Surveillance vs Proportionality: Weighing the Indian Data Protection Framework
Across the world, the gap between the government and its people continues to widen. Today, technology plays a crucial role in the lives of people. This warrants attention of policymakers to all such concerns that people might have in respect to regulation of their data or information in public spaces. Yet, past evidence records data of citizens being utilized for more harm than good. Furthermore, these circumstances marginalise the already existing vulnerable populations. For example, if sensitive personal data of a trans-person is leaked during recruitment, they are more likely to be discriminated against. Such intersectional factors impede bridging this rift. In India, the Joint Parliamentary Committee Report on the Data Protection Bill, 2021 [hereinafter referred to as ‘DPB’] made an active step to chart a data protection framework to provide citizens with a sense of security over their data. The initial purposive aim of Personal Data Protection Bill, 2019 was to protect the personal data of individuals that could lead to ‘profiling’. However, with personal and non-personal data being clubbed under one framework [DPB], the initial purposive aim for creating a personal data protection bill post the Puttaswamy judgment in 2017 is now challenged. Through this note, we evaluate the surveillance legislations vis-a-vis proportionality test.
Laws Related to Surveillance
In the wake of the Mumbai terror attacks, India launched a Central Monitoring System coordinating actions between the law enforcement and security agencies to protect the state of security of the country and prevent any future attacks. However, with no existing data protection law, interception was allowed in cases of public emergency and interest of public safety through written government orders. The condition set for this was to be “necessary and expedient” to the aims of interception. Provisions of the Information Technology Act, 2000 [‘IT Act’] and the Indian Telegraph Act, 1885 provided for the interception of data and interception of callsrespectively. Yet, while the interception under Telegraph Act is only to be utilised in absolute necessity of ‘public safety’ and ‘public emergency’, the IT Act has a broader ambit including those of preventing the incitement to an offense or the investigation of an offense. This has been further widened with the inclusion of ‘public order’ under Clause 35 of the DPB, 2021.
Rule 3 of IT Rules, 2009 lays down the directions for monitoring of information on issues of cybersecurity by a competent authority. It also sets certain safeguards, including periodic oversight by the Review Committee. In spite of the safeguards provided, notable privacy concerns emerged over the amount of information to be intercepted. In 2012, the Group of Experts on Privacy [Chaired by Justice AP Shah] highlighted the absence of remedy to the ‘aggrieved parties’. Furthermore, in PUCL v. Union Of India, the court observed that the Telegraph Act only allowed for the revocation of an interception order. It provided no action against state officials in case of a wrongful breach committed on interception of calls or data of the individuals. Furthermore, the non-obstante clause included in the DPB poses a threat to few transparency and accountability mechanisms like Right to Information that citizens possess.
National security concerns noted by the JPC report on issues of terrorism cannot be contested. However, the challenge lies in the pre-emptory evaluation of events such as legitimate peaceful protests being termed as issues of national security. The vague definition of national security might lead to space for personal biases to proliferate and negligence over interception orders. Even today, despite earnest efforts of the law enforcement agencies in tackling crimes, lack of clearly defined standards and protocols cast a veil on credibility of work conducted by them. For example, under Section 91 of the Code on Criminal Procedure, these agencies can access potentially stored data over computer network and systems through summon orders, raising concerns beyond national security under DPB, 2021. These could possibly lead to infringement of the rights of citizens. It might promote self-censorship when people perceive that the disproportionate powers are utilised by the state in accessing private information, thereby, creating a new kind of citizenry.
Challenges in Applying the Proportionality Test
The recent DPB tabled by the JPC encouraged discussions in public forums on privacy concerns and if they were addressed by the new Bill. Civil society organisations identified that while the DPB imposes onerous obligations on the private entities to protect individual rights, there continue to be broad exemptions provided to the government. Privacy was held to be a fundamental right by the Apex Court in Justice K. S. Puttaswamy v. Union of India. To evaluate the legislation vis-a-vis the privacy concerns, a four pronged test was laid down as follows:
‘(a) A measure restricting a right must have a legitimate goal (legitimate goal stage).
(b) It must be a suitable means of furthering this goal (suitability or rationale connection stage).
(c) There must not be any less restrictive but equally effective alternative (necessity stage).
(d) The measure must not have a disproportionate impact on the right holder (balancing stage).’
