CJEU sets limits on Mass Communications Surveillance – A Win for Privacy in the EU and Possibly Across the World

This post has been authored by Swati Punia

On 6th October, the European Court of Justice (ECJ/ Court) delivered its much anticipated judgments in the consolidated matter of C-623/17, Privacy International from the UK and joined cases from France, C-511/18, La Quadrature du Net and others, C-512/18, French Data Network and others, and Belgium, C-520/18, Ordre des barreaux francophones et germanophone and others (Collectively “Bulk Communications Surveillance Judgments”). 

In this post, I briefly discuss the Bulk Communication Surveillance Judgments, their significance for other countries and for India. 

Through these cases, the Court invalidated the disproportionate interference by Member States with the rights of their citizens, as provided by EU law, in particular the Directive on privacy and electronic communications (e-Privacy Directive) and European Union’s Charter of Fundamental Rights (EU Charter). The Court assessed the Member States’ bulk communications surveillance laws and practices relating to their access and use of telecommunications data. 

The Court recognised the importance of the State’s positive obligations towards conducting surveillance, although it noted that it was essential for surveillance systems to conform with the general principles of EU law and the rights guaranteed under the EU Charter. It laid down clear principles and measures as to when and how the national authorities could access and use telecommunications data (further discussed in the sections ‘The UK Judgment’ and ‘The French and Belgian Judgment’). It carved a few exceptions as well (in the joined cases of France and Belgium) for emergency situations, but held that such measures would have to pass the threshold of being serious and genuine (further discussed in the section ‘The French and Belgian Judgment’). 

The Cases in Brief 

The Court delivered two separate judgments, one in the UK case and one in the joined cases of France and Belgium. Since these cases had similar sets of issues, the proceedings were adjoined. The UK application challenged the bulk acquisition and use of telecommunications data by its Security and Intelligence Agencies (SIAs) in the interest of national security (as per the UK’s Telecommunication Act of 1984). The French and Belgian applications challenged the indiscriminate data retention and access by SIAs for combating crime. 

The French and Belgian applications questioned the legality of their respective data retention laws (numerous domestic surveillance laws which permitted bulk collection of telecommunication data) that imposed blanket obligations on Electronic Communications Service Providers (ECSP) to provide relevant data. The Belgian law required ECSPs to retain various kinds of traffic and location data for a period of 12 months. Whereas, the French law provided for automated analysis and real time data collection measures for preventing terrorism. The French application also raised the issue of providing a notification to the person under the surveillance. 

The Member States contended that such surveillance measures enabled them to inter alia, safeguard national security, prevent terrorism, and combat serious crimes. Hence, they claimed inapplicability of the e-Privacy Directive on their surveillance laws/ activities.

The UK Judgment

The ECJ found the UK surveillance regime unlawful and inconsistent with EU law, and specifically the e-Privacy Directive. The Court analysed the scope and scheme of the e-Privacy Directive with regard to exclusion of certain State purposes such as national and public security, defence, and criminal investigation. Noting the importance of such State purposes, it held that EU Member States could adopt legislative measures that restricted the scope of rights and obligations (Article 5, 6 and 9) provided in the e-Privacy Directive. However, this was allowed only if the Member States complied with the requirements laid down by the Court in Tele2 Sverige and Watson and Others (C-203/15 and C-698/15) (Tele2) and the e-Privacy Directive. In addition to these, the Court held that the EU Charter must be respected too. In Tele2, the ECJ held that legislative measures obligating ECSPs to retain data must be targeted and limited to what was strictly necessary. Such targeted retention had to be with regard to specific categories of persons and data for a limited time period. Also, the access to data must be subject to a prior review by an independent body.

The e-Privacy Directive ensures the confidentiality of electronic communications and the data relating to it (Article 5(1)). It allows ECSPs to retain metadata (context specific data relating to the users and subscribers, location and traffic) for various purposes such as billing, valued added services and security purposes. However, this data must be deleted or made anonymous, once the purpose is fulfilled unless a law allows for a derogation for State purposes. The e-Privacy Directive allows the Member States to derogate (Article 15(1)) from the principle of confidentiality and corresponding obligations (contained in Article 6 (traffic data) and 9 (location data other than traffic data)) for certain State purposes when it is appropriate, necessary and proportionate. 

The Court clarified that measures undertaken for the purpose of national security would not make EU law inapplicable and exempt the Member States from their obligation to ensure confidentiality of communications under the e-Privacy Directive. Hence, an independent review of surveillance activities such as data retention for indefinite time periods, or further processing or sharing, must be conducted for authorising such activities. It was noted that the domestic law at present did not provide for prior review, as a limit on the above mentioned surveillance activities. 

The French and Belgian Judgment

While assessing the joined cases, the Court arrived at a determination in similar terms as the UK case. It reiterated that the exception (Article 15(1) of the e-Privacy Directive) to the principle of confidentiality of communications (Article 5(1) of the e-Privacy Directive) should not become the norm. Hence, national measures that provided for general and indiscriminate data retention and access for State purposes were held to be incompatible with EU law, specifically the e-Privacy Directive.

The Court in the joined cases, unlike the UK case, allowed for specific derogations for State purposes such as safeguarding national security, combating serious crimes and preventing serious threats. It laid down certain requirements that the Member States had to comply with in case of derogations. The derogations should (1) be clear and precise to the stated objective (2) be limited to what is strictly necessary and for a limited time period (3) have a safeguards framework including substantive and procedural conditions to regulate such instances (4) include guarantees to protect the concerned individuals against abuse. They should also be subjected to an ‘effective review’ by a court or an independent body and must be in compliance of general rules and proportionality principles of EU law and the rights provided in the EU Charter. 

The Court held that in establishing a minimum threshold for a safeguards framework, the EU Charter must be interpreted along with the European Convention on Human Rights (ECHR). This would ensure consistency between the rights guaranteed under the EU Charter and the corresponding rights guaranteed in the ECHR (as per Article 52(3) of the EU Charter).

The Court, in particular, allowed for general and indiscriminate data retention in cases of serious threat to national security. Such a threat should be genuine, and present or foreseeable. Real-time data collection and automated analysis were allowed in such circumstances. But the real-time data collection of persons should be limited to those suspected of terrorist activities. Moreover, it should be limited to what was strictly necessary and subject to prior review. It even allowed for general and indiscriminate data retention of IP addresses for the purpose of national security, combating serious crimes and preventing serious threats to public security. Such retention must be for a limited time period to what was strictly necessary. For such purposes, the Court also permitted ECSPs to retain data relating to the identity particulars of their customers (such as name, postal and email/account addresses and payment details) in a general and indiscriminate manner, without specifying any time limitations. 

The Court allowed targeted data retention for the purpose of safeguarding national security and preventing crime, provided that it was for a limited time period and strictly necessary and was done on the basis of objective and non-discriminatory factors. It was held that such retention should be specific to certain categories of persons or geographical areas. The Court also allowed, subject to effective judicial review, expedited data retention after the initial retention period ended, to shed light on serious criminal offences or acts affecting national security. Lastly, in the context of criminal proceedings, the Court held that it was for the Member States to assess the admissibility of evidence resulting from general and indiscriminate data retention. However, the information and evidence must be excluded where it infringes on the right to a fair trial. 

Significance of the Bulk Communication Surveillance Judgments

With these cases, the ECJ decisively resolved a long-standing discord between the Member States and privacy activists in the EU. For a while now, the Court has been dealing with questions relating to surveillance programs for national security and law enforcement purposes. Though the Member States have largely considered these programs outside the ambit of EU privacy law, the Court has been expanding the scope of privacy rights. 

Placing limitations and controls on State powers in democratic societies was considered necessary by the Court in its ruling in Privacy International. This decision may act as a trigger for considering surveillance reforms in many parts of the world, and more specifically for those aspiring to attain an EU adequacy status. India could benefit immensely should it choose to pay heed. 

As of date, India does not have a comprehensive surveillance framework. Various provisions of the Personal Data Protection Bill, 2019 (Bill), Information Technology Act, 2000, Telegraph Act, 1885, and the Code of Criminal Procedure, 1973 provide for targeted surveillance measures. The Bill provides for wide powers to the executive (under Clause 35, 36 and 91 of the Bill) to access personal and non-personal data in the absence of proper and necessary safeguards. This may cause problems for achieving the EU adequacy status as per Article 45 of the EU General Data Protection Regulation (GDPR) that assesses the personal data management rules of third-party countries. 

Recent news reports suggest that the Bill, which is under legislative consideration, is likely to undergo a significant overhaul. India could use this as an opportunity to introduce meaningful changes in the Bill as well as its surveillance regime. India’s privacy framework could be strengthened by adhering to the principles outlined in the Justice K.S. Puttaswamy v. Union of Indiajudgment and the Bulk Communications Surveillance Judgments.

Reflections on Personal Data Protection Bill, 2019

By Sangh Rakshita and Nidhi Singh

Image result for data protection"

 The Personal Data Protection Bill, 2019 (PDP Bill/ Bill) was introduced in the Lok Sabha on December 11, 2019 , and was immediately referred to a joint committee of the Parliament. The joint committee published a press communique on February 4, 2020 inviting comments on the Bill from the public.

The Bill is the successor to the Draft Personal Data Protection Bill 2018 (Draft Bill 2018), recommended by a government appointed expert committee chaired by Justice B.N. Srikrishna. In August 2018, shortly after the recommendations and publication of the draft Bill, the Ministry of Electronics and Information Technology (MeitY) invited comments on the Draft Bill 2018 from the public. (Our comments are available here.)[1]

In this post we undertake a preliminary examination of:

  • The scope and applicability of the PDP Bill
  • The application of general data protection principles
  • The rights afforded to data subjects
  • The exemptions provided to the application of the law

In future posts in the series we will examine the Bill and look at the:

  • The restrictions on cross border transfer of personal data
  • The structure and functions of the regulatory authority
  • The enforcement mechanism and the penalties under the PDP Bill

Scope and Applicability

The Bill identifies four different categories of data. These are personal data, sensitive personal data, critical personal data and non-personal data

Personal data is defined as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling. (emphasis added)

The addition of inferred data in the definition realm of personal data is an interesting reflection of the way the conversation around data protection has evolved in the past few months, and requires further analysis.

