The Bombay High Court (‘HC’) in Vinit Kumar v CBI was faced with a situation familiar to the constitutional courts in India. The HC was called upon to decide whether telephone recordings obtained in contravention of section 5(2) of the Telegraph Act, 1885 (‘Act’) would be admissible in a criminal trial against the accused. Before delving into the reasoning of the HC, it will be instructive to refer to the facts of the case and an overview of India’s interception regime.
Section 5(2) of the Telegraph Act permits interception (or ‘phone tapping’) done in accordance with a “procedure established by law” and lays down two conditions under which such orders may be passed: the occurrence of a “public emergency” and the interests of “public safety”. Moreover, the order must be “necessary” for reasons related to the security of the state, friendly relations with other states, sovereignty or preventing the commission of an offense. The Apex Court in PUCL v. UOI (‘PUCL’) stated that telephone tapping without following the appropriate safeguards and legal process would infringe the Right to Privacy of an individual. Accordingly, procedural safeguards, in addition to those under section 5(2) of the Act, were laid down and eventually incorporated in the Telegraph Rules, 1951 (‘Telegraph Rules’). First, such orders may be issued only by the Home Secretaries of Central and State governments in times of emergency. Secondly, such an order shall be passed only when necessary and the authority passing the order shall maintain a detailed record of the intercepted communication and the procedure followed. Further, the order shall cease to be effective within two months, unless renewed. Lastly, the intercepted material shall be used only for purposes deemed necessary under the Act.
In the Vinit Kumar case, during a bribery related investigation, three interception orders were issued directing the interception of telephone calls by the petitioner. These were challenged as being ultra vires of section 5(2) of the Act, non-compliant with the Telegraph Rules, and for being in violation of the fundamental rights guaranteed under Part-III of the Indian Constitution.
The HC quashed the said orders by holding that:
Firstly, the right to privacy would include telephone-conversation in the privacy of one’s home or office. Telephone-tapping would, thus, impermissibly infringe on the interceptee’s Article 21 rights unless it is conducted under the procedure established by law (in this case, the law laid down in PUCL and the Telegraph Rules). In Vinit Kumar, the HC found the impugned orders were in contravention of the procedural guidelines laid down for the protection of the right to privacy by the Supreme Court in PUCL, section 5 of the Act and Rule 419A of the Telegraph Rules. Additionally, (and crucially) the evidence obtained through infringement of the right to privacy would be inadmissible in the court of law.
This blog analyses this third aspect of the HC judgment and argues that the approach of the HC reflects a true reading of the decision of the SC in K.S. Puttaswamy v UoI (‘Puttaswamy’) and ushers us into a new regime of right to privacy for accused persons. While doing so, the author critically examines the previous decisions wherein the courts have held the evidence collected through processes that infringe the fundamental rights of the accused to be admissible.
Correct Reading of Privacy Doctrine and Puttaswamy Development
Based on the decisions of the SC in State v Navjot Sandhu and Umesh Kumar v State, the current legal position would appear to be that illegally obtained evidence is admissible in courts as long as it is relevant. Consequently, as Vrinda Bhandari and Karan Lahiri have argued, the State is placed in a position whereby it is incentivised to access private information of an accused in a manner which may not be legally permissible. There are no adverse legal consequences for illegally obtaining evidence, only prosecutorial benefits. This is reflected in the decisions concerning the admissibility of recordings of telephonic conversations without the knowledge of the accused. The rule regarding admissibility of illegally collected evidence stems from a couple of cases; however, it is submitted that the rule has a crumbling precedential basis.
A good starting point is the Supreme Court’s decision in RM Malkani v State (‘Malkani’). It was held that telephone recordings without the knowledge of the accused would be admissible in evidence as long as they are not obtained by coercion or compulsion. The Court had negligible analysis to offer insofar as the right to privacy of an individual is concerned. However, this decision dates back to the pre-PUCL and pre-Puttaswamy era, wherein the right to privacy (especially vis-a-vis telephonic conversations) was not recognised as a fundamental right. Hence, it becomes imperative to question the continued relevance and correctness of this decision in light of the new developments in our understanding of fundamental rights under the Constitution. Moreover, Malkani relied on Kharak Singh v. State of U.P, which was explicitly overruled by Puttaswamy. This also casts doubt on other cases which relied on the reasoning in Kharak Singh on the issue of privacy.
In Vinit Kumar, the HC rejected the approach adopted in Malkani and Kharak Singh. Affirming the right to privacy as a fundamental right, and relying on the requirements of ‘public emergency’ or ‘public order’, the HC observed that the respondents failed to justify any ingredients of “risk to the people at large or interest of the public safety, for having taken resort to the telephonic tapping by invading the right to privacy” (¶ 19). It emphasized the need to adhere to procedural safeguards, as provided in the Act, the Telegraph Rules, and the PUCL judgment, so as to ensure that the infringement of the right to privacy in a particular case meets the standards of proportionality laid down in Puttaswamy. Crucially, the HC went a step further to hold that since the infringement of the right to privacy was not in accordance with the procedure established by law, the intercepted messages ought to be destroyed and not used as evidence in trial, as they are sourced from the infringement of the fundamental right to life (¶ 22).
Thus, we can see an adherence to the new constitutional doctrines espoused by the Supreme Court whereby the HC emphatically rejected the now-overruled reasoning of Kharak Singh v State as far as the right to privacy is concerned, and refused to apply the cases of Malkani and Dharambir Khattar v UoI whose ratios flow from Kharak Singh’s non-recognition of a right to privacy. The HC held that such judgements have been overruled by Puttaswamy (to the extent that they do not recognise the right to privacy as a fundamental right). Furthermore, it was also held that these cases involved no examination of law on the touchstone of principles of proportionality and legitimacy, as laid down in Puttaswamy (¶ 37). It circumvented the issue of ‘relevancy’ by distinguishing between ‘illegally collected evidence’, and ‘unconstitutionally collected evidence’, ruling that the latter was inadmissible as it would lead to the erosion of fundamental rights at the convenience of the State’s investigatory arm.
The HC judgment is, therefore, an important landmark with respect to the admissibility of evidence involving violation of fundamental rights. However, given the absence of a clear Supreme Court judgment in this regard, the rights of the Indian citizenry are susceptible to the difference in the approaches taken by other HCs. A case in point is the Delhi HC judgment in Deepti Kapur v. Kunal Julka wherein a video-recording of the wife’s conversation with her friend, collected by the CCTV camera in her room was admitted in evidence despite the arguments raised with regards to infringement of the right to privacy. Thus, the exact application of a bar on evidence collected through privacy infringing measures in different contexts will need to be developed on a case by case basis.
Conclusion
The Bombay HC judgment correctly traces the evolution of the right to privacy debate in the Indian jurisprudence. It is based on the transformative vision of the Puttaswamy judgment and appropriate application of precedent with regards to the case in hand. It symbolizes a true deference to the Constitution by protecting the citizenry from state surveillance and potential abuses of power. Especially in the current electronic era where personal information can be extracted through unconstitutional means, the Vinit Kumar judgment affirms the importance of procedural due process under the fundamental rights regime in India.
The introduction of The Criminal Procedure (Identification) Act, 2022 (‘the Identification Act’) raised several surveillance and privacy concerns. Replacing the Identification of Prisoners Act 1920 (‘the Old Prisoners Act’), it attempts to modernize the process of identification of persons involved in criminal allegations to expedite and enhance criminal investigations. This is accomplished by expanding the types of ‘measurements’ that can be obtained (ie, the data that can be collected), the persons from whom measurements may be collected, and the storage of the said data for a period of 75 years.
The Identification Act permits the collection of measurements for an expansive set of categories and increases the persons whose measurements can be collected. Section 2(1)(b) of the Identification Act defines “measurements.” While the Old Prisoners Act authorized only the collection of measurements such as finger-impressions and foot-impressions, the Identification Act now includes within its ambit “finger-impressions, palm-print impressions, foot-print impressions, photographs, iris and retina scan, physical, biological samples and their analysis, behavioural attributes including signatures, handwriting,” on top of any other examination mentioned in Section 53 and 53A of the Code of Criminal Procedure, 1973. This represents a significant expansion in the type of data collected from individuals.
In the Old Prisoners Act, measurements could only be taken from persons who were convicted or those arrested in connection with an offence punishable by rigorous imprisonment of more than one year. However, in the Identification Act, the measurements can be taken of all convicted and arrested persons, without any requirement of a minimum threshold for those not convicted. Further, measurements can be taken from individuals under preventive detention as per Section 3(c). Thus, all-in-all, the new Act has introduced a whole sea of new measurements that could be taken, and these new measurements can be taken from more people than under the Old Prisoners Act.
In this blog, the authors analyse the constitutionality of the Identification Act by examining whether the collection and storage of measurements satisfy the proportionality test for privacy infringing measures set out in Justice K. S. Puttaswamy v Union of India (5 judge-bench) (“Puttaswamy”).
Proportionality: the Puttaswamy test
The proportionality test, first set out in the Right to Privacy decision, was subsequently elucidated on and applied by J. Sikri in the Puttaswamy judgment; the criteria for judging the constitutionality of State interference with an individual’s right to privacy may be summarised as follows:
Legitimate aim – the action taken by the government must be for a proper or legitimate purpose.
Rational nexus – there should be a rational connection between the infringing act and the legitimate state aim sought to be achieved.
Necessity – the state must demonstrate that it is necessary to introduce an intrusive measure despite the negative effect on the rights of the individuals; including that there are no lesser restrictive measures of similar efficacy available to the State.
Balancing – between the need to adopt the measure and the right to privacy.
Assessing the Identification Act –
Legitimate Aim; the expansive provision of the measurements does, arguably, have a proper purpose. Just like the Old Prisoners Act, it is meant to aid the police in investigating crimes.
Rational Nexus; completion of the investigative procedure with speed and accuracy is a legitimate state aim and the current expansion in the categories of measurements that can be obtained will aid in achieving that. The new measures would enable the authorities to create a database using the collected measurements and match the data of suspects against it, thereby aiding criminal investigations.
Necessity; there is no denying that the Identification Act interferes with extremely personal data of individuals as it broadens the scope of both the measurements (as explained above) and the categories of people from whom it can be obtained. On a comparative reading of Section 2(a) of the Prisoners Act and Section 2(1)(b) of the Identification Act, it is evident that the latter encompasses significantly more data collection than the former. As the erstwhile Old Prisoners Act thus constitutes a lesser restrictive measure, the burden then lies on the state to establish that the Old Prisoners Act did not fulfill the “legitimate state aim” as effectively as the Identification Act will. This requires the State to demonstrate that the Prisoners Act failed to meet the state aim of expediting the criminal investigation process, because of which there arose a need for a new, more privacy-infringing Act. Absent this, the Old Prisoners Act remains a viable lesser restrictive measure. However, the State has failed to discharge its burden as it did not provide any data or conduct a study which showed that the Prisoners Act fell short of achieving the state aim. Thus, due to the existence of a less-restrictive alternative (in the form of the Old Prisoners Act), the necessity limb of the proportionality test is not met.
