Madhya Pradesh High Court
Case BriefsHigh Courts

   

Madhya Pradesh High Court: G.S. Ahluwalia, J. dismissed a petition which was filed against the order passed by Twelfth Civil Judge, Class II by which the application filed by the petitioner for conducting DNA test of Hemlata Yadav had been rejected.

Husband of the petitioner had filed a civil suit against the respondents/defendants for partition but during the pendency of this suit, he died. Application for bringing the petitioner as legal representative on record was moved but respondent 2 raised objections stating that Hemlata Yadav should’ve been impleaded as the legal representative as she was the daughter of the Petitioner’s husband. The petitioner then moved an application under Order 26 Rule 10 (A) CPC read with Section 45 of Evidence Act, 1872 on the ground that she had never given birth to any child and accordingly, it was prayed that the DNA test of Hemlata Yadav may be conducted so that it could be ascertained that Hemlata Yadav was not the daughter of her husband.

Counsel for the petitioner submitted that where the question of property is involved and the paternity of the person is also in dispute, then a direction for DNA test may be issued.

The Court put forward judgment of the Supreme Court where it was held that the courts in India cannot order blood test as a matter of course. There must be a strong prima-facie case to the effect that the husband had no access in order to dispel the presumption arising under Section 112 of Evidence Act and the court must carefully examine as to what would be the consequence of ordering the blood test i.e. whether it will have the effect of branding a child as a illegitimate child or mother as an unchaste woman. Banarsi Dass v. Teeku Dutta, (2005) 4 SCC 449

Directions for conducting the DNA test is also violative of privacy of a individual.

The Court further reiterated the Supreme Court judgment of Ashok Kumar v. Raj Gupta, (2022) 1 SCC 20.

The Court dismissed the appeal upholding the order of the Trial Court explaining that it is not the case of the petitioner that Hemlata Yadav was born prior to her marriage with late husband of the petitioner. The presumption as provided under Section 112 of Evidence Act is a rebuttable presumption and the petitioner will get every opportunity to rebut the said presumption in the trial.

[Urmila Singh v. Saudan Singh, Writ Petition No. 4131 of 2017, decided on 26-07-2022]


Advocates who appeared in this case :

Mr P.C. Chandil, Advocate, for the Petitioner;

None for the respondents.


*Suchita Shukla, Editorial Assistant has reported this brief.

Privacy & Technology Law
Interviews

Jade J. Lyngdoh is a National Law University, Jodhpur, honours candidate in constitutional law. Jade is a Facebook India Tech Scholars scholar, and as part of that programme, he is undertaking research on the intersection between freedom of expression and intermediary liability. He has also filed a public interest litigation before his home State’s High Court to challenge the State Government’s illegal use of COVID-19 contact tracing apps for violating citizens’ privacy. Jade has been interviewed by Nisha Gupta, EBC/SCC Online Student Ambassador who is currently pursuing her law from NLU Jodhpur.

1. Before I begin, the team at EBC-SCC Online extends warm greetings and welcomes you. It is indeed a privilege for me to interview you on behalf of the team for our readers. Before proceeding further with the interview, would you please take a moment to tell our readers about yourself?

My name is Jade Lyngdoh, and I am from Shillong, Meghalaya. Aside from work, I enjoy exploring new food and coffee, watching films and TV shows, and travelling. I am a huge fan of Anthony Bourdain. If you have not watched any of his work on TV, I strongly advise you to do so — there is so much we can learn from his shows.

2. You recently became a Facebook India Tech Scholar (FITS). Can you take us through the application procedure and tell us about how you landed this opportunity?

Yes, I was honoured to be chosen for the Facebook India Tech Scholars (FITS) program’s inaugural cohort. Eight scholars were chosen from four law schools in India for the inaugural 2021-2022 edition of the programme: NLSIU, NLUD, NUJS, and my university, NLUJ. When the initiative was announced, Meta and SAM, a law firm that is a knowledge partner of the programme, contacted our universities to invite students to apply. There were two steps to the selection process: the first was an essay-based round, followed by an interview round with the FITS Committee.

I would strongly encourage students to apply for future editions of the FITS programme. Students who intend on applying should generally aim to acquire an interest in topics of tech law and policy. It would be useful to have some experience working in the field, including with digital rights organisations, litigators specialising in digital rights, law firms or think tanks. By doing that, students cannot only learn a lot from their experience, but they can also contribute to some impactful work on issues which affect our society.