Sensitive personal data is defined as data that may reveal, be related to or constitute a number of different categories of personal data, including financial data, health data, official identifiers, sex life, sexual orientation, genetic data, transgender status, intersex status, caste or tribe, and religious and political affiliations / beliefs. In addition, under clause 15 of the Bill the Central Government can notify other categories of personal data as sensitive personal data in consultation with the Data Protection Authority and the relevant sectoral regulator.

Similar to the 2018 Bill, the current bill does not define critical personal data and clause 33 provides the Central Government the power to notify what is included under critical personal data. However, in its report accompanying the 2018 Bill, the Srikrishna committee had referred to some examples of critical personal data that relate to critical state interest like Aadhaar number, genetic data, biometric data, health data, etc.

The Bill retains the terminology introduced in the 2018 Draft Bill, referring to data controllers as ‘data fiduciaries’ and data subjects ‘data principals’. The new terminology was introduced with the purpose of reflecting the fiduciary nature of the relationship between the data controllers and subjects. However, whether the use of the specific terminology has more impact on the protection and enforcement of the rights of the data subjects still needs to be seen.

 Application of PDP Bill 2019

The Bill is applicable to (i) the processing of any personal data, which has been collected, disclosed, shared or otherwise processed in India; (ii) the processing of personal data by the Indian government, any Indian company, citizen, or person/ body of persons incorporated or created under Indian law; and (iii) the processing of personal data in relation to any individuals in India, by any persons outside of India.

The scope of the 2019 Bill, is largely similar in this context to that of the 2018 Draft Bill. However, one key difference is seen in relation to anonymised data. While the 2018 Draft Bill completely exempted anonymised data from its scope, the 2019 Bill does not apply to anonymised data, except under clause 91 which gives the government powers to mandate the use and processing of non-personal data or anonymised personal data under policies to promote the digital economy. There are a few concerns that arise in context of this change in treatment of anonymised personal data. First, there are concerns on the concept of anonymisation of personal data itself. While the Bill provides that the Data Protection Authority (DPA) will specify appropriate standards of irreversibility for the process of anonymisation, it is not clear that a truly irreversible form of anonymisation is possible at all. In this case, we need more clarity on what safeguards will be applicable for the use of anonymised personal data.

Second, is the Bill’s focus on the promotion of the digital economy. We have previously discussed some of the concerns regarding focus on the promotion of digital economy in a rights based legislation in our comments to the Draft Bill 2018.

These issues continue to be of concern, and are perhaps heightened with the introduction of a specific provision on the subject in the 2019 Bill (especially without adequate clarity on what services or policy making efforts in this direction, are to be informed by the use of anonymised personal data). Many of these issues are also still under discussion by the committee of experts set up to deliberate on data governance framework (non-personal data). The mandate of this committee includes the study of various issues relating to non-personal data, and to make specific suggestions for consideration of the central government on regulation of non-personal data.

The formation of the non-personal data committee was in pursuance of a recommendation by the Justice Srikrishna Committee to frame a legal framework for the protection of community data, where the community is identifiable. The mandate of the expert committee will overlap with the application of clause 91(2) of the Bill.

Data Fiduciaries, Social Media Intermediaries and Consent Managers

Data Fiduciaries

As discussed above the Bill categorises data controllers as data fiduciaries and significant data fiduciaries. Any person that determines the purpose and means of processing of personal data, (including the State, companies, juristic entities or individuals) is considered a data fiduciary. Some data fiduciaries may be notified as ‘significant data fiduciaries’, on the basis of factors such as the volume and sensitivity of personal data processed, the risks of harm etc. Significant data fiduciaries are held to higher standards of data protection. Under clauses 27-30, significant data fiduciaries are required to carry out data protection impact assessments, maintain accurate records, audit policy and the conduct of its processing of personal data and appoint a data protection officer. 

Social Media Intermediaries

The Bill introduces a distinct category of intermediaries called social media intermediaries. Under clause 26(4) a social media intermediary is ‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services’. Intermediaries that primarily enable commercial or business-oriented transactions, provide access to the Internet, or provide storage services are not to be considered social media intermediaries.

Social media intermediaries may be notified to be significant data fiduciaries, if they have a minimum number of users, and their actions have or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India.

Under clause 28 social media intermediaries that have been notified as a significant data fiduciaries will be required to provide for voluntary verification of users to be accompanied with a demonstrable and visible mark of verification.

Consent Managers

The Bill also introduces the idea of a ‘consent manager’ i.e. a (third party) data fiduciary which provides for management of consent through an ‘accessible, transparent and interoperable platform’. The Bill does not contain any details on how consent management will be operationalised, and only states that these details will be specified by regulations under the Bill. 

Data Protection Principles and Obligations of Data Fiduciaries

Consent and grounds for processing

The Bill recognises consent as well as a number of other grounds for the processing of personal data.

Clause 11 provides that personal data shall only be processed if consent is provided by the data principal at the commencement of processing. This provision, similar to the consent provision in the 2018 Draft Bill, draws from various principles including those under the Indian Contract Act, 1872 to inform the concept of valid consent under the PDP Bill. The clause requires that the consent should be free, informed, specific, clear and capable of being withdrawn.

Moreover, explicit consent is required for the processing of sensitive personal data. The current Bill appears to be silent on issues such as incremental consent which were highlighted in our comments in the context of the Draft Bill 2018.

The Bill provides for additional grounds for processing of personal data, consisting of very broad (and much criticised) provisions for the State to collect personal data without obtaining consent. In addition, personal data may be processed without consent if required in the context of employment of an individual, as well as a number of other ‘reasonable purposes’. Some of the reasonable purposes, which were listed in the Draft Bill 2018 as well, have also been a cause for concern given that they appear to serve mostly commercial purposes, without regard for the potential impact on the privacy of the data principal.

In a notable change from the Draft Bill 2018, the PDP Bill, appears to be silent on whether these other grounds for processing will be applicable in relation to sensitive personal data (with the exception of processing in the context of employment which is explicitly barred).

Other principles

The Bill also incorporates a number of traditional data protection principles in the chapter outlining the obligations of data fiduciaries. Personal data can only be processed for a specific, clear and lawful purpose. Processing must be undertaken in a fair and reasonable manner and must ensure the privacy of the data principal – a clear mandatory requirement, as opposed to a ‘duty’ owed by the data fiduciary to the data principal in the Draft Bill 2018 (this change appears to be in line with recommendations made in multiple comments to the Draft Bill 2018 by various academics, including our own).

Purpose and collection limitation principles are mandated, along with a detailed description of the kind of notice to be provided to the data principal, either at the time of collection, or as soon as possible if the data is obtained from a third party. The data fiduciary is also required to ensure that data quality is maintained.

A few changes in the application of data protection principles, as compared to the Draft Bill 2018, can be seen in the data retention and accountability provisions.

On data retention, clause 9 of the Bill provides that personal data shall not be retained beyond the period ‘necessary’ for the purpose of data processing, and must be deleted after such processing, ostensibly a higher standard as compared to ‘reasonably necessary’ in the Draft Bill 2018. Personal data may only be retained for a longer period if explicit consent of the data principal is obtained, or if retention is required to comply with law. In the face of the many difficulties in ensuring meaningful consent in today’s digital world, this may not be a win for the data principal.

Clause 10 on accountability continues to provide that the data fiduciary will be responsible for compliance in relation to any processing undertaken by the data fiduciary or on its behalf. However, the data fiduciary is no longer required to demonstrate such compliance.

Rights of Data Principals

Chapter V of the PDP Bill 2019 outlines the Rights of Data Principals, including the rights to access, confirmation, correction, erasure, data portability and the right to be forgotten. 

Right to Access and Confirmation

The PDP Bill 2019 makes some amendments to the right to confirmation and access, included in clause 17 of the bill. The right has been expanded in scope by the inclusion of sub-clause (3). Clause 17(3) requires data fiduciaries to provide data principals information about the identities of any other data fiduciaries with whom their personal data has been shared, along with details about the kind of data that has been shared.

This allows the data principal to exert greater control over their personal data and its use.  The rights to confirmation and access are important rights that inform and enable a data principal to exercise other rights under the data protection law. As recognized in the Srikrishna Committee Report, these are ‘gateway rights’, which must be given a broad scope.

Right to Erasure

The right to correction (Clause 18) has been expanded to include the right to erasure. This allows data principals to request erasure of personal data which is not necessary for processing. While data fiduciaries may be allowed to refuse correction or erasure, they would be required to produce a justification in writing for doing so, and if there is a continued dispute, indicate alongside the personal data that such data is disputed.

The addition of a right to erasure, is an expansion of rights from the 2018 Bill. While the right to be forgotten only restricts or discontinues disclosure of personal data, the right to erasure goes a step ahead and empowers the data principal to demand complete removal of data from the system of the data fiduciary.

Many of the concerns expressed in the context of the Draft Bill 2018, in terms of the procedural conditions for the exercise of the rights of data principals, as well as the right to data portability specifically, continue to persist in the PDP Bill 2019.

Exceptions and Exemptions

While the PDP Bill ostensibly enables individuals to exercise their right to privacy against the State and the private sector, there are several exemptions available, which raise several concerns.

The Bill grants broad exceptions to the State. In some cases, it is in the context of specific obligations such as the requirement for individuals’ consent. In other cases, State action is almost entirely exempted from obligations under the law. Some of these exemptions from data protection obligations are available to the private sector as well, on grounds like journalistic purposes, research purposes and in the interests of innovation.

