms and conditions provided in the policies of these websites. In many instances, we find that children possess a much greater awareness of current technology trends and their implications. Additional issues arise when we consider the concept of free choice. However, the fact of the matter is that if one wants to register with any of the popular online apps and services available, one inevitably has to agree with their terms and conditions, regardless of any reservations one might have. Therefore, the concept of consent being “freely given” is rendered pointless.
GDPR and the European Union
Article 8 of the GDPR states that where there is an offer of “information society service directly to a child” the processing of personal data of said child shall be lawful, where the child is at least 16 years old. If the child is below the age of 16 years, such processing shall be lawful only if consent has been obtained by the “holder of parental responsibility over the child.” Member States can provide for a lower age limit, provided it is not below 13 years of age. The provision further provides that “reasonable efforts” must be made to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
Article 8 is the principal provision relating to the protection of children’s personal data in the GDPR. There are other provisions that mandate the type of measures that must be taken for the protection of the personal data of a child. For example, when obtaining data from a child, data controllers must ensure that any information on the processing of such data, should be in clear and plain terms for a child to easily understand. The GDPR also provides for the ‘right of erasure’ for children’s personal data. This is particularly relevant in cases where the data subject may have provided their consent as a child, without being fully aware of the risks involved and now seek the erasure of such personal data. Clause 16 of the PDPB, which relates to the processing of personal data of children, closely mirrors Article 8 of the GDPR. To that end, this post will be limited to an examination of Article 8 of the GDPR to examine the potential pitfalls that await in the implementation of Clause 16 of PDPB 2019.
Article 8 applies only to information society services offered directly to a child. Information society services or ISS is any service that is provided at a distance, by electronic means, and at the individual request of a recipient of the services. The definition also includes the requirement that the service be one that is provided in exchange for “remuneration”. However, the majority of online services that teenagers have access to do not directly require remuneration from the users. Common examples of this include popular social media sites like Facebook, Instagram etc. For this reason, the phrase “remuneration” is interpreted broadly by the European Court of Justice (‘ECJ’). The Court has held that “the essential characteristic of remuneration […] lies in the fact that it constitutes consideration for the service in question and is normally agreed upon between the provider and the recipient of the service’’. It is not essential that the recipient of the services provide the consideration. It is only essential for the consideration to have been received by the service provider. Subsequent rulings specified that such services may also include services provided by a non-profit organization, services involving an element of chance, and services that are of a recreational or sporting nature.
Some confusion may arise in situations where the ISS has both online and offline components. In such cases one must determine whether or not the online component is integral to the nature of the service provided. If it is not integral, then such services cannot be categorized as an ISS. While these cases provide some clarity, it is clear that the definition and scope of what constitutes an ISS will continue to evolve with the evolution of technology. This is in direct contrast to the definition of a data fiduciary in the PDPB 2019, which is much more straightforward. The bill defines a data fiduciary as “any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.”
Further, much like Clause 16 of the PDPB 2019, the drafting of Article 8 raises questions on what constitutes proper consent and how such consent can be appropriately verified. Some of these questions have been delineated above in the Indian context and are also applicable here. The European Data Protection Board (‘EDPB’) has addressed these issues in its guidelines on consent issued under the GDPR. The guidelines state that if a data subject consents because they feel they have no real choice, then the consent is not valid. The guidelines also specify certain situations where the existence of an imbalance of power between the data subject and the controller would render consent invalid. They further provide that consent would not be considered to be “freely given” if the consent was bundled with the acceptance of the terms and conditions of a website. Additionally, when it comes to the issue of capacity, the guidelines provide that for the consent to be informed, the data subject, or the individual having parental responsibility over the data subject, must have knowledge of the controller’s identity, knowledge of the purpose of each of the processing operations for which consent is sought, knowledge of the type of data collected and used, and knowledge of the existence of the right to withdraw consent.
Finally, even if the validity of consent is established, there is no provision to determine whether the person providing such consent is qualified to do so. According to the provisions of Article 8, consent must be given by a holder of parental responsibility. Does this include even individuals who are acting in loco parentis? For example, in the US, schools may act on the parents’ behalf in an educational context, when personal data is collected from the students for the use and benefit of the school. Further, once this consent is obtained, how is it to be verified? The GDPR has merely required that the controller take “reasonable efforts” to verify said consent. This means that in situations where consent was not verifiable, the controller could still rely on the un-verified consent so long as they prove that “reasonable” efforts were made to verify the same. Fortunately, the EDPB Guidelines on consent fill this gap in Article 8 by recommending two types of verification mechanisms for high-risk and low-risk categories respectively. In the low-risk category, verification of parental consent via email was held to be sufficient. In the high-risk category, it was recommended that further proof of consent would need to be acquired. Trusted third-party verification services were also recommended, to minimise the amount of personal data the controller had to process itself.
