LSAT
LSAT

Conflict and Scope of Fundamental Right to Privacy: Who’s Watching You?

vFlat - Smart & Quick  scanning experience
vFlat - Smart & Quick  scanning experience

If George Orwell were to rewrite 1984 today, he would probably rewrite the conflicts to the fundamental right to privacy that the sovereign states offer. The challenge to the right to privacy presents itself as an excuse to safeguard ambiguous threats and interests. Between this or that and ‘public interest’ or ‘individual privacy, the fundamental right gets neglected. Thus, these ambiguities often favour the state and its negotiation of rights instead of individuals. Shiv Chhatrala and Saloni Pradhan write about the changing meaning and conception of the right to privacy. They also attend to challenges posed by conflicting rights through examples from recent privacy lapses in India. This article is part of the Constitutional Rights Series.

fundamental right to privacy

By Shiv Chhatrala and Saloni Pradhan. Shiv and Saloni are Bachelor’s in Media Studies, Economics, Political Science from Christ (Deemed to be University), Bengaluru

Introduction

In a digital economy like India, collecting personal information and sensitive data is the new normal. Everything from our debit card details, passwords, fingerprints to social media accounts and locations are afloat in cyberspace, and not so surprisingly, there are many takers for it too.

Such sensitive information is often misused, manipulated and archived as an extension of your identity. Thus, we and our data often immortalise despite its purpose or need. The Aadhar Card data breach is a case in point for such a violation of privacy.

The lack of protectionist legislative measures enables a surveillance state run by both the government and chronic capitalism. Especially during an emergency such as the Covid pandemic, boundaries are blurred.

During the Covid-19 pandemic, contact tracing apps became a norm in many countries. Similarly, India had its own version,  the Aarogya Setu App (App). The Ministry of Home Affairs had made it mandatory to download the App, especially for travels etc. Despite several challenges to the same, the right to health and privacy were often pitted against each other.

Apart from the exception of the pandemic, today, governments are innately intrusive in procuring information using facial recognition and other means in the name of national security.

Although the Supreme Court has read the right to privacy as a part of the fundamental right to life and liberty promised under Article 21. However, the lack of comprehensive legislation that offers protection without bargaining only reinforces the Indian state’s intrusion.

The recent scoop by more than eighty journalists on the Pegasus data leak by NSO Group, an Israel-based company selling surveillance software, only proves that privacy is precarious. India was one among other countries allegedly associated with the NSO group for ordering such information. Amidst this scoop and increased curb on dissent in recent years, the Personal Data Protection Bill introduced in 2019 seems like a trite exercise.

But more so than ever, these data leaks and unfettered state control over information calls for a nuanced discussion. Thus, in the light of the pandemic, the Data Protection bill, the Aarogya Setu App and other instances that project the state’s insecurity and data intrusion, this article will elucidate the importance of protecting the right to privacy.

The article will trace back the first inference to privacy in the Constituent Assembly Debates to the making of privacy jurisprudence in India. It will then understand the tiff between the fundamental right to privacy and health, and how in the name of a public health emergency, the Aarogya Setu App invaded privacy. Then the article will challenge the inverted logic of the Indian state where it demands privacy but simultaneously refrains from sharing accountability. Finally, the piece will see the Data Protection Bill in the light of the Aadhar data breach and increasing surveillance tendencies of the state.

Validating the Fundamental Right to Privacy: From Constitutional History to History in Making

 Simply put, the right to privacy refers to the legal framework that provides legal protection to individuals and their data. Internationally, the right to privacy is prescribed in Article 12 of the United Nations Declarations of Human Rights (UDHR) 1948 and Article 17 of the International Convention on Civil and Political Rights (ICCPR) 1966. The right to privacy legally protects an individual against ‘arbitrary interference’.[1] India is committed to ICCPR as well as UDHR.

The right to privacy made its first appearance in the Constituent Assembly Debates when Kazi Syed Karimuddin, a member of the Constituent Assembly and Rajya Sabha in independent India, moved clause (4) under Article 14.

On December 3, 1948, KS Karimuddin proposed protection against unreasonable searches of houses, papers and persons. He argued against such searches because laws like the ‘Goonda Act’ or ‘Public Safety Act’ gave excessive power to the executive. These acts offered no legal representation and required no warrant for arrest. [2]

His argument stemmed from his concern for the Muslim minority groups who had faced the wrath of unfounded suspicion earlier. Additionally, as part of the ‘States and Minorities Report’, Dr B.R. Amedkar, KM Munshi and Harman Singh strongly voiced the need to include privacy as a fundamental right. Plus, Somnath Lahiri, a member of the Constituent Assembly from West Bengal, favoured protecting citizens’ right to privacy. Lahiri had also objected against the curtailment of freedom even during grave emergencies

In his book, ‘Privacy 3.0: Unlocking Our Data-Driven Future’, Rahul Matthan states how the many Constituent Assembly members were against making privacy a  fundamental right, including BN Rau and Alladi Krishnaswamy Ayyar. He writes,

“One of the more vocal critics was Alladi Krishnaswamy Ayyar, who voiced his vehement dissent in his comments on the draft”

Matthan continues to expound on BN Rau’s reservation with the inclusion of the right to privacy,

“According to him (BN Rau), such a right could place impediments in the way of law enforcement, particularly given the fact that India was a large country where the administration of criminal justice was bound to be difficult… His principal objection to the inclusion of privacy as a fundamental right seemed to stem from a concern that allowing for such a right would make the administration of justice in a country as large as India difficult.”