The most concerning of these provisions, are the exemptions granted to intelligence and law enforcement agencies under the Bill. The Draft Bill 2018, also provided exemptions to intelligence and law enforcement agencies, so far as the privacy invasive actions of these agencies were permitted under law, and met procedural standards, as well as legal standards of necessity and proportionality. We have previously discussed some of the concerns with this approach here.

The exemptions provided to these agencies under the PDP Bill, seem to exacerbate these issues.

Under the Bill, the Central Government can exempt an agency of the government from the application of this Act by passing an order with reasons recorded in writing if it is of the opinion that the exemption is necessary or expedient in the interest of sovereignty and integrity, security of the state, friendly relations with foreign states, public order; or for preventing incitement to the commission of any cognizable offence relating to the aforementioned grounds. Not only have the grounds on which government agencies can be exempted been worded in an expansive manner, the procedure of granting these exemptions also is bereft of any safeguards.

The executive functioning in India suffers from problems of opacity and unfettered discretion at times, which requires a robust system of checks and balances to avoid abuse. The Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act) enable government surveillance of communications made over telephones and the internet. For drawing comparison here, we primarily refer to the Telegraph Act as it allows the government to intercept phone calls on similar grounds as mentioned in clause 35 of the Bill by an order in writing. However, the Telegraph Act limits the use of this power to two scenarios – occurrence of a public emergency or in the interest of public safety. The government cannot intercept communications made over telephones in the absence of these two preconditions. The Supreme Court in People’s Union for Civil Liberties v. Union of India, (1997) introduced guidelines to check abuse of surveillance powers under the Telegraph Act which were later incorporated in Rule 419A of the Indian Telegraph Rules, 1951. A prominent safeguard included in Rule 419A requires that surveillance and monitoring orders be issued only after considering ‘other reasonable means’ for acquiring the required information. The court had further limited the scope of interpretation of ‘public emergency’ and ‘public safety’ to mean “the prevalence of a sudden condition or state of affairs affecting the people at large and calling for immediate action”, and “the state or condition of freedom from danger or risk at large” respectively. In spite of the introduction of these safeguards, the procedure of intercepting telephone communications under the Telegraph Act is criticised for lack of transparency and improper implementation. For instance, a 2014 report revealed that around 7500 – 9000 phone interception orders were issued by the Central Government every month. The application of procedural safeguards, in each case would have been physically impossible given the sheer numbers. Thus, legislative and judicial oversight becomes a necessity in such cases.

The constitutionality of India’s surveillance apparatus inclduing section 69 of the IT Act which allows for surveillance on broader grounds on the basis of necessity and expediency and not ‘public emergency’ and ‘public safety’, has been challenged before the Supreme Court and is currently pending. Clause 35 of the Bill also mentions necessity and expediency as prerequisites for the government to exercise its power to grant exemption, which appear to be vague and open-ended as they are not defined. The test of necessity, implies resorting to the least intrusive method of encroachment up on privacy to achieve the legitimate state aim. This test is typically one among several factors applied in deciding on whether a particular intrusion on a right is tenable or not, under human rights law. In his concurring opinion in Puttaswamy (I) J. Kaul had included ‘necessity’ in the proportionality test. (However, this test is not otherwise well developed in Indian jurisprudence).  Expediency, on the other hand, is not a specific legal basis used for determining the validity of an intrusion on human rights. It has also not been referred to in Puttaswamy (I) as a basis of assessing a privacy violation. The use of the term ‘expediency’ in the Bill is deeply worrying as it seems to bring down the threshold for allowing surveillance which is a regressive step in the context of cases like PUCL and Puttaswamy (I). A valid law along with the principles of proportionality and necessity are essential to put in place an effective system of checks and balances on the powers of the executive to provide exemptions. It seems unlikely that the clause will pass the test of proportionality (sanction of law, legitimate aim, proportionate to the need of interference, and procedural guarantees against abuse) as laid down by the Supreme Court in Puttaswamy (I).

The Srikrishna Committee report had recommended that surveillance should not only be conducted under law (and not executive order), but also be subject to oversight, and transparency requirements. The Committee had argued that the tests of lawfulness, necessity and proportionality provided for under clauses 42 and 43 (of the Draft Bill 2018) were sufficient to meet the standards set out under the Puttaswamy judgment. Since the PDP Bill completely does away with all these safeguards and leaves the decision to executive discretion, the law is unconstitutional.  After the Bill was introduced in the Lok Sabha, J. Srikrishna had criticised it for granting expansive exemptions in the absence of judicial oversight. He warned that the consequences could be disastrous from the point of view of safeguarding the right to privacy and could turn the country into an “Orwellian State”. He has also opined on the need for a separate legislation to govern the terms under which the government can resort to surveillance.

Clause 36 of the Bill deals with exemption of some provisions for certain processing of personal data. It combines four different clauses on exemption which were listed in the Draft Bill 2018 (clauses 43, 44, 46 and 47). These include processing of personal data in the interests of prevention, detection, investigation and prosecution of contraventions of law; for the purpose of legal proceedings; personal or domestic purposes; and journalistic purposes. The Draft Bill 2018 had detailed provisions on the need for a law passed by Parliament or the State Legislature which is necessary and proportionate, for processing of personal data in the interests of prevention, detection, investigation and prosecution of contraventions of law. Clause 36 of the Bill does not enumerate the need for a law to process personal data under these exemptions. We had argued that these exemptions granted by the Draft Bill 2018 (clauses 43, 44, 46 and 47) were wide, vague and needed clarifications, but the exemptions under clause 36 of the Bill  are even more ambiguous as they merely enlist the exemptions without any specificities or procedural safeguards in place.

In the Draft Bill 2018, the Authority could not give exemption from the obligation of fair and reasonable processing, measures of security safeguards and data protection impact assessment for research, archiving or statistical purposes As per the current Bill, the Authority can provide exemption from any of the provisions of the Act for research, archiving or statistical purposes.

The last addition to this chapter of exemptions is that of creating a sandbox for encouraging innovation. This newly added clause 40 is aimed at encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest. The details of what the sandbox entails other than exemption from some of the obligations of Chapter II might need further clarity. Additionally, to be considered an eligible applicant, a data fiduciary has to necessarily obtain certification of its privacy by design policy from the DPA, as mentioned in clause 40(4) read with clause 22.

Though well appreciated for its intent, this provision requires clarification on grounds of selection and details of what the sandbox might entail.


[1] At the time of introduction of the PDP Bill 2019, the Minister for Law and Justice of India, Mr. Ravi Shankar Prasad suggested that over 2000 inputs were received on the Draft Bill 2018, based on which changes have been made in the PDP Bill 2019. However, these comments and inputs have not been published by MeitY, and only a handful of comments have been published, by the stakeholders submitting these comments themselves.   

[September 23-30] CCG’s Week in Review: Curated News in Information Law and Policy

The deadline to link PAN cards with Aadhaar was extended to December 31 this week; the Election Commission ruled that voting rights of those excluded in the NRC process remain unaffected; the Home Minister proposed a digital census with multipurpose ID cards for 2021; and 27 nations including the US, UK and Canada issued joint statement urging for a rules-based order in cyberspace – presenting this week’s most important developments in law, technology and national security.

Aadhaar and Digital IDs

  • [Sep 23] Home Minister announces digital census in 2021, proposed multipurpose ID card, Entrackr report; Business Today report.
  • [Sep 24] NRIs can now apply for Aadhaar on arrival without 182-day wait, The Economic Times report.
  • [Sep 24] Aadhaar will be linked to driving license to avoid forgery: Ravi Shankar Prasad, The Indian Express report.
  • [Sep 24] One nation, one card? Amit Shah floats idea of all-in-one ID; here are all the problems with that idea, Medianama report; Money Control report.
  • [Sep 24] Explained: Is India likely to have a multipurpose national ID card? The Indian Express report.
  • [Sep 24] UIDAI nod to ‘voluntary’ use of Aadhaar for National Population Register rollout, The Economic Times report.
  • [Sep 24] Govt must decide on Aadhaar-social media linkage:SC, Deccan Herald report.
  • [Sep 25] New law needed for Aadhaar-social media linkage: UIDAI, The Economic Times report; Inc42 report.
  • [Sep 26] NPR process to include passport, voter ID, Aadhaar and other details, Business Standard report.
  • [Sep 27] Gang involved in making fake Aadhaar cards busted, The Tribune report.
  • [Sep 27] What will happen if you don’t link your PAN card with Aadhaar by Sep 20, The Quint report.
  • [Sep 27] Explained: The National Population Register, and the controversy around it, The Indian Express report.
  • [Sep 27] Aadhaar to weed out bogus social security beneficiaries in Karnataka, Deccan Herald report.
  • [Sep 29] Bajrang Dal wants Aadhaar mandatory at dandiya to keep ‘non-Hindus’ out, The Hindustan Times report; The Wire report.
  • [Sep 30] Kerala urges Centre to extend deadline to link ration cards with Aadhaar, The News Minute report.
  • [Sep 30] PAN-Aadhaar linking deadline extended to December 31, The Economic Times report.

Digital India 

  • [Sep 25] India’s regulatory approach should focus on the regulation of the ‘core’: IAMAI, Livemint report.
  • [Sep 27] India may have to offer sops to boost electronic manufacturing, ET Tech report; Inc42 report.
  • [Sep 27] Digital India, start-ups are priorities for $5 trillion economy: PM Modi, Medianama report.
  • [Sep 29] Tech giants aim to skill Indian govt officials in AI, cloud, ET CIO report.
  • [Sep 29] India’s share in IT, R&D biz up in 2 years: report, The Economic Times report.