The examination of the GDPR provisions clearly shows that numerous issues have arisen in the course of its implementation. These issues have been resolved on a case-by-case basis by courts and other authorities. However, these solutions are remedial and not preventative. One preventative approach is the implementation of principles like data protection by design and default as specified in Article 25 of the GDPR. Data protection by design ensures that privacy and data protection issues are considered at the design phase of any system, service or product and then implemented throughout the lifecycle of the same. Data protection by default limits the type of data collected. It requires controllers to collect and process only such data as is necessary to achieve their specific purpose.
Data protection by design is a principle that is already enshrined in Clause 22 of the PDPB, which provides that every data fiduciary shall submit a privacy by design policy to the proposed Data Protection Authority (DPA) for approval and certification. The manner in which this is to be implemented and the standards of protection required for certification would be subject to future regulations. However, by requiring data fiduciaries engaged in the collection and processing of children’s data to adhere to a higher standard of data protection, the DPA could probably ensure the protection of children’s data regardless of any pitfalls in the practical implementation of Clause 16.
The above measure might not effectively solve the issues specified with the implementation of Clause 16. Notwithstanding these drawbacks, the provisions of this Bill might be the very first step in bringing India’s data protection thresholds at par with the rest of the world.
This is a guest post authored by Aishwarya Giridhar.
How far does the right to control personal information about oneself extend online? Would it extend, for example, to having a person’s name erased from a court order on online searches, or to those who have been subjected to revenge pornography or sexual violence such that pictures or videos have non-consensually been shared online? These are some questions that have come up in Indian courts and are some of the issues that jurisprudence relating to the ‘right to be forgotten’ seeks to address. This right is derived from the concepts of personal autonomy and informational self-determination, which are core aspects of the right to privacy. They were integral to the Indian Supreme Court’s conception of privacy in Puttaswamy vs. Union of India which held that privacy was a fundamental right guaranteed by the Indian Constitution. However, privacy is not an absolute right and needs to be balanced with other rights such as freedom of expression and access to information, and the right to be forgotten tests the extent to which the right to privacy extends.
On a general level, the right to be forgotten enables individuals to have personal information about themselves removed from publicly available sources under certain circumstances. This post examines the right to be forgotten under the General Data Protection Regulation (GDPR) in Europe, and the draft Personal Data Protection Bill, 2019 (PDP Bill) in India.
What is the right to be forgotten?
The right to be forgotten was brought into prominence in 2014 when the European Court of Justice (ECJ) held that users can require search engines to remove personal data from search results, where the linked websites contain information that is “inadequate, irrelevant or no longer relevant, or excessive.” The Court recognised that search engines had the ability to significantly affect a person’s right to privacy since it allowed any Internet user to obtain a wide range of information on a person’s life, which would have been much harder or even impossible to find without the search engine.
The GDPR provides statutory recognition to the right to be forgotten in the form of a ‘right to erasure’ (Article 17). It provides data subjects the right to request controllers to erase personal data in some circumstances, such as when the data is no longer needed for their original processing purpose, or when the data subject has withdrawn her consent or objected to data processing. In this context, the data subject is the person to whom the relevant personal data relates, and the controller is the entity which determines how and why the data would be processed. Under this provision, the controller would be required to assess whether to keep or remove information when it receives a request from data subjects.
In comparison, clause 20 of India’s Personal Data Protection Bill (PDP Bill), which proposes a right to be forgotten, allows data principals (similar to data subjects) to require data fiduciaries (similar to data controllers) to restrict or prevent the disclosure of personal information. This is possible where such disclosure is no longer necessary, was made on the basis of consent which has since been withdrawn, or was made contrary to law. Unlike the GDPR, the PDP Bill requires data subjects to approach Adjudicating Officers appointed under the legislation to request restricted disclosure of personal information. The rights provided under both the GDPR and PDP Bill are not absolute and are limited by the freedom of speech and information and other specified exceptions. In the PDP Bill, for example, some of the factors the Adjudicating Officer is required to account for are the sensitivity of the data, the scale of disclosure and how much it is sought to be restricted, the role of the data principal in public life, and the relevance of the data to the public.
Although the PDP Bill, if passed, would be the first legislation to recognise this right in India, courts have provided remedies that allow for removing personal information in some circumstances. Petitioners have approached courts for removing information in cases ranging from matrimonial disputes to defamation and information affecting employment opportunities, and courts have sometimes granted the requested reliefs. Courts have also acknowledged the right to be forgotten in some cases, although there have been conflicting orders on whether a person can have personal information redacted from judicial decisions available on online repositories and other sources. In November last year, the Orissa High Court also highlighted the importance of the right to be forgotten for persons whose photos and videos have been uploaded online without their consent, especially in the case of sexual violence. These cases also highlight why it is essential that this right is provided by statute, so that the extent of protections offered under this right, as well as the relevant safeguards, can be clearly defined.