Though privacy wasn’t accepted as one of the fundamental rights but only four years into independence, it was mentioned again. As a result, the Indian judiciary had to deal with questions regarding privacy.

In 1954, in M.P. Sharma v. Satish Chandra,  the Supreme Court made a passing mention on the right to privacy. In this case, the Court had to decide whether search and seizures were unreasonable and offered restrictions on various petitioners’ rights.

In Kharak Singh v. the State of Uttar Pradesh (1962), the petitioner was first released in a dacoity case. However, despite his release, the police classified him as a ‘Class A history-sheeter’, putting him under surveillance.

The petitioner Kharak Singh challenged the constitutionality of the Police Regulations and argued that the same inflicted his right to personal liberty under Article 21 and his right to privacy. However, the Court did not consider ‘privacy’ as a right under the Constitution. Hence, its violation in the particular case was not considered an infringement. But Justice Subba Rao, one amongst the six judges, opined that the right to privacy was an ‘essential ingredient of personal liberty. He stated:

“It is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.”

After more than a decade to Kharak Singh Judgment, a three-judge bench in Govind v. State of Madhya Pradesh & Anr faced a similar issue.

In this case, The petitioner Govind challenged the validity of Regulations 855 and 856 of the Madhya Pradesh Police Regulations under the Police Act. The petitioner alleged that he was framed and put under surveillance, violating his rights under Article 19 (1) (d) and 21 of the Constitution.

Despite giving ample space to the discussion on the right to privacy, the Court held that the procedures challenged by the petitioner were reasonable. Still, even if granted, the right to privacy was not absolute. The Court said:

“Even if we hold that Article 19(1)(d) guarantees to a citizen a right to privacy in his movement as an emanation from that Article and is itself a fundamental right, the question will arise whether regulation 856 is a law imposing reasonable restriction in public interest on the freedom of movement falling within Article 19 (5); or, even if it be assumed that Article 19(5) does not apply in terms, as the right to privacy of movement cannot be absolute, a law imposing reasonable restriction upon it for compelling interest of State must be upheld as valid.”

Among other judgements that dealt with privacy include T Sareetha v. T. Venkata Subbaiah (1983). This judgment connected privacy with one’s body. In this case, Venkata Subbaiah filed a petition for restitution of conjugal rights under the Hindu Marriage Act with film actress T. Sareetha. The judgment stressed that restituting conjugal rights against the will of T. Sareetha would be a violation of her mind and body. Hence,  a violation of her right to privacy.

After the T Sareetha case, several other judgments spoke of privacy. But Naz Foundation vs Government Of Nct Of Delhi (2009) deserves a notable mention here.

Justice Ajit Prakash Shah, who was among the two judges presiding over a petition seeking decriminalisation of section 377, spoke of privacy in detail. In a compelling judgment, J. Shah stated that Section 377 invaded an individual’s rights to dignity and privacy. Advancing that the state must not interfere with ‘consensual sexual acts between adults in private on the ground of public morality’.

Read more on decriminalisation of Section 377 here.

While several cases after the Naz Foundation case deliberated on the right to privacy, but this article directly engage with the historical case, KS. Puttaswamy (retd) Vs. The Union of India. On August 24, 2017, a nine-judge bench recognised the right to privacy as a fundamental right under Article 21 of the Indian Constitution.[3] 

The KS. Puttaswamy Judgement has an expansive scope of protecting the fundamental right to privacy of an individual. The case first came to Court in 2012, when Justice K.S. Puttaswamy, a retired High Court Judge, challenged the validity of the Aadhaar Scheme for the first time.

In 2015, a three-judge bench referred the matter to a larger bench for establishing whether the right to privacy was a fundamental right. The case was first placed ahead of a five-judge bench. And Again, ahead of a nine-judge bench, which considered Aadhaar as obstructing an individual’s fundamental right to privacy.

Six separate but concurring decisions unanimously agreed that the right to privacy was a fundamental right under Article 21. The Judgement pronounced is considered prolific and nuanced, most of which was authored by Justice D.Y. Chandrachud.

Justice D.Y Chadrachud stated that privacy was innately connected to the right to personal liberty. He further stated that without privacy, an individual exercised futile control over their own personality. Thus, according to him, privacy is an inherent natural right, ‘inseparable from human personality’.

