Introduction and Background
A lot changed on July 16, 2020, when the Court of Justice of the European Union (“CJEU”) issued its judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (“Schrems II”). This decision invalidated the EU-US Privacy Shield, on the basis that the national security laws of the United States of America interfered with the fundamental rights of EU data subjects and prevented them from equivalent protection as that offered in the EU. This set into motion a ripple effect that has altered the way data transfers are undertaken from the EU.
If surveillance laws in U.S.A are invasive, the question arises as to which other countries’ laws are similarly intrusive, and if the transfer of EU citizens data to the said country should be restricted.
Following Schrems II, the European Commission (“EC”) and European Data Protection Board (“EDPB”) released measures for EU-based entities to undertake prior to transferring data outside the European Economic Area (“EEA”). One of the steps is to assesses the proposed transfer under the lens of the surveillance laws of the recipient country to determine whether an adequate level of protection is afforded against data access requests.[1] This assessment is to be carried out as per the European Essential Guarantees for Surveillance Measures Recommendations issued by the EDPB in November 2020[2] (“Essential Guarantees”).
In November 2021, the EDPB also released its report on Government access to data in third countries (“Report”). The Report covered three (3) countries, i.e., Russia, India, and China. In respect of India, it concluded that EU data subjects have very limited rights to challenge the Indian Government’s data access requests, and that redress is possible only in a few cases.
We are not sure if Indian data privacy experts would agree wholeheartedly.
While the state of informational privacy in India is very nascent, and in many aspects not ideal, it may not be correct to conclude that there are no fetters at all on the Indian Government’s surveillance powers. Doing so ignores the historical background of Indian surveillance and data access laws, as well as continuing judicial efforts to protect citizens and non-citizens alike against state overreach.
In this piece, we analyze the EDPB Report’s India focused analysis conclusions, testing it against the historical context in India relating to the Government’s investigation and access initiatives. In particular, we look at Indian case laws and judicial precedents on this topic that were not perhaps not fully addressed in the EDPB’s Report.
Indian surveillance laws – A Historical Primer
The grundnorm source law on electronic surveillance in India is Section 5(2) of the Indian Telegraph Act, 1885 (“Telegraph Act”) read with the Indian Telegraph Rules, 1951 (“Telegraph Rules”, and collectively with Telegraph Act, “Telecom Regulations”). This law allows interception and disclosure of telecom messages “on the occurrence of any public emergency or in the interest of public safety’.
While the telegraph law itself is an almost 150 years old British Raj relic, Section 5(2) was formulated in 1972 to facilitate surveillance by way of telephone tapping. In 1996, a case was brought by the People’s Union for Civil Liberties v. Union of India[3] (“PUCL Ruling”), challenging the Indian Government’s telephone tapping activities.
The Supreme Court Judge Kulpdip Singh, one of India’s stalwart jurists, noted that telephone tapping is a serious invasion of privacy, and held in Paragraph 166:
“We, therefore, recommend that telephones may not be tapped except in the interest of national security, public order, investigation of crime and similar objectives, under orders made in writing by the Minister concerned or an officer of rank to whom the power in that behalf is delegated.
The order should disclose reasons.
An order for tapping of telephones should expire after three months from the date of the order.
Moreover, within a period of six weeks the order should come up for review before a Board constituted on the lines prescribed in statutes providing for preventive detention. It should be for the Board to decide whether tapping should continue any longer. The decision of the Board should be binding on the Government. It may be added that the Minister or his delegates will be competent to issue a fresh order for tapping of the telephone if circumstances call for it. The Telegraph Act should contain a clause to give effect to this recommendation.”
The learned Judge issued nine (9) rules and directions on telephone taping, including a sunset on any interception orders, and an internal review committee to oversee such orders. This ruling forms the basis for a 2007 amendment where a new Rule 419A was added to the Telegraph Rules. The same legal reasoning (and text) was adapted for surveilling computer records in later laws. Section 69 of the Information Technology Act, 2000 (“IT Act”) mirrors Section 5(2) of the Telegraph Act. And like Rule 419A, the Information Technology (Procedures and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009 (“Interception Rules”) allow data access on the same basis[4].