Intersections with access to information and free speech
The most significant criticisms of the right to be forgotten stem from its potential to restrict speech and access to information. Critics are concerned that this right will lead to widespread censorship and a whitewashing of personal histories when it comes to past crimes and information on public figures, and a less free and open Internet. There are also concerns that global takedowns of information, if required by national laws, can severely restrict speech and serve as a tool of censorship. Operationalising this right can also lead to other issues in practice.
For instance, the right framed under the GDPR requires private entities to balance the right to privacy with the larger public interest and the right to information. Two cases decided by the ECJ in 2019 provided some clarity on the obligations of search engines in this context. In the first, the Court clarified that controllers are not under an obligation to apply the right globally and that removing search results for domains in the EU would suffice. However, it left the option open for countries to enact laws that would require global delisting. In the second case, among other issues, the Court identified some factors that controllers would need to account for in considering requests for delisting. These included the nature of information, the public’s interest in having that information, and the role the data subject plays in public life, among others. Guidelines framed by the Article 29 Working Party, set up under the GDPR’s precursor, also provide limited, non-binding guidance for controllers in assessing which requests for delisting are valid.
Nevertheless, the balance between the right to be forgotten and competing considerations can still be difficult to assess on a case-by-case basis. This issue is compounded by concerns that data controllers would be incentivised to over-remove content to shield themselves from liability, especially where they have limited resources. While larger entities like Google may have the resources to be able to invest in assessing claims under the right to be forgotten, this will not be possible for smaller platforms. There are also concerns that requiring private parties to make such assessments amounts to the ‘privatisation of regulation’, and that the limited potential for transparency on erasures removes an important check against over-removal of information.
What is clear is that there are no easy answers when it comes to providing the right to be forgotten. It can provide a remedy in some situations where people do not currently have recourse, such as with revenge pornography or other non-consensual use of data. However, when improperly implemented, it can significantly hamper access to information. Drawing lessons from how this right is evolving in the EU can prove instructive for India. Although the assessment of whether or not to delist information will always be subjective to some extent, there are some steps that can be taken to provide clarity on how such determinations are made. Clearly outlining the scope of the right in the relevant legislation, and developing substantive standards aimed at protecting access to information that can be used in assessing whether to remove information, are some measures that can help strike a better balance between privacy and competing considerations.
The Supreme Court of the US (SCOTUS) has carved out the right to privacy from various provisions of the US constitution, particularly the first, fourth, fifth, ninth and fourteenth amendments to the US constitution. The Court has included the right to privacy in varying contexts through an expansive interpretation of the constitutional provisions. For instance, the Court has read privacy rights into the first amendment for protecting private possession of obscene material from State intrusion; the fourth amendment for protecting privacy of the person and possessions from unreasonable State intrusion; and the fourteenth amendment which recognises an individual’s decisions about abortion and family planning as part of their right of liberty that encompasses aspects of privacy such as dignity and autonomy under the amendment’s due process clause.
The right to privacy is not expressly provided for in the US constitution. However, the Court identified an implicit right to privacy, for the very first time, in Griswold v. Connecticut (1965) in the context of the right to use contraceptives/marital privacy. Since then, the Court has extended the scope to include, inter alia, reasonable expectation of privacy against State intrusion in Katz v. United States (1967), abortion rights of women in Roe v. Wade (1973), and right to sexual intimacy between consenting adults of the same sex in Lawrence v. Texas (2003).
The US privacy framework consists of several privacy laws and regulations developed at both the federal and state level. As of now, the US privacy laws are primarily sector specific, instead of a single comprehensive federal data protection law like the European Union’s General Data Protection Regulation (GDPR) and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). However, there are certain states in the US like California that have enacted comprehensive privacy laws, comparable to the GDPR and PIPEDA. The California Consumer Privacy Act (CCPA) which came into effect on January 1, 2020 aims to protect consumers’ privacy across industry. It codifies certain rights and remedies for consumers, and obligations for entities/businesses. One of its main aims is to provide consumers more control over their data by obligating businesses to ensure transparency about how they collect, use, share and sell consumer data.
On 6th October, the European Court of Justice (ECJ/Court) delivered its much anticipated judgments in the consolidated matter of C-623/17, Privacy International from the UK and joined cases from France, C-511/18, La Quadrature du Net and others, C-512/18, French Data Network and others, and Belgium, C-520/18, Ordre des barreaux francophones et germanophone and others (collectively “Bulk Communications Surveillance Judgments”).
In this post, I briefly discuss the Bulk Communication Surveillance Judgments, their significance for other countries and for India.
Through these cases, the Court invalidated the disproportionate interference by Member States with the rights of their citizens, as provided by EU law, in particular the Directive on privacy and electronic communications (e-Privacy Directive) and European Union’s Charter of Fundamental Rights (EU Charter). The Court assessed the Member States’ bulk communications surveillance laws and practices relating to their access and use of telecommunications data.