The following statement best reflects the Judgement:

The Right to privacy is inextricably bound up with all exercises of human liberty – both as it is specifically enumerated across Part III and as it is guaranteed in the residue under Article 21. It is distributed across the various articles in Part III and, mutatis mutandis, takes the form of whichever of their enjoyment its violation curtails.”[4]

Fundamental Right to Privacy Versus Public Health Emergency

The aggressive mechanism of contact tracing, revealing the name of patients in health emergencies, became a critical privacy concern at the beginning of the pandemic. Several argued that privacy could not be defended in the face of a public health emergency.

In the same vein, Vaishnavi Gholave, a law student, and Mahesh Gadekar, a farmer from Solapur, filed a Public Interest Litigation (PIL) that sought disclosure of Covid patients’ names.

Mentioning this PIL is essential as it addresses the core issue regarding the conflicting understanding of the fundamental right to privacy and health. The PIL stated that when there is a clash between the right to life and the fundamental right to privacy, courts need to prioritise the former to keep with the public interest.

In hearing the case, the division bench comprising Justice Sayed and M.S Karnik observed that there was no need to reveal the patients’ names to prevent the surge.

In fact, the government argued against revealing patients’ names as the same could have furthered the fear of stigmatisation. They argued that individuals’ right to privacy would be jeopardised if patient confidentiality was not maintained.[5]

Here KS Puttuswamy gives some wisdom.

In KS. Puttuswamy Vs. Union of India and Ors, the Supreme Court observed a difference between anonymity and privacy. Privacy prevents access to one’s information, while anonymity hides what makes it personal. Justice DY Chandrachud stated,

if the State preserves the anonymity of the individual it could legitimately assert a valid state interest in the preservation of public health to design appropriate policy interventions on the basis of the data available to it.”[6]

Aarogya Setu and the Fundamental Right to Privacy

The Indian government developed the Aarogya Setu App to track the Covid-19 pandemic. It reasoned that the same was a measure to prevent the spread of the virus. However, the application and its invasive features invited criticisms, controversies and court cases.

Many tech experts have argued that the App offers weak privacy control and collected excessive personal information from users.

On May 1, 2020, during the first wave of the Covid-19 pandemic, the Government of India made the Aarogya Setu App mandatory, especially for people residing in containment zones and for those who were travelling inter-state. The App traced one’s location continuously and used Bluetooth technology for contact tracing.

The Centre issued a directive under Section 10 of the Disaster Management Act, allowing the Centre and states to collect data.

According to Aarogya Setu’s privacy policy, the App could continuously track and collect users GPS information every 30 minutes to the server. The FAQs uploaded by the government stated that the personal information collected at the time of user registration would be:

“used by the Government of India in anonymised, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country.”

Additionally, it enables the government to collect demographic information of a person registered on the app. In case an individual is positive or ‘at-risk’, a 30-day log of their previous contacts is uploaded to the server and is further shared with the health authorities. Not only this, those without a smartphone are as much under surveillance. For non-smartphone users, the government enabled tracing using cellular triangulation.

Curious Case of Aarogya Setu App?

Furthermore, the government has been vindictively sheltered in matters concerning the Aarogya Setu App. It appears so because an RTI activist and journalist, Saurav Das, had to file a complaint with the Central Information Commission (CIC) after his request to reveal the source of the Aarogya Setu App went unanswered.

Since May 2020, Das was trying to obtain information regarding the Aarogya Setu App through several RTIs to understand the proposal for the app and various parties involved in its making. However, the Public Information Officers of the National Informatics Center (NIC) and the Ministry of Electronics and Information Technology (MeitY) said they had no information on who made the App. Therefore, in September, Das complained to the CIC owing to the silence over the origin of the app.

Attending to Das’ complaint, the CIC had issued a show-cause notice to Public Information Officers from the MeitY and NIC to explain why they must not be penalised for obstructing information. However, it didn’t allow Das to be part of the complaint hearing.

Also, though the NIC first gave an ‘evasive’ reply to the RTI filed by Das. Later, Abhishek Singh, CEO of MyGov and Digital India, clarified that the application was created by NIC and the Information Technology Ministry in partnership with a private entity.

But the question arises, why didn’t the Ministry and concerned government authorities respond to Saurav Das’ RTI in time? Also, despite recognising the government’s fault, why didn’t the CIC allow Das to be a part of the complaint hearing? As the question to these answers remains unattended, it becomes the cause for more suspicion.

Experts have also stated that the government can use this application as a surveillance tool. Even though the government boasts that the App preserves anonymity, the application’s privacy policy doesn’t explain why geolocation is linked with users demographic information.

Moreover, users do not know if the government is adhering to India’s Information Technology provisions while agreeing to the terms and conditions that don’t hold the government liable for any unauthorised access to the user’s information.