[Meta’s official press release about the programme can be found here.]

3. As a FITS scholar at NLUJ Jodhpur, what exactly does your work entail?

As part of the FITS program, each scholar is expected to work on a research paper which is based on a topic in the field of tech law and policy. Apart from this, scholars are also tasked with writing articles or making podcasts based on relevant areas of their research. Each scholar is placed under a think tank during the program, and the think tank acts as a mentoring institution for the scholar. This provides scholars an opportunity to be mentored by some of the leading folks in the tech law and policy in the region.

For the 2021-2022 edition of the FITS program, I have been placed under Software Freedom Law Center (SFLC.in). SFLC is an organisation which works on some incredible projects in support of digital rights, so it truly is an honour to be mentored by it.

4. Apart from being a FITS scholar, you have done multiple internships in the field of digital rights, very different from the usual corporate law pursuit. Can you tell us about them?

Yes, indeed. While in law school, I chose to work on projects that I suppose differ from those chosen by my peers on campus.

I have been fortunate enough to engage and work with people not only in the legal community, but also in civil society, academia, industry, and government. Among the numerous projects to which I have been able to contribute to, I could note my experience advocating against India’s disturbing trend of internet shutdowns. I have also had the chance to learn about the need for robust data protection legislations in the Asia-Pacific region. In addition to these, I was part of an excellent research team that helped me understand the impact of the misuse of laws to restrict media freedom. These have all had an influence on the person I am now, and I am thankful to have had these opportunities.

5. Your public interest litigation (PIL) in Meghalaya paved the way for change in your home State. Can you tell us about the filing, Jade Jeremiah Lyngdoh v. Union of India? 

That is an incredibly generous statement.

Well, I filed the PIL (public interest litigation) before the High Court of Meghalaya during the height of the COVID-19 Pandemic. If one recalls, that was a time when we noticed authorities rushing to create contact tracing apps which supposedly allowed them to limit the spread of COVID-19.

At that point, the State Government took a decision to enforce mandatory contact tracing apps. That was concerning to me because the Government began these initiatives in the absence of a legal framework and without setting any data privacy protocols in place. Because of the serious risks these indicatives posed to our rights to privacy, I decided to file a PIL before the High Court.

In its final judgment, the High Court of Meghalaya held that data privacy safeguards were an essential condition, especially in instances where the State required us to use a particular mobile app. I believe the petition was successful because shortly after the petition was filed, the State came on record to note that it had stopped using the apps which the petition challenged. Regardless of that, the High Court directed the State Government to conduct a thorough investigation into the concerns which my petition outlined, so I believe it was a win for all of us. I must convey my gratitude to Mr Kaustav Paul (Senior Advocate) and his colleagues in Shillong for their efforts to assist me with the petition.

6. You were always inclined towards community rights and seem to have made the best use of your work in the privacy/tech field. Could you tell us more about your work?

In the recent past, I have been able to work on some exciting projects in collaboration with colleagues in the legal community. In 2021, I sent a legal notice to the State Government of Meghalaya over its unlawful use of facial recognition technology. The State Government decided to use facial recognition in a mobile app to verify the identities of old-age pensioners, and I believed that this posed a risk to their rights to privacy. With assistance from the Internet Freedom Foundation (IFF), I sent a legal notice to the State and this outlined several points of concern which needed to be immediately addressed. Soon after the legal notice was sent, we received a response from the State Government and that response revealed several shortcomings in the State Government’s understanding of our rights.

In addition to raising concerns on the unlawful use of facial recognition, I have been able to work on documenting the extent of internet shutdowns in my State. By using requests filed under the Right to Information Act, we now understand that Meghalaya ordered six internet shutdowns since the Anuradha Bhasin1 judgment was rendered by the Indian Supreme Court in 2020.

When coupled with additional public data, we now understand that the internet was shut off 14 times in the State since 2015. If this figure is compared with those of other States in the region, it becomes clear that Meghalaya orders the most internet shutdowns in the North-East. In my opinion, this is an important reminder that authorities should not shut down the internet. These internet shutdowns have a huge impact on our human rights, and authorities can never justify such abuse.

7. Even as law student, you continue to write columns for Hindustan Times, The Telegraph, The Wire, etc. Can you tell us more about it?  