Internet Governance

  • [Sep 24] Supreme Court to MeitY: What’s the status of intermediary guidelines? Tell us by Oct 15, Medianama report.
  • [Sep 26] Will not be ‘excessive’ with social media rules, ay Govt officials, Inc42 report.
  • [Sep 26] Government trying to balance privacy and security in draft IT intermediary norms, The Economic Times report.
  • [Sep 27] Citizens, tech companies served better with some regulation: Facebook India MD Ajit Mohan, ET Tech report; Inc42 report.
  • [Sep 27] Balance benefits of internet, data security: Google CEO Sundar Pichai, ET Tech report; Business Today report.

Free Speech

  • [Sep 25] Jadavpur University calls upon ‘stakeholders’ to ensure free speech on campus, The New Indian Express report.
  • [Sep 28] RSS raises objections to uncensored content of Maoj Bajpayee’s “The Family Man”, The Hindu report; Outlook report.

Privacy and Data Protection

  • [Sep 23] A landmark decision on Tuesday could radically reshape how Google’s search results work, Business Insider report.
  • [Sep 23] Google tightens its voice assistant rules amidst privacy backlash, Wired report.
  • [Sep 24] Dell rolls out new data protection storage appliances and capabilities, ZDNet report.
  • [Sep 24] ‘Right to be forgotten’ privacy rule is limited by Europe’s top court, The New York Times report; Live Law report.
  • [Sep 27] Nigeria launches investigation into Truecaller for potential breach of privacy, Medianama report.
  • [Sep 29] Right to be forgotten will be arduous as India frames data protection law, Business Standard report.
  • [Sep 30] FPIs move against data bill, seek exemption, ET Telecom report; Entrackr report.

Data Localisation

  • [Sep 26] Reconsider imposition of data localisation: IAMAI report, The Economic Times report.
  • [Sep 27] Why data is not oil: Here’s how India’s data localisation norms will hurt the economy, Inc42 report.

Digital Payments and Fintech

  • [Sep 23] RBI rider on credit bureau data access has Fintech in a quandary, ET Tech report.

Cryptocurrencies

  • [Sep 23] Facebook reveals Libra currency basket breakdown, Coin Desk report.
  • [Sep 23] The face of India’s crypto lobby readies for a clash, Ozy report.
  • [Sep 23] Why has Brazil’s Central Bank included crypto assets in trade balance? Coin Telegraph report.
  • [Sep 24] French retailers widening crypto acceptance, Tech Xplore report.
  • [Sep 26] Why crypto hoaxes are so successful, Quartz report.
  • [Sep 26] South Africa: the net frontier for crypto exchanges, Coin Telegraph report
  • [Sep 27] The crypto wars’ strange bedfellows, Forbes report.
  • [Sep 28] Crypto industry is already preparing for Google’s ‘quantum supremacy’, Decrypt report.
  • [Sep 29] How crypto gambling is regulated around the world, Coin Telegraph report.

Tech and Law Enforcement

  • [Sep 29] New WhatsApp and Facebook Encryption ‘Backdoors’ – What’s really going on, Forbes report.
  • [Sep 28] Facebook, WhatsApp will have to share messages with UK Government, Bloomberg report.
  • [Sep 23] Secret FBI subpoenas scoop up personal data from scores of companies, The New York Times report.
  • [Sep 23] ‘Don’t transfer the WhatsApp traceability case’, Internet Freedom Foundation asks Supreme Court, Medianama report.
  • [Sep 24] China offers free subway rides to citizens who register their face with surveillance system, The Independent report.
  • [Sep 24] Facial recognition technology in public housing prompts backlash, The New York Times report.
  • [Sep 24] Facebook-Aadhaar linkage and WhatsApp traceability: Supreme Court says government must frame rules, CNBC TV18 report.
  • [ep 27] Fashion that counters surveillance cameras, Business Times report.
  • [Sep 27] Unnao rape case: Delhi court directs Apple to give Sengar’s location details on day of alleged rape, Medianama report.
  • [Sep 27] Face masks to decoy t-shirts: the rise of anti-surveillance fashion, Times of India report.
  • [Sep 30] Battle for privacy and encryption: WhatsApp and government head for a showdown on access to messages, ET Prime report.
  • [Sep 29] Improving digital evidence sharing, Scottish Government news report; Public technology report.

Internal Security: J&K

  • [Sep 23] Government launches internet facilitation centre in Pulwama for students, Times of India report; Business Standard report.
  • [Sep 23] Army chief rejects ‘clampdown’ in Jammu and Kashmir, Times of India report.
  • [Sep 24] Rising power: Why India has faced muted criticism over its Kashmir policy, Business Standard report.
  • [Sep 24] ‘Restore Article 370, 35A in Jammu and Kashmir, withdraw army, paramilitary forces’: 5-member women’s group will submit demands to Amit Shah, Firstpost report.
  • [Sep 24] No normalcy in Kashmir, says fact finding team, The Hindu report.
  • [Sep 25] End clampdown: Kashmir media, The Telegraph report.
  • [Sep 25] Resolve Kashmir issue through dialogue and not through collision: Erdogan, The Economic Times report.
  • [Sep 25] Rajya Sabha deputy chair thwarts Pakistan’s attempt at Kashmir at Eurasian Conference, The Economic Times report.
  • [Sep 25] Pakistan leader will urge UN intervention in Kashmir, The New York Times report.
  • [Sep 25] NSA Ajit Doval back in Srinagar to review security situation, The Hindustan Times report.
  • [Sep 27] Communication curbs add fresh challenge to Kashmir counter-insurgency operations, News18 report.
  • [Sep 27] Fresh restrictions in parts of Kashmir, The Hindu report.
  • [Sep 27] US wants ‘rapid’ easing of Kashmir restrictions, Times of India report.
  • [Sep 27] Kashmir issue: Rescind action on Art. 370, OIC tells India, The Hindu report.
  • [Sep 28] India objects to China’s reference to J&K and Ladakh at UNGA, The Economic Times report; The Hindu report.
  • [Sep 29] Surveillance, area domination operations intensified in Kashmir, The Economic Times report; Financial Express report.
  • [Sep 29] Police impose restrictions in J&K after Imran Khan’s speech at UNGA, India Today report.

Internal Security: NRC and the North-East

  • [Sep 23] Assam framing cyber security policy to secure data related to NRC, police, services, The Economic Times report; Money Control report.
  • [Sep 24] BJP will tell SC that we reject this NRC, says Himanta Biswa Sarma, Business Standard report.
  • [Sep 24] Amit Shah to speak on NRC, Citizenship Amendment Bill in Kolkata on Oct 1, The Economic Times report.
  • [Sep 26] ‘Expensive’ legal battle for those rejected in Assam NRC final list, The Economic Times report.
  • [Sep 27] Scared of NRC? Come back in 2022, The Telegraph report.
  • [Sep 27] Voters left out of NRC will have right to vote, rules Election Commission, India Today report; The Wire report.
  • [Sep 27] NRC: Assam government announces 200 Foreigners Tribunals in 33 districts, Times Now report; Times of India report.
  • [Sep 28] Judge urges new FT members to examine NRC claims with utmost care, Times of India report.

National Security Legislation

  • [Sep 23] Centre will reintroduce Citizenship Bill in Parliament: Himanta Biswa Sarma, The Hindu report.
  • [Sep 26] National Security Guard: History, Functions and Operations, Jagran Josh report.
  • [Sep 28] Left parties seek revocation of decision on Article 370, The Tribune India report.

Tech and National Security

  • [Sep 25] Army to start using Artificial Intelligence in 2-3 years: South Western Army commander, The Print report; India Today report; The New Indian Express report; Financial Express report.
  • [Sep 23] Modi, Trump set new course on terrorism, border security, The Hindu report.
  • [Sep 23] PM Modi in the US” Trump promises more defence deals with India, military trade to go up, Financial Express report.
  • [Sep 23] Punjab police bust terror module supplied with weapons by drones from Pak, NDTV report.
  • [Sep 26] Lockheed Martin to begin supplying F-16 wings from Hyderabad plant in 2020, Livemint report.
  • [Sep 26] Drones used for cross-border arms infiltration in Punjab a national security issues, says Randhawa, The Hindu report.
  • [Sep 27] UK MoD sets up cyber team for secure innovation, UK Authority report.
  • [Sep 29] New tri-services special ops division, meant for surgical strikes, finishes first exercise today, The Print report.
  • [Sep 30] After Saudi attacks, India developing anti-drone technology to counter drone menace, Eurasian Times report.

Tech and Elections

  • [Sep 20] Microsoft will offer free Windows 7 support for US election officials through 2020, Cyber Scoop report.
  • [Sep 26] Social media platforms to follow ‘code of ethics’ in all future elections: EC, The Economic Times report.
  • [Sep 28] Why is EC not making ‘authentic’ 2019 Lok Sabha results public? The Quint report.

Cybersecurity

  • [Sep 24] Androids and iPhones hacked with just one WhatsApp click – and Tibetans are under attack, Forbes report.
  • [Sep 25] Sharp questions can help board oversee cybersecurity, The Wall Street Journal report.
  • [Sep 25] What we know about CrowdStrike, the cybersecurity firm trump mentioned in Ukraine call, and its billionaire CEO, Forbes report.
  • [Sep 25] 36% smaller firms witnessed data breaches in 2019 globally, ET Rise report.
  • [Sep 28] Defence Construction Canada hit by cyber attack – corporation’s team trying to restore full IT capability, Ottawa Citizen report.
  • [Sep 29] Experts call for collective efforts to counter cyber threats, The New Indian Express report.
  • [Sep 29] Microsoft spots malware that turns PCs into zombie proxies, ET Telecom report
  • [Sep 29] US steps up scrutiny of airplane cybersecurity, The Wall Street Journal report.

Cyberwarfare

  • [Sep 24] 27 countries sign cybersecurity pledge urging rules-based control over cyberspace in Joint Statement, with digs at China and Russia, CNN report; IT world Canada report; Meri Talk report.
  • [Sep 26] Cyber Peace Institute fills a critical need for cyber attack victims, Microsoft blog.
  • [Sep 29] Britain is ‘at war every day’ due to constant cyber attacks, Chief of the Defence Staff says, The Telegraph report.