Proportionality or Balancing; it is imperative that the State’s rights-infringing measures are not absolute and do not curtail the rights of individuals any more than necessary. The removal of the minimum requirement of severity of offences as it relates to whose data can be collected will enable the authorities to collect data of persons charged with petty offences carrying punishment as little as a month. The Identification Act doesn’t even attempt to define the term ‘biological samples’ and what it would entail. This leaves major scope for misuse at the hands of state authorities. Due to the term not being defined anywhere, it could be construed to include tests such as narco-analysis, polygraph test, brain electrical activation profile test, etc. Such methods are not only extremely intrusive and violative of bodily autonomy, but also violative of the right against self-incrimination. Further, the proportionality test requires the maintenance of balance between the extent and nature of the interference and the reasons for interfering. While there might be substance in the rationale behind collection of measurements, there is no reasonable justification for retaining the measurements for a period of 75 years, especially as the same severely undermines the right to privacy of such individuals even when they have served their sentence, if any. This is especially true considering that the life expectancy in India is itself 71 years. Thus, even if the necessity limb of the test would have been satisfied, the balancing limb would still warrant that the Identification Act be struck down.
Conclusion
The proportionality test given under “Puttaswamy” is a conjunctive test and thus, failing any limb results in the measure being struck down. The Criminal Procedure (Identification) Act, 2022 fails to satisfy the necessity test to begin with, as the government has nowhere demonstrated that the lesser restrictive measure that the Identification Act replaces failed to meet its investigative requirements. Further, even beyond that, the balancing limb of the proportionality test is also not satisfied given the Act’s extremely broad application and excessive data retention requirements. Thereby, it impermissibly restricts the right to privacy of convicted and non-convicted persons.
Section 91 of the Criminal Procedure Code 1973 (“CrPC”) empowers the police to require the production of ‘any document or thing’ from any person if they consider it ‘necessary or desirable’ for any investigation, inquiry, or proceeding under the CrPC. The provision grants the police broad power to obtain evidence and it is frequently used to mandate the production of revealing data like Call Detail Records (“CDRs”), which contain details of communications made over a telecommunications network. While they do not contain the content of the communication, they contain metadata such as the duration of the call, who made it, who it was addressed to, when it was made and from where. The section, which stands in effect unchanged from section 94 of the CrPC, 1898, is a colonial provision that was enacted by a foreign power when fundamental rights, and specifically a right to privacy, did not exist. Moreover, our personal data, today, is available to a larger number of actors, at a higher level of granularity, than in the past. This makes the privacy risk associated with requisitioning data significantly greater. For example, RazorPay was recently required to hand over the data on thousands of transactions that had been made to AltNews via its platform. This post explores the privacy implications of the current framework, arguing that the provision is a significant infringement on individual privacy that lacks crucial safeguards. It also makes recommendations to address these concerns.
Issues with Section 91
The judgment in Puttaswamy I recognized the right to privacy as a fundamental right under Article 21 of the Constitution. By recognising privacy within the ambit of Article 21, the court ensured that restrictions on privacy would have to comply with the requirements of a ‘fair, just, and reasonable’ procedure set out by the decision in Maneka Gandhi. In fact, the court in PUCL had ruled that a surveillance provision in the Telegraph Act did not contain sufficient safeguards, prompting the court to lay down guidelines that were eventually codified in the Telegraph Rules. In Puttaswamy I itself, Justice Chandrachud’s opinion traced and emphasized the importance of procedural safeguards for the right to privacy. Moreover, Justice Kaul at Para 71 of his opinion in the same judgment identifies the requirements of legality, necessity, proportionality, and procedural safeguards that must be met for a provision to be constitutional.
The lack of procedural safeguards causes Section 91 to constitute an impermissible infringement of individual privacy. At first blush, Section 91 of the CrPC seems to have some safeguards. It lays down a standard of ‘necessity or desirability’ to require the production of information. Textually speaking, ‘desirability’ means ‘the quality of being wanted’, which confers significant discretion by conflating ‘when the police want’ data and ‘when it is legal for the police to requisition data’. The standard may be contrasted with Section 311 of the CrPC, which permits the Court to summon a witness ‘essential to the just decision of the case.’ The Supreme Court recently distinguished Section 91 from Section 311 in Varsha Garg v State of Madhya Pradesh. It held that the “necessary or desirable” standard under section 91 is met when the information sought is relevant, while 311 requires the higher standard of essentiality to be met. Even aside from this low standard, these safeguards are largely illusory as there is no independent oversight mechanism (either ex-ante or ex-post) to scrutinize whether the action was necessary (or desirable) at the time it was done.
Moreover, there are primarily two stages where section 91 requisitions are made – (1) during investigation by the police and (2) during trial on an application made in court. While applications made in court can be, and are, challenged (as they were in Varsha Garg), orders made during investigation are not. These orders are made by the police to entities in possession of data, which are corporations and intermediaries such as banks, telcos, etc. These entities lack any incentive to challenge any such order made against them, especially when noncompliance carries criminal consequences under section 174 of the Indian Penal Code, 1860 (Non-attendance in obedience to an order from public servant). Further, there is no requirement to notify the affected individual (either ex ante or post facto), so there is little or no adversarial contestation of section 91 orders made during investigation by the police to third party intermediaries. This further limits any potential challenge to Section 91 orders by investigative agencies.
Additionally, since Section 91 does not limit whose data can be demanded, it is possible that a third person’s CDRs are presented at trial as evidence; this person will probably never learn of it or have the opportunity to challenge the disclosure of such information, even during or after trial. Ultimately, the affected individual does not know when such a request is made, these requests are legally binding, the substantive threshold for initiating a request for information provides almost absolute discretion to the executive, and there is no mechanism to enforce a standard even if it is construed narrowly. Thus, there is a significant lack of procedural safeguards.
Call data records
Another issue with Section 91 is that it is essentially a shortcut to a level of invasive surveillance that ordinarily requires the State to satisfy higher standards. The Telegraph Act, 1885 and the Information Technology Act, 2000 provide for the interception of calls and electronic transmissions but have some safeguards in place. Specifically, Section 5(2) of the Telegraph Act allows for interception of messages on the occurrence of a public emergency or in the interest of public safety. Further, Rule 419A of the Indian Telegraph Rules of 1951 provides for review of directions under Section 5(2) of the Telegraph Act. Similarly, section 69A of the Information Technology Act read with IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 empowers senior government officials to issue surveillance directions if it is necessary or expedient to do so for specific grounds (including in this case investigation of an offense). These directions are also reviewed as per Rule 22 of the Interception Rules.
CDRs and ongoing interception (surveillance) may appear to be different since the latter deals with the recording of content of calls in real time while CDRs are metadata of past calls. However, the routine maintenance of CDRs itself represents an indirect and ongoing form of surveillance. With access to metadata, it is possible to combine this metadata with other publicly available data, such as phone books, social media accounts, etc., and discern information such that it constitutes a significant violation of the right to privacy, arguably on par with real-time surveillance. Moreover, metadata can be more easily processed by computers than content data. For example, A calls her sister B for an hour, following which A calls an abortion clinic, which is followed by multiple follow-up calls over the period of a few months. It may reasonably be deduced, even without knowing the contents of the call, that A got an abortion. This is private information but can be revealed just by perusing metadata. Metadata, thus, also carries substantial privacy implications. Accordingly, the requisitioning of CDRs should be accorded similar safeguards to those which apply to interception. The provisions under the Telegraph Act and IT Act have more safeguards in the form of who is empowered to issue the directions and that the directions are reviewed by specific authorities. Though these safeguards are in no way sufficient, the issue is that section 91 effectively bypasses the limited safeguards that do exist to obtain information that is privacy infringing to a similar degree.
Alternatives and recommendations
Choices made with respect to the collection of evidence strike a specific balance between Crime Control and Due Process models of criminal procedure. The former emphasizes the importance of tailoring evidence law to ensure sufficient punishment of crimes while the latter provides greater importance to the protection of rights and liberties. Since Section 91 allows for a broad, unchecked power for police to acquire CDRs and other documents, it clearly leans towards a crime control model.
What would a due process approach look like? The South African Constitutional Court recently held that surveillance orders constitutionally require notification to the person affected as soon as it can be given without jeopardizing the purpose of the investigation. It further required the collected data to be deleted after a fixed amount of time. In the United States, a warrant is required for the production of such evidence and consequently, as per the IVth Amendment, requires probable cause in order to justify infringing the privacy of individuals. Probable cause must be shown to a judge for the issue of a warrant, meaning that there is a procedural safeguard in the form of application of judicial mind to ensure adherence to the standard.
Therefore, a good starting point for additional safeguards (for CDRs at the bare minimum) includes requiring prior permission from a judicial authority in the form of a warrant and a notification of the surveillance (either ex ante or post facto). This would allow a challenge to the requisition order in a court of law as violating their fundamental rights and ensure some prior judicial application of mind in the process.
On 21st September 2022, the Department of Telecommunications (“DoT”) released the Draft Telecommunication Bill, 2022 for feedback and public comments. The draft is based on the consultation paper on ‘Need for a new legal framework governing Telecommunication in India’ which was published by the DoT in July 2022. The proposal aims to replace three laws: the Indian Telegraph Act, 1885, the Indian Wireless Telegraphy Act, 1933, and the Telegraph Wires (Unlawful Possession) Act, 1950.
CCG submitted its comments on the Bill, highlighting its feedback and key concerns. The comments were authored by Aishwarya Giridhar, Priyanshi Dixit, Sidharth Deb, reviewed and edited by Jhalak M. Kakkar, Shashank Mohan, Sachin Dhawan with research help from Shreenandini Mukhopadhyay and Shreya Parashar.
CCG’s key comments on the Government of India’s proposals under the Bill are divided into 6 parts –
Exclude digital/ internet based services from telecommunication regulation
The Information Technology Act, 2000 (“IT Act”) exclusively deals with issues pertaining to the internet and digital platforms, and provides corresponding regulation and user safeguards. The Bill’s proposed inclusion of digital services within telecommunications law may create a parallel legal regime and regulatory confusion that hinders innovation and the ease of doing business. Additionally, this Bill would likely subsist in parallel to the forthcoming Digital India Act which is under development at the Ministry of Electronics and Information Technology (“MeitY”). Therefore, we propose that the telecommunication regulation in India should not include digital services as it would create dual compliances for services which will negatively impact India’s overall internet ecosystem.
Revisit the Premise of Licensing Internet Based Digital and Software Services
Telecom Service Providers (“TSPs”) require a license to operate in the market since their operations are dependent on the use of spectrum, which is a limited natural resource. It is based on this scarcity that the Government grants exclusive licenses to access and use spectrum to select service providers. The Government’s privilege in this regard emerges from spectrum scarcity and the public trust doctrines. Conversely, internet based services do not function with the same scarcities and resource requirements as TSPs. Instead, they offer their services over the internet/ telecom network infrastructure. The internet is an ecosystem of abundance and thus digital service providers need not contend with the same infrastructural scarcities as network operators. Since OTT services do not require exclusive allocation of a scarce public resource like spectrum, imposing strict licensing requirements on them would hinder innovation, consumer choice and user accessibility.
The Bill Should Avoid One Size Fits All Regulation
The Bill in its current form deploys overbroad definitions for several terms including “telecommunication services” and “message”. This particular definition will envelop all OTT communication services, data communication services, email, and other digital platforms within the same licensing regime as all telecom services. Aside from compromising the principle of legal certainty, this overbroad definition contributes to a one size fits all regulatory approach for both carriage and content providers. Such a broad approach is antithetical to the internet’s innate characteristics and heterogeneities across its network stack. It is also inconsistent with the growing international and domestic consensus that the internet requires differential regulations which are curated to the features and contextual harms which are native to specific types of platforms and services.