The purpose of the App is to make people aware if they are at risk of COVID-19. However, the App enables the government to share raw data (personal information) with other agencies for administrative purposes. Such indeterminate privacy policy allows for opacity in state functioning and a severe reduction of accountability to the citizens.

The governments’ flippant stand on the Aarogya Setu App has also swayed the needle of suspicion. For instance, in June 2020, cybersecurity activist Anivar Aravind had filed a petition against the mandatory use of the Aarogya Setu App. While responding, the Additional Solicitor general MN Nargund, speaking on behalf of the government, submitted that the app was not mandatory for a person travelling from rail or air.

However, only this year, in February, the  Ministry of Health and Family Welfare issued a set of SOPs to be mandatorily followed by all employees. And the same included installing the Aarogya Setu App. Following this order, the government has gone back and forth, making it compulsory to voluntary first and then mandatory again. Thus, further inducing confusion as to how must the App’s power and function be perceived.

Even though the government, on several occasions, countered the claim of surveillance levelled against the App, it has deviated from its reasoning several times. The most recent example is a series of judgments where the courts have asked the accused to download the Aarogya Setu App while granting bail.

For instance, in April this year, while granting bail to Umar Khalid, the Delhi Court mandated Khalid to install the Aarogya Setu App on his phone.

Public Health and Individual Privacy

The security of a nation is mainly contingent on the safety of its citizens and public health. Given that security is ensured via government regulation and laws, it is paramount that legislation in any country is comprehensive, transparent, and of the people’s general will.

Even if there are clashes, there exists machinery to interpret and settle disputes.

However, come 2020, the situation has changed. As stated above, privacy and public health have clashed where the government is involved. Since privacy is a fundamental right and intrinsic to the right to life and personal liberty, it is considered a requisite for the safety and dignity of an individual.

But does a health emergency allow the government to curb this right that is intrinsic to a person’s very being?

While no right is absolute, an injudicious infringement by the state itself in the name of public health is a serious concern.

Contact tracing apps take first place. Since the right to privacy owes its roots to the right to life and personal liberty, many have argued that contact tracing and other surveillance methods to protect public health are justified.

Article 47 of the Indian Constitution prescribes the state to protect public health. In light of this, should the right to privacy cede to the state’s duty? And is the state right in creating an App that could threaten one’s privacy?

Before answering the same, there are other factors to consider. The major one is that the Indian Council of Medical Research (ICMR) database already collected patient information, including location. Thus, the App was not needed in the first place.

Unlike ICMR’s database, which is guarded by strict medical norms, one cannot be sure of the same for the App. Therefore, the security of Aarogya Setu App data, as established above, is already questionable. Moreover, the consequences of data leaks and the data being used by other governmental agencies don’t bode well for the public.

Such data has a very high chance of being misused. For instance, it could be sold in data markets or used for surveillance by other government departments. Further, there is no legislation governing the data collected by Aarogya Setu or any other state government contact tracing apps.

The Indian government’s opportunism here is at its best. A health crisis is being used to pit laws against each other, and all the while, it is the state that takes potentially dangerous powers (data) into its hands but not the responsibility that comes with it.

Reasoning from National Security: A Little Too Convenient?

In 2020, the government decided to ban 59 Chinese apps in June, as the border tensions aggravated. After witnessing a fatal face-off between Indian and Chinese armies, the government stated that the apps were prejudicial to the sovereignty and integrity of India. Moreover, the compilation of data, mining and profiling by elements was reasoned as a threat to India’s national security and defence.

So far, 267 Chinese applications have been banned in India, including globally recognised apps like PUBG mobile, TikTok, Weibo, Wechat, AliExpress, etc.

To justify the ban, the Ministry of Electronics and Information Technology issued an official statement, saying:

“Ministry of Electronics and Information Technology has issued the order for blocking the access of these apps by users in India based on the comprehensive reports received from Indian Cyber Crime Coordination Center, and the Ministry of Home Affairs.”[7]

The Indian government used Section 69A of the Information Technology Act to issue the ban of these apps. India’s decision of proscribing Chinese apps was appreciated across the globe and seen in a positive light to protect its citizens’ privacy.

While these apps got suspended, they were once approved by the government to function in India. And Chinese apps were not the only ones collecting and storing personal data in India. So far, in India, companies are not obligated to report or justify the storage and processing of collected data. So the intent of banning apps sounds vague, and it is not a permanent solution either.

Should the government be genuinely concerned about national security and individual data privacy, it would introduce a strict regulatory framework for international and domestic players in cyberspace.

According to the government, it was an emergency that required quick decision-making. Hence banning apps was a way of protecting national security. However, no one can gauge if the app ban is indeed protecting our data.

Recently, what has come out as the Pegasus scoop stems way back to 2019. In November 2019, reports of data breaches via the messaging App WhatsApp had upsurged, alleging snooping activity in a phone of 120 activists, lawyers and journalists. Then too, the Pegasus spyware, created by an Israeli firm, the NSO Group, was used to spy on journalists, activists and the like.