The Court recognised the importance of the State’s positive obligations towards conducting surveillance, although it noted that it was essential for surveillance systems to conform with the general principles of EU law and the rights guaranteed under the EU Charter. It laid down clear principles and measures as to when and how the national authorities could access and use telecommunications data (further discussed in the sections ‘The UK Judgment’ and ‘The French and Belgian Judgment’). It carved a few exceptions as well (in the joined cases of France and Belgium) for emergency situations, but held that such measures would have to pass the threshold of being serious and genuine (further discussed in the section ‘The French and Belgian Judgment’).
The Cases in Brief
The Court delivered two separate judgments, one in the UK case and one in the joined cases of France and Belgium. Since these cases had similar sets of issues, the proceedings were adjoined. The UK application challenged the bulk acquisition and use of telecommunications data by its Security and Intelligence Agencies (SIAs) in the interest of national security (as per the UK’s Telecommunication Act of 1984). The French and Belgian applications challenged the indiscriminate data retention and access by SIAs for combating crime.
The French and Belgian applications questioned the legality of their respective data retention laws (numerous domestic surveillance laws which permitted bulk collection of telecommunication data) that imposed blanket obligations on Electronic Communications Service Providers (ECSP) to provide relevant data. The Belgian law required ECSPs to retain various kinds of traffic and location data for a period of 12 months, whereas the French law provided for automated analysis and real time data collection measures for preventing terrorism. The French application also raised the issue of providing a notification to the person under surveillance.
The Member States contended that such surveillance measures enabled them to, inter alia, safeguard national security, prevent terrorism, and combat serious crimes. Hence, they claimed that the e-Privacy Directive did not apply to their surveillance laws/activities.
The UK Judgment
The ECJ found the UK surveillance regime unlawful and inconsistent with EU law, and specifically the e-Privacy Directive. The Court analysed the scope and scheme of the e-Privacy Directive with regard to exclusion of certain State purposes such as national and public security, defence, and criminal investigation. Noting the importance of such State purposes, it held that EU Member States could adopt legislative measures that restricted the scope of rights and obligations (Article 5, 6 and 9) provided in the e-Privacy Directive. However, this was allowed only if the Member States complied with the requirements laid down by the Court in Tele2 Sverige and Watson and Others (C-203/15 and C-698/15) (Tele2) and the e-Privacy Directive. In addition to these, the Court held that the EU Charter must be respected too. In Tele2, the ECJ held that legislative measures obligating ECSPs to retain data must be targeted and limited to what was strictly necessary. Such targeted retention had to be with regard to specific categories of persons and data for a limited time period. Also, the access to data must be subject to a prior review by an independent body.
The e-Privacy Directive ensures the confidentiality of electronic communications and the data relating to it (Article 5(1)). It allows ECSPs to retain metadata (context specific data relating to the users and subscribers, location and traffic) for various purposes such as billing, value added services and security purposes. However, this data must be deleted or made anonymous once the purpose is fulfilled, unless a law allows for a derogation for State purposes. The e-Privacy Directive allows the Member States to derogate (Article 15(1)) from the principle of confidentiality and corresponding obligations (contained in Article 6 (traffic data) and 9 (location data other than traffic data)) for certain State purposes when it is appropriate, necessary and proportionate.
The Court clarified that measures undertaken for the purpose of national security would not make EU law inapplicable and exempt the Member States from their obligation to ensure confidentiality of communications under the e-Privacy Directive. Hence, an independent review of surveillance activities such as data retention for indefinite time periods, or further processing or sharing, must be conducted for authorising such activities. It was noted that the domestic law at present did not provide for prior review, as a limit on the above mentioned surveillance activities.
The French and Belgian Judgment
While assessing the joined cases, the Court arrived at a determination in similar terms as the UK case. It reiterated that the exception (Article 15(1) of the e-Privacy Directive) to the principle of confidentiality of communications (Article 5(1) of the e-Privacy Directive) should not become the norm. Hence, national measures that provided for general and indiscriminate data retention and access for State purposes were held to be incompatible with EU law, specifically the e-Privacy Directive.
The Court in the joined cases, unlike the UK case, allowed for specific derogations for State purposes such as safeguarding national security, combating serious crimes and preventing serious threats. It laid down certain requirements that the Member States had to comply with in case of derogations. The derogations should (1) be clear and precise to the stated objective; (2) be limited to what is strictly necessary and for a limited time period; (3) have a safeguards framework including substantive and procedural conditions to regulate such instances; and (4) include guarantees to protect the concerned individuals against abuse. They should also be subjected to an ‘effective review’ by a court or an independent body and must be in compliance with the general rules and proportionality principles of EU law and the rights provided in the EU Charter.