As such, Indian surveillance laws in their present form are rooted in a judgement of its apex court, that places limits on the Government’s surveillance and access powers. This background is vital to understanding the current state and interplay of data access laws in India, particularly when it comes to continuing judicial oversight.
Let’s take a closer look at how Indian courts have judged surveillance orders under these laws.
Continuing Judicial Oversight on Surveillance
Indian surveillance regulations itself do not contain elaborate data subject rights for redressal, but that is not to say that there are no rights available. The EDPB’s Report misses the constitutional law or administrative law challenges that may be made, even by non-citizens, when faced with surveillance orders[5].
The Supreme Court in K.S. Puttaswamy v. Union of India has confirmed that Article 21 (i.e., fundamental right to life and personal liberty) of the Constitution of India, 1950 (“Indian Constitution”), guarantees each individual the fundamental right to privacy. This judgement specifically clarified that informational privacy is one of the facets of the right to privacy, and this right can only be compromised by a state action if it satisfies the doctrine of proportionality, i.e., “(a) the action must be sanctioned by law; (b) the proposed action must be necessary in a democratic society for a legitimate aim; and (c) the extent of such interference must be proportionate to the need for such interference” (para 117). The Indian Constitution enables individuals to enforce their fundamental rights through Article 32 and 226, which allows them to file a petition seeking redressal before the Supreme Court and High Courts. As such, Indian and EU data subjects alike have a right to challenge access orders in the writ jurisdiction of courts.
While there have been few to no instances of foreigners approaching Indian courts to enforce their right to privacy, there have been numerous instances of a foreigner approaching various High Courts/ Supreme Court for enforcing their fundamental right to life[6].
A number of rulings of the Supreme Court and High Courts have quashed access orders due to their potential infringement of privacy and neglect of due process[7]. The Bombay High Court in Vinit Kumar v. CBI & Ors[8]., relying on the PUCL Ruling and the Puttaswamy ruling recognising right to privacy as a part of the fundamental right to life, observed that (a) “illegal tapping of telephone conversation violates right to privacy”; and (b) the grounds for issuance an access order under Section 5(2), such as “public safety” denote “a risk for people at large”; public emergency or public safety are not secretive conditions and are apparent to a reasonable person. Accordingly, the court concluded that the access orders issued against the petitioner did not possess the “sanction of law nor issued for a legitimate aim”, and failed to satisfy the tests of “principle of proportionality and legitimacy” laid down by the Indian Supreme Court to determine the justness of infringement of one’s right to privacy.
Access orders could also be challenged for not being compliant with Indian administrative law principles (which is an analogue of constitutional law) on the basis of ‘procedural impropriety’. The high court of a southern state in KLD Nagarsee v. Govt of India[9] set aside an access order because it was not referred before the review committee instituted under Rule 419A of the Telegraph Rules within the prescribed timeline, and it did not meet the criteria set out under Section 5(2) (such as in light of a public emergency or public safety). In this case, the court reiterated that “rule 419-A though procedural in nature is mandatory” and “non-compliance of the procedure under Rule 419-A (of the Telegraph Rules) is undoubtedly fatal”[10].
As noted earlier, the text and procedures for access orders set out under Telegraph Rules and Interception Rules are quite similar. The precedents noted above are related solely to phone-tapping, but Indian courts may very likely apply similar standards to set aside access orders under the Interception Rules.
A ’Fermi’ paradox of Indian data access requests – Where are they?
The EDPB Report’s interpretation of Indian surveillance regulations suffers from another, fairly basic, factual gap. If mass data Government surveillance is a prevalent practice in India, and if the Government can requisition the personal data of all and sundry, without any legal basis or justification, why is this not being done already at industrial scales?