While the MeitY had asked WhatsApp to clarify the breach of privacy in October 2019, the US-based Messaging App had responded that the government was informed regarding the same back in September.

Further, in 2020, WhatsApp denied all allegations that its data could be hacked by the Israeli Spyware Pegasus ahead of Chief Justice of India SA Bobde’s Bench. The bench was hearing a plea filed by the Rajya Sabha Member of Parliament Binoy Viswam that challenged the security of WhatsApp’s payment gateway concerning RBI regulations on data collection by UPI portals.

The collection of data by Amazon, Facebook, WhatsApp, and its eventual sharing is a blatant breach of privacy and a violation of the National Payments Corporation of India (NCPI) norms.

However, RBI and NPCI were letting these corporate giants get away with the violations, thereby risking users data privacy.

Coming back to the Chinese apps ban, the government didn’t furnish much detail. It only justified it under the IT Act owing to national security concerns. However, internet policy experts say that this trend of banning apps is dangerous because it lacks transparency.

Whenever such decisions are taken and justified ambiguously, they always lack transparency. Moreover, bans cannot always be the way to secure user’s information that has already been shared.

When speaking about the Chinese ban, Apar Gupta, a lawyer and executive director for the Internet Freedom Foundation, pressed for legislative means. He furthered that penalties must be justifiable under ‘prescriptive practice’ instead of such temporary bans.

Right To Information vs Right to Privacy: Hypocrisy?

While the government seeks openness and personal information from citizens and subjects, it hardly adheres to such transparency itself. For instance, several governments have misused Section 8(1)(e) of the Right to Information Act, the Section states:

“information available to a person in his fiduciary relationship, unless the competent authority is satisfied that the larger public interest warrants the disclosure of such information”

It often shelters under the same and Section 9 of the RTI Act. Section 9 allows any information officer to reject a request if the same would amount to infringement of copyright subsisting in a person or a state.

Section 8(1)(j) of the RTI Act provides that there can be no obligation to provide personal information, which has no relation to the public activity or interest. And also, if the same warrants an individual’s invasion of privacy.

A classic instance where the government has employed this trick to escape accountability is the non-disclosure of electoral bonds. Electoral bonds were introduced in 2017 through amendments to the Income Tax Act, RBI Act, and the People’s Representation Act. The amendments were made through the Finance Act in 2017.[8]

These amendments were challenged before the Supreme Court since they gave political parties unlimited and unchecked funding. However, during the hearing of the case in 2019, Attorney General KK Venugopal defended the scheme on behalf of the central government. He said:

“Voters have right to know what? Voters don’t neet to know where money of political parties come from.”

While the government constantly seek exceptions to the right to privacy, it left no stone unturned to facilitate non-disclosure and opacity.

On December 21, 2020, Chief Information Commissioner Suresh Chandra rejected a PIL filed by Vihar Durve, saying that there is no public interest in superseding the donors’ right to privacy and donees of electoral bonds.

The CIC stated that disclosing the information of donors and donees of electoral bonds from the books of the account will contradict sections 8 (1) (e) and (j) of the Right to Information Act. Furthermore, it stated that no citizen is obligated to reveal personal information if it has no relationship with the public sphere.[9]

In a similar case, Girish Ramchandra Deshpande v. Central Information Commission, in deciding whether the CIC could reject the personal information of a public servant, the Court said that documents such as a letter of assets, tax returns, gift received etc., and are exempted from disclosure.

The same shows a very convenient stand and makes it even harder to determine what comes under ‘public interest’.

Challenges, especially where one right is pitted against another, are complicated. In the end, the courts have to decide which one supersedes the other. Unfortunately, the government often chooses a convenient stand, constantly arguing from ‘public interest’ or ‘security’; and often misuses the same.

On the one hand, in protecting privacy, the government banned Chinese apps and veiled funding sources under the garb of electoral bonds. But, on the other hand, no regulation in cyberspace can guarantee data privacy, as it directly controls citizens’ personal information. Moreover, the government itself uses apps that collect data but do not guarantee data privacy.

When it comes to administration and governance, people helplessly give up their privacy to the state due to adversaries such as the pandemic, war or other emergencies. All this shows how the state can use the fundamental right to privacy as a tool to fulfil their motives and interests by using vague terms like ‘public emergency’, ‘public interest’ and ‘national security’ as excuses.

Surveillance and the Right to Privacy

Surveillance by law enforcement authorities in India has always been an accepted practice. In modern times surveillance is carried out via tapping or interception of telecommunication messages, etc. The two most important legislation in this context is the Indian Telegraph Act, 1885 and the Information and Technology Act, 2000.

According to both these Acts, the government can invade an individual’s privacy based on national security, friendly relations with foreign states, public order to prevent incitement and for the commission of an offence.

The Indian Telegraph Act allows the government to order the interception of messages under two conditions, public emergency or in the interest of public safety.

