Technological advancement in information sharing and state surveillance pose a serious threat to individual privacy. India’s lack of stringent laws in this area is a case of being behind the times.
By Rajendran Nair Karakulam
Union Finance Minister Arun Jaitley found to his horror in January 2013, that his phone was being tapped. He was leader of the opposition in the Rajya Sabha then. The tapping had not been ordered by the government, but by Delhi police personnel, who were abusing their powers in an unauthorized manner. Earlier, leaks of tapes between middlemen, politicians and businessmen confirmed that the information collected through surveillance was not in safe hands. Several individuals have also complained that their phones are being tapped.
The government usually puts the blame on the Telecom Service Providers (TSPs) for the leaks. These TSPs function within the limits of licenses issued by the government. The truth, most often, is that the government mandates the surveillance and then places the burden of ensuring privacy on the TSPs.
The state has also been arming itself with newer powers and tools for gathering information about citizens. The government announced in 2009 that it would start a Central Monitoring System (CMS) in order to do away with the intervention of TSPs in surveillance; this system commenced in 2013. The CMS ensures that all mobile calls are tapped regularly and consistently 24×7. Therefore, it is only logical to conclude that the CMS will further conceal unlawful surveillance. Surveillance systems like PRISM, prevalent in the United States, are also similar in nature, but the US privacy laws protect citizens from any arbitrary and illegal use.
Despite concerted attempts by the authorities to invade privacy, there has been hardly any demand from the civil society to reform India’s privacy laws. Privacy laws protect citizens not just from state surveillance, but also from private processing of data. Protection from private processing is becoming more crucial in the new environment of information sharing on the internet.
While using the net, we give out a lot of data about ourselves, sometimes knowingly and sometimes unknowingly. This data is available to various agencies for processing. Some forms of processing are very common and are used by companies for commercial purposes. The advertisements that pop up while you browse on Google are projected after experts study your interests through your browsing history. For example, if you are browsing for options to buy a new flat in Jaipur, you may be targeted with more real estate ads from Jaipur, or even Rajasthan. Even Facebook intends to do the same. This is called retargeting. Many countries like Canada have already started protecting its citizens against such tactics.
Currently, the center is empowered to intercept any communication on the pretext of security of the state and protection of friendly relations with foreign states. Such a power is given to the government under Section 5(2) of the Indian Telegraph Act. At present, an authorization from the home ministry is enough for the state to carry out an interception. It was this weakness of procedural requirement that enabled Gujarat government to allegedly stalk a young woman.
The Supreme Court, on a PIL filed by People’s Union for Civil Liberties (PUCL), observed that the substantive law in Section 5(2) must have a procedural backing so that the exercise of the power by the government is just, fair and reasonable. Bhairav Acharya, a Supreme Court lawyer, who has worked on privacy laws, says: “There should be judicial scrutiny in surveillance by the state and there should be a Data Protection Authority protecting collection and processing of data.”
A 2011 report by the Group of Experts on Privacy, constituted by the planning commission and headed by the former Delhi High Court Chief Justice AP Shah, highlighted the gulf between the Indian privacy regime and privacy laws across the world. Some basic principles which were proposed to be added were: notice to the subject of surveillance, consent and purpose of data collection and protection from interception.
The UPA government was working on a privacy protection bill and the NDA government may take it forward. The bill proposes stringent regulation on collection and processing of data and various procedural requirements for interception of communication and state surveillance.
This will be done by ensuring that the collection is carried out only with the notice and consent of the subject, and the processing might not go beyond the purpose of collecting data. The privacy protection bill also prohibits interception of communication and state surveillance, unless it is authorized by a data protection authority.
But, neither the public nor the lawmakers in parliament seem to be hassled by the powers of Big Brother. The harmful effects of surveillance are not direct or tangible. The basic problem with surveillance is that it puts the watcher and the watched in a position of disparity, which could lead to discrimination and coercion of the watched. Now, imagine a situation in which the state is armed with powers to identify and persecute its critics. This means that actually you do not even have to put up a status on Facebook to get arrested; your searches on the internet and your communications with your friends regarding a sensitive political issue can itself alert the government and land you in jail.
The problem is that there is very little awareness about the surveillance being carried out by the state and much less alertness about the right to privacy that we must have against such actions of the state.
Sunil Abraham, executive director of the Centre for Internet and Society, says: “There is a false dichotomy that exists due to very little public debate about state surveillance in India. Security and privacy are two sides of the same coin and neither can be achieved without securing the other.” The right to privacy issue should now become a public debate, as it affects every citizen directly.
Unlike state surveillance, protection from private data processing on the internet is a major concern. Even those who argue that the actions of a democratic state, even when it snoops, are benign, may not view the actions of Google or Facebook or those agencies which can get access to the data transmitted through Google or Facebook, as necessarily benign. Even those who are not scared of the government may be scared of these “other” agencies. And the July 2012 cyber attack on over 10,000 Indian officials working in various offices, from the PMO to the DRDO, should settle any doubts one might have had regarding the online capabilities of terrorists today.
The recent judgment on the “right to be forgotten” by the European Court has brought the issue of privacy protection back into public debate. The European Court stressed on a new right of oblivion on the internet that rests on the principle of purpose. Data and information collected with the consent of the user must not be processed after the purpose of such collection ceases to exist. This is one of the basic principles of privacy laws and has been incorporated in the Indian draft bill. At present, only “sensitive personal data”, as under the IT Rules, is protected from being processed.
The AP Shah report had highlighted the “right to be forgotten” but considered it hard to be implemented in the current environment of information sharing. But, the European Court judgment has created the possibility of such an environment where one may seek protection from processing of data on the internet. If the Indian privacy laws are made similar to the EU Directive, on which this decision was based, Indian users could also claim protection from Google’s evils and Yahoo bogeys.
The civil society needs to pressurize the state to pass legislations that protect people from surveillance and processing of data. A public hue and cry for protection from private snoopers will lead to protection from state snoopers, since the law for both would be the same.