Introduction
In November 2021, the European Data Protection Board (EDPB) released its report on government access to data in third countries. The report covered three countries: Russia, India and China. In respect of India, it concluded that EU data subjects have very limited rights to challenge the Indian government's data access requests, and that redress is possible only in a few cases.
However, Indian data privacy experts might not fully agree with this statement.
While the state of informational privacy in India is nascent, and in many respects not ideal, it may not be correct to conclude that there are no fetters at all on the Indian government's surveillance powers. Doing so ignores the historical background of Indian surveillance and data access laws, as well as the continuing judicial efforts to protect citizens and non-citizens alike against state overreach.
This article discusses the EDPB report's focus on and analysis of India and tests its conclusions against the historical context in India relating to the government's investigation and access initiatives. In particular, this article looks at Indian case law and judicial precedent that was perhaps not fully addressed in the EDPB report.
Indian surveillance laws – historical overview
The seminal source law on electronic surveillance in India is section 5(2) of the Indian Telegraph Act 1885 (Telegraph Act) read together with the Indian Telegraph Rules 1951 (Telegraph Rules; collectively with the Telegraph Act, the Telecom Regulations). This law allows interception and disclosure of telecom messages "on the occurrence of any public emergency or in the interest of public safety".
While the telegraph law itself is an almost 150-year-old British Raj relic, section 5(2) was formulated in 1972 to facilitate surveillance by way of telephone tapping. In 1996, a case was brought by the People's Union for Civil Liberties against the Union of India (PUCL Ruling),(1) challenging the Indian government's telephone tapping activities.
Supreme Court Judge Kuldip Singh, one of India's stalwart jurists, noted that telephone tapping is a serious invasion of privacy and held in paragraph 166:
"We, therefore, recommend that telephones may not be tapped except in the interest of national security, public order, investigation of crime and similar objectives, under orders made in writing by the Minister concerned or an officer of rank to whom the power in that behalf is delegated.
The order should disclose reasons.
An order for tapping of telephones should expire after three months from the date of the order.
Moreover, within a period of six weeks the order should come up for review before a Board constituted on the lines prescribed in statutes providing for preventive detention. It should be for the Board to decide whether tapping should continue any longer. The decision of the Board should be binding on the Government. It may be added that the Minister or his delegates will be competent to issue a fresh order for tapping of the telephone if circumstances call for it. The Telegraph Act should contain a clause to give effect to this recommendation."
Judge Singh issued nine rules and directions on telephone tapping, including a sunset on any interception orders, and an internal review committee to oversee such orders. This ruling forms the basis for a 2007 amendment where a new rule 419A was added to the Telegraph Rules. The same legal reasoning (and text) was adapted for surveilling computer records in later laws. Section 69 of the Information Technology Act 2000 (the IT Act) mirrors section 5(2) of the Telegraph Act. And like rule 419A, the Information Technology (Procedures and Safeguards for Interception, Monitoring, and Decryption of Information) Rules 2009 (the Interception Rules) allow data access on the same basis.(2)
As such, Indian surveillance laws in their present form are rooted in a judgment of the country's apex court that places limits on the government's surveillance and access powers. This background is vital to understanding the current state and interplay of data access laws in India, particularly when it comes to continuing judicial oversight.
The following section discusses how Indian courts have judged surveillance orders under these laws.
Continuing judicial influence on surveillance
Indian surveillance regulations themselves do not contain elaborate data subject rights for redressal, but that is not to say that there are no rights available. The EDPB report misses the constitutional law or administrative law challenges that may be made, even by non-citizens, when faced with surveillance orders.(3)
The Supreme Court in KS Puttaswamy v Union of India has confirmed that article 21 (regarding the fundamental right to life and personal liberty) of the Constitution guarantees each individual the fundamental right to privacy. This judgment specifically clarified that informational privacy is one of the facets of the right to privacy, and this right can only be compromised by a state action if it satisfies the doctrine of proportionality, defined at paragraph 117 as:
(a) the action must be sanctioned by law; (b) the proposed action must be necessary in a democratic society for a legitimate aim; and (c) the extent of such interference must be proportionate to the need for such interference.
The Constitution enables individuals to enforce their fundamental rights through articles 32 and 226, which allow them to file a petition seeking redressal before the Supreme Court and High Courts. As such, Indian and EU data subjects alike have a right to challenge access orders in the writ jurisdiction of courts.
While there have been few to no instances of foreigners approaching Indian courts to enforce their right to privacy, there have been numerous instances of a foreigner approaching various high courts or the Supreme Court for enforcing their fundamental right to life.(4)
A number of rulings of the Supreme Court and high courts have quashed access orders due to their potential infringement of privacy and neglect of due process.(5) The Bombay High Court in Vinit Kumar v CBI & Ors,(6) relying on the PUCL Ruling and the Puttaswamy ruling, which recognised the right to privacy as a part of the fundamental right to life, observed that:
- "illegal tapping of telephone conversation violates right to privacy"; and
- the grounds for issuing an access order under section 5(2), such as "public safety", denotes "a risk for people at large" – public emergency or public safety are not secretive conditions and are apparent to a reasonable person.