Telecom and 5G

  • [Sep 27] Telcos’ IT investments intact, auto companies may slow pace: IBM exec, ET Tech report.
  • [Sep 29] Telecom players to lead digital transformation in India, BW Businessworld report.

More on Huawei

  • [Sep 22] Huawei confirms another nasty surprise for Mate 30 buyers, Forbes report.
  • [Sep 23] We’re on the same page with government on security: Huawei, The Economic Times report.
  • [Sep 24] The debate around 5G’s safety is getting in the way of science, Quartz report (paywall).
  • [Sep 24] Govt will take call on Huawei with national interest in mind: Telecom Secy, Business Standard report.
  • [Sep 24] Huawei enables 5G smart travel system at Beijing airport, Tech Radar report.
  • [Sep 25] Huawei 5G backdoor entry unproven, The Economic Times report.
  • [Sep 25] US prepares $1 bn fund to replace Huawei ban kit, Tech Radar report.
  • [Sep 26] Google releases large dataset of deepfakes for researchers, Medianama report.
  • [Sep 26] Huawei willing to license 5G technology to a US firm, The Hindu Business Line report; Business Standard report.
  • [Sep 26] Southeast Asia’s top phone carrier still open to Huawei 5G, Bloomberg report.
  • [Sep 29] Russia rolls out the red carpet for Huawei over 5G, The Economic Times report.

Emerging Tech and AI

  • [Sep 20] Google researchers have reportedly achieved “Quantum Supremacy”, Financial Times report; MIT Technology Review report
  • [Sep 23] Artificial Intelligence revolution in healthcare in India: All we need to know, The Hindustan Times report.
  • [Sep 23] A new joystick for the brain-controlled vehicles of the future, Defense One report.
  • [Sep 24] Computing and AI: Humanistic Perspectives from MIT, MIT News report.
  • [Sep 24] Emerging technologies such as AI, 5G posing threats to privacy, says report, China Daily report.
  • [Sep 25] Alibaba unveils chip developed for artificial intelligence era, Financial Times report.
  • [Sep 26] Pentagon wants AI to interpret ‘strategic activity around the globe, Defense One report.
  • [Sep 27] Only 10 jobs created for every 100 jobs taken away by AI, ET Tech report.
  • [Sep 27] Experts say these emerging technologies should concern us, Business Insider report.
  • [Sep 27] What is on the horizon for export controls on ‘emerging technologies’? Industry comments may hold a clue, Modaq.com report.
  • [Sep 27] India can become world leader in artificial intelligence: Vishal Sikka, Money Control report.
  • [Sep 27] Elon Musk issues a terrifying prediction of ‘AI robot swarms’ and huge threat to mankind, The Daily Express (UK) report
  • [Sep 27] Russia’s national AI Centre is taking shape, Defense One report.
  • [Sep 29] Explained: What is ‘quantum supremacy’, The Hindu report.
  • [Sep 29] Why are scientists so excited about a new quantum computing milestone?, Scroll.in report.
  • [Sep 29] Artificial Intelligence has a gender bias problem – just ask Siri, The Wire report.
  • [Sep 29] How AI is changing the landscape of digital marketing, Inc42 report.

Opinions and Analyses

  • [Sep 21] Wim Zijnenburg, Defense One, Time to Harden International Norms on Armed Drones.
  • [Sep 23] David Sanger and Julian Barnes, The New York Times, The urgent search for a cyber silver bullet against Iran.
  • [Sep 23] Neven Ahmad, PRIO Blog, The EU’s response to the drone age: A united sky.
  • [Sep 23] Bisajit Dhar and KS Chalapati Rao, The Wire, Why an India-US Free Trade Agreement would require New Delhi to reorient key policies.
  • [Sep 23] Filip Cotfas, Money Control, Five reasons why data loss prevention has to be taken seriously.
  • [Sep 23] NF Mendoza, Tech Republic, 10 policy principles needed for artificial intelligence.
  • [Sep 24] Ali Ahmed, News Click, Are Indian armed forces turning partisan? : The changing civil-military relationship needs monitoring.
  • [Sep 24] Editorial, Deccan Herald, A polity drunk on Aadhaar.
  • [Sep 24] Mike Loukides, Quartz, The biggest problem with social media has nothing to do with free speech.
  • [Sep 24] Ananth Padmanabhan, Medianama, Civilian Drones: Privacy challenges and potential resolution. 
  • [Sep 24] Celine Herwijer and Dominic Kailash Nath Waughray, World Economic Forum, How technology can fast-track the global goals.
  • [Sep 24] S. Jaishankar, Financial Times, Changing the status of Jammu and Kashmir will benefit all of India.
  • [Sep 24] Editorial, Livemint, Aadhaar Mark 2.
  • [Sep 24] Vishal Chawla, Analytics India Magazine, AI in Defence: How Indi compares to US, China, Russia and South Korea.
  • [Sep 25] Craig Borysowich, IT Toolbox, Origin of Markets for Artificial Intelligence.
  • [Sep 25] Sudeep Chakravarti, Livemint, After Assam, NRC troubles may visit ‘sister’ Tripura.
  • [Sep 25] DH Kass, MSSP Blog, Cyber Warfare: New Rules of Engagement?
  • [Sep 25] Chris Roberts, Observer, How artificial intelligence could make nuclear war more likely.
  • [Sep 25] Ken Tola, Forbes, What is cybersecurity?
  • [Sep 25] William Dixon and  Jamil Farshchi, World Economic Forum, AI is transforming cybercrime. Here’s how we can fight back.
  • [Sep 25] Patrick Tucker, Defense One, Big Tech bulks up its anti-extremism group. But will it do more than talk?
  • [Sep 26] Udbhav Tiwari, Huffpost India, Despite last year’s Aadhaar judgement, Indians have less privacy than ever.
  • [Sep 26] Sylvia Mishra, Medianama, India and the United States: The time has come to collaborate on commercial drones.
  • [Sep 26] Subimal Bhattacharjee, The Hindu Business Line, Data flows and our national security interests.
  • [Sep 26] Ram Sagar, Analytics India Magazine, Top countries that are betting big on AI-based surveillance.
  • [Sep 26] Patrick Tucker, Defense One, AI will tell future medics who lives and who dies on the battlefield.
  • [Sep 26] Karen Hao, MIT Technology Review, This is how AI bias really happens – and why it’s so hard to fix.
  • [Sep 27] AG Noorani, Frontline, Kashmir dispute: Domestic or world issue?
  • [Sep 27] Sishanta Talukdar, Frontline, Final NRC list: List of exclusion.
  • [Sep 27] Freddie Stuart, Open Democracy, How facial recognition technology is bringing surveillance capitalism to our streets.
  • [Sep 27] Paul de Havilland, Crypto Briefing, Did Bitcoin crash or dip? Crypto’s trajectory moving forward.
  • [Sep 28] John Naughton, The Guardian, Will advances in quantum computing affect internet security?
  • [Sep 28] Suhrith Parthasarathy, The Hindu, The top court and a grave of freedom.
  • [Sep 28] Kazim Rizvi, YourStory, Data Protection Authority: the cornerstone to implement data privacy.
  • [Sep 28] Shekhar Gupta, The Print, Modi has convinced the world that Kashmir is India’s internal affair – but they’re still watching.
  • [Sep 29] Indrani Bagchi, The Economic Times, Why india needs to tread carefully on Kashmir.
  • [Sep 29] Medha Dutta Yadav, The New Indian Express, Data: Brave new frontier.
  • [Sep 29] Jon Markman, Forbes, New cybersecurity companies have their heads in the cloud.
  • [Sep 29] Editorial, The New York Times, On cybersecurity: Two scoops of perspective.
  • [Sep 30] Kuldip Singh, The Quint, New IAF Chief’s appointment: Why RKS Bhadauria must tread lightly.
  • [Sep 30] Karishma Koshal, The Caravan, With the data-protection bill in limbo, these policies contravene the right to privacy.

Big Brother is Watching : The Right to Privacy for Minors

The 2017 judgement by a 9 judge bench in the case of Justice K.S. Puttaswamy vs. Union of India successfully cemented the Right to Privacy for citizens under Article 21 of the Constitution. The judgement was a turning point in the debate on the right to privacy which has been raised in court time and again starting from the 1964 judgement in the case of Kharak Singh vs. State of UP.

However, this was not the end of the conversation on the right to privacy, the recent decision of the Supreme Court in the case of Amber Tickoo vs Government of NCT of Delhi reignited the debate which surrounds the right to privacy, specifically the right to privacy of minors.

The Amber Tickoo Case

In September 2017, following the murder of a 4-year-old at Ryan International School, Delhi education minister Manish Sisodiya made the decision to install CCTV cameras in every Delhi government school. These cameras would cover not only the hallways and the common areas but also the classrooms. Further, in December of the same year it was decided that the feed from these cameras would be made available online for the parents to access.

 In July 2019, a Delhi government school in Lajpat Nagar became the first school fully equipped with CCTV cameras in all classrooms. According to the government the next step would be to provide the parents access to the live feed through a mobile app which they can access using a password.

These decisions of the Delhi government were challenged before the Supreme Court though a public interest litigation in the Amber Tickoo case. The petitioners argued that the installation of these cameras would result in an infringement of the right to privacy ensured in the Puttaswamy judgement. They also argued that making the live feed of students available online would jeopardize the safety and security of the students.

The Supreme Court dismissed the petition without granting any interim relief, and disposed of the case. Consequently, the implementation of the programme will see almost 1000 schools across Delhi equipped with CCTV camera’s by November.

Right to Privacy in Public Spaces

The Puttaswamy judgement while broadly dealing with the issue of the right to privacy, extended the right to privacy of individuals to the public space.

