INTRODUCTION

“If the right to privacy means anything, it is the right of the individual, married or single, to be free from unwarranted governmental intrusion” – William J. Brennan, Jr.

The Indian Constitution guarantees its citizens the protection of certain basic human rights. In the twisted fabric of democratic governance, fundamental rights are the threads that safeguard the sanctity of one’s thoughts and actions from unwarranted intrusion and represent the basic values cherished by the people of this country since the Vedic times. The right to privacy has been recognized as a fundamental and inalienable right. Though it has developed after much delay through judicial interpretations, it continues to be eclipsed by the State’s duty to guard itself and its people.

Surveillance was realized as a key tool for ensuring national security and safeguarding the unity and integrity of the nation in the backdrop of the Mumbai terror attack. But it faltered profoundly when it shifted its approach from targeted to mass surveillance, leading to the curtailing of the fundamental right to privacy of individuals. The onus to establish that the fundamental rights of citizens are not infringed and that the restrictions imposed upon the people fall within the ambit of “reasonable restrictions” as mentioned in Article 19(2) of the Constitution, is on the State.

The tussle between the citizen’s right to privacy and the need for state surveillance is not new. However, with the advent of digital mass surveillance and contempt thereof, as well as the beginning of enactment of privacy-related laws with the recent enactment of the Digital Personal Data Protection Act, of 2023, it becomes essential to view this debate in the light of these developments.

THE RIGHT TO PRIVACY: AN INDISPENSABLE INNOVATION

In the dynamic realms of Indian Jurisprudence, where traditions and modernity collide, the right of privacy prevails, disposing of a vast tapestry of judicial interpretations and legislative intricacies. Right to Privacy has a long history in India. Common Law prevalent in pre-independence India, from which Indian law as it is today                                                                                                                                                                                                                                                                                              find its foundations, did not have a clearly articulated privacy doctrine. Therefore, when attempts were made to frame India’s own Constitution such as The Constitution of India Bill (1895), The Nehru Report (1928), M.N. Roy’s Draft Constitution, (1944), Constituent Assembly Debates and finally The Constitution of India (1950), the possibility of privacy as a right was not given much attention. A close scrutiny of the debates reveals that the Constituent Assembly only considered whether there should be an express provision guaranteeing the right to privacy in the limited context of “searches” and “secrecy” of correspondence, whereas on the other larger dimensions of the right to privacy were not thoroughly examined during the debates as the Constitution makers could not have possibly imagined the technological advancement, incessant rise of social media platforms, etc. Analogous to the American Fourth Amendment, the Indian Courts opined that there is no justification for importing a different fundamental right by some process of ‘strained construction’.

Privacy as a fundamental right has, therefore, not been expressly enshrined in the Indian Constitution. It has been innovated and introduced into the list of constitutionally protected rights by judicial pronouncements and the ensuing interpretation of constitutional provisions. Privacy is the right to be free from restrictions or encroachments on the person, whether those restrictions or encroachments are directly imposed or indirectly brought about by calculated measures. Privacy has been held to be the “right to be let alone” and an important part of Article 21 of the Indian Constitution. Today, privacy is a prerequisite to dignity and to life itself.

The right to privacy is a basic human right accepted internationally. Article 12 of the Universal Declaration of Human Rights recognizes the right to protection from arbitrary interference to privacy. Article 8(1) of the European Convention on Human Rights (ECHR) provides a right to protection of one’s private and family life.

A much-needed development in the realm of fundamental rights was made with the unanimous nine-judge bench judgment of the Hon’ble Supreme Court in Justice K. S. Puttaswamy (Retd.) and Anr. v. Union of India (hereinafter referred to as Puttuswamy) holding that “the right to privacy is an integral part of both “life” and “personal liberty” under Article 21, the constitutional values expressed in the Preamble. Hereinafter, the stature of the right to privacy as a fundamental right was affirmed, leaving no room for any doubt.

The Right to Privacy, however, is not absolute in natureand is subject to “reasonable restrictions.” However, any encroachment on the Right to Privacy will have to withstand the touchstone of permissible restrictions on fundamental rights and should follow a fair, just and reasonable process. Exactly how reasonable the restrictions are is left to the discretion of the State, however arbitrary they may be.

The State itself is thus an impediment to the right to privacy following the negative aspect of the Right to Privacy as the negative content restrains the state from committing an intrusion upon the life and personal liberty of a citizen. This may take innumerable forms, such as collecting personal data, seizure of personal devices, preventive action, surveillance of citizens’ whereabouts and digital footprints, etc.

