Editor's Note: A nation’s legal system is integral to how its citizens look upon issues that concern the country in general and their individual lives in particular. Despite having the world’s longest Constitution — not to mention, one that has gone through numerous amendments and the many directives by the Supreme Court that have secured the stature of de facto law, the Indian law books have struggled to evolve at a pace commensurate with the rapid changes society has undergone. As the load of being archaic becomes heavier on our law system, Firstpost introduces a 10-part series titled 'Letter of the Law' to push forward the debate on legal practices and the law itself. The series will explore a variety of aspects pertaining to Indian law through opinion and analyses. *** “They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” - Benjamin Franklin Aadhaar, India’s biometric identification system, which is the largest such project in the world, is in the eye of a storm lately. Though Aadhaar has become the focal point of debate on right of privacy, threats to data security and citizens’ rights to privacy go far beyond it. The Constitution of India does not provide privacy the status of a fundamental right, however, the same comes into existence upon widening the horizons of Article 21 of the Constitution ie right to liberty which states that “No person shall be deprived of his life or personal liberty except according to procedure established by law”. Since the Constitution of India does not specifically guarantee ‘right to privacy’, the determination of privacy as a right completely rests upon the interpretation of the judiciary, and has been subject to restrictions under various provisions and judgments of the Supreme Court of India. The recognition of privacy as a right first came up in the case of Kharak Singh versus State of Uttar Pradesh, wherein the Supreme Court interpreted that right to privacy is not guaranteed under the Constitution yet the said right is an essential ingredient of personal liberty which is implicit in Article 21 of the Constitution. Life as we know is something more than one’s mere survival and existence; therefore, the right to privacy is an inherent right to every citizen of the country. As things stand today, where the Government of India is taking a stand that the right to privacy is not a fundamental right and at the same time the government is promoting digitalisation, enacting policies and regulations permitting surveillance in cyberspace, telephones, email, personal messages etc through multiple agencies under the grab of national security, implementing national programmes like Unique Identification Number etc, it is imperative for India to enact stringent privacy laws. Evidentially, there has been a rampant use of technology by the masses on daily basis and as a result, the internet giants like Google, Apple, Facebook, WhatsApp and Microsoft have vast information about us, through malware, covert eavesdropping, and the unwarranted permissions we voluntarily grant social media sites and apps. There is an immediate need for a data protection law which emphasise a person’s rights to her personal data; require her informed consent to collect, process, remove or alter such data; oblige those who deal with data to keep it secure; and have a grievance mechanism to punish violations with hefty fines and imprisonment. Growing challenges of privacy The current laws on privacy are not at par with the growing developments in technology in India. The Information Technology Act, 2000 (IT Act) and the rules made thereunder, do entail certain provisions pertaining to data protection, however as privacy is not a right per se under any law in force, these provisions appear inadequate in addressing issues relating to sharing of, disclosure and retention of data and leave room for potential abuse. The Privacy Bill, 2010 was introduced by the Department of Personnel and Training, however though the objective of the Privacy Bill was to protect individuals’ fundamental right to privacy, the Privacy Bill primarily focused on provisions pertaining protection against the use of electronic/digital recording devices in public spaces without consent and for the purpose of blackmail or commercial use. Incidentally, the National Identification Authority of India Bill, 2010, which aimed at establishing a National Identification Authority for issuance unique identification number (called Aadhaar) to every resident of India, which would be linked to a resident’s demographic and biometric information, was also introduced. Neither the Privacy Bill, 2010 nor the National Identification Authority of India Bill, 2010, were enacted. With a view to conquer growing privacy challenges in the country and in order to effectively address the privacy issues, the erstwhile Planning Commission of India had directed the constitution of a ‘Group of Experts’ to identify the privacy issues and prepare a report on the same to facilitate authoring of privacy bill for India. The Expert Committee, which submitted its report in 2012, analysed various international privacy principles and the existing privacy legislations in India. According to the recommendation of the Committee, the Privacy Act should put into place a regulatory framework for both public and private sector organisations and further aim to harmonise all statutory legislations with respect to privacy laws in India.