However, as discussed above, the terms’ public emergency’ and ‘public safety’ remain vague, permitting the government to invade an individual’s privacy under such circumstances.

There are many instances of privacy breaches by the government in the name of circumstances mentioned in the acts regarding data privacy. The Indian government, along with the private sector, continuously expands digital infrastructure to offer various services. And the same threatens the security of citizens.

So far, India doesn’t have any legislation to protect individual’s privacy when it comes to cyberspace. Instead, central and state governments create several databases for governance, taxation, financial policies and other welfare purposes.

Schemes like the Unique Identification Authority of India (UIDAI) that stores all the biometric and demographic information of Aadhar card holders allow the government to access mobile phones, the internet and landlines without any authorisation.

In this regard, India has three main surveillance systems,  Central Monitoring System (CMS), Network Traffic Analysis (NETRA) and National Intelligence Grid (NATGRID).[10]

In December 2020, the Centre for Public Interest Litigation, an NGO, filed a petition against CMS, NETRA, NATGRID, alleging that these systems enabled ‘360-degree surveillance’. It claimed that such surveillance systems allowed law enforcement agencies to intercept and monitor telecommunication data in bulk. And the same offered a severe threat to privacy. Following this, the Delhi High Court issued notice to the Ministry of Home Affairs, Information and technology seeking their stand.

The petition claimed an insufficient oversight mechanism to authorise and review the order issued by the state agencies.[11]

The Centre, in its response, repudiated any such claims, defending the need for such surveillance systems for ‘speedy collection of actionable intelligence, the government replied:

“grave threats to the country from terrorism, radicalisation, cybercrime, drug cartels, etc., cannot be understated or ignored

Surveillance can be an essential exercise of sovereignty and may be deemed a precautionary measure against national threats. However, any government can mould this practice in their favour. The same incentivises the government with a copious amount of personal information over citizens.

Data surveillance can serve as a tool for any political party, helping them strategise against or favour different target groups. And the same holds in the current polarised environment. The question remains, how far is too far?

After recognising the right to privacy as a fundamental right, there are few instances where acts of surveillance have been questioned in favour of privacy rights.

The Bombay High Court in Vinit Kumar Vs. Central Bureau of Investigation (2019) outlined the purview of the state’s power to surveil its subject, especially on the matters which do not concern the ‘public emergency’ or are not in the interest of ‘public safety’. In this case, a businessman was accused of bribing bank employees to avail credit.

The petitioner, Vinit Kumar, challenged the CBI’s orders to intercept his telephone calls issued under the interest of public safety. It was argued that such orders were ultra-vires of Section 5(2) of the Indian Telegraph Act and violated the petitioner’s fundamental rights guaranteed under Part-III of the Constitution of Inda.

The Court read and understood the meaning of ‘public emergency’. In doing so, it stated that the impugned interception orders didn’t qualify the same. Additionally, these orders couldn’t satisfy the test of ‘priciples of proportionality and legitimacy’ laid down in the Puttaswamy judgment.

In this way, it limits the power of state surveillance and protects the fundamental right to privacy.

Aadhar Data Breach Case

An example of the Indian state’s expanse of surveillance is the Aadhar data breach case.

In February 2019, the World Economic Forum (WEF) announced the Aadhar data breach in India as the largest recorded in its Global Risks Report.

What happened, you may ask? The UIDAI government ID suffered data breaches amounting to the compromise of 1 billion + citizens data. The issue came to the fore in 2018 January, when personal information of citizens was sold at a rate of INR 500. This lasted 10 minutes before the damage was too late to be mitigated. Later, such a leak crept up again in a Jharkhand, wherein users could easily download IDs and information from the site.

Aadhar Cards were created to be a unique ID for Indians. It is linked to all our bank accounts, our PAN and Voter’s Card, our job applications, and contracts. Its validity extends to buying tickets, as proof of residence and age, as an identity at hospitals, airports, banks, etc. A lot of our daily life is intricately linked with the Aadhar card. And for the same reason, the apparent lapse in cybersecurity could cost us a lot.

Personal Data Protection Bill

In India, the Personal Data Protection Bill, which stands tabled at the moment, arose from the 2017 Supreme Court ruling that stipulated privacy to be a fundamental right.

A Committee of Experts, set up in 2017 with Justice B. N. Srikrishna, came up with the Draft Personal Data Protection Bill in 2018. However, the Bill was amended and reproduced in 2019. The Bill intended to regulate the collection, processing, usage, disclosure, transfer, and storage of personal data. It will apply to Indian companies, any citizen of India or any person or body of persons incorporated in India, and foreign companies dealing with the personal data of Indians.[12]

The Bill defines the person or group whose data is processed or collected as the data principle. The data fiduciary is defined as the entity that decides the purpose and use of the data processing.

Now the data fiduciary is obliged to process the data subject to a particular purpose, collection, and storage limitations. The fiduciary is also required to organise a data protection impact assessment before processing large-scale sensitive personal data.