TRAVERSING THE LEGAL LANDSCAPE OF SURVEILLANCE

In the Colonial era, surveillance constituted a prerogative of the State characterized by the deployment of few intrusive measures against citizens, often with scant oversight. An array of colonial-era legislation originated in the 19th century during the British Raj permitted colonial authorities to monitor communications, such as postal and telegraphic transmissions. Notably, the Indian Telegraph Act of 1885 persisted until December 1996 when the Supreme Court of India intervened in the landmark case of People’s Union for Civil Liberties (PUCL) v. Union of India and laid down detailed guidelines to curb unlawful or excessive state surveillance, emphasizing that telephone tapping violated Article 21 of the Indian Constitution unless permitted by due legal procedure.

Surveillance means closely observing an individual or a group of individuals, especially those suspected by law enforcement agencies. Surveillance exerts a profound influence on the fundamental right to privacy, particularly intellectual privacy, which means ‘the liberty to foster thoughts devoid of scrutiny by the State and informational privacy, encompassing the principles of confidentiality, autonomy and obscurity. The swift shift from targeted to mass surveillance has led to widespread concerns. In mass surveillance, the State has unrestricted access to communication content and associated data, enabling the mining of all communication data for specific keywords or other information that may lead to the identification of potential targets. Similar to the USA PATRIOT, enacted shortly after the 9/11 attacks on USA empowering investigating agencies to employ surveillance measures to counter terrorist activities, the Indian Government has also enacted Prevention of Terrorism Act (hereinafter referred to as POTA) after the attacks on Indian Parliament (2001) which is graced with Section 45that provides for the admissibility of evidence collected through the interception of communication.

Contemporary society has witnessed an unprecedented growth in surveillance into the social fabric of human lives where even minute parts of the person are subject to the same. Even if we contend that no external force is looking at us or observing our actions, the digital footprints complemented by the most intimate facets of our lives are burgeoning in nature. There is no denying the fact that surveillance should be done to protect the citizens from external disturbances as well as internal disturbances. Oftentimes, people contend that they do not have anything to hide, the basic premise in this argument being flawed as they are arguing that they do not have any private space or that the people doing illegitimate exercises have to be surveilled and shouldn’t be granted privacy rights. Another reason is most people in society lack a comprehensive understanding of the probable ramifications that stem from the breach of their personal information. 

Subba Rao J. touched upon the question of surveillance in Kharak Singh wherein it was observed that the right to move freely throughout the territory of India under Article 19(1)(d) is infringed by surveillance, with an emphasis on “freely.” However, this right too is subject to reasonable restrictions under Article 19(5).

The legal landscape for governing and overseeing surveillance in India mainly hinges upon two primary laws, i.e., the Indian Telegraph Act, 1885 (hereinafter referred to as Telegraph Act) and the Information Technology Act, 2000 (hereinafter referred to as “IT Act”). The Indian Telegraph Act regulates telephonic communications,  which was recently repealed by the Telecommunications Act, 2023 (hereinafter referred to as Telecom Act) whereas the IT Act confers upon the government the authority to intercept, monitor, or decrypt any data within computer resources to ensure public safety, public order, etc.

Section 5 of the Telegraph Act, 1885 endows the government with the authority to issue directives for the interception of messages, specifically in cases of public emergency or to uphold public safety. Section 20 of the Telecom Act deals with the interception of messages in cases of public emergency, etc. by the central or the State Government. The term ‘public emergency’ has not been clearly defined in the legislation and is particularly susceptible to challenge on the grounds of arbitrariness and potential violation of Article 14 of the Indian Constitution. However, the Apex Court, in its earnest attempt, tried to demarcate what constitutes an ‘emergency’ to the situation pertaining to the sovereignty, integrity, public order, etc.

In contrast, Rule 419A of the Telegraph Rules, 1951 places constraints on the Government’s authority restricting it to the Union Home Secretary, and for state law enforcement agencies, it is vested in the Home Secretary to the State Government, following a prescribed procedure. Rule 419 B was added to the Indian Telegraph Rules, 1951 in the year 2007, which permitted an officer who is not below the rank of a Joint Secretary to the Government of India to pass an order for interception in unavoidable circumstances.

Section 69 of the IT Act, 2000 states that only the competent authority can issue an order for the interception, monitoring or decryption of information- whether generated, transmitted, received, or stored within computer resources, including mobile phones. Section 69B enables surveillance and collection of information for addressing cyber threats, allowing the Central government to monitor and collect traffic information through any resource from the computer.

