Where’s the Line in the Sand?

Tl;dr

In Part 7 of the #DataProtectionTop 10 series, we discuss the provisions in the Bill which enable the State to engage in surveillance of the people. Clause 35 of the Bill gives blanket exemption to the State from the application of the Bill on the grounds of national security. This blanket exemption without any sound oversight and review mechanism raises concerns of abuse of power by the State. Hence, we recommend that a chapter on surveillance reforms be inserted in the Bill.

Background

Last week we discussed how voluntary verification of social media accounts leads to data maximisation, and is a threat to informational privacy of users (Part 5) and how local storage of the data creates roadblocks to the free flow of data and debilitates the open nature of the internet (Part 6). In today’s post, we unpack the most debated issue with the will: the exemptions granted to the State for surveillance.

Security of the State and law enforcement have historically been a grey area and a stranglehold of the State, which it uses as a shield for surveilling its people. For example, India got its own monitoring program; the Central Monitoring System after the 26/11 Mumbai terrorist attacks, since a need was felt for greater coordination between law enforcement and security agencies in order to protect the security of the country. Currently, India has a host of surveillance programs, both in operation as well as in the pipeline, like the Centralised Monitoring System (CMS), The National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network System (CCTNS), National Automated Facial Recognition System (NAFRS) etc. What is most striking is that there are no comprehensive or robust surveillance laws in the country to effectively check the working of these projects. All we have are a few provisions under the The Indian Telegraph Act, 1885, and the Information Technology (IT) Act, 2000, and the Rules made under these statutes.

Section 5 sub-section 2 of The Indian Telegraph Act, 1885 deals with interception of communications. In times of public emergency or in the interest of public safety the government may order for the interception of communications such as your phone calls if it is satisfied that it is ‘necessary or expedient’ to do so in the interests of the sovereignty and integrity of India, the security of the State etc. A similar (probably broader) provision for interception, decryption and monitoring of our activities on the internet is contained in section 69 of the Information Technology (IT) Act, 2000. Section 69B of the Information Technology (IT) Act, 2000, on the other hand, deals with surveillance of traffic data such as the IP addresses, location, the time, date and duration of communications etc. These provisions are supplemented by the Rules: Rule 419A of Indian Telegraph (Amendment) Rules, 2007 and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, and Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009. In addition to these sections and the Rules framed thereunder, the license agreements between the Department of Telecommunications and telecom service providers require telecom service providers to assist the government in conducting surveillance.

Issues: Overbroad exemptions and no safeguards

The main issues with these provisions are that a) they do not provide for an oversight mechanism for surveillance and b) that there is no review of the order for surveillance. The orders are issued by the executive and oversight of the implementation of these orders, if any, is also by the executive. The current laws on surveillance in India are fraught with several legal and procedural infirmities and pave the path to the rise of a surveillance State. It is thus imperative for us to examine whether the Personal Data Protection Bill ameliorates the concerns around the existing regime for surveillance.

When the new draft of the Bill came in 2019, everyone wanted to see what the fate of the section on exemptions that granted the State significant discretionary power to exempt its agencies from any provisions of the Bill would be. It was however quite shocking to see that the Bill confers more power than ever to the State for surveillance.

The power of the Central Government to conduct surveillance is contained in clause 35 of the Bill. Clause 35 enables the Central Government to exempt by order any agency of the government from all or any provisions of the Bill. The order under clause 35 is passed in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, or to prevent incitement to the commission of an offence. The only safeguard given here again is that the order should be in writing and it should contain the reasons for the exemption.

The issues with clause 35 are very patent. The provision is very vague and broad to grant the State unfettered access to personal data without adequate safeguards. The Bill replaces the established principles of ‘necessity and proportionality’ with ‘necessity or expediency’, which allows the leeway to enact lower standards of protection. The State can exempt any of its agencies by passing an executive order and these orders are not subject to any review. Moreover, it is left to the State to prescribe the procedure, safeguards and oversight mechanism to be followed by the agency exempted from the Bill. This provision is a flagrant violation of the natural principle of justice- ‘no one shall be a judge in his own cause’.

The power of the State to exempt any agency of the State on very flexible grounds such as public order, or prevention of incitement to the commission of an offence by a mere executive order further increases the power of the State to surveil us. This dangerous provision can actualize our fears of the State turning into an ‘Orwellian State’. For instance, we have previously explained the possibilities of abuse of this provision in our public brief on the impact of the Personal Data Protection Bill, 2019 on the National Population Register (NPR). NPR was originally intended as a solution to the problem of infiltration at the national borders, and therefore nothing prevents the Central Government from invoking the grounds of security of the State to exempt NPR from the provisions of the Bill.

