On 20 December, 2018, the Ministry of Home Affairs in India issued an office order authorising a plethora of security and intelligence agencies to intercept, monitory and decrypt all personal data on computers and networks in India. The carte blanche nature of this authorisation raises significant concerns for the protection of the right to privacy in India. Particularly, in a country rattled by arbitrary internet shutdowns, targeted attacks on activists and an influential authoritarian political movement, the order may be the demolition of the last lines of defence of the rights to privacy and freedom of expression.
The Order is issued under Rule 4 of the Information Technology Act Interception Rules 2009, which gives the Home Ministry the prerogative to delegate its powers of interception, monitoring and decryption to an “agency of the Government”. The 2009 Rules institute several safeguards to constrain this power. The December order grants these powers to 10 security and intelligence agencies, which is the bulk of the Indian state’s law enforcement machinery. Arguably, this expansion transforms the nature of interception and surveillance in India from an emergency protocol in the hands of a single functionary to a widely-used tool of law enforcement. Consequently, it is concerning that an antiquated surveillance framework is being deployed by the Government at this scale. This violates core principles of Indian privacy jurisprudence.
Surveillance by law enforcement agencies has been at the heart of Indian privacy-rights jurisprudence. The early landmark cases of M.P. Sharma, Kharak Singh and Gobind were all concerned with physical surveillance by local police, and a synthesised reading of these cases establishes narrowly tailored surveillance and the need for a compelling state interest as foundational principles of Indian privacy jurisprudence. The PUCL judgment, given in the context of emergency telephone tapping, held that judicial oversight was not a necessary precondition of constitutional surveillance, despite upholding the conditions of compelling state interest and narrowly tailored surveillance. These guidelines were institutionalised in the form of the IT Act Interception Rules 2009, which provide safeguards against surveillance, and which are being claimed by the Ministry of Home Affairs as providing legal validity to this order.
However, the Ministry of Home Affairs has failed to take developments in India’s privacy jurisprudence into account. India’s privacy jurisprudence has advanced tremendously since the passing of the IT Act Interception Rules 2009 as the threshold for a constitutional privacy intrusion was increased in the Puttaswamy and Aadhar judgments of the Indian Supreme Court. Two insights from these judgments demonstrate the antiquity of India’s surveillance framework.
First, the right to privacy is now a constitutionally recognised right. In its earlier judgments, the Court was concerned with an individual’s liberty interest under Article 21 of the Constitution, which is much narrower than the current conceptualisation of the right to privacy. Consequently, safeguards which were evolved to be consistent with liberty interests are not necessarily consistent with a broader right to privacy. For example, recently recognised aspects of privacy which provide protection for the “inner domain of consciousness”, informational self-determination and decisional autonomy are violated by a surveillance regime that lacks judicial oversight or adequate transparency mechanisms. This was recognised by the Supreme Court in its 2018 Aadhar judgment, where the Court mandated judicial oversight for information sharing requests for Aadhar data, analysing the State’s imperative to access information against the parameters of the new, broad right to privacy. In doing so, the Court ruled that judicial oversight is a necessary pre-condition for limitation of privacy interests. Instead of statutorily reforming the pre-Puttaswamy Interception Rules 2009 into a constitutionally-sound surveillance framework with higher thresholds, the Government has granted its security agencies the power to operate freely within this antiquated framework.
Secondly, in both Puttaswamy and Aadhar, the Supreme Court has recognised the deeply pervasive role of the internet and computers over the last few years. People’s lives are deeply interconnected with technology, and a vast amount of personal, financial and sensitive data passes through today’s computers, at a scale incomparable to the context in which the PUCL guidelines were formulated. Further, the nature of technological interactions today allows for very precise inferences to be drawn about people on the basis of their activity on the internet. This presents serious dangers for freedom of expression, dissent and activism on the internet, especially with all of India’s law enforcement watching. Consequently, it appears unwise to deploy a framework developed in the telephone-era to modern surveillance.