Need for surveillance reform stronger than ever in light of the Draft Data Protection Bill, 2021 #SaveOurPrivacy

The Draft Data Protection Bill, 2021 is here but does it protect Indian citizens against over-broad government surveillance? The answer is a disappointing no.

21 December, 2021

tl;dr

The Joint Parliamentary Committee Report on the Personal Data Protection Bill, 2019 (PDP Bill) is here. The report, however, fails to tackle head-on one of the most pressing issues facing the country presently: surveillance reform. This leaves out any regulation or oversight over projects such as the National Intelligence Grid (NatGrid) or the CCTNS (Crime and Criminal Tracking Network System), which have databases on lakhs of Indians.

Why should surveillance be regulated?

Surveillance refers to the continuous or intermittent monitoring of a person or a group of people, usually without their knowledge, for the purpose of gathering information about their activities. There are two forms of surveillance: first, targeted surveillance (for example, spyware such as Pegasus), and second, mass surveillance (for example, NatGrid, CCTNS, CMS & AFRS).

Regulation of surveillance by government authorities is an oft-debated topic. While one constituency argues for national security, the other places individual privacy as a more important priority. However, these interests can be reconciled by specific legislative choices which have been ignored by the Joint Parliamentary Committee in the proposed Data Protection Bill, 2021 (read our explainer here). Surveillance regulation, when well crafted, does not harm national security, but enhances our fundamental rights along with institutional processes that ensure such capabilities are not used for political purposes. This principle of accountability and oversight in surveillance practices has been recognised by many liberal democracies.

Past attempts at surveillance regulation

While data protection and surveillance reform have often been treated as interrelated, they have proceeded on separate legislative or regulatory paths in several foreign jurisdictions. However, prior legislative and legal attempts towards a data protection regime in India looked at both together. There is a good reason for this as we lack legal mechanisms for either.

For instance, a prior attempt at a privacy law which was being led by the Department of Personnel and Training included both data protection and surveillance reform. This becomes clear on the basis of the then Attorney General, Mr. Goolam Vahanvati’s opinion on the Right to Privacy Bill (link) that, “conditions under which interception of communications could be permitted should be spelt out… in the Bill…” (link at Page 2). This has further found reflection in a leaked draft of the Privacy Bill, 2011 (link) and the Report of the Justice A.P. Shah Committee of Experts (link). The Justice A.P. Shah Committee of Experts explains this by stating:

“With the initiation of national programmes like Unique Identification number, NATGRID, CCTNS, RSYB, DNA profiling, Reproductive Rights of Women, Privileged communications and brain mapping, most of which will be implemented through ICT platforms, and increased collection of citizen information by the government, concerns have emerged on their impact on the privacy of persons.”

For these reasons, surveillance reform provisions were also included as one of the 7 privacy principles in the #SaveOurPrivacy campaign. On this basis, a model draft law titled ‘the Indian Privacy Code’ was proposed as a civil society draft through a collaborative and transparent drafting process. Specific policy choices within it created oversight and accountability for surveillance. Two different versions of the ‘Indian Privacy Code’ have been filed as private member bills in Parliament by Dr. Ravi Kumar (link) and Dr. Shashi Tharoor (link). We must also note here that a separate private member’s bill on surveillance reforms and oversight on intelligence agencies has been filed by Manish Tiwari in the Lok Sabha (link).

Deviation in the Personal Data Protection Bill, 2018

In the midst of hearings on a batch of petitions concerning a dispute raised on the fundamental right to privacy, the Justice B.N. Srikrishna Committee of Experts on Privacy (link) was constituted. This was noticed in the judgement of K.S. Puttaswamy v. Union of India (link) by Justice Dr. D.Y. Chandrachud, who states:

“We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state. The legitimate aims of the state would include for instance protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits. These are matters of policy to be considered by the Union government while designing a carefully structured regime for the protection of the data. Since the Union government has informed the Court that it has constituted a Committee chaired by Hon’ble Shri Justice B N Srikrishna, former Judge of this Court, for that purpose, the matter shall be dealt with appropriately by the Union government having due regard to what has been set out in this judgment.” (emphasis added)

Disappointingly, the Draft Personal Data Protection Bill, 2018 (link) as recommended by the Justice B.N. Srikrishna Committee did not contain any provisions for surveillance reform, limiting itself to data protection. At the same time the Report of the Justice B.N. Srikrishna Committee (link) noted, “Central Government carefully scrutinizes the question of oversight of intelligence gathering and expeditiously brings in a law to this effect”. However, till date there is no proposal for surveillance reform that is being considered by the Union Government. This becomes evident from the parliamentary responses this year which make reference to provisions under the Telegraph Act and the Information Technology Act (link).

The Draft Personal Data Protection Bill, 2018 was considered by the Ministry of Electronics and IT and was introduced in Parliament on December 11, 2019 as the Personal Data Protection Bill, 2019 (link) with significant deviations (link to analysis). However, this redrafted version not only made no attempt at surveillance reform, but even made existing provisions on consensual sharing of information worse by providing large government exemptions. The Personal Data Protection Bill, 2019 was immediately referred to a Joint Parliamentary Committee first headed by Ms. Meenakshi Lekhi, MP, Lok Sabha and then, towards its conclusion, by Mr. P.P. Chowdhury, MP, Lok Sabha (link). Neither the recommendations of the JPC on the Personal Data Protection Bill, 2019 nor the newly christened Data Protection Bill, 2021 (link) attempt or contain any provisions for surveillance reform. Even in cases of consensual sharing of personal data, the new Bill makes existing provisions far worse, principally within Clauses 35-37 (link).