Clause 36 is another exemption available to the State. Law enforcement agencies are exempted from the provisions of the Bill except the obligation to process the data fairly and reasonably and to maintain security safeguards in processing the data, for law enforcement purposes such as prevention, detection, investigation and prosecution of any offence or any other contravention of any law. Here again, the Bill has failed to mandate that the exemption should be granted only when it is necessary and proportionate for the purposes of law enforcement.

Clause 35 vis-a-vis the Sri Krishna Committee Report

Clause 35 does not incorporate the recommendations of the Report of the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna (‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’), and is also a stark deviation from the 2018 draft of the Bill. The report warns that ‘the pillars of a data protection law should not be shaken by a vague and nebulous national security exemption’. However, it is unfortunate to note that the Bill does exactly what was feared by the Committee.

The report makes several incredible recommendations regarding surveillance provisions for a future data protection law:

The report discusses only one ground for exemptions; security of the State, as opposed to the five grounds given under clause 35. The report is emphatic that the exemptions to State should strictly adhere to the judgement of the Supreme Court of India in Justice K S Puttaswamy v. Union of India and Anr.

Any exemption from the data protection law must be ‘necessary and proportionate’ in the interest of the security of the State and such exemption should be pursuant to a law that meets the constitutionality test. Since exemptions involve the infringement of privacy of the individuals, the report mandates that the restrictions on privacy should be proportionate and narrowly tailored to the stated objectives.

The report does not envisage a blanket exemption to the State. The agencies of the State are not exempted from the obligation to maintain security safeguards in processing personal data.

The report also addresses the issue of lack of oversight of intelligence gathering and recommends that the Central Government should bring in a law to this effect. The report states that there should be ex-ante access control as well as ex-post accountability. Therefore, the law should provide for both parliamentary oversight as well as judicial approval of all requests for non-consensual access to personal data. Further, the surveillance laws should provide for measures to assess the extent of risks of a proposed measure to the privacy of the individual.

Solution: a New Chapter on Surveillance Reforms

As the fifth principle of the Indian Privacy Code, 2018 notes a complete code on data protection comes with strong surveillance reforms. Any data protection framework has to restrict mass or dragnet surveillance as it contravenes the principles of necessity, proportionality and purpose limitation. Procedural safeguards have to be in place even for individual surveillance and interception. Interception of communications has to be through an order passed by the judiciary. The principle also states that the evidence gathered illegally must be made inadmissible as evidence in legal proceedings.

It is imperative that the exemptions to the State under Bill be restricted and narrowly tailored to cater to the protection of the privacy of individuals. Surveillance and interception have serious implications on the privacy of individuals, yet it is inevitable in certain circumstances. Further, the current laws do not adequately address the privacy concerns caused by surveillance and interception of communications. Therefore, the Bill should devote a separate chapter for surveillance reforms. Moreover, the agencies of the State eligible for being exempted under clause 35 must include only those agencies that are authorised by an Act of Parliament to conduct surveillance and interception. Such agencies have to be clearly identified and notified by the Central government. Further, the Bill should also provide for procedures for such agencies to seek permission from a judicial authority, preferably by special benches or tribunals consisting of retired High Court judges.

One of the main lacunae in the current surveillance laws is that there is no proper institutional oversight and accountability mechanism. Therefore, we recommend that an oversight and accountability structure be made part of the proposed architecture of the Data Protection Authority. An ideal way to do this would be to add within the Data Protection Authority an office for surveillance reform and oversight. For emergency surveillance and interception of communications, permission may be granted through judicial orders and such orders must require the exempted agencies to follow the necessity and proportionality principles. Further, the enforcement and compliance mechanisms of such orders may be determined by the Data Protection Authority.

Mass surveillance is an egregious form of surveillance and is unsuitable in any democratic society. Therefore, there needs to be an explicit ban on mass surveillance. Clause 35 in its current form can render the rights and protections of users under the Bill redundant, and hence the Bill needs to be reviewed to make it replete with safeguards against surveillance and plug the holes in the existing laws on surveillance in the country.

This is the third post in our series on the issues with the Personal Data Protection Bill, 2019. Read part 1 here, part 2 here, part 3 here, part 4 here, part 5 here and part 6 here.

Important Documents

1. The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
2. Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020 (link)
3. IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
4. The SaveOurPrivacy Campaign (link)
5. IFF’s Public Brief on the Impact of the Personal Data Protection Bill, 2019 on the National Population Register (NPR) (link)
6. IFF’s Watch The Watchmen Series (link)

This post has been largely drafted by Fathima V N, who is a 2020 graduate of the National University of Advanced Legal Studies and is currently a Daksha Fellow interning at IFF with the supervision of our staff.