Because I only started writing about a year ago, I may not be the ideal person to give advice on how to write columns. What I can tell you is that it is essential for lawyers to write more columns, particularly for a non-specialised readership. Far too often, the columns and blogs we write are overly complicated, making it impossible to reach a larger readership. We must aim to reduce legalese and make it easier for our communities to grasp the law and how it affects them.

8. Keeping in mind your academic background, what are your views on the concept of “exhaustion of a search”? 

If I understand the term right, it might relate to a moment in research where a writer is unable to make further progress owing to a lack of primary or secondary data. As someone who is currently writing a research paper, my advice in such an instance would be to admit the limitations of research. As someone once said to me, writing does not necessarily have to be about expressing the right statements, it could also me about asking the right questions.


1. Anuradha Bhasin v. Union of India, (2020) 3 SCC 637.

Kerala High Court
Case BriefsHigh Courts

Kerala High Court: The Division Bench comprising A. Muhamed Mustaque and Sophy Thomas, JJ., held that cruelty has to be assessed from the perspective of a spouse, i.e., how he/she would perceive the conduct of the other spouse.

Reversing the impugned judgment of the Family Court, the Court held,

“Mere attempt by the mediators cannot save the laches which otherwise looms large to strain such relationship. She had felt neglect and a sense of insecurity which prompted her to seek divorce.”

Factual Matrix

The marriage between the appellant-wife and the respondent-husband was solemnised on 17-03-2010. It was the case of the appellant that they have lived as husband and wife only for 24 after which the respondent left for his employment in Abu Dhabi. The appellant contended that after reaching Abu Dhabi, the respondent never cared to contact her nor inquired about her well-being.

Further, the appellant alleged that the respondent always suspected her chastity and fidelity; and had even asked her to keep her mobile phone on loudspeaker mode to enable him to listen to the incoming calls. On the contrary, the respondent denied all the allegations and contended that though they had lived as husband and wife only for 24 days, it was the appellant who left the matrimonial home of her own volition and failed to return to the matrimonial home in spite of intervention of many well-wishers.

Findings of the Family Court

The Family Court found that the appellant failed to make out a case for divorce on the ground of cruelty and desertion. The Family Court relied on an excerpt of the diary of the appellant, wherein she had written:

“I always like his presence. His absence pains me. I pray that Sun will not rise today, with the Sunset I remain alone without his presence, without his smile and soft look.”

Thus, the Family Court held that the diary entries did not reflect any bitter experience by the appellant from her husband and that those are the words of the wife who is craving for the presence of her loved husband. Consequently, the Family Court refused to believe the case of cruelty.

The Family Court also noted that the appellant left the matrimonial home for employment and therefore, it could not be construed as desertion. Hence, the case of divorce was dismissed also on the ground of desertion.

Analysis and Findings

Whether the husband going abroad for employment amounts to desertion?

Concurring with the finding of the Family Court dismissing the petition on the ground of desertion, the High Court noted that the respondent left for Abu Dhabi for his job. He had no intention to abandon the marriage. He had also not refused to cohabit with the appellant. The Court expressed,

“There must be an element on the part of the party alleging to be deserted either to abandon the marriage or to forsake the cohabitation permanently. In the absence of those elements, any sort of separation cannot be construed as a ground constituting desertion.”

Cruelty as a Ground for Divorce

Referring to the diary entries, the High Court opined that it portrayed reflection of the mind of a person who felt isolated for want of the presence of her husband. The Court observed,

“Being a lady, she appears to be one who was looking forward to the care and love of her beloved husband. There was no contact from the side of the respondent.”

The Court noted that the diary itself would show that the appellant was longing to live with her husband which never happened and no attempt was made by the respondent to be in her company. Opining that one would not refuse to return to the matrimonial home for no reason, the Court held that there must be some reason that persuaded the appellant to remain at the parental house.

With regard to the ground canvassed by the appellant as cruelty, the Court noted that it was not a singular incident of misconduct that mattered for consideration, but the approach should be to consider the whole conduct of the spouse to analyse if cruelty is meted out or not.

The appellant had a case that she was promised that she would be taken to gulf country and, on that pretext, gold ornaments belonging to her were collected by the respondent. It was only when her hope to live together came to an end, that she decided to have a separation.

Resultantly, the Court held that cruelty has to be assessed from a perspective in which a spouse would perceive the relationship with the other spouse. The Court remarked,

If he cannot nurse the feelings of the spouse and live up to her expectation, that would result in mental frustration.