“If the reason for protecting privacy is the dignity of the individual, the rationale for its existence does not cease merely because the individual has to interact with others in the public arena. The extent to which an individual expects privacy in a public street may be different from that which she expects in the sanctity of the home. Yet if dignity is the underlying feature, the basis of recognising the right to privacy is not denuded in public spaces… Privacy attaches to the person and not to the place where it is associated.”

The court thus acknowledges that acts done by individuals in public spaces are not necessarily public in nature, and that individuals would still be guaranteed the right to privacy in such situations.

However, in this case, the right is not being extended to minors. In his interview, Akshay Marathe, a member of Delhi government’s Dialogue & Development Commission Task force on school education argues that classrooms cannot be considered to be private by ‘any stretch of imagination’. Following the principle laid down in the Puttaswamy judgement, despite classrooms being a public space, children still possess a right to privacy, since the right is attached to their person and not the space, they are in. The installation of CCTV cameras in classrooms would thus ignore these rights and appears to imply that minors do not possess the same right to privacy as adults.

CCTV cameras in Schools

The government has supported its decision to install security cameras inside classrooms for many reasons. The decision was made in response to incidents of violence in schools such as the assault of a 4-year-old girl . However, in addition to assuaging safety concerns, the government also states that having access to the live feeds from these cameras would bring down delinquency and truancy complaints for children. This measure is also meant to bolster the confidence of parents in the quality of education being imparted to the students as they would personally be able to judge the performance of the teachers via the live feed.

This experiment with CCTV cameras in school is not a novel concept. Several other jurisdictions have already implemented similar strategies in schools from equipping teachers with two-way radios, to installing CCTV cameras in schools, even in changing rooms. Almost 90% of secondary schools in the UK are now equipped with security cameras, and this constant surveillance has been criticized by many, including the teachers. Research suggests that pupils in UK are monitored as frequently as inmates in prisons and customers at an airport.

A study conducted on CCTV surveillance of primary school children in Israel also concludes that the cameras lead to a growing fear in the children that they were constantly being recorded everywhere. The study also revealed a tension between the normalisation of school surveillance, but increased resistance to other surveillance among children which could eventually cause behavioural problems in the children outside of school.

In addition to the previous problems faced in the implementation of CCTV systems in schools, the Delhi government also faces increased concerns about the responsibility of the government towards the children, as there are no laws which govern the use of CCTV cameras in schools in India. The question of parental access to feeds is also in question as the present digital infrastructure may not be able to support this venture, and the government has given no answers on how it intends to validate the identity of the parents on the smartphone app.

Rights of Minors

The rights of minors differ in aspect and scope from the rights provided to adult citizens of a state. As a vulnerable group of society, the state has chosen to prioritise security concerns over the right to privacy of children. While the installation of CCTV cameras in Delhi government schools is in the limelight now, this is by no means the only policy of such a nature to be implemented in the country. A bench at the Madras High Court recently directed the Tamil Nadu transport commissioner to issue orders mandating the installation of CCTV cameras and GPS in all school buses. Schools in Gurugram are now also set to follow in the footsteps of the Delhi model where the district education officer has called for all government schools to install CCTV cameras. They also allow schools with a paucity of funds to seek additional grants for the installation of these cameras.

While the installation of the cameras has generated mixed reviews with parents being generally happy with the news and teachers apprehensive about the same, the move has ignored some large concerns relating to the scrutiny of minors. The livestreaming of the classroom feeds is one such issue, due to the enormous scale of the process, it will be impossible to ensure the safety of this feed. The feed can be accessed though a mobile app and a password, which makes it vulnerable to leaks. There has also been no research done to investigate the effect of such constant scrutiny on children and teachers.

To sum up, the right to privacy of children is often considered subjugated to other concerns, this can most accurately be seen in the statement by CM Kejriwal which states that “There will be no privacy breach, children go to school for education, to learn discipline and become good citizens of the country… they do not go there for anything private”. It also fully ignores the question of illegal access to these live-feeds by unauthorized parties arguing that “Hypothetically even if one does get access, he will only see 40 kids studying. Nothing more can be obtained out of it.”

The decision to install CCTV cameras in schools ultimately made to benefit students and bolster the security in schools following recent events. However, the move to live-stream feeds from these classrooms has come under considerable scrutiny, with the Government School Teachers Association protesting the same. Following the refusal of the Supreme Court to intervene on the matter, Delhi schools are set to implement the policy, with other places following suit. 

[June 24-July 1] CCG’s Week in Review: Curated News in Information Law and Policy

With the G20 Summit in Osaka easing trade tensions between the US and China, India has seen a week of developing policy positions on data localisation, tech startups and the fate of telecom providers  — presenting this week’s most important developments in law and tech.

Aadhaar 

  • [June 24] New Aadhaar regulations by Government to bring it back in full force, will be voluntary, India Today report.
  • [June 24] Aadhaar bill introduced amid opposition protests, The Hindu report; Live Mint report.
  • [June 25] Bill on Aadhaar tabled, ‘doesn’t violate privacy’, The Tribune report.
  • [June 29] One nation, One ration card’ scheme from July 1, 2020, The Hindu report.

Internet Shutdown

  • [June 28] Myanmar: Internet Shutdown Risks Lives, Human Rights Watch report.

Free Speech

  • [June 27] Modi Government stops advertising in The Times Group, The Hindu and The Telegraph news paper, PGurus report;
  • [June 28] Modi Government freezes ads placed in Times of India, The Hindu and The Telegraph, The Wire report; The Deccan Herald report.

Data Protection

  • [June 24] UAE data protection law, similar to GDPR, likely landing this year, Tech Radar report.
  • [June 27] Home, IT Ministries discuss data protection bill, The Hindu report.
  • [June 27] National Centre being planned to hold and manage all public data, The Economic Times report; The Quint report.

Data Localisation

  • [June 26] Data storage rules out of e-commerce policy, Live Mint report; CNBC TV18 report; Medianama report.
  • [June 26] Government to decide if data issues need to be out of e-commerce policy, The Economic Times report.
  • [June 27] Personal data storage: Government not in a mood to dilute data localisation rule, Financial Express report.
  • [June 28] India stands by data localisation at G-20 summit, US opposes it, ETtech report.
  • [June 28] Data Localisation: What India can dictate, and what she can’t, Business Today report.
  • [June 29] India surrenders to US pressure on ‘data localisation’: Piyush Goyal and RBI send out confusing signals, National Herald report.

E-Commerce

  • [June 26] Not ready for global e-tail rules, India to tell G-20, ET Tech report.
  • [June 26] India to come out with national e-comm policy within 12 months: Piyush Goyal, ETtech report.
  • [June 27] The E-Commerce disaster that never was, The Economic Times report.
  • [June 30] Draft e-comm policy, data protection may figure at India-EU meet in Brussels on July 4, Your Story report.

Digital India

  • [June 26] Digital literacy drive needs more funds: MeitY, The Hindu Business Line report.
  • [June 27] RBI Committee recommends setting up Universal Enterprise ID, linkage across individual and enterprise PAN, Medianama report.
  • [June 27] MeitY expenditure under Digital India at Rs. 3,328 cr in 2018-19: Ravi Shankar Prasad, The Economic Times report.
  • [June 27] SEBI approves DVRs for tech startups, ETtech report
  • [June 28] Indian startups cheer differential voting rights, ETtech report.
  • [June 28] Nitin Gadkari proposed Alibaba like platform for MSME sector, Entrackr report.
  • [June 30] India’s OTT market will grow at 21.8% CAGR, PwC report says, ET Telecom report.

Cybersecurity

  • [June 25] Digital India’s response readiness against cyber attacks is frail, lack of online security awareness biggest weakness, Firstpost report.
  • [June 27] To avoid Huawei like situation, India plans desi WhatsApp for official communication ET Telecom report; Medianama’s take.
  • [June 28] Infosys cyber security unit sees rising demand as threats mount, ET Tech report.
  • [June 29] US FDA warns of cybersecurity risk to certain Medtronic insulin pumps. Live Mint report.
  • [June 29] Indian manufacturing industry at high cyber risk, The Asian Age report.
  • [June 29] Average DNS attack cost rises by 19% to $814,150 in APAC, ET Telecom report.
  • [July 1] As cyber attacks increase, Indian IT clients seek stricter contracts, more audits, ET Tech report.
  • [July 1] China increases cybersecurity industry development, Global Times report.

Telecom/5G

  • [June 24] DoT may move SC against Airtel, Tata Tele merger, The Economic Times report.
  • [June 26] Broadband forum seeks lower 5G spectrum prices, change in auction design, ET Telecom report.
  • [June 26] Government gets 6 proposals for 5G trials, including Huawei, The Economic Times report.
  • [June 27] Lack of 4G, staff costs slow down BSNL, MTNL, ET Telecom report.
  • [June 27] DoT, MeitY eye EU ‘toolbox’ to address 5G-related concerns, The Economic Times report.
  • [June 28] Telcos’ health needs to be vetted before 5G pricing, ET Tech report.
  • [June 28] Modi, Trump discuss India-US collaboration in 5G tech, ET Tech report.
  • [June 30] DoT will move cabinet with BSNL, MTNL package: Ravi Shankar Prasad, ET Telecom report.
  • [July 1] Ericsson, Nokia assure telcos of speedy 5G rollout, ET Telecom report.