Why do we need surveillance reform?

Quite simply, data protection without surveillance reform is an inadequate measure to protect any individual’s right to privacy. This is because in a digital age, personal data can be collected for security and policing interests at marginal cost and with ease for large numbers of people. Hence a form of crime control becomes social control that has an injurious impact on any democratic society. According to Solove’s ‘Taxonomy on Privacy’, “(b)ecause of its inhibitory effects, surveillance is a tool of social control, enhancing the power of social norms, which work more effectively when people are being observed by others in the community.”

A complete chapter on surveillance reform, therefore, needs to be inserted in the present Data Protection Bill, 2021 for it to be a rights-respecting legislation. This chapter must specifically define the procedure required for obtaining any exemption and must include judicial oversight. This is necessitated by the gaps in India’s present surveillance architecture, which consists of two acts and their supporting rules:

  1. the Information Technology Act, 2000 (link) with the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (link); and
  2. the Indian Telegraph Act, 1885 (link) with the Indian Telegraph Rules, 1951 specifically Rule 419-A (link).

The Report of the Group of Experts on Privacy (link), which was chaired by Justice A.P. Shah, highlights how the varying standards and procedures for interception create similarities and differences which have led to the creation of a regulatory regime which lacks transparency, is prone to misuse, and which does not provide remedy for aggrieved individuals. As per the report:

“Broad similarities between the regimes include: authorization for interception must be based on executive orders, orders for interception must be reviewed by an overseeing committee, all interception orders must contain similar specified information, and every agency intercepting communications must establish similar procedures for oversight and security of the interception. Differences range from the permitted grounds for surveillance, the type of interception that is permitted to be undertaken (monitoring, tracking, intercepting etc.), the type and granularity of information that can be intercepted, the degree of assistance that authorized agencies can demand from service providers, and the destruction and retention requirements of intercepted material.” (page 72, Report of the Group of Experts on Privacy chaired by Justice A. P. Shah)

The fundamental issue with these laws is their centralisation of power with the Executive branch of government and the lack of any judicial or legislative oversight. This promotes a complete lack of accountability and quite often results in allegations of use of surveillance for political purposes. For instance, this week, former Uttar Pradesh Chief Minister, Mr. Akhilesh Yadav, accused his political rival, the present Uttar Pradesh Chief Minister, of illegally tapping his phones in the run up to the state assembly elections (link). Such charges undermine public confidence and also national security.

Expert opinion and global best practices

In their paper titled, ‘Use of personal data by intelligence and law enforcement agencies’, the authors assert that, “(t)he absence of transparency concerning surveillance activities prevents meaningful oversight of the actions of executive agencies, and it militates against the system of checks and balances inherent in India’s constitutional make-up.” In the absence of such oversight, either by the judiciary or the parliament, unilateral power with the executive seems poised to be abused. This is because it would allow them to influence both the subject of surveillance and all classes of individuals, resulting in a chilling effect on free speech due to self-regulation to protect oneself from being targeted.

Interestingly enough, provisions related to judicial review of surveillance orders do exist in jurisdictions abroad. In R (on the application of Privacy International) v Investigatory Powers Tribunal and others, the United Kingdom Supreme Court ruled that, “(g)overnment security decisions will in future be open to challenge in the courts”. In the United States of America, all foreign surveillance orders are reviewed by the Foreign Intelligence Surveillance Court (FISC) which was established by the Congress in the Foreign Intelligence Surveillance Act (FISA), 1978 and domestic surveillance orders are reviewed under the Electronic Communication Privacy Act of 1986. The Canadian Security Intelligence Service (CSIS) has to get surveillance warrants approved by specially designated judges in the Federal Court. In Australia, under the Australian Telecommunications (Interception and Access) Act, 1979, warrants are required to access the content of messages in transit and in storage.  

It is crucial that government agencies which carry out surveillance are clearly identified and notified; however, if they are being exempted from compliance, then it is essential that any such determination is open to public analysis. In our brief on the Personal Data Protection Bill, the #SaveOurPrivacy campaign had stated that a procedure must be put in place for such agencies to seek permission from a judicial authority - preferably by special benches or tribunals comprising High Court judges. Additionally, an appropriate oversight and accountability structure should be created as part of the Data Protection Authority by adding within it an office for surveillance reform and oversight. Judicial permission that may be granted for emergency surveillance and communications interception must be required to follow the necessity and proportionality principles. To administer such judicial orders, the Data Protection Authority may be allowed to determine compliance and enforcement mechanisms.

As we said in 2020 and in 2021, surveillance reform, with an emphasis on oversight of government authorities to protect against over-broad surveillance, is the need of the hour.

Important documents

  1. The Personal Data Protection Bill, 2019 (link)
  2. The report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 tabled on December 16, 2021 (link)
  3. IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
  4. Comparing the Draft Data Protection Bill, 2021 with its predecessors dated December 17, 2021 (link)
  5. Key Takeaways: The JPC Report and the Data Protection Bill, 2021 #SaveOurPrivacy (link)
  6. Our #StartfromScratch series on the PDP Bill, 2019 (link)
  7. Our #DataProtectionTop10 series, wherein we analysed the top 10 issues with the Bill in detail (link)
  8. Our #PrivacyOfThePeople series, which is looking at how the Bill will impact our daily lives by focusing on its impact on different sections of society (link)
