Print This Post
13 June 2014, Gateway House

Policy Catalyst: India’s Privacy Law

Edward Snowden’s revelations about the U.S.’s PRISM surveillance raised many issues related to espionage, electronic surveillance and privacy. It brought home the lack of strong privacy laws in India. As the country sets up its own domestic surveillance system, it must also quickly enact statutory privacy legislation

Former Fellow, International Security Studies Programme

post image

Edward Snowden’s exposé of the U.S. government’s PRISM surveillance programme last year came as a rude shock to many nations around the world whose leaders and governments were under surveillance. The exposé raised grave concerns related to national security – specifically espionage, surveillance, cyber-security and privacy.

These concerns have once again come to the fore with Telecom giant Vodafone admitting in a report on June 7, that it regularly concedes customer information at government request without prior warrant in nearly 29 countries, including India.1

The linkages between espionage, surveillance, cyber-security, and privacy are complex.

Espionage is mostly directed at foreign governments and nationals. It is inherently covert and illegal. India was allegedly the fifth most-spied-upon country by PRISM.

Surveillance (monitoring of individuals, their movement and communications) is a critical means of espionage. Yet, nations also frequently monitor their own citizens for national security reasons.

Unlike external surveillance however, domestic surveillance can be regulated to ensure that citizens’ privacy rights are not violated. Regulation of domestic surveillance also minimises abuses and provides legal recourse to the affected citizens. In the past, absence of safeguards on surveillance had created controversies such as the Niira Radia phone-tapping case and the National Technical Research Organisation’s ‘off the air’ surveillance of politicians and officials – which raised suspicions in peoples’ minds about surveillance, and impaired the security agencies’ legitimate surveillance conducted for counter-terrorism purposes.

Typically, surveillance is carried out by mining critical personal information which is widely available in the cyber-world, particularly within email and social networking sites used increasingly by our vast, youthful population.2 This raises issues of cyber-security.

Lastly, privacy is linked with personal autonomy and is affected by all three of the above – espionage, surveillance and cyber-security.

While strong laws are required for all three, the natural starting point should be to create strong privacy legislation as it remains at the core of the issue. This will not only mitigate concerns of foreign or domestic surveillance but also address issues of cyber-security related to personal data protection.

Privacy is hard to define. It can be bodily (in relation to the body), biometric (DNA and fingerprints), territorial (private property), physical (surveillance through CCTV cameras) or digital (electronic communications). 3 Depending on a community’s cultural preferences, there are differing perceptions on how much privacy an individual is entitled to and what represents an invasion of privacy.

Globally, countries have attempted to address these concerns through specific statutory privacy legislation or an omnibus of laws. These legislations have covered two main dimensions of privacy: surveillance (criminal law) and personal data (such as emails, phone conversations, age or bank account number) and protection (civil law).

Since Snowden’s revelations, countries affected by PRISM have focused on the privacy of their citizens. In Brazil, for instance, the government has passed the ‘Internet Bill of Rights.’4  It covers freedom of expression and the right to privacy, assuring Brazilians’ the confidentiality of their digital communications and makes spying and surveillance by foreign governments, illegal. Germany, which has stronger domestic laws on surveillance, is prodding the European Union (EU) to update its existing privacy rules to better protect digital personal information. Since then, pressed by the EU, some companies like Google have released a new policy to address privacy concerns of European citizens.

In comparison, India lags behind in addressing privacy concerns.

While Right to Privacy has not been explicitly stated in the Indian Constitution, the Supreme Court (SC), in 1963 in the Kharak Singh vs. State of U.P. case had interpreted the right as one of the fundamental rights under Article 21 of the Constitution.5 Explaining this right, the SC in 1994 had remarked that the Right to Privacy is a “right to be let alone”. It added that a citizen has a “right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters”.6 The right is also guaranteed under the tort of defamation whereby an individual can take remedial measures to prevent violation of his/her privacy.

Beyond constitution and tort law, there is no statutory privacy legislation at present that comprehensively protects privacy. Rather, a combination of laws – the Indian Penal Code, 1860, the Indian Contract Act, 1872, the Copyright Act, 1957 and the Information Technology Act, 2000 (IT Act, 2000) – covers different aspects of privacy such as private defence of the body and of property, penalty for unauthorised circulation of intercepted telegraphic signals, and breach of confidentiality.

This is not enough to address current and upcoming challenges such as those raised by PRISM.

Now as India raises its own domestic surveillance program called Centralised Monitoring System (CMS) which covers digital and mobile communications, it has become more important to have privacy legislation in place.7 Currently, the CMS operates through enabling provisions under the Indian Telegraph Act, 1885 and the IT Act, 2000, which authorises surveillance but has no provision to protect personal data. India regulates surveillance within the powers of the Executive branch itself, unlike the United States, where there is judicial oversight through the Foreign Intelligence Surveillance Court.

