By: Anirudh Vijay
A few months ago, the Indian Home Ministry issued a controversial order which authorised ten security and intelligence agencies to intercept, monitor and decrypt any information generated, transmitted, received or stored in any computer resource. Moreover, on July 3 2019, an order was released by the Indian Higher Education Secretary requesting students to link their social media accounts to all Higher Education Institutes (hereinafter ‘HEI’) as well as the HRD Ministry without any regard for the privacy of the students and its impact on their freedom of speech and expression.
This was deeply censured by civil society in India for forming a ‘surveillance state’. This led to a heavy debate on India’s absence of privacy framework and its lack of contentment towards surveillance. The present post is an attempt to put forth the various issues in the formation of a ‘surveillance state’ under the aforesaid orders and analyse them with respect to the international context.
ISSUES WITH ILLEGAL SURVEILLANCE
One of the essential features of personal liberty is the right to privacy and yet the relevant documents to any case obtained from search & seizure methods through illegal surveillance or privacy infringement are admissible in the Indian courts. Such contrariety paves a way for the State to initiate illegal surveillance. However, as per the Fourth Amendment of the US Constitution, the evidence obtained during the trial is not admissible because of the infringement of privacy. The trial also becomes illegal in such a case. Therefore, the justice delivery system is directly being influenced by illegal surveillance in India.
Interestingly, the collection of personal information is considered as privacy infringement regardless of the location of such information as privacy belongs to ‘persons and not places’. This is the opposite of the position in America. As the US Courts have repeatedly held that obtaining the information from a third party or a public place and conveying the same to the state is not an infringement of privacy under the Fourth Amendment. This approach is incorrect as it only ensures privacy within the four walls of the room and does not contemplate the expectation of a person’s privacy at any public place. Certainly, the Indian judiciary has provided an insightful privacy jurisprudence however its application is yet to be acknowledged in its entirety.
TEST OF PROPORTIONALITY
The General Data Protection Regulation (hereinafter ‘GDPR’) contains a list of grounds, like national security, based on which the state can restrict the privacy of a person. These restrictions should be ‘necessary and proportionate’. In India, the test of proportionality has been propounded by a 5 Judge bench of Supreme Court in Modern Dental College & Research Centre v State of M.P. and further elaborated in K.S. Puttaswamy v Union of India. It has been held that when a law limits a constitutional right, then such a limitation is constitutional until it is proportional. The law imposing restrictions will be treated as proportional if it is meant to achieve a proper purpose and if the measures taken to achieve such a purpose are rationally connected to the purpose, such that the measures are necessary. As per the proportionality test, any act infringing the privacy should have a legitimate aim and must be least restrictive to achieve that aim. Lately, this test has received lip service from the Indian judiciary.
In contrast, the US has recognised the standard of ‘reasonable expectation of privacy’ which covers socially accepted privacy standards. Most people do not understand the impacts of privacy infringement; hence it is complicated to have a reasonable expectation of privacy based on society’s expectation. A better approach is of the normative test, followed by the European Union, which deals with how much infringement of privacy should be considered proportionate and not an empirical test which enquires into how much infringement is proportionate. The proportionality test provides more robust protection to the right to privacy by permitting the least attainable infringement. Although the proportionality test has been accepted by the Indian judiciary, the courts have often used the issue of ‘empirical reasonable expectation by society’ (a trace of privacy test’s reasonable expectation) and have incorrectly applied proportionality test, thereby creating dubiety.
Presently, both the HRD and the Home Secretary, who oversee law enforcement agencies, are the authorising representatives for surveillance and are not expected to use unbiased judiciary’s mind. The SC, while dealing with the constitutional validity of the biometric database ‘Aadhaar’, read down the exception of ‘national security’. This exception provided the authorities to check the database after the approval of the Joint Secretary. The court indicated that data collection without any consultation with a judicial officer conflicts the proportionality test as the Joint Secretary is a part of the government. Thus, the orders are unconstitutional as they violate the court’s verdict.
LIMITATION ON THE STORAGE OF DATA
The Indian legal framework is not adequate with regards to the usage of collected information. The rule providing 9 months period for the erasure of data contains uncertain exceptions of ‘ongoing investigation’ and ‘functional necessity’. Many investigations take years of time which lead the authorities to store and process the information on vague pretexts for an uncertain duration. Last year, the European Court ruled that the U.K.’s surveillance data infringes the right to privacy as it discloses ‘an inmate picture’ which was collected, processed and stored over time. Similarly, the Indian Supreme Court in the case of Aadhar held the 7 years duration for the storage of biometric data as excessive and arbitrary.
A subset of right to privacy is the ‘right to be forgotten’. As per the Article 17 of the GDPR, right to be forgotten entitles the data subject to have the data controller erase his/her personal information, cease its further dissemination and have third parties halt its processing. This right has also been recognised by the Indian judiciary in the case of Sri Vasunathan v The Registrar General. By linking the social media accounts of the students, the authorities will get complete access to the personal information of the students. This includes their personal photos, current work & job description, where & with whom they travel, sleep or eat, etc. There is no mention in the orders regarding the de-linking of this information as well as the duration for which the personal information shall be stored or processed.
From the above analysis, it is evident that the concerned aforesaid orders issued by the state are unconstitutional and violate the verdict of the Supreme Court. The government should take a step back and recall the implementation of these orders. It is high time for the Indian government to come up with data protection laws that could match the standards of Europe’s celebrated GDPR, and thereby assist in protecting the privacy rights of the countrymen.
In addition to this, if the day to day activities of the people will come under complete state surveillance by the virtue of orders which are bad in law, then the people might feel alienated from the law itself. Certainly, it is the law which is made for the people, the people are not made for the law.
(Anirudh is currently an undergraduate at Faculty of Law, Jamia Millia Islamia.)