Conclusion

In the backdrop of above, the Court concluded that since the parties had been living separately for more than a decade, the marriage had become deadwood for all practical purposes. Consequently, the appeal was allowed and the impugned judgment was set aside. The marriage between the petitioner and the respondent was declared dissolved.

[Subhi N. v. Sreeraj E., 2021 SCC OnLine Ker 12117, decided on 25-11-2021]


Advocates who appeared in this case :

Cibi Thomas, Advocate, for the Appellant;

Bindumol Joseph and Advocate B.S. Syamanthak, Advocates, for the Respondent;


*Kamini Sharma, Editorial Assistant has reported this brief.

Case BriefsTribunals/Commissions/Regulatory Bodies

First Appellate Authority, Insolvency and Bankruptcy Board of India (IBBI): Santosh Kumar Shukla, First Appellate Authority, observed that the name and designation of Officers of IBBI as requested is exempted under Section 8(1)(j) of the RTI Act.

The appellant had filed the present appeal challenging the communication of the respondent regarding his RTI Application filed under the Right to Information Act, 2005 (RTI Act).

On perusal of the RTI Application, the appellant had requested certain information regarding the NCLT Order, Mumbai.

Further, the respondent had provided information on certain points and claimed exemption under Section 8(1)(j) of the RTI Act on points (b), (d) and (e). Aggrieved by the same, the appellant had filed the present appeal challenging the exemption taken by the respondent.

Analysis and Decision

The Bench stated that if the public authority holds any information in the form of data, statistics, abstracts, etc. an applicant can have access to the same under the RTI Act subject to exemptions under Section 8.

It was noted that the respondent did not give any reason or justification for invoking Section 8(1)(j) of the RTI Act.

Section 8(1)(j) exempts information which relates to personal information, the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless a larger public interest justifies the disclosure of such information.

Further, the Appellate Authority expressed that it deems it fit to deal with the request on merits in the interests of the right to information and scope of information disclosures under the RTI Act.

Appellant’s first contention was that the disclosure of the name and designation of the person who uploaded the order/Form A was not exempted under Section 8(1)(j).

With regard to the above, Authority observed that, if the information sought for is personal and has no relationship with any public activity or interest or it will not sub-serve larger public interest, the respondent is not legally obliged to provide that information.

Bench held that the name and designation of Officers of IBBI as requested is exempted under Section 8(1)(j) of the RTI Act. Further, the appellate authority was not satisfied with how a larger public interest was involved.

In the opinion of the Appellate Authority, the respondent was not bound to respond to such inquisitions under the RTI Act.

With respect to the above, the decision which was referred was, Dr D.V. Rao v. Yashwant Singh, wherein it was observed that:

“the RTI Act does not cast on the public authority any obligation to answer queries in which a petitioner attempts to elicit answers to his questions with prefixes, such as, ‘why’, ‘what’, ‘when’ and ‘whether’. The petitioner’s right extends only to seeking information as defined in section 2 (f) either by pinpointing the file, document, paper or record, etc., or by mentioning the type of information as may be available with the specified public authority.”

In view of the above, the appeal was disposed of. [Ishrat Ali v. CPIO, IBBI; decided on 17-5-2022]

 

Case BriefsSupreme Court

Supreme Court: In a landmark ruling on COVID-19 vaccination drive, the bench of L. Nageswara Rao* and BR Gavai, JJ has held that bodily integrity is protected under Article 21 of the Constitution of India and no individual can be forced to be vaccinated.

The Court, however, cautioned that,

“This judgment is not to be construed as impeding, in any manner, the lawful exercise of power by the executive to take suitable measures for prevention of infection and transmission of the virus in public interest, which may also take the form of restrictions on unvaccinated people in the future, if the situation so warrants. Such restrictions will be subject to constitutional scrutiny to examine if they meet the threefold requirement for intrusion into rights of individuals.”

The ruling came in the writ petition wherein the Petitioner highlighted the adverse consequences of emergency approval of vaccines in India, the need for transparency in publishing segregated clinical trial data of vaccines, the need for disclosure of clinical data, lack of transparency in regulatory approvals, minutes and constitution of the expert bodies, imperfect evaluation of Adverse Events Following Immunisation (AEFIs) and vaccine mandates in the absence of informed consent being unconstitutional. The Petitioner further stated in the Writ Petition that coercive vaccination would result in interfering with the principle of informed self-determination of individuals, protected by Article 21 of the Constitution of India.

Is the Vaccination Drive Arbitrary?