The Telegraph Act mentions terms such as ‘public order, national security and public safety’ unlike the IT Act, but these terms appear to be very subjective and vague, enabling the government to go beyond its prescribed limits of surveillance. The General Data Protection Regulation (GDPR) delineates a comprehensive list of reasons on which States can encroach upon privacy. These restrictions imposed upon the citizens must be ‘necessary and proportionate’ as stated by the Proportionality Test, which is gaining prominence in Indian Constitutional Jurisprudence. Amid the contentious debate surrounding the delicate balance between upholding national security by the State and safeguarding the fundamental rights of the citizens, it is the Indian citizen who finds themselves entangled in an inescapable quandary.

The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 unequivocally stipulates that no entity or a person can engage in interception without the explicit direction and approval of the competent authority. The definition of the Competent Authority, as per the current regulation, rests within the precincts of inter-departmental, embodied by the Home Secretary or the Joint Secretary (in the absence of the Home Secretary). Following the footsteps of the IT Act and Telegraph Act, it permits the government to conduct surveillance. It is disconcerting as it lacks judicial oversight, considering that the fundamental breaches are against the State.

Section 26 of the Indian Post Office Act, 1898 grants the Central and State governments the authority to intercept postal articles in situations of public emergency or in the interest of public tranquility. Section 91 of the Code of Criminal Procedure (hereinafter referred to as CrPC) and Section 92 regulate targeted surveillance and the interception of documents within the custody of postal or telegraph authorities. Additionally, as per Rule 4(2) of the Information Technology (Guidelines for Cyber Cafes) Rules 2011, cyber cafes are obligated to maintain copies of user identification for a duration of one year, while Rule 5 states that these establishments must also retain records of user information and browsing history for the same one-year period.

The Unlawful Activities (Prevention) Act 1967 particularly under Section 46,  further authorizes interception by endorsing the admissibility of evidence collected from the monitoring of communications in accordance with the provisions of the Telegraph Act and IT Act.

As the Indian government addresses the evolving challenges, including cyber threats, the debate revolving around surveillance continues to strike a delicate balance between protecting national security and safeguarding the fundamental right to privacy of its citizens. This highlights the contentious issue of the careful consideration of surveillance practices and their implications on freedoms and privacy.

ONE STEP FORWARD, TWO STEPS BACK: CODIFYING PRIVACY LAW

There have been several, at least partly unsuccessful, attempts at protecting the right to privacy by the State by way of legislation – Right to Privacy Bill, 2011; Data Privacy and Protection Bill, 2017; Personal Data Protection Bill, 2019 – to name a few. These Bills, however, never saw the light of day. Finally, in August 2023, the Parliament passed the Digital Personal Data Protection Act, 2023, which, again, is a flawed attempt.

The Digital Personal Data Protection Act, 2023 (hereinafter referred to as DPDP Act) was apparently enacted with the vision of protecting the data of individuals, in turn upholding the right to privacy. Instead, it has proved to be yet another legislative attempt to shield arbitrary state actions from scrutiny, the result of which is a violation of the fundamental right to privacy as it enables and facilitates state surveillance to some extent.

Section 4 of the Act provides that a ‘person,’ the definition of which includes the state, may process personal data of the Data Principal for a lawful purpose, only with her consent and for ‘certain legitimate uses’.  The scope of ‘processing’has been kept wide and includes, inter alia, collection, recording, storage, retrieval, use, and sharing. Section 7 of the Act specifies certain “legitimate uses” for which a data fiduciary may process the personal data of an individual without their express consent, as suggested by Section 4(1)(b). Additionally, there is no provision directing data fiduciaries to inform data principals about third parties with which their data may be shared. In fact, provisions regarding the sharing of data with third parties are loosely fabricated, rendering the data principal’s data unprotected.

Like most legislations, the DPDP Act has pockets of vagueness and space for varied interpretations. It is most vulnerable to being used by the state for disguising arbitrary surveillance via the processing of personal data. The Act seems to have been tailor-made to bolster surveillance instead of its superficial objective to recognize ‘the right of individuals to protect their personal data’ as stated in the Preamble of the Act.

The likelihood of this Act being essentially an attempt to avail the defence of ‘due procedure established by law’ provided in Article 21 while infringing the fundamental right to privacy cannot be ruled out.

It can thus be seen that India’s journey in protecting the right to privacy through its various legislative attempts has fallen short of its intended objective. India can well be said to have taken one step forward and two steps back. The step forward is that the country, at long last, has a privacy law. The two steps back are: –

1. The law at hand has a limited scope, i.e., protection of digital personal data and does not specifically address the right to privacy.