The proportionality test, adopted by countries globally, is a shield protecting the civil liberties of individuals and against transgressions committed by the state authorities. Yet, the lack of adequate structures to ensure compliance and proper implementation of these legislations, particularly those related to data and rights of individuals, defeats the requisite protection proposed by the test in its pre-enforcement. The test also does not require the legislator to undertake any research/study to map whether the proposed law would achieve the intended purpose without gravely infringing the individual’s rights. Furthermore, the legislator is not required to conduct any assessment of existing legislations to see if the legitimate goal can be fulfilled by pre-existing law.
The perplexity further follows with the widespread use of technologies and artificial intelligence (“AI”), by law enforcement agencies, in creating databases of accused persons and individuals alike. The real world biases pertaining to race, gender, religion and other socio-economic influences are inherent in the foundation of AI programmes. For instance, the Delhi Police’s Crime Mapping, Analytics and Predictive System (CMAPS) that mapped crime hotspots in the capital was found to be discriminatory. The problem is further aggravated by a black box phenomenon which makes the algorithm opaque to the users. Black box conceals the inputs and processes used by the AI to reach a particular output, thereby, absolving the authorities of liability for the accuracy and correctness in decision-making.
Clause 35 and its Intended Challenges vis-a-vis Data Protection
Clause 35 of the Data Protection Bill, allows unrestricted powers to anybody in the central government to use personal data if it is ‘necessary’ or ‘expedient’ to do so, in the interests of national security. Personal data includes all such data, online or offline, through which a person can be identified. The Bill does not define what constitutes ‘expedient’ and ‘necessary’. There need to be safeguards and oversight by an independent body for orders related to preventing incitement to cognisable offence or maintaining public order. Lack of such regulations may lead to a probable misuse of the provision and curb the civil liberties of the people.
Regarding the applicability of proportionality test, such can only take place once an individual is aware if their rights have been infringed. Would the ends for meeting national security concerns be justified if the exemptions orders are unfounded and an individual unaware that their rights are infringed? The report of the Srikrishna Committee called forth for the pillars of data protection to be not shaken by vague and nebulous exemption. The lack of safeguards and heavy burden of responsibility in processing of the data by various stakeholders needs to be revisited.
Although many countries have a similar clause in their respective data protection legislations, the clause usually restricts the power of the central government to only those situations where it is ‘necessary’. For instance, Article 23(1) of the GDPR allows member states to impose only ‘necessary and proportionate’ restrictions on privacy rights. India’s move to include ‘expedient’ as a factor gives the government overarching powers without a non-partisan body.
Need for Judicial Intervention to Balance the Existing Powers of the State
As per the recent intermediary guidelines of 2021, a moot point for conferring wide interception powers on the state already exists. The guidelines are seemingly preposterous to the proportionality test and continue to operate. The clarification released by the MEITY states that the tracing order to the intermediary would be passed only when the alternative remedies have been exhausted. Unfortunately, there is no way to find what alternative remedies have been used by the State for investigation prior to passing of the tracing order. As for the RTI, records dictate the national security lens prevails over state liability to provide information and individuals’ right to know. In the existing case of Apar Gupta v. PIO, MHA, the petitioner filed several RTIs seeking information on the ‘number’ of interception orders passed by the state over the last few years. Despite the fact the petitions did not seek actual content or reasons for surveillance, the state failed to provide such information.
Whether the Data Protection Bill satisfies the proportionality test and ensures effective implementation, can only be adequately determined when the Bill takes shape of ‘the law’ and is challenged before the Court as violative of the right to privacy enshrined under Art 21. For now, as we understand, the judiciary presupposes legislative rationality of privacy of the citizens to the legislature. However, adequate ex-ante safeguards need to be put in place so that autonomy of people vis-a-vis privacy is not trampled upon. At the end of the day, the onus lies on the judiciary to prevent any arbitrary exercise of unbridled power delegated to the executive and ensure ends of justice for its citizenry.
 1997 (1) SCC 401.
This blog has been authored by Ayesha Mohanty and Bhoomika Agarwal, students of Amity Law School, Delhi. This blog is a part of RSRR’s Blog Series on the Right to Privacy and the Legality of Surveillance, in collaboration with the Centre for Internet & Society.