Reuters

The report recommended fundamental ‘privacy principles’ in line with global standards including the EU, OECD, and APEC, which included the principle of notice, choice and consent, collection and purpose limitation, disclosure of information, security and accountability. Further, the Expert Committee also recommended the establishment of privacy commissioners, self-regulating organisations and co-regulation, to ensure implementation and enforcement of policies. The draft privacy bill of 2011, was modified based on the recommendations made by the Expert Committee, however, no definite timeline has been provided by the government in relation to the introduction of legislation to protect privacy of individuals. While the enactment of much needed privacy laws seems to be not a priority, the government is uncontrollably enacting policies and regulations for surveillance through systems like the Centralised Monitoring System, NITRA, NATGRID (for collecting data from across databases) in the interest of National Security and linking citizens and databases across the unique identity number in Aadhaar. If we look at the steps being taken by the government in relation to the implementation of these programs and the powers being granted to various governmental authorities under these legislations to monitor data over the telecommunications networks including interception of calls, tracking of IP addresses etc. it becomes evident that a specific privacy legislation is imperative and urgently required in order to safe guard the privacy of individuals. Monitoring and surveillance If we look at the establishment of the Central Monitoring System (“CMS”), which is a centralised telephone interception provisioning system installed by the Centre for Development of Telematics to automate the process of lawful interception; monitoring of telecommunications, there is a lack of clarity on the scope, functions, and technical architecture of the CMS. It is worrying that there is no specific law which mandates or regulates the CMS. Surveillance in India is primarily governed by the Indian Telegraph Act, 1885 (“Telegraph Act”) and the IT Act. Section 5(2) of the Indian Telegraph Act which empowers the Indian government to intercept communications on the occurrence of any “public emergency” or in the interest of “public safety”, when it is deemed “necessary or expedient” to do so in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states, public order or for preventing incitement to the commission of an offence. On the other hand Section 69 of the IT Act (as amended in 2008) grants the government with the power to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource if it is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognisable offence relating to above or for investigation of any offence. It is relevant to note that prerequisites of ‘public emergency’ and ‘public safety’ which were earlier nearly the same in the IT Act, and the Telegraph Act, have now been removed from IT Act with which the power of the government has become more extensive in relation to interception and monitoring of telecommunications.

Getty Images

While implementing the CMS, Department of Telecommunications also amended the Unified Access Services (UAS) License Agreement executed with Telecom Service Providers by providing a right to the government to monitor all telecommunications traffic and requires the data to be automatically transmitted to the CMS from the telecom service providers. Accordingly, the government has centralised access to all communications through the telecom service providers without the government having to approach the Telecom Service Providers for access to such data.

Such a centralised access by the government to such data not only raises concerns in terms of data security but also whether such interception falls within the ambit of the Telegraph Act and/or the IT Act, since there is no clarity on the extent of surveillance (will CMS be undertaking mass surveillance) and the rationale for such surveillance is being done (being “public emergency” or in the interest of “public safety”). In addition to the implementation of the CMS, the government had also setup the National Intelligence Grid (NATGRID), which is an integrated intelligence grid connecting databases of core security agencies of the Government of India. NATGRID would provide intelligence agencies real-time access to 21 databanks, including banking, credit card, income tax, election identity card, call records, PAN card and driving licence details. Again, there is no specific law which mandates or regulates the NATGRID. Internationally, the USA, the EU and the UK provide for specific laws in relation to lawful interception and surveillance. However, globally mass surveillance activities are being challenged by Human Right activists as being violative of privacy rights of citizens. The EU had also introduced the Data Protection Directive in 2006, which mandates the retention of metadata of internet and telephone usage, which was struck down by the European Court of Justice in 2014 on the grounds of infringement of privacy.