The Bill’s Interception Proposals are Overbroad and may Violate Constitutional Rights
The Bill allows the State to order the interception of messages transmitted over telecommunication services or networks in specific situations. The broad definition in the Bill allows this provision to broadly apply to all messages communicated over all digital services, which may amount to a disproportionate restriction on users’ right to privacy. Under Indian jurisprudence, measures restricting privacy must: (a) be provided by law; (b) pursue a legitimate aim and be necessary in a democratic society; (c) be proportionate to the need for the interference with the right to privacy; and (d) contain procedural safeguards to protect against abuse. Existing provisions permitting interception must be re-examined for conformity with these standards and recent Supreme Court jurisprudence. Additionally, interception provisions in the Bill overlap with those in the IT Act and risk creating a parallel regulatory regime over digital services.
The Bill’s ID Verification Proposals may Violate Constitutional Rights to Privacy and Free Expression
The Bill requires service providers to identify users of their services, and also requires the identity of persons sending messages over telecommunication services to be made available to the recipient. Although these measures may have sought to target cyber-fraud, they will also serve to effectively remove anonymity in online communications. Online anonymity and encrypted services can however play a key role in protecting user privacy and the right to free expression, and mandated identity verification systems can significantly restrict these rights, particularly for minorities and vulnerable populations.
Provisions relating to the Suspension of Telecommunications Services Would Restrict the Right to Free Expression
The Bill authorises the State to direct the suspension of communications transmitted or received by telecommunication networks. It allows for the suspension of ‘telecommunication services’, which would include all digital services, along with phone calls, text messaging, etc. This provision would expand the ambit of suspension powers to allow states to restrict or blacklist specific services, in addition to restricting access to the internet as a whole. The internet plays a key role in exercising fundamental rights such as free expression and education, and in accessing essential services. Wide powers to restrict access to the internet as a whole, as well as specific services can therefore significantly restrict the fundamental rights of users.
You can read CCG’s full submission to the DoT here.
This blog post has been authored by Shrutanjaya Bhardwaj.
On 28th October 2021, the Supreme Court passed an order in the “Pegasus” case establishing a 3-member committee of technical experts to investigate allegations of illegal surveillance by hacking into the phones of several Indian citizens, including journalists. This post analyses the Pegasus order. Analyses by others may be accessed here, here and here.
Overview
The writ petitioners alleged that the Indian Government and its agencies have been using a spyware tool called “Pegasus”—produced by an Israeli technology firm named the NSO Group—to spy on Indian citizens. As the Court notes, Pegasus can be installed on digital devices such as mobile phones, and once Pegasus infiltrates the device, “the entire control over the device is allegedly handed over to the Pegasus user who can then remotely control all the functionalities of the device.” Practically, this means the ‘Pegasus user’ (i.e., the infiltrator) has access to all data on the device (emails, texts, and calls) and can remotely activate the camera and microphone to surveil the device owner and their immediate surroundings.
The Court records some basic facts that are instructive in understanding its final order:
The NSO Group itself claims that it only sells Pegasus to governments.
In November 2019, the then-Minister of Electronics and IT acknowledged in Parliament that Pegasus had infected the devices of certain Indians.
In June-July 2020, reputed media houses uncovered instances of Pegasus spyware attacks on many Indians including “senior journalists, doctors, political persons, and even some Court staff”.
Foreign governments have since taken steps to diplomatically engage with Israel and/or internally conduct investigations to understand the issue.
Despite repeated requests by the Court, the Union Government did not furnish any specific information to assist the Court’s understanding of the matter.
These facts led the Court to conclude that the petitioners’ allegations of illegal surveillance by hacking need further investigation. The Court noted that the petitioners had placed on record expert reports and there also existed a wealth of ‘cross-verified media coverage’ coupled with the reactions of foreign governments to the use of Pegasus. The Court’s order leaves open the possibility that a foreign State or perhaps a private entity may have conducted surveillance on Indians. Additionally, the Union Government’s refusal to clarify its position on the legality and use of Pegasus in Court raised the possibility that the Union Government itself may have used the spyware. As discussed below, this possibility ultimately shaped the Court’s directions and relief.
The Pegasus order is analysed below along three lines: (i) the Court’s acknowledgement of the threat to fundamental rights, (ii) the Union Government’s submissions before the Court, and (iii) the Court’s assertion of its constitutional duty of judicial review—even in the face of sensitive considerations like national security.
Acknowledging the risks to fundamental rights
While all fundamental rights may be reasonably restricted by the State, every right has different grounds on which it may be restricted. Identifying the precise right under threat is hence an important exercise. The Court articulates three distinct rights at risk in a Pegasus attack. Two flow from the freedom of speech under Article 19(1)(a) of the Constitution and one from the right to privacy under Article 21.
The first right, relatable to Article 19(1)(a), is journalistic freedom. The Court noted that the awareness of being spied on causes the journalist to tread carefully and think twice before speaking the truth. Additionally, when a journalist’s entire private communication is accessible to the State, the chances of undue pressure increase manifold. The Court described such surveillance as “an assault on the vital public watchdog role of the press”.
The second right, also traced to Article 19(1)(a), is the journalist’s right to protect their sources. The Court treats this as a “basic condition” for the freedom of the press. “Without such protection, sources may be deterred from assisting the press in informing the public on matters of public interest,” which harms the free flow of information that Article 19(1)(a) is designed to ensure. This observation and acknowledgment by the Court is significant and it will be interesting to see how the Court’s jurisprudence develops and engages with this issue.
The third right, traceable to Article 21 as interpreted in Puttaswamy, is the citizen’s right to privacy (see CCG’s case brief of Puttaswamy on the CCG Privacy Law Library). Surveillance and hacking are prima facie an invasion of privacy. However, the State may justify a privacy breach as a reasonable restriction on constitutional grounds if the legality, necessity, and proportionality of the State’s surveillance measure are established.
Court’s response to the Government’s “conduct” before the Court
The Court devotes a significant part of the Pegasus order to discuss the Union Government’s “conduct” in the litigation. The first formal response filed by the Government, characterised as a “limited affidavit”, did not furnish any details about the controversy owing to an alleged “paucity of time”. When the Court termed this affidavit as “insufficient” and demanded a more detailed affidavit, the Solicitor General cited national security implications as the reason for not filing a comprehensive response to the surveillance allegations. This was despite repeated assurances given by both the Petitioners and the Court that no sensitive information was being sought, and the Government need only disclose what was necessary to decide the matter at hand. Additionally, the Government did not specify the national security consequences that would arise if more details were disclosed. (The Court’s response to the invocation of the national security ground on merits is discussed in the next section.)
In addition to invoking national security, the Government made three other arguments:
The press reports and expert evidence were “motivated and self-serving” and thus of insufficient veracity to trigger the Court’s jurisdiction.
While all technology may be misused, the use of Pegasus cannot per se be impermissible, and India had sufficient legal safeguards to guard against constitutionally impermissible surveillance.
The Court need not establish a committee as the Union Government was prepared to constitute its own committee of experts to investigate the issue.
The Court noted that the nature and “sheer volume” of news reports are such that these materials “cannot be brushed aside”. The Court was unwilling to accept the other two arguments in part due to the Union Government’s broader “conduct” on the issue of Pegasus. It noted that the first reports of Pegasus use dated back to 2018 and a Union Minister had informed Parliament of the spyware’s use on Indians in 2019, yet no steps to investigate or resolve the issue had been taken until the present writ petitions had been filed. Additionally, the Court ruled that the limited documentation provided by the Government did not clarify its stand on the use of Pegasus. In this context, and owing to reasons of natural justice (discussed below), the Court opined that independent fact finding and judicial review were warranted.
Assertion of constitutional duty of judicial review
As noted above, the Union Government invoked national security as a ground to not file documentation regarding its alleged use of Pegasus. The Court acknowledged that the government is entitled to invoke this ground, and even noted that the scope of judicial review is narrow on issues of national security. However, the Court held that the mere invocation of national security is insufficient to exclude court intervention. Rather, the government must demonstrate how the information being withheld would raise national security concerns and the Court will decide whether the government’s concerns are legitimate.
The order contains important observations on the Government’s use of the national security exception to exclude judicial scrutiny. The Court notes that such arguments are not new; and that governments have often urged constitutional courts to take a hands-off approach in matters that have a “political” facet (like those pertaining to defence and security). But the Court has previously held, and also affirmed in the Pegasus order, that it will not abstain from interfering merely because a case has a political complexion. The Court noted that it may certainly choose to defer to the Government on sensitive aspects, but there is no “omnibus prohibition” on judicial review in matters of national security. If the State wishes to withhold information from the Court, it must “plead and prove” the necessary facts to justify such withholding.
The Government had also suggested that the Court let the Government set up a committee to investigate the matter. The Supreme Court had adopted this approach in the Kashmir Internet Shutdowns case by setting up an executive-led committee to examine the validity and necessity of continuing internet shutdowns. That judgment was widely criticised (see here, here and here). However, in the present case, as the petitions alleged that the Union Government itself had used Pegasus on Indians, the Court held that allowing the Union Government to set up a committee to investigate would violate the principle against bias in inquiries. The Court quoted the age-old principle that “justice must not only be done, but also be seen to be done”, and refused to allow the Government to set up its own committee. This is consistent with the Court’s assertion of its constitutional obligation of judicial review in the earlier parts of the order.
Looking ahead
The terms of reference of the Committee are pointed and meaningful. The Committee is required to investigate, inter alia, (i) whether Pegasus was used to hack into phones of Indian citizens, and if so which citizens; (ii) whether the Indian Government procured and deployed Pegasus; and (iii) if the Government did use Pegasus, what law or regulatory framework the spyware was used under. All governmental agencies have been directed to cooperate with the Committee and furnish any required information.
Additionally, the Committee is to make recommendations regarding the enactment of a new surveillance law or amendment of existing law(s), improvements to India’s cybersecurity systems, setting up a robust investigation and grievance-redressal mechanism for the benefit of citizens, and any ad-hoc arrangements to be made by the Supreme Court for the protection of citizens’ rights pending requisite action by Parliament.
The Court has directed the Committee to carry out its investigation “expeditiously” and listed the matter again after 8 weeks. As per the Supreme Court’s website, the petitions are tentatively to be listed on 3 January 2022.
This blog was written with the support of the Friedrich Naumann Foundation for Freedom.
In the wake of disclosures by the Pegasus Project, it has become more important than ever to understand the law which authorises the government to conduct surveillance – especially the provisions which permit non-digital phone tappings. To that end, the ‘Privacy High Court Tracker’ is an extremely useful tool developed by the Centre For Communication Governance, National Law University Delhi. The tracker enables stakeholders to analyse the evolving jurisprudence on privacy. High Courts across the country are at the forefront of this evolution. For the purposes of this piece, which discusses the law on state-mandated surveillance with a focus on phone-tappings, two judgments from the tracker are relevant – Vinit Kumar vs. CBI and Ors., 2019 (Bombay High Court) and Sanjay Bhandari and Ors. vs The Secretary of Govt. of India and Ors., 2020 (Madras High Court).
