Can I have some privacy, please?

WhatsApp and Facebook

The right to privacy, and the debate over it, has never been more relevant. The Delhi High Court’s ruling over WhatsApp’s change in policy, the State’s deliberate push towards Aadhar-linked schemes, the imposition and subsequent overturning of prohibition in Bihar, and a host of legislative and policy changes have pushed privacy legislation into the limelight.

This right, first enunciated by Warren and Brandeis in the Harvard Law Review in 1890, has been examined by the Supreme Court of India time and again. In the landmark judgment of Kharak Singh v State of UP, the Supreme Court held that the words “protection of life and personal liberty” in Article 21 include within themselves the “right to privacy”.

Thereafter, in 1994, in R. Rajagopal vs. State Of Tamil Nadu, the apex court remarked that the right to privacy is a “right to be let alone”.

It added that a citizen has,

“[A] right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters”.

Unlike the EU and a number of other countries, India does not have legislation on data protection. This could explain the differing treatment meted out to WhatsApp’s new privacy policy. Hamburg’s data protection commissioner recently ordered Facebook to stop collecting and storing data on WhatsApp users in Germany and to delete all information already forwarded from WhatsApp on roughly 35 million German users.

The right to privacy, however, is well ingrained in the Constitution, the International Covenant on Civil and Political Rights (to which India is a signatory) and (some) other sector-specific legislations.

Indian laws on privacy

As for Indian legislation on data protection, certain provisions, albeit insufficient, are contained in the Information Technology Act, 2001 (IT Act) and the Indian Contract Act, 1872 (Contract Act).

Sections 43A and 72A of the IT Act and rules made thereunder, particularly, deal with data protection to some extent. While Section 43A provides for compensation to be paid by body corporates that have been negligent in implementation or maintenance of reasonable safety procedures for sensitive personal data, Section 72A provides for punishment of persons (including intermediaries) for disclosure of information in breach of lawful contracts.

On a more general note, as per Section 73 of the Contract Act, the injured party is entitled to receive compensation for any loss or damage caused to it on account of a breach committed by the defaulting party, or the “specific performance” of the contract against the party in default.

Hence, Indian companies acting as ‘data importers’ may enter into contracts with ‘data exporters’ to adhere to a high standard of data protection. These contracts are binding and may fulfil the requirements of overseas customers’ national legislation.

In order to fill this legislative lacuna, the Department of Personnel and Training introduced the Privacy Bill, 2011. Thereafter, a ‘Group of Experts’ was constituted to study the best international privacy laws and make recommendations in the Indian context.

This group, led by Justice A.P. Shah, submitted its report in October 2012, following which modifications were made to the draft bill of 2011 and the Privacy (Protection) Bill, 2013 was released.

The report recognised nine principles in line with global standards, including the EU, OECD, and APEC principles on privacy: notice, choice & consent, collection limitation, purpose limitation, access and correction, accountability, openness, disclosure of information, and security. Unfortunately, the Privacy Bill 2013 was not taken forward by the government and has yet to be tabled before Parliament.

Part of the problem lies in our own perception of the very concept of ‘privacy’.

A report on personal data protection laws [pdf] revealed that when Indian subjects are questioned about the word ‘privacy’, the first thing that comes to their mind is privacy in terms of personal space and subjects. Participants from the US, though, mention information privacy, financial information and identity theft. And when it comes to privacy issues related to technology, a minority of Indian subjects (21%) are concerned about keeping digital information secure.

More often than not, Indians don’t seem to have a problem with government snooping on their data: “I don’t have anything to hide” is a common response. The larger debate, however, is not whether one has something to hide from the government; it is about one’s right to privacy, a fundamental right that must be exercised whether or not one has something to hide from the Government.

Today, every digital transaction that you undertake leaves a digital footprint which will stay forever, and this is not something which should be taken lightly.

Big brother is watching

This need for awareness has never been more pressing, especially given the recent actions of the Indian state.

As reported in Live Mint, the Government’s Central Monitoring System (CMS), built at an estimated cost of 400 crores, allows the State to snoop on all communications across all phone networks. The CMS will be able to access Internet data – not just what sites you visit but even build a cache of your inbox, allowing leisurely decryption. The system will be brought under the Department of Telecom (DoT) and managed by the Intelligence Bureau.

