India needs to evolve comprehensive privacy laws that protect individual rights before implementing a framework for legal interception, argues Ranjeet Rane, who works with the Public Affairs team at Edelman India and is a Research Assistant at Takshashila Institution.
In my previous post, I had stressed on the need for an urgent debate between the government and citizens on privacy rights and limitations in India, given the recently implemented Centralized Monitoring System (CMS). A counter agreement being presented is that the CMS will be a better option for the Indian citizen as it provides a legal framework for lawful interception, against the current practice of content monitoring and filtering through unregulated, ad-hoc processes involving intermediaries such as telecom companies and ISPs.
The CMS is intended to ensure that each interception request is tracked and the recorded content duly destroyed within six months as required under law. In this post, however, I will try to present a case against the implementation of the CMS by looking at the existing provisions in the Information Technology Act 2000 (and subsequent amendments) that make an effort to address issues of privacy.
Section 72 of the Information Technology Act 2000 in its original form penalized the breaches of confidentiality and privacy of data. Essentially, the scope of the provision covered those empowered by the Act to gain access to any electronic record, book, register, correspondence, information document or other material seized for investigation. It was aimed at preventing accidental leaks of such information during the course of investigations.
This was later amended to include Section 72A to penalize “any person” (including an intermediary) who has obtained personal information while providing services under a lawful contract and discloses the personal information without consent of the person, with the intent to cause, or knowing it is likely to cause wrongful gain or wrongful loss.
When this clause is read together with Section 69B of the Act, it squarely puts the responsibility of securing personal data on the intermediary, which in this case could be a wide spectrum of actors from cyber cafes to telecom companies and ISPs. Indeed, if this Act is used to justify the implementation of CMS, it would need significant amendments to clearly identify those central and state agencies authorized to access such information. The recent case of National Technical Research Organization being at the forefront of snooping activities is still fresh in public memory.
The next set of amendments came into force by the addition Section 43A which obliges corporate bodies which possess, deal or handle any sensitive personal data to implement and maintain “reasonable security practices,” failing which they would be liable for disclosure. The Act defines “corporate bodies” as those involved in “commercial or professional activities.”
The definitions of “sensitive personal data” and “reasonable security practices” are narrow and hence prevents courts from interpreting a contextual definition. Most importantly, government agencies and non-profit organizations are entirely excluded from the ambit of this section.
The act further lays down the Rules for:
- Collection of Information
- Transfer of Information
- Reasonable Security Practices and Procedures
Elaborate rules to address the points above are still only in draft phrase.
It is only in the Section 66E (Violation of Privacy) that we find privacy concerns addressed. The euphoria doesn’t last long as this section only covers electronic voyeurism and penalizes acts of capturing, publishing and transmission of images of the “private area” of any person without their consent, “under circumstances violating the privacy” of that person.
This section falls short of acknowledging the importance of protecting personally identifiable information (name, passport number, date of birth, biometric information, etc.) and deals only with disclosure of potentially compromising photographs.
It is clear that the status of a legal framework to protect the privacy of citizens in India is inadequate. The Information Technology Act does not have any provision for penalizing government agencies for overreach. Implementing any program like the CMS in the absence of clauses on privacy, regulation and oversight over government conduct will be concerning. Indeed, recent media controversies point to the possibility of political misuse of new tools and resources.
The government ought to consider bringing a comprehensive Privacy Bill to the floor for debate, instead of piecemeal additions to the Information Technology Act. This Bill should ensure adequate oversight for all activities of surveillance. This oversight should be coupled with providing information in public domain about convictions happening through such monitoring.
This will not only make it mandatory for the agencies concerned to justify their actions but will also lead to more efficient results than those expected from blanket monitoring. Such a bill will seek to also limit political abuse of resources at the disposal of national security & investigation agencies.
The United Nations Declaration of Human Rights mentions under Article 12 that:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.
As a signatory and one of the founding nations behind the UN Human Rights Declaration, we haven’t set the kind of example in our commitment to individuals’ privacy expected from a liberal democracy like ours. The need of the hour is for India to develop adequate and effective privacy legislation based on a set of clearly defined principles. Privacy as an entitlement ought to be an end result of this comprehensive reform.