But before we analyse these judgments, it is important to refer to the provisions of law that enable the government to listen to our conversations and the decision of the Supreme Court in PUCL vs. Union of India, (1997), which is the locus classicus on this subject.
Section 5(2) of the Telegraph Act, 1885 (Telegraph Act) empowers the government to intercept any communication by a ‘telegraph’ from a person to another “on the occurrence of a public emergency” or “in the interest of public safety” if it is in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or to prevent incitement to the commission of an offence. Any order under Section 5(2) must be issued before the surveillance begins. Section 69 of the Information Technology Act, 2000 (IT Act) permits the government to intercept, monitor or decrypt communication generated, transmitted, received or stored in a computer.
Interestingly, Section 69 of the IT Act has not been subject to much judicial scrutiny. While challenges to its constitutionality are pending before the Supreme Court, the lack of scrutiny is perhaps because there is opacity around when, where and how this provision is used to conduct surveillance. Notably, the government has even refused to provide the total number of orders it has passed under this provision in a response to a right to information application filed by the Internet Freedom Foundation. Unlike Section 69 of the IT Act, Constitutional Courts have examined Section 5(2) of the Telegraph Act on several occasions. As mentioned above, the most notable instance is PUCL.
In PUCL, the constitutional validity of Section 5(2) of the Telegraph Act was challenged. The Supreme Court’s decision, which was subsequently affirmed in K.S. Puttaswamy vs. Union of India, held that conversations over the telephone are private in nature. While this is significant since this judgment is from before Puttaswamy, the bite of the judgment was the Court’s interpretation of the phrases “on the occurrence of a public emergency” and “in the interest of public safety”. The Court held that public emergency would mean the prevailing of a sudden condition or state of affairs affecting the people at large, calling for immediate action. The expression “public safety” means the state or condition of freedom from danger or risk for the people at large. The Court also held that the phrases “take their colour off each other”, and that a breach of public safety/a public emergency are evident to a reasonable person as they are not secretive conditions.
In terms of procedural safeguards, the Court, amongst other things, directed the Government to not conduct phone tapping unless there is an order from the home secretary which would ex-post be subject to review by a review committee also consisting of government officials. Notably, the Court stopped short of either prior or post judicial scrutiny.
The CCG Privacy High Court Tracker is a useful resource to examine how High Courts have relied upon the decision in PUCL, especially after the Supreme Court’s decision in Puttaswamy. In this regard, the Bombay High Court’s decision in Vinit Kumar and the Madras High Court’s decision in Sanjay Bhandari offer a study in contrast.
In Vinit Kumar, the petitioner challenged three phone tapping orders issued against him, on the ground that they were ultra vires Section 5(2) of the Telegraph Act. Of course, the petitioner only found out that his conversations were being monitored after the Central Bureau of Investigation filed a charge-sheet against him in a criminal proceeding, where the petitioner was accused of bribing a public servant. The petitioner argued that there was no threat to public safety nor a public emergency to occasion such phone-tapping. The Bombay High Court agreed and noted that circumstances did not exist which “would make it evident to a reasonable person that there was an emergency or a threat to public safety”. The Court also went a step ahead and tested the phone tapping orders on the Puttaswamy proportionality standard (Kaul J, Paragraph 70) which requires the government to show – a) The action must be sanctioned by law; b) The action must be necessary in a democratic society; c) Proportionality – infringing action must be proportionate to the need for such interference; and d) Procedural safeguards. The Court found that the orders could not withstand the test and struck them down as they ‘neither had the sanction of law’ (as there was no public emergency nor a threat to public safety) nor have they been issued for a legitimate aim. (Paragraph 19)
In Sanjay Bhandari, the petitioners, who held official government positions, were accused of accepting a bribe in return for granting benefits. They found out that the Government was monitoring their conversations, and challenged the phone-tapping orders before the Madras High Court. Evidently, there was neither a public emergency nor threat to public safety that would justify the imposition of such an order. In PUCL, the Supreme Court had held that these situations are evident to a reasonable person as they are not secretive conditions. The Court also held that public emergency would mean the prevailing of a sudden condition or state of affairs affecting the people at large, calling for immediate action, and the expression “public safety” means the state or condition of freedom from danger or risk for the people at large.
The Madras High Court, going against established precedent, held that “Restricting the concept of public safety to the mere “situations that would be apparent to the reasonable persons” will exclude most of the actual threats which present the most grave circumstances like terrorist attacks, corruption at high places, economic and organised crimes, most of which are hatched in the most secretive of manners.”
Thus, the decision in Sanjay Bhandari interpreted Section 5(2) in a manner which was entirely contrary to the decision in PUCL and, perhaps, even legislative intent. The Court read into the provision its understanding of what constitutes “actual threats” and extended the scope of the provision to offences which do not have any bearing on public safety, as interpreted in PUCL and affirmed in Puttaswamy. And there is merit to that interpretation. The word ‘safety’ follows the word ‘public’, which implies that the situation should be such that it puts at risk the people at large. Surely economic offences do not meet this criterion. There is merit to that interpretation, even from a rights perspective. Monitoring a person’s conversations constitutes a grave infringement on their right to privacy, and the need to undertake such an infringement must be proportionate to the ends sought to be achieved.
The recent revelation of the Pegasus hacks has re-ignited public discourse on privacy, surveillance and intelligence reform. As the proposed Personal Data Protection Bill, 2019 makes room for wide exemptions to military, intelligence and law enforcement agencies for the collection and processing of citizens’ data, privacy and data protection laws in their current form will be limited in their potential to enforce meaningful procedural safeguards and oversight over State surveillance.
Although these conversations are not new, we must continue to have them. At the same time, it is important to not miss the forest of State-run cybersurveillance programmes for the sprawling branches of the Pegasus tree. That the global cyber-surveillance industry thrives on State secrecy – is no secret.
While the need for and significance of surveillance reforms cannot be over-emphasized, data protection or privacy law in itself may not succeed in ensuring that Government is prohibited or restrained from acquiring Pegasus-like spyware. Nor will they ensure that the Government is obligated to disclose that such technologies that risk undermining basic fundamental freedoms of its citizenry have been procured by it, with the intent of deployment by law enforcement and/or intelligence agencies. In an earlier piece on the Pegasus hack, CCGNLUD had addressed issues in international frameworks for export controls designed for dual-use technology and their limitations in providing meaningful remedy to the aggrieved.
In this piece, the author argues that Parliamentary legislation and oversight on public procurement processes, classifications and procedures is far more likely to address the root of the multi-faceted problems we are faced with in the wake of Pegasus. Yet, public commentary or critique on the far-reaching consequences of such provisions is hard to come by. This is despite the fact that multiple estimates peg the share of public procurements by Government departments and agencies at 20-30% of India’s national GDP.[1]
The argument proceeds as follows. First, we highlight the central provision that enables the Government to keep such concerning acquisitions of technology in the dark, away from Parliamentary and public scrutiny. Second, we examine the far-reaching implications of this somewhat obscure provision for the cybersecurity industry in India and the public at large. Finally, we explain how this State-sanctioned secrecy in procurement of spyware – whether from foreign or Indian vendors – could potentially deprive the aggrieved targets of surveillance through Pegasus of meaningful legal remedy before the Courts.
Executive Regulations on Public Procurements and ‘National Security’
In the absence of a Parliamentary enactment, public procurements in general, are governed by the overarching principles and procedures codified in the General Financial Rules, 2017 (GFR). These rules were first issued after independence in 1947, and later revised in 1963 and 2005.[2]
Rule 144 of the GFR mandates that every authority procuring goods in public interest shall have the responsibility and accountability to bring efficiency, economy and transparency in matters relating to public procurement and for fair and equitable treatment of suppliers and promotion of competition in public procurement.[3] It also sets out certain ‘yardsticks’ with which procuring agencies must conform – and some are more problematic than others.
One of the most significant changes introduced in the 2017 iteration of the GFR is the introduction of a ‘national security exception’. Under these new provisions, Ministries/Departments may be exempted from the requirement of e-procurement and e-publication of tender enquiries and bid awards, which is mandatory as a general rule. This may be permitted:
In individual cases where confidentiality is required for reasons of national security, subject to approval by the Secretary of the Ministry/Department with the concurrence of the concerned Financial Advisor, [Rule 159(ii)] and
In individual case[s] where national security and strategic considerations demands confidentiality, after seeking approval of concerned Secretary and with concurrence of Financial Advisors. [Rule 160(ii)]
This indicates that the ‘national security exception’ is intended to apply to non-military procurements, expanding the realm of secrecy in procurements far beyond military matters with direct adverse consequences for the civilian realm of affairs. This is supported by the fact that the procurement of goods for the military is excluded from the scope of the GFR by Rule 146. This rule prescribes that the procurement of goods required on mobilisation and/or during the continuance of military operations shall be regulated by special rules and orders issued by the Government from time to time.
Thus, the acquisition of spyware as a product to enhance India’s cybersecurity posture—which can easily be proved to implicate strategic considerations that demand confidentiality—could be exempted from mandatory obligations of e-procurement through the central portal and e-publication of the tender inquiry as well as the bid award, after approval from the concerned Secretary and/or Financial Advisors. Although the rule also obliges the Finance Ministry to maintain statistical information on cases where such an exemption is granted, and the value of the contract,[4] whether or not such statistics are amenable to public disclosure through Right to Information (RTI) applications remains unclear at the time of writing.
What Implications for the Cybersecurity Industry?
In addition to spyware and malware, we can expect that even legitimate cybersecurity products and services when procured by Government could also be caught within the above mentioned clause for exempting an ‘individual case where national security and strategic considerations demands confidentiality’.
Given the current state of India’s information security, the acquisition of legitimate cybersecurity products and services will, and should, be conducted across Ministries including but not limited to the Ministry of Defence or even law enforcement.
The demand and market for cybersecurity products and services in the country is burgeoning. These exceptions could also be invoked by the relevant ministry/department to keep the identity of vendors of cybersecurity products and private sector partners for the development of surveillance and other cyber capabilities outside the public domain.
The invocation of such regulatory provisions to keep details of the vendors of cybersecurity products and service providers as confidential may create information asymmetries about Government’s needs and preferences among private players in the market. This will not be conducive for creating a competitive market for cybersecurity products and services. These asymmetries can then distort the market with far-reaching implications for the health and growth of the cybersecurity and IT industry at large.
It also militates against the objective of promoting fair competition and transparency in the public procurement process. Adopting the right blend of rules to encourage competition in industry is crucial to fostering a healthy ecosystem for the cybersecurity industry in India, which is still in its infancy.
The Courts will Protect Us?
In other words, through the 2017 amendment of the GFRs, Government of India’s executive branch gave itself the power to procure goods and services ‘in the interest of national security’ while remaining sheltered from the public gaze. This was the first time such a provision was inserted into the GFR – the language of its 2005, 1963 and 1947 iterations makes no mention of ‘national security’ whatsoever.
It is pertinent to point out that the term ‘national security’ is an extra-constitutional one – it does not occur anywhere in the Constitution of India. Instead, the Constitution refers only to ‘security of the State’ or ‘defence of India’, or ‘sovereignty and integrity of India’. In recent years, the Executive has co-opted the term ‘national security’ as a catch-all phrase to encompass everything from serious threats of cross-border terrorism and acts of foreign aggression, to issues like organised protests which were traditionally considered as falling under ‘public order’ – a category clearly distinguished from ‘security of the State’ as early as 1966 by the Supreme Court of India in Ram Manohar Lohia v. State of Bihar AIR 1966 SC 740.
