Written by Amlan Mishra

In December 2018, India’s Home Ministry released a notification which was condemned by the civil society as establishing a ‘surveillance state’.  It empowers ten government agencies to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource, such as social media. The authorisation for such surveillance must be given by the Home Secretary, who works directly under the politically elected government. This has sparked a debate about Indian privacy regime and its discontents. This article will seek to identify the problems of this surveillance regime and situate them in the international context. This contribution argues in favour of a ‘comprehensive privacy law’ drafted by Indian privacy activists.

Proportionality Test

The celebrated General Data Protection Regulation (GDPR) provides a list of reasons, such as national security, for which states can curtail privacy. However, the restrictions must be ‘necessary and proportionate’. This proportionality test warrants that the act which infringes privacy must have a legitimate aim and must be the least restrictive way of achieving that aim. Indian courts have paid lip service to this test. In contrast, US courts’ standard of ‘reasonable expectation of privacy’, protects only a socially accepted standard of privacy. Daniel J. Solove, in his book ‘Understanding Privacy’, argues that reasonable expectations of privacy if based on society’s expectation will be problematic, as most people in the society do not understand the full consequences of the breach of their personal information. Indeed, governments may condition people overtime to accept a huge infringement of their privacy as ‘reasonable’. Solove suggests that a better test is to look at not just how much infringement is reasonable (an empirical test), but how much should be considered reasonable or proportionate (a normative test). The proportionality test meets this higher threshold by allowing only the least possible infringement.  In India,  though courts have accepted the proportionality test, they have occasionally entered into the question of ‘empirical reasonable expectation by society’ (a vestige of the reasonable expectations of privacy test), thus wrongly applying proportionality test and thereby creating uncertainty.

Under the present law, the authorising agency for surveillance is the Home Secretary (both at the centre and the state) who also supervises all law enforcement agencies. The Secretary cannot be expected to apply an impartial judicial mind. In the recently concluded Aadhaar case on the constitutionality of India’s biometric database, the court read down the ‘national sec­urity’ exception which provided access to the biometric database to the investigative agencies on authorisation by the joint secretary. In holding that the joint secretary – a bureaucrat under the government of the day – is not the proper authority to decide whether such access should be given, the court hinted that instead a judicial officer should be consulted. Data collection without effective judicial checks, with only minimal executive oversight falls foul of the proportionality test.

Illegal search and seizure

In India, the right to privacy is recognised as a facet of personal liberty. Yet, courts have held that documents emanating from privacy violations (like illegal surveillance or search and seizure) can be admissible in trial if they are relevant to the case. This dichotomy incentivises investigative agencies to carry out illegal surveillance. In contrary examples, such as the US, if privacy violation is shown, the evidence becomes non-admissible and the trial becomes illegal for violating the fourth amendment. Thus in India, illegal surveillance has a direct impact on the criminal justice system.

Curiously, in India, the courts have imagined privacy as belonging to ‘people’ and not ‘places’ and have held that collection of personal information amounts to a privacy violation irrespective of the location (private or public) of such information (District Registrar v. Canara Bank). This is the opposite of the third-party doctrine prevalent in the US, which does not consider information about a person collected from a third party or public place, a Fourth Amendment violation. Such an approach is wrong because it conceives privacy as confined to four walls of one’s house, without recognising that we may still expect privacy in public or once we have made something known to a select group of people. For instance, a person in a public place may feel his right to privacy violated upon being stared at continuously or overheard. Individuals, not just places are the repository of privacy rights. Thus while the Indian Courts’ privacy jurisprudence is more perceptive, its application is yet to be extended to the criminal justice system or to the cyber laws.

Use Restriction

Indian laws remain scant with reference to the use of collected data. The rule of destroying collected information within nine months is subject to vague exceptions like ‘functional necessity’ and ‘ongoing investigation’. Investigations sometimes run into years with little stopping investigative agencies from information storing and processing by creating digital dossiers or databases on vague pretexts. In September 2018, the ECHR held that the UK’s surveillance database violated privacy as it could reveal ‘an intimate picture’ of individuals by using and processing data that was collected and stored overtime. The Aadhaar case in India, similarly found storage of biometric information by agencies for seven years disproportionate, recognising the problem of unregulated data storing. A group of privacy activists have drafted a comprehensive privacy law for India, which addresses the above mentioned deficits. It stresses independent commissions, judicial and legislative oversight and data use restrictions to uphold privacy. Despite this development, lack of political will has stalled the process of its adoption.