All this also depends upon the consent of the data principal, and appropriate notice has to be given in this regard.

The data principals themselves have the right to ensure the completion of personal data processing. They can limit disclosure, make corrections, additions, transfer data, and demand erasure if they no longer give consent or fulfil the purpose.

At present, the regulation of data in India is undertaken by the IT Act 2000 under the Information Technology Rules, 2011. However, the B. N. Srikrishna Committee believes that the regulations need to develop alongside as the age of information advances.

Over time the definition of personal data and sensitive personal data has changed too. For example, religion, sexual orientation, beliefs, political ideologies, etc., are sensitive information, and the provisions of the IT Act leave ambiguity and loopholes for data fiduciaries to misuse data.

Although the Bill seems like a positive step, it has its loopholes. For instance, Clause 91 of the Data Protection Bill allows the Central Government to access non-personal data in the interest of the digital economy. This could further subject the person to commodification instead of protecting them. Also, Chapter VIII of the Bill states exemption. Clause 35 under Chapter VIII gives certain exemptions to the government ‘in the interest of sovereignty and integrity of India’. Again, like India’s Information Technology Act and the Telegraph Act, the Data Protection Bill is also vague when mentioning ‘public order’ or ‘security of the State’. Does similar to earlier legislation, this too gives lacunae for surveillance.

Privacy Legislation in Other Countries

Countries such as the United States of America have begun enacting legislation in many states for consumer data privacy. These legislations are an umbrella to online privacy norms, commercial data regulation, etc.

The stipulations for the 2020 version of the Bill include the prevention of businesses sharing personal information, facilitating correction of incorrect data, and limiting the usage of sensitive personal information.

Similarly, the European Union decided to strengthen data protection and privacy laws in 2018, thereby establishing the General Data Protection Regulation.

Its main objective was to offer more control to people over their personal information. Additionally, it lays stress on an equal playing field for businesses. Therefore, the protection of consumers’ privacy and sensitive personal information takes priority.

In 2020, these laws were reviewed, and the report suggested that the legislation could be successful.[13] The right of access, rectification, erasure and the right to object, portability and enhanced transparency were some of the stipulations. And there’s also a grievance redressal machinery that includes data protection authority to take fines and other measures.

In the present situation of a pandemic, the GDPR was reviewed and amended to provide guidelines for contact tracing apps in April. The countries part of this followed norms laid out by this legislation in collecting location and other private data of their citizens. Given the current health emergency worldwide, cybersecurity and the privacy of citizens were not compromised.

In fact, by May 2020, a specific toolbox and comprehensive guide were established by the GDPR to deal with location data that was to be used solely for contact tracing for Covid-19.

The approach taken by India and other countries is glaringly different. While legislation in Europe with regard to contact tracing during the pandemic is comprehensive and protectionary, India chose to delay the privacy protection legislation.

Redundancy of India’s Laws

Both the US and Europe have proved that data protection measures and increased importance to privacy laws are necessary.

Relying on rules framed in an earlier decade does not bode well for India, especially since the pandemic has furthered digitalisation.

Something as small as online proctored exams for children could be a potential threat, considering the easy access to data and personal information. Most corporates override data protection laws through contracts and fine print and the terms and conditions that no one seems to read.

As mentioned earlier, the consent of the data principal plays a decisive role in the processing of data. However, who reads the terms and conditions of every new app they download?

The pandemic allowed many countries to develop geo-tracking and contact tracing apps for citizens to keep track of the cases and curb the spread. However, the same comes with its set of privacy concerns.

While the Aarogya Setu App was set up with the intent to curb the pandemic in India, at the same time, it was invasive and unsafe. While it was common knowledge that the app collected excessive personal information, there are no regulations to oversee how such data gets processed or stored. In Europe, on the other hand, the GDPR facilitated the development of tracing apps keeping privacy at the centre. They also released specific guidelines and tools for tracing apps adhering to the data protection legislation.

India’s guidelines date back to the IT Act of 2000 and the IT Rules 2011. The digitalisation of all services also creates a looming threat of invasion of privacy. Often, data aggregators purchase location data for ad placement etc. Unsurprisingly, lack of regulation in data privacy has led to frightening consequences such as ‘customer profiles’ databases which include age, location, preferences and other sensitive information.

While the government is projecting the Data Protection Act as a possible solution, it has its own issues. As stated earlier, provisions such as punishment for breach of secrecy and confidentiality, blanket exemptions fail to provide the full extent of the right to privacy. States now have access to humongous data and often misuse its lack of materiality to curb dissent. And we have seen similar instances in the past in India.

The stored data grants a fluidity that can be accessed by all investigative agencies. For instance, the Unlawful Activities Prevention Act, National Security Act and other draconian laws often rely on electronic evidence. The enforcement agencies, especially in such cases, have unchecked power to access and control the personal data of the accused, which may provide leeways to the executive.

