Two recent notices by the government kicked up a storm over allegations that they would compromise privacy. However, they seem to be attempts to curb illegal activities on social media

 

~By Na Vijayashankar

The privacy of individuals seemed to be at stake recently. Two PILs were filed in the Supreme Court against a notification of the Union home ministry, with more promising to follow. They sought quashing of the recent order of December 20, 2018, on the grounds of violation of privacy of citizens. The order was made under Section 69 of the Information Technology Act, 2000, as amended in 2008 (ITA 2000/8) and was called a mass surveillance attempt, an assault on privacy and an attempt by the Modi government to gain advantage during the forthcoming general election over its political opponents.

Before the Court could hear these petitions, another order dated December 24, 2018, from the Ministry of Electronics and Information Technology (MeitY) amending Section 79 of ITA 2000/8 raised a storm in the media. This, too, could land in the Supreme Court shortly. It was alleged that this order violated freedom of speech and was an attempt to censor and control social media as well as facilitate snooping on citizens.

While this has understandably char­ged up opponents, even professional circles seem confused about the legality of the orders. The home ministry order (see box: Ministry of Home Affairs) is “in exercise of powers conferred under Section 69(1) of ITA 2000 read with Rule 4 of the Information Technology (Procedure and safeguard for interception, Monitoring and Decryption of Information) Rules, 2009”. However, this order is not an independent directive that can be considered actionable without reference to the restrictions under the relevant Act and Rules. This fact has been ignored in most discussions and media reports as well as the PILs. The order is only designating the agencies that can be used by a “competent authority” for exercising its powers under Section 69 (1) of ITA2000/8.

Section 69 (1) itself is providing powers only as per the constitutional propriety of “reasonable restrictions” that can be placed on fundamental rights through due process of law. The due process is represented by Section 69 and the rules made thereunder. This Section has existed in its present form since October 27, 2009, and enables the issue of directions for interception/monitoring/decryption of any information by a “competent authority” and for a “specific purpose”.

As Section 69 clearly emphasises that it can be used only when the requirement is under “Permitted Reasonable Restrictions of Fundamental Rights” under Article 19(2) of the Constitution, it is not ultra vires the Constitution. The rules under Section 69 were notified on October 27, 2009, under the title “Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009”. This contains 25 clauses which include:

• Prohibition of any person carrying out the monitoring except as provided under the regulations. In view of the prohibition, any violation of the due process would render the person who carries out such monitoring liable to be punished under other sections of ITA 2000 such as Section 66 with a possibility of imprisonment up to three years with a fine and also make him liable to the affected individual to pay civil damages.
• Designation of the competent authority, namely the Secretary, Home, in central and state government.
• Designation of agencies through which the competent authority may conduct the monitoring. It is now restricted through the ministry order to only 10 agencies. In the absence of this designation of agencies, the competent authority could have designated any official or agency of its choice for conducting the monitoring.
• The direction for monitoring to be issued in writing and should contain the reasons for it and also name a person responsible for execution of the order.
• The agencies are authorised to designate a “nodal officer” who shall be resp­onsible for implementation and will be accountable for strictly following the order.
• The orders of the competent authority to be reviewed by a review committee which is the same one constituted under Rule 419A of the Indian Telegraph Rules, 1951.
• The order of monitoring to be for specific information and shall be valid for a limited period of 60 days from the issue with a possible renewal up to 180 days.
• The information so collected to be destroyed after 180 days unless it is required for legal purposes as evidence.
• Intermediaries and computer owners to assist the monitoring agency to be co-operative, failing which they shall be liable for prosecution, which will be through a judicial process.

Thus, it is to be noted that the rules are comprehensive and fully meet the requirements of “due process”. All the excitement generated about the order being “mass surveillance” of citizens is not backed by facts.

So on what grounds were the two PILs filed? Some of the objections were:

• This is a blanket order against the public for monitoring their activities without reason: This may be unsustainable as the power to monitor can be exercised only by the competent authority through these agencies and not by the agencies themselves.
• It considers every citizen a criminal: This may not be true as the competent authority has to specify the reasons in a written order which is also subject to review by a higher authority and will also be subjected to judicial review by any person who suffers a wrongful consequence thereof.
• It is bad in law: This too may be unsustainable as it is the duty of the government to secure the State and collecting information that can lead to better security of the people is part of the expected duties of the government.
• It allows imposition of criminal punishments under several sections of ITA 2000/8: Such punishments can be imposed only against persons who are so liable for conviction and not merely because their criminal activities became known to the law enforcement authorities because of the monitoring.
• It will be used to fix innocent citizens and control the entire country under dictatorship: This is mere speculation.
• Without an FIR, the State cannot initiate any action against any citizen of India in a cognisable offence: These powers are exercisable only if the requirement is recorded in writing. Also, the person giving such an order is liable for prosecution if it is proved that he has misused the powers.