A more recent order of the Supreme Court, dated December 14, 2018, in Manohar Lal Sharma v. Narendra Damodardas Modi (The Rafale Case) underlines the Court’s reluctance to hold the Executive accountable for procurements and public spending in domains like defence. The Court stated,
“We also cannot lose sight of the tender in issue. The tender is not for construction of roads bridges et cetera it is a defence tender for the procurement of aircrafts. The parameters of scrutiny would give far more leeway to the government keeping in mind the nature of the procurement itself.”[5]
Additionally, the emergence of the Supreme Court’s “sealed cover” jurisprudence, although recent in its origins, is testament to the growing shadow of secret executive action pervading the judicial sphere with opacity as well. In this context, it is relevant that recent coverage of the award of the “all-India tender” for the provision of a video conferencing platform for the Supreme Court of India does not yet disclose which entity or corporation was awarded this contract.
Coming back to Pegasus, should the aggrieved persons targeted with this spyware seek judicial remedy, Section 123 of the Indian Evidence Act, 1872 prohibits Government officials from providing evidence “derived from unpublished official records relating to any affairs of State, except with the permission of the officer at the head of the department concerned, who shall give or withhold such permission as he thinks fit.” (emphasis added)
This means that if a case relating to procurements exempted from e-publication is brought before courts, the appropriate authority to give or withhold permission for disclosure to court would be the same Secretary and Financial Advisors who permitted the procurement to be exempted from publication requirements in the first place. Section 124 further prohibits compelled disclosure of official communications made to a Government official in confidence.
And thus, the conspiracy of silence on potentially criminal acts of Government officials could easily escape judicial scrutiny. This will invariably create a challenging situation for individuals impacted by the use of the Pegasus spyware to effectively seek judicial redressal for violation of their right to privacy and hold the government accountable.
Without an explicit acknowledgment from the Government that the spyware was in fact procured by it, questions on the legality of procedures that resulted in its targeted deployment against citizens and judicial remedies for violations of due process in criminal investigation remain a moot point. In their current form, the applicable rules permit the Government to enable secret procurement of goods and services for non-military purposes under the GFR’s ‘national security exception’, and also permit the Government to disallow disclosure of this information in judicial proceedings.
Given the lower level of judicial scrutiny that such procurements will likely be subjected to, the doctrine of checks and balances and the doctrine of separation of powers necessitate that appropriate parliamentary mechanisms be set up to ensure effective oversight over all government procurements. Presently, the legal framework for procurements is comprised almost exclusively of executive-issued regulations. Constitutionalism requires that no organ of government be granted or allowed to exercise unfettered discretion, and that each is always held accountable by the other organs of the government.
This is an essential element of the Rule of Law and can only be ensured by way of a Parliamentary enactment on procurement procedures and concomitant disclosure requirements as well as effective Parliamentary oversight mechanisms to enforce accountability on public spending incurred for procurements in the name of national security.
[1] Government Procurement in India: Domestic Regulations and Trade Prospects, CUTS International, October 2012, p. 33, accessible at http://www.cuts-citee.org/pdf/Government-Procurement-in-India_Domestic-Regulations-Trade-Prospects.pdf. CUTS’ analysis draws upon reports and estimates in various reports of the World Bank, Planning Commission of India, the Central Vigilance Commission along with the Reserve Bank of India’s GDP Data on Macro-Economic Aggregates.
On 6th October, the European Court of Justice (ECJ/Court) delivered its much anticipated judgments in the consolidated matter of C-623/17, Privacy International from the UK and joined cases from France, C-511/18, La Quadrature du Net and others, C-512/18, French Data Network and others, and Belgium, C-520/18, Ordre des barreaux francophones et germanophone and others (collectively “Bulk Communications Surveillance Judgments”).
In this post, I briefly discuss the Bulk Communication Surveillance Judgments, their significance for other countries and for India.
Through these cases, the Court invalidated the disproportionate interference by Member States with the rights of their citizens, as provided by EU law, in particular the Directive on privacy and electronic communications (e-Privacy Directive) and European Union’s Charter of Fundamental Rights (EU Charter). The Court assessed the Member States’ bulk communications surveillance laws and practices relating to their access and use of telecommunications data.
The Court recognised the importance of the State’s positive obligations towards conducting surveillance, although it noted that it was essential for surveillance systems to conform with the general principles of EU law and the rights guaranteed under the EU Charter. It laid down clear principles and measures as to when and how the national authorities could access and use telecommunications data (further discussed in the sections ‘The UK Judgment’ and ‘The French and Belgian Judgment’). It carved a few exceptions as well (in the joined cases of France and Belgium) for emergency situations, but held that such measures would have to pass the threshold of being serious and genuine (further discussed in the section ‘The French and Belgian Judgment’).
The Cases in Brief
The Court delivered two separate judgments, one in the UK case and one in the joined cases of France and Belgium. Since these cases had similar sets of issues, the proceedings were joined. The UK application challenged the bulk acquisition and use of telecommunications data by its Security and Intelligence Agencies (SIAs) in the interest of national security (as per the UK’s Telecommunication Act of 1984). The French and Belgian applications challenged the indiscriminate data retention and access by SIAs for combating crime.
The French and Belgian applications questioned the legality of their respective data retention laws (numerous domestic surveillance laws which permitted bulk collection of telecommunication data) that imposed blanket obligations on Electronic Communications Service Providers (ECSP) to provide relevant data. The Belgian law required ECSPs to retain various kinds of traffic and location data for a period of 12 months, whereas the French law provided for automated analysis and real time data collection measures for preventing terrorism. The French application also raised the issue of providing a notification to the person under the surveillance.
The Member States contended that such surveillance measures enabled them to inter alia, safeguard national security, prevent terrorism, and combat serious crimes. Hence, they claimed inapplicability of the e-Privacy Directive on their surveillance laws/ activities.
The UK Judgment
The ECJ found the UK surveillance regime unlawful and inconsistent with EU law, and specifically the e-Privacy Directive. The Court analysed the scope and scheme of the e-Privacy Directive with regard to exclusion of certain State purposes such as national and public security, defence, and criminal investigation. Noting the importance of such State purposes, it held that EU Member States could adopt legislative measures that restricted the scope of rights and obligations (Article 5, 6 and 9) provided in the e-Privacy Directive. However, this was allowed only if the Member States complied with the requirements laid down by the Court in Tele2 Sverige and Watson and Others (C-203/15 and C-698/15) (Tele2) and the e-Privacy Directive. In addition to these, the Court held that the EU Charter must be respected too. In Tele2, the ECJ held that legislative measures obligating ECSPs to retain data must be targeted and limited to what was strictly necessary. Such targeted retention had to be with regard to specific categories of persons and data for a limited time period. Also, the access to data must be subject to a prior review by an independent body.
The e-Privacy Directive ensures the confidentiality of electronic communications and the data relating to it (Article 5(1)). It allows ECSPs to retain metadata (context specific data relating to the users and subscribers, location and traffic) for various purposes such as billing, value added services and security purposes. However, this data must be deleted or made anonymous once the purpose is fulfilled, unless a law allows for a derogation for State purposes. The e-Privacy Directive allows the Member States to derogate (Article 15(1)) from the principle of confidentiality and corresponding obligations (contained in Article 6 (traffic data) and 9 (location data other than traffic data)) for certain State purposes when it is appropriate, necessary and proportionate.
The Court clarified that measures undertaken for the purpose of national security would not make EU law inapplicable and exempt the Member States from their obligation to ensure confidentiality of communications under the e-Privacy Directive. Hence, an independent review of surveillance activities such as data retention for indefinite time periods, or further processing or sharing, must be conducted for authorising such activities. It was noted that the domestic law at present did not provide for prior review, as a limit on the above mentioned surveillance activities.
The French and Belgian Judgment
While assessing the joined cases, the Court arrived at a determination in similar terms as the UK case. It reiterated that the exception (Article 15(1) of the e-Privacy Directive) to the principle of confidentiality of communications (Article 5(1) of the e-Privacy Directive) should not become the norm. Hence, national measures that provided for general and indiscriminate data retention and access for State purposes were held to be incompatible with EU law, specifically the e-Privacy Directive.
The Court in the joined cases, unlike the UK case, allowed for specific derogations for State purposes such as safeguarding national security, combating serious crimes and preventing serious threats. It laid down certain requirements that the Member States had to comply with in case of derogations. The derogations should (1) be clear and precise to the stated objective; (2) be limited to what is strictly necessary and for a limited time period; (3) have a safeguards framework including substantive and procedural conditions to regulate such instances; and (4) include guarantees to protect the concerned individuals against abuse. They should also be subjected to an ‘effective review’ by a court or an independent body and must be in compliance with the general rules and proportionality principles of EU law and the rights provided in the EU Charter.
The Court held that in establishing a minimum threshold for a safeguards framework, the EU Charter must be interpreted along with the European Convention on Human Rights (ECHR). This would ensure consistency between the rights guaranteed under the EU Charter and the corresponding rights guaranteed in the ECHR (as per Article 52(3) of the EU Charter).
The Court, in particular, allowed for general and indiscriminate data retention in cases of serious threat to national security. Such a threat should be genuine, and present or foreseeable. Real-time data collection and automated analysis were allowed in such circumstances. But the real-time data collection of persons should be limited to those suspected of terrorist activities. Moreover, it should be limited to what was strictly necessary and subject to prior review. It even allowed for general and indiscriminate data retention of IP addresses for the purpose of national security, combating serious crimes and preventing serious threats to public security. Such retention must be for a time period limited to what was strictly necessary. For such purposes, the Court also permitted ECSPs to retain data relating to the identity particulars of their customers (such as name, postal and email/account addresses and payment details) in a general and indiscriminate manner, without specifying any time limitations.
The Court allowed targeted data retention for the purpose of safeguarding national security and preventing crime, provided that it was for a limited time period and strictly necessary and was done on the basis of objective and non-discriminatory factors. It was held that such retention should be specific to certain categories of persons or geographical areas. The Court also allowed, subject to effective judicial review, expedited data retention after the initial retention period ended, to shed light on serious criminal offences or acts affecting national security. Lastly, in the context of criminal proceedings, the Court held that it was for the Member States to assess the admissibility of evidence resulting from general and indiscriminate data retention. However, the information and evidence must be excluded where it infringes on the right to a fair trial.
Significance of the Bulk Communication Surveillance Judgments
With these cases, the ECJ decisively resolved a long-standing discord between the Member States and privacy activists in the EU. For a while now, the Court has been dealing with questions relating to surveillance programs for national security and law enforcement purposes. Though the Member States have largely considered these programs outside the ambit of EU privacy law, the Court has been expanding the scope of privacy rights.
Placing limitations and controls on State powers in democratic societies was considered necessary by the Court in its ruling in Privacy International. This decision may act as a trigger for considering surveillance reforms in many parts of the world, and more specifically for those aspiring to attain an EU adequacy status. India could benefit immensely should it choose to pay heed.