Apart from that, cybersecurity lapses can affect citizens alike. The Aadhar data breach and the Aarogya Setu App issue are classic examples. The Government’s inability to protect sensitive and private information leads us to whether, after identifying the right to privacy as a fundamental right, the government failed in its duty to protect it.

Conclusion

We all have our own understanding of privacy, protected by the boundaries for ourselves. However, the judicial system and the Constitution can ensure that certain basic tenets of privacy are unnegotiated. Since no right is absolute, privacy is also restricted under certain circumstances, which are not objectively defined. Thus, this subjectivity offers more complexity as to what must the state have control over.

Additionally, although the government constantly seeks allegiance and personal information from its citizen, the executive often uses the very excuse from privacy to deny accountability.

From recognising the right to privacy as a fundamental right to developing a firm jurisprudence around it, the concept of privacy is evolving. The judiciary has dealt with concerns where the right to privacy is pitted against other fundamental rights. It is a matter of priority or to find a midway when such clashes occur. Given the current situation where novel technology creates more facets to the right to privacy, the legal framework has to be moulded to support this.

In the current democratic setup, it’s a challenge for the judiciary to protect citizens’ right to privacy. And for the same reason, the Indian state may need interventions to check on its undisputed power.

This article is part of the Constitutional Rights Series, you can read more pieces from the Constitutional Rights Series, here.

Endnotes

[1] Rajagopal, K. (2017, July 29). The lowdown on the right to privacy. The Hindu. https://www.thehindu.com/news/national/the-lowdown-on-the-right-to-privacy/article19386366.ece.

[2] Constituent Assembly Of India Debates (Proceedings) – Volume VII. Constitution of India. (n.d.). https://www.constitutionofindia.net/constitution_assembly_debates/volume/7/1948-12-03#7.66.11.

[3] Legal Service India. (n.d.). Legal Analysis of Right To Privacy In India. http://www.legalserviceindia.com/legal/article-676-legal-analysis-of-right-to-privacy-in-india.html       

[4]Sharma, D., Auroshree, Indulia, B., & Editor. (2020, November 24). Government of India blocks 43 mobile apps from accessing by users in India. SCC Blog. https://www.scconline.com/blog/post/2020/11/24/government-of-india-blocks-43-mobile-apps-from-accessing-by-users-in-india/.

[5]Bar and Bench. (n.d.). No public interest overriding right to privacy of donors and donees of electoral bonds: CIC rejects RTI application. https://www.barandbench.com/news/litigation/details-of-donors-electoral-bonds-cic-rejects-rti-request       

[6]Dubey, R., & Bar and Bench. (n.d.). Privacy in a Pandemic: Is the Aarogya Setu App legal? https://www.barandbench.com/columns/privacy-in-a-pandemic-is-the-aAAarogya-setu-app-legal

[7]Sharma, D., Auroshree, Indulia, B., & Editor. (2020, November 24). Government of India blocks 43 mobile apps from accessing by users in India. SCC Blog. https://www.scconline.com/blog/post/2020/11/24/government-of-india-blocks-43-mobile-apps-from-accessing-by-users-in-india/.

[8]https://www.news18.com/news/politics/what-are-electoral-bonds-decoding-the-controversy-2099769.html

[9]Bar and Bench. (n.d.). No public interest overriding right to privacy of donors and donees of electoral bonds: CIC rejects RTI application. https://www.barandbench.com/news/litigation/details-of-donors-electoral-bonds-cic-rejects-rti-request       

[10] Advait Rao Palepu, & Bloomberg Quint. (n.d.). Read more at: https://www.bloombergquint.com/law-and-policy/a-brief-on-data-privacy-protection-and-surveillance Copyright © BloombergQuint.

[11] NDTV. (n.d.). Centre’s Reply Sought Over Plea Against NETRA, NATGRID Surveillance Systems. https://www.ndtv.com/india-news/centres-reply-sought-over-plea-against-netra-natgrid-surveillance-systems-2333014

[12] Renjith Mathew. (n.d.). Personal Data Protection Bill, 2019 –Examined through the Prism of Fundamental Right to Privacy – A Critical Study. https://www.scconline.com/blog/post/2020/05/22/personal-data-protection-bill-2019-examined-through-the-prism-of-fundamental-right-to-privacy-a-critical-study/ 

[13]What is the General Data Protection Regulation? Understanding & Complying with GDPR Requirements in 2019. Digital Guardian. (2020, September 30). https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection.

*The piece has specific content additions from the editor*

Leave a Comment


Advertisement

There are ten ways to read more.And one of them is to subscribe to our newsletter. Yes! A bit of reading never hurts.

Give it a try, you can unsubscribe anytime :)

There are ten ways to read more.And one of them is to subscribe to our newsletter. Yes! A bit of reading never hurts.

Give it a try, you can unsubscribe anytime :)

Lawctopus Law School
Lawctopus Law School
LLS
LLS