The Court held that in establishing a minimum threshold for a safeguards framework, the EU Charter must be interpreted along with the European Convention on Human Rights (ECHR). This would ensure consistency between the rights guaranteed under the EU Charter and the corresponding rights guaranteed in the ECHR (as per Article 52(3) of the EU Charter).
The Court, in particular, allowed for general and indiscriminate data retention in cases of serious threat to national security. Such a threat should be genuine, and present or foreseeable. Real-time data collection and automated analysis were allowed in such circumstances. But the real-time data collection of persons should be limited to those suspected of terrorist activities. Moreover, it should be limited to what was strictly necessary and subject to prior review. It even allowed for general and indiscriminate data retention of IP addresses for the purpose of national security, combating serious crimes and preventing serious threats to public security. Such retention must be limited in time to what was strictly necessary. For such purposes, the Court also permitted ECSPs to retain data relating to the identity particulars of their customers (such as name, postal and email/account addresses and payment details) in a general and indiscriminate manner, without specifying any time limitations.
The Court allowed targeted data retention for the purpose of safeguarding national security and preventing crime, provided that it was for a limited time period and strictly necessary and was done on the basis of objective and non-discriminatory factors. It was held that such retention should be specific to certain categories of persons or geographical areas. The Court also allowed, subject to effective judicial review, expedited data retention after the initial retention period ended, to shed light on serious criminal offences or acts affecting national security. Lastly, in the context of criminal proceedings, the Court held that it was for the Member States to assess the admissibility of evidence resulting from general and indiscriminate data retention. However, the information and evidence must be excluded where it infringes on the right to a fair trial.
Significance of the Bulk Communication Surveillance Judgments
With these cases, the ECJ decisively resolved a long-standing discord between the Member States and privacy activists in the EU. For a while now, the Court has been dealing with questions relating to surveillance programs for national security and law enforcement purposes. Though the Member States have largely considered these programs outside the ambit of EU privacy law, the Court has been expanding the scope of privacy rights.
Placing limitations and controls on State powers in democratic societies was considered necessary by the Court in its ruling in Privacy International. This decision may act as a trigger for considering surveillance reforms in many parts of the world, and more specifically for those aspiring to attain an EU adequacy status. India could benefit immensely should it choose to pay heed.
As of date, India does not have a comprehensive surveillance framework. Various provisions of the Personal Data Protection Bill, 2019 (Bill), Information Technology Act, 2000, Telegraph Act, 1885, and the Code of Criminal Procedure, 1973 provide for targeted surveillance measures. The Bill provides for wide powers to the executive (under Clause 35, 36 and 91 of the Bill) to access personal and non-personal data in the absence of proper and necessary safeguards. This may cause problems for achieving the EU adequacy status as per Article 45 of the EU General Data Protection Regulation (GDPR) that assesses the personal data management rules of third-party countries.
Recent news reports suggest that the Bill, which is under legislative consideration, is likely to undergo a significant overhaul. India could use this as an opportunity to introduce meaningful changes in the Bill as well as its surveillance regime. India’s privacy framework could be strengthened by adhering to the principles outlined in the Justice K.S. Puttaswamy v. Union of India judgment and the Bulk Communications Surveillance Judgments.
Embedding Principles of Privacy, Transparency and Accountability
This post has been authored by Jhalak M. Kakkar and Nidhi Singh
In July 2020, the NITI Aayog released a draft Working Document entitled “Towards Responsible AI for All” (hereafter ‘NITI Aayog Working Document’ or ‘Working Document’). This Working Document was initially prepared for an expert consultation that was held on 21 July 2020. It was later released for comments by stakeholders on the development of a ‘Responsible AI’ policy in India. CCG’s comments and analysis on the Working Document can be accessed here.
In our first post in the series, ‘Building an AI governance framework for India’, we discussed the legal and regulatory implications of the Working Document and argued that India’s approach to regulating AI should be (1) firmly grounded in its constitutional framework, and (2) based on clearly articulated overarching ‘Principles for Responsible AI’. Part II of the series discussed specific Principles for Responsible AI – Safety and Reliability, Equality, and Inclusivity and Non-Discrimination. We explored the constituent elements of these principles and the avenues for incorporating them into the Indian regulatory framework.
In this final post of the series, we will discuss the remaining principles of Privacy, Transparency and Accountability.
Principle of Privacy
Given the diversity of AI systems, the privacy risks which they pose to individuals, and to society as a whole, are also varied. These may be broadly related to:
(i) Data protection and privacy: This relates to privacy implications of the use of data by AI systems and subsequent data protection considerations which arise from this use. There are two broad aspects to think about in terms of the privacy implications from the use of data by AI systems. Firstly, AI systems must be tailored to the legal frameworks for data protection. Secondly, given that AI systems can be used to re-identify anonymised data, the mere anonymisation of data for the training of AI systems may not provide adequate levels of protection for the privacy of an individual.
a) Data protection legal frameworks: Machine learning and AI technologies have existed for decades, however, it was the explosion in the availability of data, which accounts for the advancement of AI technologies in recent years. Machine Learning and AI systems depend upon data for their training. Generally, the more data the system is given, the more it learns and ultimately the more accurate it becomes. The application of existing data protection frameworks to the use of data by AI systems may raise challenges.