As of date, India does not have a comprehensive surveillance framework. Various provisions of the Personal Data Protection Bill, 2019 (Bill), Information Technology Act, 2000, Telegraph Act, 1885, and the Code of Criminal Procedure, 1973 provide for targeted surveillance measures. The Bill provides for wide powers to the executive (under Clause 35, 36 and 91 of the Bill) to access personal and non-personal data in the absence of proper and necessary safeguards. This may cause problems for achieving the EU adequacy status as per Article 45 of the EU General Data Protection Regulation (GDPR) that assesses the personal data management rules of third-party countries.
Recent news reports suggest that the Bill, which is under legislative consideration, is likely to undergo a significant overhaul. India could use this as an opportunity to introduce meaningful changes in the Bill as well as its surveillance regime. India’s privacy framework could be strengthened by adhering to the principles outlined in the Justice K.S. Puttaswamy v. Union of India judgment and the Bulk Communications Surveillance Judgments.
The Personal Data Protection Bill, 2019 (PDP Bill/ Bill) was introduced in the Lok Sabha on December 11, 2019, and was immediately referred to a joint committee of the Parliament. The joint committee published a press communique on February 4, 2020 inviting comments on the Bill from the public.
The Bill is the successor to the Draft Personal Data Protection Bill 2018 (Draft Bill 2018), recommended by a government appointed expert committee chaired by Justice B.N. Srikrishna. In August 2018, shortly after the recommendations and publication of the draft Bill, the Ministry of Electronics and Information Technology (MeitY) invited comments on the Draft Bill 2018 from the public. (Our comments are available here.)[1]
In this post we undertake a preliminary examination of:
The scope and applicability of the PDP Bill
The application of general data protection principles
The rights afforded to data subjects
The exemptions provided to the application of the law
In future posts in the series we will examine the Bill and look at:
The restrictions on cross border transfer of personal data
The structure and functions of the regulatory authority
The enforcement mechanism and the penalties under the PDP Bill
Scope and Applicability
The Bill identifies four different categories of data. These are personal data, sensitive personal data, critical personal data and non-personal data.
Personal data is defined as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling”. (emphasis added)
The inclusion of inferred data within the definition of personal data is an interesting reflection of the way the conversation around data protection has evolved in the past few months, and requires further analysis.
Sensitive personal data is defined as data that may reveal, be related to or constitute a number of different categories of personal data, including financial data, health data, official identifiers, sex life, sexual orientation, genetic data, transgender status, intersex status, caste or tribe, and religious and political affiliations / beliefs. In addition, under clause 15 of the Bill the Central Government can notify other categories of personal data as sensitive personal data in consultation with the Data Protection Authority and the relevant sectoral regulator.
Similar to the 2018 Bill, the current bill does not define critical personal data and clause 33 provides the Central Government the power to notify what is included under critical personal data. However, in its report accompanying the 2018 Bill, the Srikrishna committee had referred to some examples of critical personal data that relate to critical state interest like Aadhaar number, genetic data, biometric data, health data, etc.
The Bill retains the terminology introduced in the 2018 Draft Bill, referring to data controllers as ‘data fiduciaries’ and data subjects as ‘data principals’. The new terminology was introduced with the purpose of reflecting the fiduciary nature of the relationship between the data controllers and subjects. However, whether the use of the specific terminology has more impact on the protection and enforcement of the rights of the data subjects still needs to be seen.
Application of PDP Bill 2019
The Bill is applicable to (i) the processing of any personal data, which has been collected, disclosed, shared or otherwise processed in India; (ii) the processing of personal data by the Indian government, any Indian company, citizen, or person/ body of persons incorporated or created under Indian law; and (iii) the processing of personal data in relation to any individuals in India, by any persons outside of India.
The scope of the 2019 Bill is largely similar in this context to that of the 2018 Draft Bill. However, one key difference is seen in relation to anonymised data. While the 2018 Draft Bill completely exempted anonymised data from its scope, the 2019 Bill does not apply to anonymised data, except under clause 91 which gives the government powers to mandate the use and processing of non-personal data or anonymised personal data under policies to promote the digital economy. There are a few concerns that arise in the context of this change in treatment of anonymised personal data. First, there are concerns about the concept of anonymisation of personal data itself. While the Bill provides that the Data Protection Authority (DPA) will specify appropriate standards of irreversibility for the process of anonymisation, it is not clear that a truly irreversible form of anonymisation is possible at all. In this case, we need more clarity on what safeguards will be applicable for the use of anonymised personal data.
Second is the Bill’s focus on the promotion of the digital economy. We have previously discussed some of the concerns regarding focus on the promotion of digital economy in a rights based legislation in our comments to the Draft Bill 2018.
These issues continue to be of concern, and are perhaps heightened with the introduction of a specific provision on the subject in the 2019 Bill (especially without adequate clarity on what services or policy making efforts in this direction are to be informed by the use of anonymised personal data). Many of these issues are also still under discussion by the committee of experts set up to deliberate on data governance framework (non-personal data). The mandate of this committee includes the study of various issues relating to non-personal data, and to make specific suggestions for consideration of the central government on regulation of non-personal data.
The formation of the non-personal data committee was in pursuance of a recommendation by the Justice Srikrishna Committee to frame a legal framework for the protection of community data, where the community is identifiable. The mandate of the expert committee will overlap with the application of clause 91(2) of the Bill.
Data Fiduciaries, Social Media Intermediaries and Consent Managers
Data Fiduciaries
As discussed above the Bill categorises data controllers as data fiduciaries and significant data fiduciaries. Any person that determines the purpose and means of processing of personal data, (including the State, companies, juristic entities or individuals) is considered a data fiduciary. Some data fiduciaries may be notified as ‘significant data fiduciaries’, on the basis of factors such as the volume and sensitivity of personal data processed, the risks of harm etc. Significant data fiduciaries are held to higher standards of data protection. Under clauses 27-30, significant data fiduciaries are required to carry out data protection impact assessments, maintain accurate records, audit policy and the conduct of its processing of personal data and appoint a data protection officer.
Social Media Intermediaries
The Bill introduces a distinct category of intermediaries called social media intermediaries. Under clause 26(4) a social media intermediary is ‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services’. Intermediaries that primarily enable commercial or business-oriented transactions, provide access to the Internet, or provide storage services are not to be considered social media intermediaries.
Social media intermediaries may be notified to be significant data fiduciaries, if they have a minimum number of users, and their actions have or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India.
Under clause 28, social media intermediaries that have been notified as significant data fiduciaries will be required to provide for voluntary verification of users, to be accompanied by a demonstrable and visible mark of verification.
Consent Managers
The Bill also introduces the idea of a ‘consent manager’ i.e. a (third party) data fiduciary which provides for management of consent through an ‘accessible, transparent and interoperable platform’. The Bill does not contain any details on how consent management will be operationalised, and only states that these details will be specified by regulations under the Bill.
Data Protection Principles and Obligations of Data Fiduciaries
Consent and grounds for processing
The Bill recognises consent as well as a number of other grounds for the processing of personal data.
Clause 11 provides that personal data shall only be processed if consent is provided by the data principal at the commencement of processing. This provision, similar to the consent provision in the 2018 Draft Bill, draws from various principles including those under the Indian Contract Act, 1872 to inform the concept of valid consent under the PDP Bill. The clause requires that the consent should be free, informed, specific, clear and capable of being withdrawn.
Moreover, explicit consent is required for the processing of sensitive personal data. The current Bill appears to be silent on issues such as incremental consent which were highlighted in our comments in the context of the Draft Bill 2018.
The Bill provides for additional grounds for processing of personal data, consisting of very broad (and much criticised) provisions for the State to collect personal data without obtaining consent. In addition, personal data may be processed without consent if required in the context of employment of an individual, as well as a number of other ‘reasonable purposes’. Some of the reasonable purposes, which were listed in the Draft Bill 2018 as well, have also been a cause for concern given that they appear to serve mostly commercial purposes, without regard for the potential impact on the privacy of the data principal.
In a notable change from the Draft Bill 2018, the PDP Bill appears to be silent on whether these other grounds for processing will be applicable in relation to sensitive personal data (with the exception of processing in the context of employment which is explicitly barred).
Other principles
The Bill also incorporates a number of traditional data protection principles in the chapter outlining the obligations of data fiduciaries. Personal data can only be processed for a specific, clear and lawful purpose. Processing must be undertaken in a fair and reasonable manner and must ensure the privacy of the data principal – a clear mandatory requirement, as opposed to a ‘duty’ owed by the data fiduciary to the data principal in the Draft Bill 2018 (this change appears to be in line with recommendations made in multiple comments to the Draft Bill 2018 by various academics, including our own).
Purpose and collection limitation principles are mandated, along with a detailed description of the kind of notice to be provided to the data principal, either at the time of collection, or as soon as possible if the data is obtained from a third party. The data fiduciary is also required to ensure that data quality is maintained.
A few changes in the application of data protection principles, as compared to the Draft Bill 2018, can be seen in the data retention and accountability provisions.
On data retention, clause 9 of the Bill provides that personal data shall not be retained beyond the period ‘necessary’ for the purpose of data processing, and must be deleted after such processing, ostensibly a higher standard as compared to ‘reasonably necessary’ in the Draft Bill 2018. Personal data may only be retained for a longer period if explicit consent of the data principal is obtained, or if retention is required to comply with law. In the face of the many difficulties in ensuring meaningful consent in today’s digital world, this may not be a win for the data principal.
Clause 10 on accountability continues to provide that the data fiduciary will be responsible for compliance in relation to any processing undertaken by the data fiduciary or on its behalf. However, the data fiduciary is no longer required to demonstrate such compliance.
Rights of Data Principals
Chapter V of the PDP Bill 2019 outlines the Rights of Data Principals, including the rights to access, confirmation, correction, erasure, data portability and the right to be forgotten.
Right to Access and Confirmation
The PDP Bill 2019 makes some amendments to the right to confirmation and access, included in clause 17 of the bill. The right has been expanded in scope by the inclusion of sub-clause (3). Clause 17(3) requires data fiduciaries to provide data principals information about the identities of any other data fiduciaries with whom their personal data has been shared, along with details about the kind of data that has been shared.
This allows the data principal to exert greater control over their personal data and its use. The rights to confirmation and access are important rights that inform and enable a data principal to exercise other rights under the data protection law. As recognized in the Srikrishna Committee Report, these are ‘gateway rights’, which must be given a broad scope.
Right to Erasure
The right to correction (Clause 18) has been expanded to include the right to erasure. This allows data principals to request erasure of personal data which is not necessary for processing. While data fiduciaries may be allowed to refuse correction or erasure, they would be required to produce a justification in writing for doing so, and if there is a continued dispute, indicate alongside the personal data that such data is disputed.
The addition of a right to erasure is an expansion of rights from the 2018 Bill. While the right to be forgotten only restricts or discontinues disclosure of personal data, the right to erasure goes a step ahead and empowers the data principal to demand complete removal of data from the system of the data fiduciary.
Many of the concerns expressed in the context of the Draft Bill 2018, in terms of the procedural conditions for the exercise of the rights of data principals, as well as the right to data portability specifically, continue to persist in the PDP Bill 2019.
Exceptions and Exemptions
While the PDP Bill ostensibly enables individuals to exercise their right to privacy against the State and the private sector, there are several exemptions available, which raise several concerns.
The Bill grants broad exceptions to the State. In some cases, it is in the context of specific obligations such as the requirement for individuals’ consent. In other cases, State action is almost entirely exempted from obligations under the law. Some of these exemptions from data protection obligations are available to the private sector as well, on grounds like journalistic purposes, research purposes and in the interests of innovation.