On the basis of substantial material reflecting the near-unanimous views of experts on the benefits of vaccination in addressing severe disease from the infection, reduction in oxygen requirement, hospital and ICU admissions, mortality and stopping new variants from emerging, the Court was satisfied that the current vaccination policy of the Union of India is informed by relevant considerations and cannot be said to be unreasonable or manifestly arbitrary.

Personal autonomy and public health

  1. Bodily integrity is protected under Article 21 of the Constitution of India and no individual can be forced to be vaccinated.
  2. Personal autonomy of an individual involves the right of an individual to determine how they should live their own life, which consequently encompasses the right to refuse to undergo any medical treatment in the sphere of individual health.
  3. Persons who are keen to not be vaccinated on account of personal beliefs or preferences, can avoid vaccination, without anyone physically compelling them to be vaccinated. However, if there is a likelihood of such individuals spreading the infection to other people or contributing to mutation of the virus or burdening of the public health infrastructure, thereby affecting communitarian health at large, protection of which is undoubtedly a legitimate State aim of paramount significance in this collective battle against the pandemic, the Government can regulate such public health concerns by imposing certain limitations on individual rights that are reasonable and proportionate to the object sought to be fulfilled.

Restrictions on unvaccinated persons and impeding their right to access public resources

Neither the Union of India nor the State Governments produced any material to justify the discriminatory treatment of unvaccinated individuals in public places by imposition of vaccine mandates.

“No doubt that when COVID-19 vaccines came into the picture, they were expected to address, and were indeed found to be successful in dealing with, the risk of infection from the variants in circulation at the time. However, with the virus mutating, we have seen more potent variants surface which have broken through the vaccination barrier to some extent.”

Hence, the restrictions on unvaccinated individuals imposed through vaccine mandates cannot be considered to be proportionate, especially since both vaccinated and unvaccinated individuals presently appear to be susceptible to transmission of the virus at similar levels.

It has, hence, been directed that till the infection rate and spread remains low, as it is currently, and any new development or research finding comes to light which provides the Government due justification to impose reasonable and proportionate restrictions on the rights of unvaccinated individuals in furtherance of the continuing efforts to combat this pandemic, all authorities in the country, including private organisations and educational institutions, should review the relevant orders and instructions imposing restrictions on unvaccinated individuals in terms of access to public places, services and resources.

Non-disclosure of segregated clinical trial data in public domain

The results of Phase III clinical trials of the vaccines in question have been published, in line with the requirement under the statutory regime in place, the GCP guidelines and the WHO Statement on Clinical Trials. The material provided by the Union of India, comprising of minutes of the meetings of the SEC, do not warrant the conclusion that restricted emergency use approvals had been granted to COVISHIELD and COVAXIN in haste, without thorough review of the relevant data. Relevant information relating to the meetings of the SEC and the NTAGI are available in public domain and therefore, challenge to the procedures adopted by the bodies while granting regulatory approval to the vaccines on the ground of lack of transparency cannot be entertained.

However, subject to the protection of privacy of individual subjects and to the extent permissible by the 2019 Rules, the relevant data which is required to be published under the statutory regime and the WHO Statement on Clinical Trials shall be made available to the public without undue delay, with respect to the ongoing post-marketing trials of COVAXIN and COVISHIELD as well as ongoing clinical trials or trials that may be conducted subsequently for approval of other COVID19 vaccines / vaccine candidates.

Monitoring of Adverse Events Following Immunisation (AEFIs)

The Court refused to accept the sweeping challenge to the monitoring system of AEFIs being faulty and not reflecting accurate figures of those with severe reactions or deaths from vaccines.

“The role of the Pharmacovigilance Programme of India and the CDSCO, as elaborated upon by the Union of India, collates and studies previously unknown reactions seen during monitoring of AEFIs at the time of vaccine administration and we trust the Union of India to ensure that this leg of the AEFI surveillance system is not compromised with, while meeting the requirements of the rapid review and assessment system followed at the national level for AEFIs.”

Information relating to adverse effects following immunisation

Information relating to adverse effects following immunisation is crucial for creating awareness around vaccines and their efficacy, apart from being instrumental in further scientific studies around the pandemic.

Recognising the imperative need for collection of requisite data of adverse events and wider participation in terms of reporting, the Union of India has been directed to facilitate reporting of suspected adverse events by individuals and private doctors on an accessible virtual platform. These reports shall be made publicly accessible, without compromising on protecting the confidentiality of the persons reporting, with all necessary steps to create awareness of the existence of such a platform and of the information required to navigate the platform to be undertaken by the Union of India at the earliest.