In the Indian context, the Personal Data Protection Bill, 2019 (PDP Bill), currently being considered by Parliament, contains some provisions that may apply to some aspects of the use of data by AI systems. One such provision is Clause 22 of the PDP Bill, which requires data fiduciaries to incorporate the seven ‘privacy by design’ principles and embed privacy and security into the design and operation of their product and/or network. However, given that AI systems rely significantly on anonymised personal data, their use of data may not fall squarely within the regulatory domain of the PDP Bill. The PDP Bill does not apply to the regulation of anonymised data at large but the Data Protection Authority has the power to specify a code of practice for methods of de-identification and anonymisation, which will necessarily impact AI technologies’ use of data.
b) Use of AI to re-identify anonymised data: AI applications can be used to re-identify anonymised personal data. To safeguard the privacy of individuals, datasets composed of the personal data of individuals are often anonymised through a de-identification and sampling process, before they are shared for the purposes of training AI systems to address privacy concerns. However, current technology makes it possible for AI systems to reverse this process of anonymisation to re-identify people, having significant privacy implications for an individual’s personal data.
(ii) Impact on society: The impact of the use of AI systems on society essentially relates to broader privacy considerations that arise at a societal level due to the deployment and use of AI, including mass surveillance, psychological profiling, and the use of data to manipulate public opinion. The use of AI in facial recognition surveillance technology is one such AI system that has significant privacy implications for society as a whole. Such AI technology enables individuals to be easily tracked and identified and has the potential to significantly transform expectations of privacy and anonymity in public spaces.
Due to the varying nature of privacy risks and implications caused by AI systems, we will have to design various regulatory mechanisms to address these concerns. It is important to put in place a reporting and investigation mechanism that collects and analyses information on privacy impacts caused by the deployment of AI systems, and privacy incidents that occur in different contexts. The collection of this data would allow actors across the globe to identify common threads of failure and mitigate against potential privacy failures arising from the deployment of AI systems.
To this end, we can draw on a mechanism that is currently in place in the context of reporting and investigating aircraft incidents, as detailed under Annexure 13 of the Convention on International Civil Aviation (Chicago Convention). It lays down the procedure for investigating aviation incidents and a reporting mechanism to share information between countries. The aim of this accident investigation report is not to apportion blame or liability from the investigation, but rather to extensively study the cause of the accident and prevent future incidents.
A similar incident investigation mechanism may be employed for AI incidents involving privacy breaches. With many countries now widely developing and deploying AI systems, such a model of incident investigation would ensure that countries can learn from each other’s experiences and deploy more privacy-secure AI systems.
Principle of Transparency
The concept of transparency is a recognised prerequisite for the realisation of ‘trustworthy AI’. The goal of transparency in ethical AI is to make sure that the functioning of the AI system and resultant outcomes are non-discriminatory, fair, and bias mitigating, and that the AI system inspires public confidence in the delivery of safe and reliable AI innovation and development. Additionally, transparency is also important in ensuring better adoption of AI technology—the more users feel that they understand the overall AI system, the more inclined and better equipped they are to use it.
The level of transparency must be tailored to its intended audience. Information about the working of an AI system should be contextualised to the various stakeholder groups interacting and using the AI system. The Institute of Electrical and Electronics Engineers, a global professional organisation of electronic and electrical engineers, suggested that different stakeholder groups may require varying levels of transparency in accordance with the target group. This means that groups such as users, incident investigators, and the general public would require different standards of transparency depending upon the nature of information relevant for their use of the AI system.
Presently, many AI algorithms are black boxes where automated decisions are taken, based on machine learning over training datasets, and the decision making process is not explainable. When such AI systems produce a decision, human end users don’t know how it arrived at its conclusions. This brings us to two major transparency problems, the public perception and understanding of how AI works, and how much developers actually understand about their own AI system’s decision making process. In many cases, developers may not know, or be able to explain how an AI system makes conclusions or how it has arrived at certain solutions.
This results in a lack of transparency. Some organisations have suggested opening up AI algorithms for scrutiny and ending reliance on opaque algorithms. On the other hand, the NITI Working Document is of the view that disclosing the algorithm is not the solution and instead, the focus should be on explaining how the decisions are taken by AI systems. Given the challenges around explainability discussed above, it will be important for NITI Aayog to discuss how such an approach will be operationalised in practice.
While many countries and organisations are researching different techniques which may be useful in increasing the transparency of an AI system, one of the common suggestions which has gained traction in the last few years is the introduction of labelling mechanisms in AI systems. An example of this is Google’s proposal to use ‘Model Cards’, which are intended to clarify the scope of an AI system’s deployment and minimise its usage in contexts for which it may not be well suited.