Hence, the grounds on which the PILs have been filed do not seem to be based on facts or logical reasoning. This conclusion would remain even if the landmark Puttaswamy judgment is brought into the discussion as the conditions under which privacy is a fundamental right are subject to reasonable restrictions. These are met by Section 69 and the notification which together constitute “due process of law”. In the Justice KS Puttaswamy (retd) and Anr vs Union of India and Ors judgment, it was held that the right to privacy is protected as a fundamental constitutional right under Articles 14, 19 and 21 of the Constitution.

On December 24, 2018, the government put up a draft amended rule under Section 79 of ITA 2000/8 for public comments. This is called the Information Technology [Intermediaries Guidelines (Amendment) Rules], 2018, and amends the earlier rule which was issued on April 11, 2011. The new regulations have proposed some important changes related to social issues such as prohibition of promotion of cigarettes, tobacco products, liquor, etc, which have not faced any objection in the initial media reactions. What has now attracted the adverse attention of critics are those related to the proposals to curb spread of fake news through social media.

The key provisions that have attracted attention in these guidelines are that the intermediary:

• Operate through a company incorporated in India (applicable if there are more than 50 lakh users or the government has otherwise notified the intermediary).
• Provide information and assistance to a government/investigation agency within 72 hours, when required under a “lawful order”.
• Remove objectionable information within 24 hours when receiving either a Court order or a notification from an appropriate agency.
• Deploy technical measures and controls for proactively removing unlawful content.

Like the objections raised for data localisation in respect of the proposed personal data protection law, industry players, which include international giants such as Google, Facebook, Twitter, WhatsApp, Instagram, etc, may raise their objections to resist the need to have a local company which could add to their corporate governance costs.

There is a counter view that many of these entities are today much more than communication platforms and have even ventured into be­coming financial intermediaries (GPay, WhatsApp Pay, Twitter or Facebook Banking, etc) and there is a need to bring them under tighter local regulatory supervision. The proposed measures of “management localisation” would be a step in this direction and lead to better tax and legal compliance.

As regards the need to remove content under certain circumstances, the requirement arises only when the order is “lawful” or there is a “Court order”. Hence, there is no justification for objection. The intermediary needs to put in place systems and procedures to comply with the provisions as a part of ITA 2008 compliance. Identifying what is “lawful” will be with reference to “objectionable content” referred to in the guideline itself and the information which is relatable to Article 19(2) of the Constitution.

Understanding these and translating it into necessary policies and procedures are part of the compliance process. When these intermediaries can translate complicated regulations like General Data Protection Regulation into automated technical compliance controls, converting these guidelines should not be an issue. When there is disagreement between the authority seeking removal of the content and the intermediary, it is open for either to resort to “adjudication” as provided under ITA 2000/8 or other means that may be available under law.

The technical measures and controls required to be implemented under the guidelines do not speak of any “decryption”, though this is a power available under Section 69 of the ITA 2000 and can be exercised over any IT operator, including an intermediary, subject to conditions indicated under Section 69.

On the other hand, what is required under the Section 79 guideline is a reliable identification of the origin of the message such as the IP address, mobile number, etc. These are measures which are not difficult to implement. Such requirements have come up for judicial review globally as far back as 2000 in the LICRA vs Yahoo case and courts have held that the intermediary is duty- bound to introduce adequate technical measures to comply with the legal requirements.

The amendments are, therefore, reasonable and the objections raised represent more the economic inconvenience that the intermediaries may face. They do not carry legal weight.

In short, it seems that the two notifications are a serious attempt by the government to mitigate the possibility of social media and the internet being used to carry out illegal activities. The question “why now” can only be countered with “why not now?”

Hopefully, the industry will cooperate and the courts will appreciate the need for such regulations and deal with the legal objections in an appropriate manner.

—The writer is a cyber law and techno-legal information security consultant based in Bengaluru. The views expressed are personal