This development is to be read along with an innocuous-looking notification [pdf] issued by the DoT in October 2013. This notification amended the Cellular Mobile Telephony Service (CMTS) Licence agreement, allowing the connection of the licensee’s interception system to the regional monitoring system. This mass surveillance system is already in place in Mumbai and Delhi as of now, and is expected to extend to other cities as well.

The CMS is a relatively recent form of surveillance; telephone tapping has been a common practice for some time now. The archaic Indian Telegraph Act of 1885 contains provisions under which the government and its agencies can tap phones, albeit under certain conditions. For instance, calls can be tapped without obtaining permission from the home secretary for a period of seven days.

The Supreme Court in People’s Union for Civil Liberties v. Union of India held that phone tapping under S. 5(2) of the Telegraph Act amounts to a violation of Article 21. The judgment created safeguards against arbitrariness in the exercise of the state’s surveillance powers. These safeguards, however, continue to be violated.

The CMS will take this regime a step further, giving the government unfettered access to our content data, such as the subject line and body of an email exchanged, and non-content data such as country of residence, or gender, or system-generated data such as IP addresses.

The unanswered questions

While the objective of CMS may be noble, and in the interest of national security, certain questions remain to be answered, such as: Who can authorise the interception and access this intercepted data? Who can have access to data? Can data monitored by the CMS be shared between third parties and if so, under what conditions? Is data monitored by the CMS retained and if so, for how long and under what conditions? Do individuals have the right to be informed about their communications being monitored and about data retained about them?

There is more.

Work is already underway to develop a National Intelligence Grid (NATGRID), which would provide intelligence agencies real-time access to 21 databanks, including banking, credit card, income tax, election identity card, call records, PAN card and driving licence details.

The government’s defence is that it can anyway get access to such information under the Code of Criminal Procedure and NATGRID will expedite the process.

Meanwhile in Europe, ten organisations are taking up a landmark case against the U.K. government in the European Court of Human Rights to consider the legality of mass surveillance programs adopted by the US and UK governments.

In many ways, the debate over the Aadhar scheme is a repetition of that over the NATGRID.

Much has been spoken of Aadhar and the privacy concerns surrounding it. The Aadhar legislation creates a single database, a Central Identities Data Repository (CIDR), holding fingerprint, retinal scan and, eventually, full genomic information on every Indian, along with name, address, and phone number. A breach of this CIDR would be an unmitigated disaster.

Worse, even the government’s usage of this data is not strictly regulated. All that is required is an order from a district judge (the same judges responsible for over thirty internet shutdowns since 2013) or the dangerously ambiguous ground of ‘interests of national security’.

And it is not as if these dangers have not been highlighted.

A simple comparison of the Aadhar data collection mechanism to the principles enunciated in A.P. Shah’s committee report suggests that Aadhar fails to address several principles, some of which are:

  • No itemized declaration of contents and nature of information being collected is provided to the individual;
  • No mention of purpose of collecting the information;
  • No notice of the security standards followed at the CIDR, or the measures used by the Enrolling Agency (EA) & Requesting Entity (RE) to safeguard the data;
  • No mention of a complaint mechanism against the EA & RE, or any medium to approach in case of misuse/breach of data;
  • No mention of notification of data breaches to data subject and commissioner;
  • No mention of an option to withdraw his/her consent;
  • Personal information is being stored in perpetuity.

Another bone of contention is the recent constitution of a committee of experts to draft rules for data retention under Section 67C of the IT Act. These rules are expected to inter alia define what kind of information is to be stored and for how long.

Hoping for the best

Indian law enforcement agencies frequently make requests to service providers such as Google and Microsoft for access to user data. The latest report submitted by Google states that they received 3,452 such requests during the period January-June in 2016 alone.

There is some hope, though. The Data Protection Authority, to be established under the Privacy (Protection) Bill, 2013, is an institution which, it is hoped, will provide relief to us all. This long-overdue privacy legislation, if and when implemented effectively, can be the only solace for Indians, with content and non-content data under severe threat.

The issue, then, is not the collection of data, but the lack of protective measures for it.