Model cards are short documents which accompany a trained machine learning model. They enumerate the benchmarked evaluation of the working of an AI system in a variety of conditions, across different cultural, demographic, and intersectional groups which may be relevant to the intended application of the AI system. They also contain clear information on an AI system’s capabilities including the intended purpose for which it is being deployed, conditions under which it has been designed to function, expected accuracy and limitations. Adopting model cards and other similar labelling requirements in the Indian context may be a useful step towards introducing transparency into AI systems.
Principle of Accountability
The Principle of Accountability aims to recognise the responsibility of different organisations and individuals that develop, deploy and use the AI systems. Accountability is about responsibility, answerability and trust. There is no one standard form of accountability, rather this is dependent upon the context of the AI and the circumstances of its deployment.
Holding individuals and entities accountable for harm caused by AI systems has significant challenges as AI systems generally involve multiple parties at various stages of the development process. The regulation of the adverse impacts caused by AI systems often goes beyond the existing regimes of tort law, privacy law or consumer protection law. Some degree of accountability can be achieved by enabling greater human oversight. In order to foster trust in AI and appropriately determine the party who is accountable, it is necessary to build a set of shared principles that clarify responsibilities of each stakeholder involved with the research, development and implementation of an AI system ranging from the developers, service providers and end users.
Accountability has to be ensured at the following stages of an AI system:
(i) Pre-deployment: It would be useful to implement an audit process before the AI system is deployed. A potential mechanism for implementing this could be a multi-stage audit process which is undertaken post design, but before the deployment of the AI system by the developer. This would involve scoping, mapping and testing a potential AI system before it is released to the public. This can include ensuring risk mitigation strategies for changing development environments and ensuring documentation of policies, processes and technologies used in the AI system.
Depending on the nature of the AI system and the potential for risk, regulatory guidelines can be developed prescribing the involvement of various categories of auditors such as internal, expert third party and from the relevant regulatory agency, at various stages of the audit. Such audits which are conducted pre-deployment are aimed at closing the accountability gap which exists currently.
(ii) During deployment: Once the AI system has been deployed, it is important to keep auditing the AI system to note the changes being made/evolution happening in the AI system in the course of its deployment. AI systems constantly learn from the data and evolve to become better and more accurate. It is important that the development team is continuously monitoring the system to capture any errors that may arise, including inconsistencies arising from input data or design features, and address them promptly.
(iii) Post-deployment: Ensuring accountability post-deployment in an AI system can be challenging. The NITI Working Document also recognised that assigning accountability for specific decisions becomes difficult in a scenario with multiple players in the development and deployment of an AI system. In the absence of any consequences for decisions harming others, no one party would feel obligated to take responsibility or take actions to mitigate the effect of the AI systems. Additionally, the lack of accountability also leads to difficulties in grievance redressal mechanisms which can be used to address scenarios where harm has arisen from the use of AI systems.
The Council of Europe, in its guidelines on the human rights impacts of algorithmic systems, highlighted the need for effective remedies to ensure responsibility and accountability for the protection of human rights in the context of the deployment of AI systems. A potential model for grievance redressal is the redressal mechanism suggested in the AI4People’s Ethical Framework for a Good Society report by the Atomium – European Institute for Science, Media and Democracy. The report suggests that any grievance redressal mechanism for AI systems would have to be widely accessible and include redress for harms inflicted, costs incurred, and other grievances caused by the AI system. It must demarcate a clear system of accountability for both organisations and individuals. Of the various redressal mechanisms they have suggested, two significant mechanisms are:
(a) AI ombudsperson: This would ensure the auditing of allegedly unfair or inequitable uses of AI reported by users of the public at large through an accessible judicial process.
(b) Guided process for registering a complaint: This envisions laying down a simple process, similar to filing a Right to Information request, which can be used to bring discrepancies, or faults in an AI system to the notice of the authorities.
Such mechanisms can be evolved to address the human rights concerns and harms arising from the use of AI systems in India.
In early October, the Government of India hosted the Responsible AI for Social Empowerment (RAISE) Summit which has involved discussions around India’s vision and a roadmap for social transformation, inclusion and empowerment through Responsible AI. At the RAISE Summit, speakers underlined the need for adopting AI ethics and a human centred approach to the deployment of AI systems. However, this conversation is still at a nascent stage and several rounds of consultations may be required to build these principles into an Indian AI governance and regulatory framework.