A possible explanation of such lack of publicly reported instances may be that while such instances are indeed plentiful, they are not brought to light for various reasons. Consider, however, that a data access order of the type the EDPB is primarily concerned with would relate to the data of EU data subjects. This data is, in our experience, primarily available with Indian IT majors or other business houses who provide services to EU entities and individuals. An access requests would, therefore, be made to such Indian IT houses. Given contractual and business frameworks, it would be likely that such data access requests are (at least) notified to the customer or the EU data subject (Indian data access laws does not prohibit such notification). Even so, no such instances have come to light in the past.
Unlike in the US context, where the instances of data access requests are varied and many[11], in the Indian context there have been no publicly reported instances of data of EU subjects being compromised on account of data access requests. Another explanation, and one which we would give more credence to, is that for the reasons set out above the framework of Indian surveillance laws is not amenable to unfettered data access of foreign subjects[12].
In conclusion
The EDPB Report raises some valid concerns, like that the internal review committee reviewing access orders is appointed by the Government, which impairs its independence. But we would argue that some of its conclusions are misapplied. Not all entities holding EU subjects’ data in India would be ‘intermediaries’, subject to the new 2021 IT laws[13]. The data of all who apply to India’s Aadhaar national ID scheme may be accessible to the Government, but this is of limited relevance to the wider question on general data access processes under Indian laws. And, as we discuss above, its findings do not address or account for Indian courts’ continued willingness to push back against Government surveillance orders.
[1] Para 2.3, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0) adopted on June 18, 2021, by the EDPB – https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf .
[2] Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data adopted on November 10, 2020, by the EDPB – https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf
[3] (1997) 1 SCC 301
[4] Apart from the Interception Rules and Telecom Regulations, Indian law enforcement agencies can compel disclosure via criminal legislations i.e., Section 91 of the Code of Criminal Proceeding, 1973. This provision enables courts/ police to require the production of “any document or thing” that is necessary or desirable for any criminal investigation, inquiry, trial or other proceedings. This is a broad ‘subpoena’ power, used mainly to build evidence in criminal cases. In practice, this power is typically used for local criminal matters, and not data access scenarios (and was not discussed in the EDPB’s Report).
[5] Please refer to paragraph 2.2.3.2 (i) of the Report.
[6] Ktaer Abbas Habib v. Union of India, 1999 CRI.L.J. 919 and Louis De Raedt v. Union of India, 1991 AIR 1886
[7] The Indian Supreme Court has confirmed that the fundamental right to life includes the right to privacy (KS Puttaswamy v Union of India, AIR 2017 SC 4161). In consonance, the SC has granted the right to life a ‘non-derogable’ status (i.e., it cannot be infringed under any circumstances) and is available to citizens as well as foreigners (Selvi & Ors. v. State of Karnataka, AIR 2010 SC 1974). In this decision, the court granted the right to life to all ‘individuals’ and did not make any distinction between foreigners and Indian citizens. Therefore, it could be argued that the fundamental right to life (thereby the right to privacy) is available to foreigners.
[8] 2019 ALLMR (Cri) 5227
[9] AIR 2007 AP 102
[11] The Office of the Director of National Intelligence’s Statistical Transparency Report issued in April 2019 reveals that surveillance orders issued under Section 702 of the Foreign Intelligence Surveillance Act, 1978 (“FISA”) has been used to target an estimated 164,770 non-US individuals in CY 2018 (See Figure 4, Page 13) – https://www.dni.gov/files/CLPT/documents/2019_ASTR_for_CY2018.pdf. Further USA has deployed surveillance programs to store internet communications transmitted via online platforms collected as per demands issued under Section 702 of FISA.
[12] Unlike the US framework, that treats data of non-US citizens on an entirely different level. For instance, the U.S. Supreme Court has consistently held that foreigners do not enjoy constitutional protection under laws of U.S.A and cannot seek protection against search and seizure requests on this basis. (Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013) and United States v. Verdugo-Urquidez 494 U.S. 259 (1990))
[13] Entities who receive, store, or transmit information on behalf of another are categorized as intermediaries (e.g., telecom service providers, network service providers, search engines, social media websites, etc.). IT service providers do not store/host data on behalf of another per se; they process data under a service contract obligation. IT companies are (arguably) not intermediaries when they process their clients’ data.