More on Huawei

  • [June 24] Huawei offers to sign ‘no-backdoor’ pact with India govt, telcos to underline security commitment: CEO, The Economic Times report.
  • [June 24] UK’s approach to Huawei is flawed warns Ericsson’s US boss, Financial Times report.
  • [June 26] Nokia warns UK over using rival Huawei’s 5G kit, BBC report.
  • [June 26] Huawei claims 50 commercial 5G deals globally amid uncertainty in India, ET Telecom report.
  • [June 26] US-China trade war in 10 dates, ET Telecom report.
  • [June 26], Huawei’s telecom equipment is more likely to have flaws than rivals’ claims report by US cybersecurity company Finite State, Tech Radar report.
  • [June 26] India, US to discuss Huawei’s role in 5G trials, The Economic Times report.
  • [June 26] India may let Huawei conduct 5G trials defying trump ban, International Business Times report.
  • [June 27] Tech companies find legal ways around Huawei blacklist, ET Telecom report.
  • [June 27] Medianama’s Huawei roundup: Promise of ‘no backdoor’ pact, 5G trial proposal and more.
  • [June 27] Huawei personnel worked with China’s military on research projects, The Economic Times report.
  • [June 28] How the Huawei issue affects India, The Economic Times report.
  • [June 28] Nokia’s CTO slams Huawei after ‘potential backdoors’ found in 55% of its devices, Forbes report.
  • [June 29] Nokia distances itself from CTO comments about Huawei, Tech Radar report.
  • [June 28] As Trump and Xi talk trade. Huawei will loom large, The New York Times report.
  • [June 29] Trump surprises G20 with Huawei concession: US companies can sell to Huawei, Forbes report; Live Mint report.
  • [June 30] Huawei lifeline shows Trump prefers business deals over cold war, Live Mint report.
  • [July 1] Google gets nod to license Android for Huawei, ET Telecom report.

Big Tech

  • [June 26] Google accused of working to prevent Trump return in 2020, ET Tech report.
  • [June 26] Next Google Chrome browser extension to increase data protection, Mediapost report; Forbes report, Medianama report.
  • [June 26] Google and University of Chicago sued over data sharing, The New York Times report.
  • [June 28] Italy stings Facebook with $1.1 million fine for Cambridge Analytica data misuse, TechCrunch report.
  • [June 29] Google may have leveraged Android unfairly, says CCI, Inc42 report.
  • [June 30] Spotify leaking use data with music labels: Report, ET Telecom report.

Emerging Tech/ AI

  • [June 22] White House updated national artificial intelligence strategy, Defense One report.
  • [June 24] Tech Mahindra unveils AI-based Humanoid HR for its Noida facility, Business Standard report.
  • [June 25] IT firms are buying niche firms to grow in emerging areas like IOT, ET Tech report.
  • [June 27] Commission-appointed panel publishes recommendations for artificial intelligence research. Science business report. [Read the full report of the High Level Expert Group appointed by the European Commission here].

Cryptocurrencies

  • [June 26] Facebook’s crypto currency faces pre-G20 examination, Livemint report.
  • [June 27] Crypto exchange Koinex wraps up operations; laments apathy of regulators and banks, Entrackr report, ETtech report, Medianama report.

Tech and Law Enforcement

  • [June 25] Government surveillance at alarming levels: Forrester Global Map of Privacy Rights and Regulations, The Hindu Business Line report.
  • [June 28] Madras HC allows Internet freedom Foundation (IFF) to intervene to oppose plea for linking Aadhaar with social media accounts, Live Law report; Medianama report.
  • [June 29] Have social media companies helped TN Police combat cyber crimes? Affidavit in Madras HC has answers, Bar&Bench report
  • [June 30] Railway police mulls using Aadhaar to track unidentified victims, The Hindu report; Times of India report.
  • [June 30] War on fake news: Government to roll out guidelines for Google, Facebook, WhatsApp, ISPs, Financial Express report

Tech and Military

  • [June 24] Indian MoD approves procurement of 10 more P-8I aircarft for Indian navy, Jane’s Defense weekly report.
  • [June 26] Russia wants to fool its enemies by making its drones look like owls (Uri style), Newsweek report.
  • [June 26] Tatas may soon join queue for drone clearance from DGCA, ET Tech report.
  • [June 26] 41 pieces of space debris from India’s asat test still in orbit, six weeks after they were supposed to decay according to Harvard astronomer, The Independent report
  • [June 27] Defence minister to review services’ emergency weapon acquisitions for war preparedness, India Today report.
  • [June 27] India progresses import substitution projects under Make-II category, Jane’s Defence Weekly report.
  • [June 28] S-400 Triumf missile deal: India mulls Euro payments for Russian arms to escape US sanctions, Business Today report.
  • [June 28] Euro payment won’t end possibility of US sanctions on S-400 deal: Ex-Indian Defence Adviser, Sputnik International report.
  • [June 30] India signs Rs. 200 crore anti-tank missile deal with Russia, Live Mint report.

Opinions and Analyses

  • [June 23] Julian Vigo, Forbes, How cybersecurity is turning users into security experts.
  • [June 23] Nitin Pai, Live Mint, What it would take for India to become a proper space power,
  • [June 24] Satya Prakash, The Tribune, SC’s flip-flop on free speech.
  • [June 24] Tim Cushing, Tech Dirt (blog), Indian Government uses national security law, bad information to block twitter accounts all over the world.
  • [June 24] Michael Schmitt, Just Security (blog) Top Expert Backgrounder: Aborted US strike, cyber operations against Iran and International Law
  • [June 25] Rohan Choudhary, The Telegraph India, India’s strategic challenges in the near future will be naval, not continental
  • [June 25] Bryan Menegus, Gizmodo, This is how you’re being manipulated (by Big Tech)
  • [June 25] Prannv Dhawan and John Simte, Firstpost, Combating fake news: MEITY should allow legal-flexibility based on social media platforms over one-size-fits-all regulatory approach.
  • [June 25] Alon Muroch, Forbes, What’s preventing crypto from going mainstream?
  • [June 25] Geoffrey S Corn, Lawfare, The aborted Iran strike: the fine line between necessity and revenge,
  • [June 25]  Justin Sherman and Robert Morgus, Lawfare, The Confused US messaging campaign on Huawei.
  • [June 25] Live Mint Opinion, Accept Huawei’s offer.
  • [June 26] Sujan R Chinoy, IDSA Comment, Indo-US Defence Partnership: Future prospects.
  • [June 26] Lt Gen (Retd) DS Hooda, News18, India’s New Defence Cyber Agency Will have to Work Around Stovepipes Built by Army, Navy and Airforce
  • [June 26] Goutam Das and Sonal Khetrapal, Business Today,  Does the amended Aadhaar Bill circumvent Supreme Court’s order?
  • [June 26] Cameron F Kerry and Jon B Morris, The Brookings Institute, Why data ownership is the wrong approach to protecting privacy,
  • [June 27] Anirudh Rastogi and Ramani Ramachandran, ET Tech, RBI needs to overcome its fear of legitimate cryptocurrency usage
  • [June 27] Anrnab Dey, The Quint, What is India doing with all its big data?
  • [June 28] Samiksha Goel, Deccan Herald, 5G world will need new cybersecurity approach.
  • [June 28] Pravin Sawhney, The Wire, Nobody Should be surprised if this year’s defence budget hardly sees a boost.
  • [June 28] PK Vasudeva, The Statesman, A three-in-one position.
  • [June 28] Suhasini Haidar, The Hindu, At G20, India stands with developing world- not US, Japan- on 5G and data.
  • [June 29] Robert Farley, The Diplomat, Getting the world to comply with the US Huawei ban won’t be easy.
  • [June 28] Sidhant Kumar, The Economic Times (blog), Protection, or protectionist?
  • [June 29] Siddharth Sivaraman, The Sunday Guardian, Industrial development is a must for defence modernisation.
  • [June 30] Ephrat Livni, Quartz, Facebook’s Libra is spurring central banks’ interest in issuing crytpocurrency.
  • [June 30] Kamal Davar, The Sentinnel/ The Quint,  Security Agenda for Modi 2.0: A national security doctrine
  • [June 30] Arpita Mukherjee, The Pioneer, India should join e-commerce talks at WTO.
  • [June 30] Keshav Murugesh, The Hindu Business Line, Getting to the Digital Summit.
  • [June 30] Shobha Gupta, Bar & Bench, Section 66A: When a celebrated judgment of the Supreme Court cannot be implemented by the police.
  • [June 30] Nishant Sirohi, The Leaflet, AI Technologies: Putting human rights in the forefront.
  • [June 30] Eline Chivot, Financial Times, One year on, GDPR needs a reality check.
  • [June 29] Robert D Atkinson, Information Technology and Innovation Foundation, Trump was right to (Temporarily) Lift the Huawei Export Ban.
  • [June 30] Samir Saran and Richard Rahul Verma, The Print, Here’s how US and India can be major defence partners and take lead over Russia and China.

New EU-US Data Protection Agreement Imminent

Written by Siddharth Manohar

Data exchange flowing from the EU (specifically the European Economic Area) to the US currently has no legal framework regulating it. Does it mean that any data transfer from EU to US is illegal?  In my previous post on the issue I mentioned that the old agreement regulating the data transfer had been struck down at the Court of Justice of the European Union (CJEU). National data protection authorities in the EU have taken a pragmatic step by holding back on attacking all data transfer, until a new agreement is reached to replace the old Safe Harbour Agreement.

A breakthrough in this respect came about a couple of weeks back, with the European Commission announcing that they have agreed on a new framework to protect the rights of individuals who give data to US companies that process the data in their local servers. The agreement once finalised will replace the Safe Harbour principles in order to legalise the data transfer. This new framework, called the US-EU Privacy Shield, has three sets of strong obligations: data handling, transparency, and redress mechanisms.

The first major obligation is on US companies to make and publish commitments on data protection and individual rights. These commitments hold them accountable to US Federal Trade Commission (FTC), as well as the diktats of the European Data Protection Authorities (DPAs). The second consists of restrictions on surveillance practices by US state authorities. Any kind of surveillance will now be subject to clear limitations, safeguards and oversight mechanisms, and the methods will be only those that are necessary and proportionate. Mass surveillance has been completely ruled out, and meetings to review these practices have also been planned for future follow-up. The third part of this arrangement consists of a redress mechanism. European DPAs can refer cases to the US Department of Commerce and the FTC, and the option of alternate dispute resolution is also provided.