As India enters into the next stage of developing and deploying AI systems, it is important to have multi-stakeholder consultations to discuss mechanisms for the adoption of principles for Responsible AI. This will enable the framing of an effective governance framework for AI in India that is firmly grounded in India’s constitutional framework. While the NITI Aayog Working Document has introduced the concept of ‘Responsible AI’ and the ethics around which AI systems may be designed, it lacks substantive discussion on these principles. Hence, in our analysis, we have explored global views and practices around these principles and suggested mechanisms appropriate for adoption in India’s governance framework for AI. Our detailed analysis of these principles can be accessed in our comments to the NITI Aayog’s Working Document Towards Responsible AI for All.
India is in the midst of establishing a robust data governance framework, which will impact the rights and liabilities of all key stakeholders – the government, private entities, and citizens at large. As a parliamentary committee debates its first personal data protection legislation (‘PDPB 2019’), proposals for the regulation of non-personal data and a data empowerment and protection architecture are already underway.
As data processing capabilities continue to evolve at a feverish pace, basic data protection regulations like the PDPB 2019 might not be sufficient to address new challenges. For example, big data analytics renders traditional notions of consent meaningless as users have no knowledge of how such algorithms behave and what determinations are made about them by such technology.
Creative data governance models, which are aimed at reversing the power dynamics in the larger data economy, are the need of the hour. Recognising these challenges, policymakers are driving the conversation on data governance in the right direction. However, they might be missing out on crucial experiments being run in other parts of the world.
As users of digital products and services increasingly lose control over data flows, various new models of data governance are being recommended, for example, data trusts, data cooperatives, and data commons. Out of these, one of the most promising new models of data governance is data trusts.
(For the purposes of this blog post, I’ll be using the phrase data processors as an umbrella term to cover data fiduciaries/controllers and data processors in the legal sense. The word users is meant to include all data principals/subjects.)
What are data trusts?
Though there are various definitions of data trusts, one which is helpful in understanding the concept is – ‘data trusts are intermediaries that aggregate user interests and represent them more effectively vis-à-vis data processors.’
To solve the information asymmetries and power imbalances between users and data processors, data trusts will act as facilitators of data flow between the two parties, but on the terms of the users. Data trusts will act under a fiduciary duty and in the best interests of their members. They will have the requisite legal and technical knowledge to act on behalf of users. Instead of users making potentially ill-informed decisions over data processing, data trusts will make such decisions on their behalf, based on pre-decided factors like a bar on third-party sharing, and in their best interests. For example, data trusts to users can be what mutual fund managers are to potential investors in capital markets.
Currently, in a typical transaction in the data economy, if users wish to use a particular digital service, neither do they have the knowledge to understand the possible privacy risks nor the negotiation powers for change. Data trusts with a fiduciary responsibility towards users, specialised knowledge, and multiple members might be successful in tilting back the power dynamics in favour of users. Data trusts might be relevant from the perspective of both the protection and controlled sharing of personal as well as non-personal data.
(MeitY’s Non-Personal Data Governance Framework introduces the concept of data trustees and data trusts in India’s larger data governance and regulatory framework. But, this applies only to the governance of ‘non-personal data’ and not personal data, as being recommended here. CCG’s comments on MeitY’s Non-Personal Data Governance Framework, can be accessed – here)
Challenges with data trusts
Though creative solutions like data trusts seem promising in theory, they must be thoroughly tested and experimented with before wide-scale implementation. Firstly, such a new form of trusts, where the subject matter of the trust is data, is not envisaged by Indian law (see section 8 of the Indian Trusts Act, 1882, which provides for only property to be the subject matter of a trust). Current and even proposed regulatory structures don’t account for the regulation of institutions like data trusts (the non-personal data governance framework proposes data trusts, but only as data sharing institutions and not as data managers or data stewards, as being suggested here). Thus, data trusts will need to be codified into Indian law to be an operative model.
Secondly, data processors might not embrace the notion of data trusts, as it may result in loss of market power. Larger tech companies, who have existing stores of data on numerous users may not be sufficiently incentivised to engage with models of data trusts. Structures will need to be built in a way that data processors are incentivised to participate in such novel data governance models.
Thirdly, the business or operational models for data trusts will need to be aligned to their members, i.e. users. Data trusts will require money to operate, and for-profit entities may not have the best interests of users in mind. Subscription based models, whether for profit or not, might fail as users are habituated to free services. Donation based models might need to be monitored closely for added transparency and accountability.
Lastly, other issues like creation of technical specifications for data sharing and security, contours of consent, and whether data trusts will help in data sharing with the government, will need to be accounted for.
Privacy centric data governance models
At this early stage of developing data governance frameworks suited to Indian needs, policymakers are at a crucial juncture of experimenting with different models. These models must be centred around the protection and preservation of privacy rights of Indians, both from private and public entities. Privacy must also be read in its expansive definition as provided by the Supreme Court in Justice K.S. Puttaswamy vs. Union of India. The autonomy, choice, and control over informational privacy are crucial to the Supreme Court’s interpretation of privacy.
(CCG’s privacy law database that tracks privacy jurisprudence globally and currently contains information from India and Europe, can be accessed – here)