The most concerning of these provisions are the exemptions granted to intelligence and law enforcement agencies under the Bill. The Draft Bill 2018 also provided exemptions to intelligence and law enforcement agencies, so far as the privacy invasive actions of these agencies were permitted under law, and met procedural standards, as well as legal standards of necessity and proportionality. We have previously discussed some of the concerns with this approach here.
The exemptions provided to these agencies under the PDP Bill seem to exacerbate these issues.
Under the Bill, the Central Government can exempt an agency of the government from the application of this Act by passing an order with reasons recorded in writing if it is of the opinion that the exemption is necessary or expedient in the interest of sovereignty and integrity, security of the state, friendly relations with foreign states, public order; or for preventing incitement to the commission of any cognizable offence relating to the aforementioned grounds. Not only have the grounds on which government agencies can be exempted been worded in an expansive manner, the procedure of granting these exemptions also is bereft of any safeguards.
The executive functioning in India suffers from problems of opacity and unfettered discretion at times, which requires a robust system of checks and balances to avoid abuse. The Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act) enable government surveillance of communications made over telephones and the internet. For drawing comparison here, we primarily refer to the Telegraph Act as it allows the government to intercept phone calls on similar grounds as mentioned in clause 35 of the Bill by an order in writing. However, the Telegraph Act limits the use of this power to two scenarios – occurrence of a public emergency or in the interest of public safety. The government cannot intercept communications made over telephones in the absence of these two preconditions. The Supreme Court in People’s Union for Civil Liberties v. Union of India, (1997) introduced guidelines to check abuse of surveillance powers under the Telegraph Act which were later incorporated in Rule 419A of the Indian Telegraph Rules, 1951. A prominent safeguard included in Rule 419A requires that surveillance and monitoring orders be issued only after considering ‘other reasonable means’ for acquiring the required information. The court had further limited the scope of interpretation of ‘public emergency’ and ‘public safety’ to mean “the prevalence of a sudden condition or state of affairs affecting the people at large and calling for immediate action”, and “the state or condition of freedom from danger or risk at large” respectively. In spite of the introduction of these safeguards, the procedure of intercepting telephone communications under the Telegraph Act is criticised for lack of transparency and improper implementation. For instance, a 2014 report revealed that around 7500 – 9000 phone interception orders were issued by the Central Government every month. 
The application of procedural safeguards in each case would have been physically impossible given the sheer numbers. Thus, legislative and judicial oversight becomes a necessity in such cases.
The constitutionality of India’s surveillance apparatus, including section 69 of the IT Act which allows for surveillance on broader grounds on the basis of necessity and expediency and not ‘public emergency’ and ‘public safety’, has been challenged before the Supreme Court and is currently pending. Clause 35 of the Bill also mentions necessity and expediency as prerequisites for the government to exercise its power to grant exemption, which appear to be vague and open-ended as they are not defined. The test of necessity implies resorting to the least intrusive method of encroachment upon privacy to achieve the legitimate state aim. This test is typically one among several factors applied in deciding on whether a particular intrusion on a right is tenable or not, under human rights law. In his concurring opinion in Puttaswamy (I) J. Kaul had included ‘necessity’ in the proportionality test. (However, this test is not otherwise well developed in Indian jurisprudence). Expediency, on the other hand, is not a specific legal basis used for determining the validity of an intrusion on human rights. It has also not been referred to in Puttaswamy (I) as a basis of assessing a privacy violation. The use of the term ‘expediency’ in the Bill is deeply worrying as it seems to bring down the threshold for allowing surveillance which is a regressive step in the context of cases like PUCL and Puttaswamy (I). A valid law along with the principles of proportionality and necessity are essential to put in place an effective system of checks and balances on the powers of the executive to provide exemptions. It seems unlikely that the clause will pass the test of proportionality (sanction of law, legitimate aim, proportionate to the need of interference, and procedural guarantees against abuse) as laid down by the Supreme Court in Puttaswamy (I).
The Srikrishna Committee report had recommended that surveillance should not only be conducted under law (and not executive order), but also be subject to oversight, and transparency requirements. The Committee had argued that the tests of lawfulness, necessity and proportionality provided for under clauses 42 and 43 (of the Draft Bill 2018) were sufficient to meet the standards set out under the Puttaswamy judgment. Since the PDP Bill completely does away with all these safeguards and leaves the decision to executive discretion, the law is unconstitutional. After the Bill was introduced in the Lok Sabha, J. Srikrishna had criticised it for granting expansive exemptions in the absence of judicial oversight. He warned that the consequences could be disastrous from the point of view of safeguarding the right to privacy and could turn the country into an “Orwellian State”. He has also opined on the need for a separate legislation to govern the terms under which the government can resort to surveillance.
Clause 36 of the Bill deals with exemption of some provisions for certain processing of personal data. It combines four different clauses on exemption which were listed in the Draft Bill 2018 (clauses 43, 44, 46 and 47). These include processing of personal data in the interests of prevention, detection, investigation and prosecution of contraventions of law; for the purpose of legal proceedings; personal or domestic purposes; and journalistic purposes. The Draft Bill 2018 had detailed provisions on the need for a law passed by Parliament or the State Legislature which is necessary and proportionate, for processing of personal data in the interests of prevention, detection, investigation and prosecution of contraventions of law. Clause 36 of the Bill does not enumerate the need for a law to process personal data under these exemptions. We had argued that these exemptions granted by the Draft Bill 2018 (clauses 43, 44, 46 and 47) were wide, vague and needed clarifications, but the exemptions under clause 36 of the Bill are even more ambiguous as they merely list the exemptions without any specificities or procedural safeguards in place.
In the Draft Bill 2018, the Authority could not give exemption from the obligation of fair and reasonable processing, measures of security safeguards and data protection impact assessment for research, archiving or statistical purposes. As per the current Bill, the Authority can provide exemption from any of the provisions of the Act for research, archiving or statistical purposes.
The last addition to this chapter of exemptions is that of creating a sandbox for encouraging innovation. This newly added clause 40 is aimed at encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest. The details of what the sandbox entails other than exemption from some of the obligations of Chapter II might need further clarity. Additionally, to be considered an eligible applicant, a data fiduciary has to necessarily obtain certification of its privacy by design policy from the DPA, as mentioned in clause 40(4) read with clause 22.
Though well appreciated for its intent, this provision requires clarification on grounds of selection and details of what the sandbox might entail.
[1] At the time of introduction of the PDP Bill 2019, the Minister for Law and Justice of India, Mr. Ravi Shankar Prasad suggested that over 2000 inputs were received on the Draft Bill 2018, based on which changes have been made in the PDP Bill 2019. However, these comments and inputs have not been published by MeitY, and only a handful of comments have been published, by the stakeholders submitting these comments themselves.
The deadline to link PAN cards with Aadhaar was extended to December 31 this week; the Election Commission ruled that voting rights of those excluded in the NRC process remain unaffected; the Home Minister proposed a digital census with multipurpose ID cards for 2021; and 27 nations including the US, UK and Canada issued a joint statement urging a rules-based order in cyberspace – presenting this week’s most important developments in law, technology and national security.
Aadhaar and Digital IDs
[Sep 23] Home Minister announces digital census in 2021, proposed multipurpose ID card, Entrackr report; Business Today report.
[Sep 24] NRIs can now apply for Aadhaar on arrival without 182-day wait, The Economic Times report.
[Sep 24] Aadhaar will be linked to driving license to avoid forgery: Ravi Shankar Prasad, The Indian Express report.
[Sep 24] One nation, one card? Amit Shah floats idea of all-in-one ID; here are all the problems with that idea, Medianama report; Money Control report.
[Sep 24] Explained: Is India likely to have a multipurpose national ID card? The Indian Express report.
[Sep 24] UIDAI nod to ‘voluntary’ use of Aadhaar for National Population Register rollout, The Economic Times report.
[Sep 24] Govt must decide on Aadhaar-social media linkage: SC, Deccan Herald report.
[Sep 25] New law needed for Aadhaar-social media linkage: UIDAI, The Economic Times report; Inc42 report.
[Sep 26] NPR process to include passport, voter ID, Aadhaar and other details, Business Standard report.
[Sep 27] Gang involved in making fake Aadhaar cards busted, The Tribune report.
[Sep 27] What will happen if you don’t link your PAN card with Aadhaar by Sep 20, The Quint report.
[Sep 27] Explained: The National Population Register, and the controversy around it, The Indian Express report.
[Sep 27] Aadhaar to weed out bogus social security beneficiaries in Karnataka, Deccan Herald report.
[Sep 29] Bajrang Dal wants Aadhaar mandatory at dandiya to keep ‘non-Hindus’ out, The Hindustan Times report; The Wire report.
[Sep 30] Kerala urges Centre to extend deadline to link ration cards with Aadhaar, The News Minute report.
[Sep 30] PAN-Aadhaar linking deadline extended to December 31, The Economic Times report.
Digital India
[Sep 25] India’s regulatory approach should focus on the regulation of the ‘core’: IAMAI, Livemint report.
[Sep 27] India may have to offer sops to boost electronic manufacturing, ET Tech report; Inc42 report.
[Sep 27] Digital India, start-ups are priorities for $5 trillion economy: PM Modi, Medianama report.
[Sep 29] Tech giants aim to skill Indian govt officials in AI, cloud, ET CIO report.
[Sep 29] India’s share in IT, R&D biz up in 2 years: report, The Economic Times report.
Internet Governance
[Sep 24] Supreme Court to MeitY: What’s the status of intermediary guidelines? Tell us by Oct 15, Medianama report.
[Sep 26] Will not be ‘excessive’ with social media rules, say Govt officials, Inc42 report.
[Sep 26] Government trying to balance privacy and security in draft IT intermediary norms, The Economic Times report.
[Sep 27] Citizens, tech companies served better with some regulation: Facebook India MD Ajit Mohan, ET Tech report; Inc42 report.
[Sep 27] Balance benefits of internet, data security: Google CEO Sundar Pichai, ET Tech report; Business Today report.
Free Speech
[Sep 25] Jadavpur University calls upon ‘stakeholders’ to ensure free speech on campus, The New Indian Express report.
[Sep 28] RSS raises objections to uncensored content of Manoj Bajpayee’s “The Family Man”, The Hindu report; Outlook report.
Privacy and Data Protection
[Sep 23] A landmark decision on Tuesday could radically reshape how Google’s search results work, Business Insider report.
[Sep 23] Google tightens its voice assistant rules amidst privacy backlash, Wired report.
[Sep 24] Dell rolls out new data protection storage appliances and capabilities, ZDNet report.
[Sep 24] ‘Right to be forgotten’ privacy rule is limited by Europe’s top court, The New York Times report; Live Law report.
[Sep 27] Nigeria launches investigation into Truecaller for potential breach of privacy, Medianama report.
[Sep 29] Right to be forgotten will be arduous as India frames data protection law, Business Standard report.
[Sep 30] FPIs move against data bill, seek exemption, ET Telecom report; Entrackr report.
Data Localisation
[Sep 26] Reconsider imposition of data localisation: IAMAI report, The Economic Times report.
[Sep 27] Why data is not oil: Here’s how India’s data localisation norms will hurt the economy, Inc42 report.
Digital Payments and Fintech
[Sep 23] RBI rider on credit bureau data access has Fintech in a quandary, ET Tech report.