Accordingly, the Court concluded that the access orders issued against the petitioner did not possess the "sanction of law nor issued for a legitimate aim" and failed to satisfy the tests of "principle of proportionality and legitimacy" laid down by the Supreme Court to determine the justness of infringement of one's right to privacy.
Access orders could also be challenged for not being compliant with Indian administrative law principles (which is an analogue of constitutional law) on the basis of "procedural impropriety". The high court of a southern state in KLD Nagasree v Govt of India(7) set aside an access order because it was not referred to the review committee instituted under rule 419A of the Telegraph Rules within the prescribed timeline, and it did not meet the criteria set out under section 5(2) (eg, in light of a public emergency or public safety). In this case, the court reiterated that "rule 419-A though procedural in nature is mandatory" and "non-compliance of the procedure under Rule 419-A (of the Telegraph Rules) is undoubtedly fatal".
As noted earlier, the text and procedures for access orders set out under Telegraph Rules and Interception Rules are quite similar. The precedents noted above are related solely to phone-tapping, but Indian courts may very likely apply similar standards to set aside access orders under the Interception Rules.
Lack of data access requests
The EDPB report's interpretation of Indian surveillance regulations suffers from another, fairly basic, factual gap. If mass government data surveillance is a prevalent practice in India, and if the government can requisition the personal data of all and sundry, without any legal basis or justification, why is this not being done already at industrial scale?
A possible explanation for this lack of publicly reported instances may be that, while such instances are indeed plentiful, they are not brought to light for various reasons. However, a data access order of the type the EDPB is primarily concerned with relates to the data of EU data subjects. This data is primarily available with major Indian IT companies or other business houses that provide services to EU entities and individuals. An access request would, therefore, be made to such Indian IT houses. Given contractual and business frameworks, it would be likely that such data access requests are (at least) notified to the customer or the EU data subject (Indian data access laws do not prohibit such notification). Even so, no such instances have come to light in the past.
Unlike in the US context, where instances of data access requests are varied and many, in the Indian context there have been no publicly reported instances of data of EU subjects being compromised on account of data access requests. Another explanation, and one which deserves credence, is that the framework of Indian surveillance law is not amenable to unfettered data access of foreign subjects.(8)
Comment
The EDPB report raises some valid concerns, such as that the government appoints the internal review committee reviewing access orders, which impairs the committee's independence. But it can be argued that some of the report's conclusions are misapplied. Not all entities holding EU subjects' data in India would be considered as "intermediaries", subject to the new 2021 IT laws. The data of all who apply to India's Aadhaar national ID scheme may be accessible to the government, but this is of limited relevance to the wider question on general data access processes under Indian laws. Additionally, the report's findings do not address or account for the Indian courts' continued willingness to push back against government surveillance orders.
For further information on this topic please contact Vikram Jeet Singh or Kalindhi Bhatia at BTG Legal by telephone (+91 22 6177 2900). The BTG Legal website can be accessed at www.btg-legal.com.
Endnotes
(1) People's Union for Civil Liberties v Union of India (1997) 1 SCC 301.
(2) Apart from the Interception Rules and the Telecom Regulations, Indian law enforcement agencies can compel disclosure via criminal legislation, namely section 91 of the Code of Criminal Procedure 1973. This provision enables courts and police to require the production of "any document or thing" that is necessary or desirable for any criminal investigation, inquiry, trial or other proceedings. This is a broad "subpoena" power, used mainly to build evidence in criminal cases. In practice, this power is typically used for local criminal matters, and not data access scenarios (and was not discussed in the EDPB report).
(3) See paragraph 2.2.3.2(i) of the EDPB report.
(4) Ktaer Abbas Habib v Union of India, 1999 CRI L J 919 and Louis De Raedt v Union of India, 1991 AIR 1886.
(5) The Indian Supreme Court has confirmed that the fundamental right to life includes the right to privacy (KS Puttaswamy v Union of India, AIR 2017 SC 4161). In consonance, the Supreme Court has granted the right to life a "non-derogable" status (ie, it cannot be infringed under any circumstances), and the right is available to citizens as well as foreigners (Selvi & Ors v State of Karnataka, AIR 2010 SC 1974). In this decision, the court granted the right to life to all "individuals" and did not make any distinction between foreigners and Indian citizens. Therefore, it could be argued that the fundamental right to life (thereby the right to privacy) is available to foreigners.
(8) Entities who receive, store, or transmit information on behalf of another are categorised as intermediary IT service providers (eg, telecom service providers, network service providers, search engines and social media websites) and do not store or host data on behalf of another as such; they process data under a service contract obligation. IT companies are (arguably) not intermediaries when they process their clients' data.
An earlier version of this article was first published on Legal500.