2. Even within this limited scope, it has managed to allow state surveillance with minimal restrictions on such surveillance, due to which the country is facing significant delays and roadblocks in enacting comprehensive privacy legislation, which is the need of the hour.

THE UNACHIEVABLE EQUIPOISE

While the country has scattered surveillance provisions across various laws, there is a lack of corresponding laws that protect the right to privacy. It cannot be denied that a balance between the individual’s right to privacy and surveillance in the national interest is impracticable. Several attempts by way of legislation have failed at achieving this equilibrium. The crucial question in this backdrop is that of the State’s priority in this context: Should the right to privacy be given precedence over the need for state surveillance? Or should it be the other way round, where surveillance leads the way and privacy right takes a secondary position?

In 2013, the whistleblower Edward Snowden revealed how the U.S. Government utilized phone companies to gather pertinent data on millions of its citizens. He let the cat out of the bag by informing people about the “Prism” surveillance Programme of the NSA. This took a tussle between the right to privacy and surveillance by the State to the international dias, implying that citizens’ privacy is subject to intrusion by the Government. The Indian Government implemented a series of surveillance policies following the 2008 Mumbai Terror attacks, such as the National Intelligence Grid (NATGRID), Crime And Criminal Tracking Network and Systems (CCTNS), Lawful Intercept and Monitoring (LIN), Network Traffic Analyzing System (NETRA), Centra Monitoring System (CMS) to enhance public safety, counter-terrorism and combat crime. However, these projects have faced utter disregard and criticism from the general populace. Once fully implemented, CMS will allow the government to “listen and tape phone conversations, read e-mails and text messages, monitor posts on Facebook, Twitter, or LinkedIn, and track searches on Google.” Currently, the PILfiled by the NGOs (CPIL and SFLC) is pending before the Delhi High Court as these surveillance systems allows investigative agencies for mass surveillance.

The recent conundrum over Pegasus spyware, an Israeli innovation of NSO Group, a Cyber- Security Company raised significant concerns over the surveillance by the State. On 18 July 2021, a consortium of 17 journalist organisations, including one from India, disclosed an alleged revelation pointing out that Pegasus hacked and extracted their personal data. The report allegedly revealed that Pegasus spyware illicitly and unlawfully infiltrated Indian smartphones to gain access to the complete data within these devices, subsequently selling this information to Government Officials.  

The Aadhar scheme under which the government established a centralized biometric and demographic database of its residents and authorized disclosure of such information in the national interest was challenged before the Apex Court in 2012as it raised alarming questions about the mass surveillance by the State and consequently violating the privacy right. The scheme was held to be constitutional, and certain provision were struck down, but this case explicitly recognized the harms of surveillance, especially in the digital age.

These examples and many others demonstrate an alarming trend whereby the privacy and dignity of our citizens are being whittled away by sometimes imperceptible steps.

The answer to the significant questions posed above thus becomes quite evident that the right to privacy should be given preference over the requirements of State surveillance. While surveillance may be necessary in contemporary times, it is imperative to keep a check on it.

In our country that prides itself on its diversity, privacy is one of the most important rights to be protected against State and non-state actors. It is crucial to rebalance this equation and give the fundamental right to privacy the importance it deserves within the framework of a democratic society. The State should resort to surveillance only if other methods are not reasonably open, and in so doing, should infringe privacy minimally. Arbitrary surveillance, among other arbitrary state actions that discourteously violate fundamental rights, just because a not-so-limited defence in the pretext of reasonable restrictions exists, is not welcome.

CONCLUSION

Fundamental rights serve as the bedrock for all other institutions in a democratic nation, as they collectively work towards achieving the goals of the country. The interests of human personality are deducted from the qualities of man in the abstract or from the formula of right and justice. The right to privacy has been endowed with the status of a fundamental right by the Indian Courts.

The government has undertaken various attempts to legislate upon the matters pertaining to the right to privacy, yet its effort has proved to be ineffectual. Further, the Act passed, i.e., the DPDP Act, exhibits elements of vagueness, leaving certain crucial aspects to the discretion of the State, entailing the saga of arbitrary surveillance without consent.

As India continues to grapple with the arduous challenge of balancing the right to privacy with reasonable surveillance, it must address issues such as mass surveillance, the anonymity of data stored in a secure format, ensuring transparency for such data collection, the establishment of a regulatory body, and maintaining overall accountability via comprehensive and effective legislation that truly upholds the right to privacy in the digital age.