[Sep 23] The face of India’s crypto lobby readies for a clash, Ozy report.
[Sep 23] Why has Brazil’s Central Bank included crypto assets in trade balance? Coin Telegraph report.
[Sep 24] French retailers widening crypto acceptance, Tech Xplore report.
[Sep 26] Why crypto hoaxes are so successful, Quartz report.
[Sep 26] South Africa: the next frontier for crypto exchanges, Coin Telegraph report.
[Sep 27] The crypto wars’ strange bedfellows, Forbes report.
[Sep 28] Crypto industry is already preparing for Google’s ‘quantum supremacy’, Decrypt report.
[Sep 29] How crypto gambling is regulated around the world, Coin Telegraph report.
Tech and Law Enforcement
[Sep 29] New WhatsApp and Facebook Encryption ‘Backdoors’ – What’s really going on, Forbes report.
[Sep 28] Facebook, WhatsApp will have to share messages with UK Government, Bloomberg report.
[Sep 23] Secret FBI subpoenas scoop up personal data from scores of companies, The New York Times report.
[Sep 23] ‘Don’t transfer the WhatsApp traceability case’, Internet Freedom Foundation asks Supreme Court, Medianama report.
[Sep 24] China offers free subway rides to citizens who register their face with surveillance system, The Independent report.
[Sep 24] Facial recognition technology in public housing prompts backlash, The New York Times report.
[Sep 24] Facebook-Aadhaar linkage and WhatsApp traceability: Supreme Court says government must frame rules, CNBC TV18 report.
[Sep 27] Fashion that counters surveillance cameras, Business Times report.
[Sep 27] Unnao rape case: Delhi court directs Apple to give Sengar’s location details on day of alleged rape, Medianama report.
[Sep 27] Face masks to decoy t-shirts: the rise of anti-surveillance fashion, Times of India report.
[Sep 30] Battle for privacy and encryption: WhatsApp and government head for a showdown on access to messages, ET Prime report.
[Sep 29] Improving digital evidence sharing, Scottish Government news report; Public technology report.
Internal Security: J&K
[Sep 23] Government launches internet facilitation centre in Pulwama for students, Times of India report; Business Standard report.
[Sep 23] Army chief rejects ‘clampdown’ in Jammu and Kashmir, Times of India report.
[Sep 24] Rising power: Why India has faced muted criticism over its Kashmir policy, Business Standard report.
[Sep 24] ‘Restore Article 370, 35A in Jammu and Kashmir, withdraw army, paramilitary forces’: 5-member women’s group will submit demands to Amit Shah, Firstpost report.
[Sep 24] No normalcy in Kashmir, says fact finding team, The Hindu report.
[Sep 25] End clampdown: Kashmir media, The Telegraph report.
[Sep 25] Resolve Kashmir issue through dialogue and not through collision: Erdogan, The Economic Times report.
[Sep 25] Rajya Sabha deputy chair thwarts Pakistan’s attempt at Kashmir at Eurasian Conference, The Economic Times report.
[Sep 25] Pakistan leader will urge UN intervention in Kashmir, The New York Times report.
[Sep 25] NSA Ajit Doval back in Srinagar to review security situation, The Hindustan Times report.
[Sep 27] Communication curbs add fresh challenge to Kashmir counter-insurgency operations, News18 report.
[Sep 27] Fresh restrictions in parts of Kashmir, The Hindu report.
[Sep 27] US wants ‘rapid’ easing of Kashmir restrictions, Times of India report.
[Sep 27] Kashmir issue: Rescind action on Art. 370, OIC tells India, The Hindu report.
[Sep 28] India objects to China’s reference to J&K and Ladakh at UNGA, The Economic Times report; The Hindu report.
[Sep 29] Surveillance, area domination operations intensified in Kashmir, The Economic Times report; Financial Express report.
[Sep 29] Police impose restrictions in J&K after Imran Khan’s speech at UNGA, India Today report.
Internal Security: NRC and the North-East
[Sep 23] Assam framing cyber security policy to secure data related to NRC, police, services, The Economic Times report; Money Control report.
[Sep 24] BJP will tell SC that we reject this NRC, says Himanta Biswa Sarma, Business Standard report.
[Sep 24] Amit Shah to speak on NRC, Citizenship Amendment Bill in Kolkata on Oct 1, The Economic Times report.
[Sep 26] ‘Expensive’ legal battle for those rejected in Assam NRC final list, The Economic Times report.
[Sep 27] Scared of NRC? Come back in 2022, The Telegraph report.
[Sep 27] Voters left out of NRC will have right to vote, rules Election Commission, India Today report; The Wire report.
[Sep 27] NRC: Assam government announces 200 Foreigners Tribunals in 33 districts, Times Now report; Times of India report.
[Sep 28] Judge urges new FT members to examine NRC claims with utmost care, Times of India report.
National Security Legislation
[Sep 23] Centre will reintroduce Citizenship Bill in Parliament: Himanta Biswa Sarma, The Hindu report.
[Sep 26] National Security Guard: History, Functions and Operations, Jagran Josh report.
[Sep 28] Left parties seek revocation of decision on Article 370, The Tribune India report.
Tech and National Security
[Sep 25] Army to start using Artificial Intelligence in 2-3 years: South Western Army commander, The Print report; India Today report; The New Indian Express report; Financial Express report.
[Sep 23] Modi, Trump set new course on terrorism, border security, The Hindu report.
[Sep 23] PM Modi in the US: Trump promises more defence deals with India, military trade to go up, Financial Express report.
[Sep 23] Punjab police bust terror module supplied with weapons by drones from Pak, NDTV report.
[Sep 26] Lockheed Martin to begin supplying F-16 wings from Hyderabad plant in 2020, Livemint report.
[Sep 26] Drones used for cross-border arms infiltration in Punjab a national security issue, says Randhawa, The Hindu report.
[Sep 27] UK MoD sets up cyber team for secure innovation, UK Authority report.
[Sep 29] New tri-services special ops division, meant for surgical strikes, finishes first exercise today, The Print report.
[Sep 30] After Saudi attacks, India developing anti-drone technology to counter drone menace, Eurasian Times report.
Tech and Elections
[Sep 20] Microsoft will offer free Windows 7 support for US election officials through 2020, Cyber Scoop report.
[Sep 26] Social media platforms to follow ‘code of ethics’ in all future elections: EC, The Economic Times report.
[Sep 28] Why is EC not making ‘authentic’ 2019 Lok Sabha results public? The Quint report.
Cybersecurity
[Sep 24] Androids and iPhones hacked with just one WhatsApp click – and Tibetans are under attack, Forbes report.
[Sep 25] Sharp questions can help board oversee cybersecurity, The Wall Street Journal report.
[Sep 25] What we know about CrowdStrike, the cybersecurity firm Trump mentioned in Ukraine call, and its billionaire CEO, Forbes report.
[Sep 25] 36% smaller firms witnessed data breaches in 2019 globally, ET Rise report.
[Sep 28] Defence Construction Canada hit by cyber attack – corporation’s team trying to restore full IT capability, Ottawa Citizen report.
[Sep 29] Experts call for collective efforts to counter cyber threats, The New Indian Express report.
[Sep 29] Microsoft spots malware that turns PCs into zombie proxies, ET Telecom report.
[Sep 29] US steps up scrutiny of airplane cybersecurity, The Wall Street Journal report.
Cyberwarfare
[Sep 24] 27 countries sign cybersecurity pledge urging rules-based control over cyberspace in Joint Statement, with digs at China and Russia, CNN report; IT world Canada report; Meri Talk report.
[Sep 26] Cyber Peace Institute fills a critical need for cyber attack victims, Microsoft blog.
[Sep 29] Britain is ‘at war every day’ due to constant cyber attacks, Chief of the Defence Staff says, The Telegraph report.
Telecom and 5G
[Sep 27] Telcos’ IT investments intact, auto companies may slow pace: IBM exec, ET Tech report.
[Sep 29] Telecom players to lead digital transformation in India, BW Businessworld report.
More on Huawei
[Sep 22] Huawei confirms another nasty surprise for Mate 30 buyers, Forbes report.
[Sep 23] We’re on the same page with government on security: Huawei, The Economic Times report.
[Sep 24] The debate around 5G’s safety is getting in the way of science, Quartz report (paywall).
[Sep 24] Govt will take call on Huawei with national interest in mind: Telecom Secy, Business Standard report.
[Sep 24] Huawei enables 5G smart travel system at Beijing airport, Tech Radar report.
[Sep 25] Huawei 5G backdoor entry unproven, The Economic Times report.
[Sep 25] US prepares $1 bn fund to replace Huawei ban kit, Tech Radar report.
[Sep 26] Google releases large dataset of deepfakes for researchers, Medianama report.
[Sep 26] Huawei willing to license 5G technology to a US firm, The Hindu Business Line report; Business Standard report.
[Sep 26] Southeast Asia’s top phone carrier still open to Huawei 5G, Bloomberg report.
[Sep 29] Russia rolls out the red carpet for Huawei over 5G, The Economic Times report.
Emerging Tech and AI
[Sep 20] Google researchers have reportedly achieved “Quantum Supremacy”, Financial Times report; MIT Technology Review report.
[Sep 23] Artificial Intelligence revolution in healthcare in India: All we need to know, The Hindustan Times report.
[Sep 23] A new joystick for the brain-controlled vehicles of the future, Defense One report.
[Sep 24] Computing and AI: Humanistic Perspectives from MIT, MIT News report.
[Sep 24] Emerging technologies such as AI, 5G posing threats to privacy, says report, China Daily report.
[Sep 25] Alibaba unveils chip developed for artificial intelligence era, Financial Times report.
[Sep 26] Pentagon wants AI to interpret ‘strategic activity around the globe’, Defense One report.
[Sep 27] Only 10 jobs created for every 100 jobs taken away by AI, ET Tech report.
[Sep 27] Experts say these emerging technologies should concern us, Business Insider report.
[Sep 27] What is on the horizon for export controls on ‘emerging technologies’? Industry comments may hold a clue, Mondaq.com report.
[Sep 27] India can become world leader in artificial intelligence: Vishal Sikka, Money Control report.
[Sep 27] Elon Musk issues a terrifying prediction of ‘AI robot swarms’ and huge threat to mankind, The Daily Express (UK) report.
[Sep 27] Russia’s national AI Centre is taking shape, Defense One report.
[Sep 29] Explained: What is ‘quantum supremacy’, The Hindu report.
[Sep 29] Why are scientists so excited about a new quantum computing milestone?, Scroll.in report.
[Sep 29] Artificial Intelligence has a gender bias problem – just ask Siri, The Wire report.
[Sep 29] How AI is changing the landscape of digital marketing, Inc42 report.
Opinions and Analyses
[Sep 21] Wim Zwijnenburg, Defense One, Time to Harden International Norms on Armed Drones.
[Sep 23] David Sanger and Julian Barnes, The New York Times, The urgent search for a cyber silver bullet against Iran.
[Sep 23] Neven Ahmad, PRIO Blog, The EU’s response to the drone age: A united sky.
[Sep 23] Biswajit Dhar and KS Chalapati Rao, The Wire, Why an India-US Free Trade Agreement would require New Delhi to reorient key policies.
[Sep 23] Filip Cotfas, Money Control, Five reasons why data loss prevention has to be taken seriously.