Enactment of privacy legislation also becomes critical as such legislation will enable businesses to evolve best standards on data protection. At present, in the absence of such legislation, businesses are interpreting various provisions of privacy-related acts in their own way – with its associated economic costs.

New Delhi is trying to frame a statutory privacy legislation covering electronic surveillance and data protection since 2011.8 However, due to its inability to accommodate the disparate views of various stakeholders, the government has been unable to table a final version of the bill in the Parliament.

Other government initiatives such as the National Cyber Security Policy of 2013, the Planning Commission’s Group of Experts on Privacy, and the Lok Sabha’s Standing Committee on Information Technology have also called upon the government to expedite efforts for privacy legislation. 9, 10 & 11 

Pressure now is mounting from non-government organizations such as the Centre for Internet and Society, which have proposed an alternative version of the privacy bill with stringent provisions on surveillance and data protection.12

Legal experts in India opine that statutory privacy legislation is required since it will clearly define the privacy right, specify its enforcement and mention exceptions to the right. This will render a certainty about the right by creating a referral point on privacy matters. So far individuals who have taken the judicial recourse to protect their privacy right have done so only post facto. Also, exercise and protection of this right has remained dependent on the court’s interpretation of the constitutional or tort law.

Hopefully, the new government with its clear electoral mandate will be able to formulate a consensus among the key stakeholders and proceed to enact the privacy legislation. This will regulate domestic surveillance and also send a right signal, inferentially, about its commitment to protect the privacy of Indian citizens.

Sameer Patil is Associate Fellow, National Security, Ethnic Conflict and Terrorism, at Gateway House.

This article was exclusively written for Gateway House: Indian Council on Global Relations. You can read more exclusive content here.

For interview requests with the author, or for permission to republish, please contact outreach@gatewayhouse.in.

© Copyright 2014 Gateway House: Indian Council on Global Relations. All rights reserved. Any unauthorized copying or reproduction is strictly prohibited

References:


1. Associated Press, ‘Vodafone reveals scale of government snooping in India, 28 other countries’, CNN IBN, 7 June 2014, <http://m.ibnlive.com/news/vodafone-reveals-scale-of-government-snooping-in-india-28-other-countries/477348-3.html> (accessed on 8 June 2014)

2. Lee, Timothy, ‘Here’s everything we know about PRISM to date’, The Washington Post, June 12, 2013

3. Acharya, Bhairav. ‘Privacy Law in India: A Muddled Field – I’, The Hoot,  <http://www.thehoot.org/web/freetracker/storynew.php?storyid=565§ionId=10> (accessed April 16, 2014)

4. Lopez Conde, Maria, ‘Brazil Approves Landmark Internet Rights Law’, The Rio Times, 29 April, 2014

5. Supreme Court of India, ‘Kharak Singh vs. the State Of U. P. & Others’, 18 December 1962, <http://judis.nic.in/supremecourt/imgs1.aspx?filename=3641> (accessed May 16, 2014).

6. Supreme Court of India, ‘R. Rajagopal vs. State Of T.N.’, 7 October 1994, <http://judis.nic.in/supremecourt/imgs1.aspx?filename=11212> (accessed May 16, 2014).

7. Lok Sabha, ‘Unstarred Question No. 4181’, Ministry of Communications and Information Technology, Centralised Monitoring System, 19 February 2014 <http://164.100.47.132/LssNew/psearch/QResult15.aspx?qref=150407> (accessed May 10, 2014).

8. Government of India, Department of Personnel and Training, The Privacy Bill, 2011.  <http://bourgeoisinspirations.files.wordpress.com/2010/03/draft_right-to-privacy.pdf> (accessed December 16, 2013).

9. Ministry of Communications and Information Technology, Department of Electronics and Information Technology, National Cyber Security Policy-2013, <http://deity.gov.in/content/national-cyber-security-policy-2013-1> (accessed December 16, 2013).

10 Government of India, Planning Commission, Report of the Group of Experts on Privacy, <http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf> (accessed December 16, 2013).

11. Lok Sabha, Standing Committee on Information Technology. Report on cyber crime, cyber security and right to privacy (Report no. 52). <http://164.100.47.134/lsscommittee/Information Technology/15_Information_Technology_52.pdf> (accessed April 16, 2014).

12. The Centre for Internet and Society, The Privacy (Protection) Bill, 2013. <http://cis-india.org/internet-governance/blog/privacy-protection-bill-february-2014.pdf> (accessed May 16, 2014).

TAGGED UNDER: , ,