The parties are now working towards the measures required to put the new agreement in place, specifically the US, who will try to formalise the commitments made in the agreement. The European Commission on the other hand is preparing a draft for an ‘adequacy decision’ that member states can adopt to formalise the process on the EU side. The full text of the agreement is expected to be made available in the coming weeks.

The agreement has also come under criticism from privacy experts, who claim that the agreement suffers from the same weaknesses of the Safe Harbour agreement. They argue that this agreement is a mere political compromise that does not help protect the rights and data of users. This would require amendments to the national laws in both locations. Controversial provisions in US law that continue to authorise infringements on users’ rights are still effective, like Section 702, which allows for surveillance of data relating to non-US persons to be carried out in the US. Executive Order 12333, which deals with surveillance outside of the US, has no legal oversight mechanism whatsoever. It is these laws that will need amendments in order to make surveillance subject to conditions of necessity and proportionality.

The other persistent problems which have remained include the provision for self-certification, which provides inadequate protection against ensuring enforcement of privacy standards. A recent amendment to a Bill which would provide redress mechanisms for EU users to enforce rights over their personal data, also adds to the problems which plague the possible effectiveness of the new agreement. The long term solution to this situation does not look like it will arise from a single event or set of negotiations, and we now await the release of the full text of the agreement to see where we can go from here.

Nsa-eagle-white

A basic right is in danger

The post originally appeared in The Hindu on 31st July 2015.

The Attorney General’s argument questioning the right of Indians to privacy is wrong on two counts. But worse, it goes against the interests of the people on every count.

“While opinions may vary about Aadhar, the government is expected to act in the best interests of the people.” Picture shows biometric particulars being collected in Tamil Nadu. Photo: K. Ananthan

“While opinions may vary about Aadhar, the government is expected to act in the best interests of the people.” Picture shows biometric particulars being collected in Tamil Nadu. Photo: K. Ananthan

The last ten days have spelt dark times for the right to privacy. On one hand, the DNA Profiling Bill, which may result in a database of sensitive personal data with little to prevent its misuse, is being tabled in Parliament. On the other hand, the Attorney General took a shocking position in the Supreme Court of disputing the very existence of the right to privacy in the Aadhar case.

Undermining decades of evolution of this right through Supreme Court judgments, Mukul Rohatgi argued that it is necessary to put together a constitutional bench to determine whether the citizens of India have a right to privacy.

He is in the wrong for two reasons. The first is technical: he is mistaken in his assertion that M.P. Sharma v Satish Chandra and Kharak Singh v. the State of U.P. created legal doctrine that is no constitutional right to privacy. The second reason is political. A lawyer holding the Attorney General’s office should consider the appropriateness of using that office and public resources when denying that Indian citizens have privacy rights, which are universally recognised human rights. This is all quite apart from the fact that India has ratified the International Covenant on Civil and Political Rights, which unequivocally supports the existence of the right to privacy. The United Nations has gone so far as to create a Special Rapporteur on the right to privacy this year. In the context of US surveillance of its citizens, the Indian government has acknowledged the existence of the right to privacy.

In the Constitution

The two decisions that Mr. Rohatgi references did not raise questions about the right to privacy as a whole. Both confined themselves to the limited question of whether principles mirroring the US Fourth Amendment may be read into the Indian Constitution, which is only one element of the right to privacy. The M.P. Sharma case did this while ascertaining if there are any constitutional limitations to the government’s search and seizure of people’s homes, persons and effects; and the Kharak Singh case did this in the context of physical surveillance of ‘history sheeters’.

In M.P. Sharma, the judgment states, “When the Constitution makers have thought fit not to subject such regulation to Constitutional limitations by recognition of a fundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it into a totally different fundamental right by some process of strained construction” (emphasis added). This makes it clear that it is not the right to privacy as a whole that is being referred to. The American Fourth Amendment pertains to the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures”, not to the right of privacy in its entirety.

The M.P. Sharma judgment goes further to say, “It is to be remembered that searches of the kind we are concerned with are under the authority of a Magistrate… When such judicial function is interposed between the individual and the officer’s authority for search, no circumvention thereby of the fundamental right is to be assumed.” This makes it evident that the court desisted from intervening because it saw the requirement of a Magistrate’s order as safeguard enough.

Similarly, although the judgment in Kharak Singh contains the sentence with the ominous beginning “as already pointed out, the right of privacy is not a guaranteed right under our Constitution”, this sentence cannot be taken out of context. The ‘already pointed out’ refers to an earlier portion of the same judgment in which the court quotes the U.S. Fourth Amendment, and then declares that our Constitution does not confer any ‘like constitutional guarantee’. This makes it clear that it is the Fourth Amendment text specifically that the court was referring to.

The court also belied its own position by finding that unauthorised intrusion into a person’s home violates the common law principle of “every man’s house is his castle”. The judgment explicitly takes the position that Article 21 is a repository for residual personal liberty rights, leaving it open for future reading of such rights into Article 21.

It is apparent that the two cases do not rule out a broad constitutional right to privacy. It is almost impossible to consider the right to privacy in its entirety in a single case since it is a bundle of rights including everything from safeguards against unauthorised collection of personal data to restrictions on intrusion into private spaces. The cases that have emerged from the Supreme Court over the years make this apparent.

Different elements of privacy rights have been read into our right to life and our right to free expression. We have a right against untrammelled interception of our communication, and against doctors divulging personal medical information. Long before the Constitution or the Constituent Assembly came into being, the right to privacy of women in purdah was acknowledged by common law, which forbade the building of balconies above their quarters. We do, therefore, have a rich history of enforcing the right. Like many other nations, we called it by different names and have found it within legal and cultural norms unique to India.

It is common for lawyers to use every strategy they can to win cases but the Attorney General is no ordinary lawyer. S/he is a constitutional authority. It is inappropriate for someone of that stature to argue that the people of India do not have a right to privacy. Former Attorney General Niren De was criticised sharply for telling the Supreme Court that it could be helped if the right to life was violated during Emergency. Mr. Rohatgi’s argument is comparable.

This is a democracy, and while opinions may vary about Aadhar, the government is expected to act in the best interests of the people. Here, we have the Attorney General stepping away from arguing that the government’s actions are in the interests of the people to say that the people do not have rights in the first place.

It is not a case of the government’s lawyer arguing for the prevalence of the wider community’s interests over individual rights, or disputing what is in the interests of the majority of citizens. Mr. Rohatgi, on behalf of the Indian government, is making an argument that is blatantly against the rights and interests of all citizens of India.

Interestingly, the argument runs contrary also to the Minister of Communications and Information Technology’s statements recognising citizens’ right to privacy in the context of both US and Indian surveillance.

Time to clarify

This incident is about more than an argument made in court. It is a serious problem if the Union government makes statements that respect privacy and then takes actions that attempt to destroy it. It is also inconsistent for the government to argue internationally that the U.S. has violated Indian citizens’ right to privacy and then to argue before the Supreme Court that Indian citizens do not have the right to privacy.

Under the circumstances, it is necessary for the government to issue a statement clarifying its stand, which I hope will consist of some form of support for citizens’ privacy rights. Once this is clear, perhaps the Attorney General could continue the arguments that take his client’s wishes into account.

A clear statement from the Prime Minister’s office might also enable other ministries to ensure that they embed this right in their policies. This, for example, might have gone a long way in ensuring that cast-iron privacy safeguards were added to the DNA Profiling Bill.

Ignoring the right to privacy will not only affect India’s ‘global image’ more than any critical documentary does, it will also complicate international commercial relations. Who would send their information or employees to a country that disregards its residents’ right to privacy?

SC asks Govt to make sure Aadhar not mandatory to avail services

Author: Nikhil Kanekal

In a writ petition challenging the Indian government’s tacit insistence on citizens using Aadhar cards for public services,  the Supreme Court passed an interim order on Monday asking the government to make sure that no citizen is denied services for not possessing an Aadhar card.

A bench comprising justices B. S. Chauhan and S. A. Bobde directed the union government to ensure that “no person should suffer for not getting the Adhaar card inspite of the fact that some authority had issued a circular making it mandatory”.

The court also asked the government to make sure that Aadhar cards are not being given to illegal immigrants: “it may be checked whether that person is entitled for it under the law and it should not be given to any illegal immigrant.”

The government admitted before the Supreme Court that Aadhar cards were in fact not compulsory. To be sure, the Unique Identity Authority of India (UIDAI), which issues the Aadar cards as a universal identity to citizens, has said Aadhar is not mandatory for public services. However, it increasingly appears that basic public services are not available to citizens that don’t have an Aadhar card. This is being achieved by linking services with Aadhar. In some parts of India this could mean that a person needs to have a UID to get subsidized cooking gas. Although citizens are normally able to avail public services through various other forms of state-issued identification (such as passport, driver’s licence, voter ID, PAN card), the processes being followed by the central government and some state governments on certain public services (registration of marriage) and subsidies (cooking gas) has led many to believe that it is only a matter of time before Aadhar becomes mandatory in order to deal with the state.

In the instant case, a retired judge of the Karnataka High Court was told that he would not be paid his salary and dues, unless he got himself an Aadhar card. Unwilling to accept this, he filed a petition in the Bombay High Court.

An excerpt from a Press Trust of India report carried by Business Standard:

During the brief hearing, the bench of justices B S Chauhan and S A Bobde was told that despite the fact that the Aadhar card is “voluntary” in nature, an order has been issued by the Registrar of the Bombay High Court in pursuance of an order of the state government that it would be necessary for disbursal of salary of judges and staff also.

“The scheme is complete infraction of Fundamental Rights under Articles 14 (right to equality) and 21 (right to life and liberty). The government claims that the scheme is voluntary but it is not so.

“Aadhar is being made mandatory for purposes like registration of marriages and others. Maharashtra government has recently said no marriage will be registered if parties don’t have Aadhar cards,” senior advocate Anil Divan, arguing for Justice (retd) K S Puttaswamy, former judge of Karnataka High Court, said.