Similarly, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”), was passed in the Lok Sabha, despite being opposed on numerous grounds including the concerns regarding privacy and protection of biometric information and demographic data of citizens collected by the enrolling agency for issuance of the Aadhaar number. Though the objective of the Aadhaar Act is to provide for efficient, transparent, and targeted delivery of subsidies, benefits and services to individuals residing in India through assigning of unique identity numbers to such individuals, the Aadhaar Act creates a single database, a Central Identities Data Repository (CIDR), holding bio-metric as well as demographic information on every Indian, along with name, address, and phone number. Even though the Aadhaar Act was introduced post submission of the recommendations of the Shah Committee Report, the Aadhaar Act does not address some of the key principles enumerated under the Shah Committee Report. While the question whether there is any right to privacy guaranteed under our Constitution is still pending before the Constitutional Bench of the Supreme Court, the government is proposing to make Aadhaar mandatory for obtaining a permanent account number, filing your income tax returns etc. All this while, the Supreme Court, had previously stated that Aadhaar cannot be made mandatory and the production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen. However, with the Finance Act, 2017, it seems the order of the Apex Court has consciously been disregarded which has negated an individual’s freedom of voluntary enrolment. There is no doubt that people are evading taxes by maintaining multiple PAN. One estimate is that there are 19 million income taxpayers in India, whereas 250 million PAN cards are issued and Aadhaar can be an effective way to de-duplicate the PAN. Further, though the Aadhaar Act prohibits usage of bio-metric information for any other purpose other than generation of Aadhaar number and authentication, under the Aadhaar Act, Section 33(1) permits the disclosure of information including identity information or authentication records, pursuant to a judicial order by a Court not inferior to that of a District Judge. Further, Section 33(2) permits disclosure of information including identity information or authentication records (including bio-metric data) in the interest of national security if so directed by an officer not below the rank of a joint secretary to the Government of India specifically authorised in this behalf. The Section further provides that every such direction shall be reviewed by an ‘oversight committee’ consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, before it takes effect. The Aadhaar Act permits disclosure of information for ‘national security’ purposes but there is no clarity in relation to what extent the surveillance can be exercised by the government under the guise of ‘national security’. The Aadhaar Act, has similarities to the Identity Cards Act, 2006 of United Kingdom, under which national identity cards which were a personal identification document and European Union travel document, linked to a database known as the National Identity Register, were proposed to be issued. As in the case of the Aadhaar Act, when the UK Identity Card Bill was introduced, independent studies in relation to the proposed bill strongly recommended against the centralising storage of information due to privacy concerns. The Identity Card Act, 2006 has been repealed and the National Identity Register has been destroyed, due to privacy and cost concerns. What about Big Data? With the launch of government’s digital India, which aims to transform India into a digitally empowered society and the widespread increase in the number of internet users in India, which has led to a rampant growth in the amount of data and information about an individual that is available in the hands of private enterprises and the government, the concern about privacy and security in relation to ‘big data’ analytics is discernible.

Reuters

‘Big data’ refers to substantial and complex amount of data generated primarily by through internet access and usage. The significance of such data lies in the availability of such data in such volume through various sources such as Facebook posts, tweets, clickstream, online transactions, email, uploaded images, cookies, applications, smart phones etc. Such data is not merely restricted to one’s internet usage pattern but also encompasses data collected in real time, and pertaining to highly personal, sensitive behavioural patterns such as habits, likes, and dislikes, as well as travel, movements, health statistics, among others. As per recent data available in the public domain, Government of India ranks second (the first being the US) requesting Facebook to share user data from India. Irrespective of different states having different laws on privacy, privacy has been recognised as a fundamental human right in the UN Declaration of Human Rights (“UDHR”), the International Covenant on Civil and Political Rights (“ICCPR”) and in many other international treaties. The UDHR and the ICCPR are binding upon India, as India is a signatory to both of these conventions, however no consequent and explicit legislation has been passed by India in this regard. Countries across the globe have formulated privacy laws and laid down principles in accordance with the privacy requirements that their country raises. With ‘right to privacy’ being a fundamental right being questioned, the substantial growth and development in the technology sector, widespread growth of Internet users, the digital India program, implementation of CMS, NATGRID, Aadhaar and other government initiatives, a comprehensive legal framework that governs both the private companies and the government agencies needs to be implemented in line with the global data protection policies and the international human rights standards. The lack of any comprehensive legislation in relation to privacy, surveillance, power and authorities of the government agencies to request for data and surveillance, protection and destruction of such data collected endangers the privacy of individuals as the limited provisions under the existing laws are not enough to deal with the development of the information technology sector and the government initiatives to collect, intercept, decrypt and store data in the interest of national security. Further, there is a need to amend the current regime to provide for greater transparency, accountability and clarity on the scope, functions, and technical architecture in relation to India's surveillance framework. Evidentially, the right to privacy is a right to be negotiated and more to be seen on the government initiatives as we move along. You can access the rest of the series here.