Paediatric vaccination

The decision taken by the Union of India to vaccinate children in India is in tune with global scientific consensus and expert bodies like the WHO, the UNICEF and the CDC and it is beyond the scope of review for this Court to second-guess expert opinion, on the basis of which the Government has drawn up its policy.

Keeping in line with the WHO Statement on Clinical Trials and the extant statutory regime, the Court directed the Union of India to ensure that key findings and results of the relevant phases of clinical trials of vaccines already approved by the regulatory authorities for administration to children, be made public at the earliest, if not already done.

[Jacob Puliyel v. Union of India, 2022 SCC OnLine SC 533, decided on 02.05.2022]


*Judgment by: Justice L. Nageswara Rao


Counsels

For Petitioner: Advocate Prashant Bhushan,

For UOI: Solicitor General Tushar Mehta

For Respondent No. 4: Senior Advocate S. Guru Krishnakumar

For Tamil Nadu: Additional Advocate General Amit Anand Tiwari

For Maharashtra: Advocate Rahul Chitnis

For Madhya Pradesh: Advocate Mrinal Gopal Elker,

For Respondent no. 5: Advocate Shyel Trehan

Experts CornerKhaitan & Co

The Joint Parliamentary Committee (JPC) recently submitted its report to the Parliament on the Personal Data Protection Bill, 2019[1] . With that, the JPC also presented a revised bill i.e. the Data Protection Bill, 2021 (Bill). This was after a deliberation of almost 2 years by the JPC, during which time the businesses and civil society were all getting anxious on the outcome of such a long deliberation period. It is undeniable that at this hour, India needs a comprehensive data protection legislation if it aims to harness the growth of digital economy. The draft Bill is expected to be laid down before the Parliament for its passage soon, but in its existing form there are a number of uncertainties on key issues. This article is an attempt to set out a brief analysis of the hits and misses of the JPC and the way forward for businesses.

Hits and misses

Non-personal data – Half legislation? The JPC has included non-personal data within the purview of the Bill. It recommends that as soon as the provisions to regulate non-personal data are finalised, there may be a separate regulation on non-personal data in the Data Protection Act. The inclusion of non-personal data at this stage is perhaps a bit premature for India especially for the business ecosystem here. Businesses have been shaken with the news and are grappling to understand the nuances of this inclusion. A better solution in this regard could be to have a single regulator (i.e. the Data Protection Authority) which could be the regulator for the presently crafted personal data protection law and, subsequently, also the regulator for the non-personal data law that is to be crafted in future.

Clarity on implementation – Much needed: Business organisations will now have a period of 24 months from the date of enforcement of the law for transitioning. This provides them the much-needed room to realign their internal practices and policies.

Cross-border data transfers and localisation – A right approach? The JPC has recommended that the Data Protection Authority should ensure consultation with the Central Government for granting approval to the cross-border transfer of sensitive personal data either through contract or an intra-group scheme or transfers for specific purposes. Additionally, such contract or an intra-group scheme should not be approved if it is against “public” or “State” policy. It is likely that the process for approval of cross-borders transfers will become cumbersome with the involvement of the Central Government. Further, the JPC has recommended that the Central Government should ensure that a mirror copy of the sensitive personal data and critical personal data stored abroad is brought back to India. While the thrust on localisation in the absence of adequate infrastructure in India may hurt businesses of all stature, it may prove to be beneficial in the longer run.

Processing children’s personal data: The JPC has accorded due importance to protection of children’s privacy in the digital world. It has recommended that a data fiduciary (akin to data controller) must verify the age of the child and obtain the consent of child’s parent or guardian. It also recommends that a data fiduciary should inform the child 3 months before attaining majority (i.e. 18 years) for providing fresh consent. Further, in terms of the Bill, all data fiduciaries are now barred from profiling, tracking, behaviourally monitoring children and their data, or targeting advertisements at children, or processing any personal data that can cause significant harm to the child. As a consequence, all data fiduciaries, irrespective of their level of engagement with children or children’s offerings will have to verify the age of its users and it has the potential to age gate the internet. Additionally, children-centric businesses will have to devote considerable resources towards ensuring compliance with the Bill.

Social media platforms – Legitimate concern, wrong place: To counter problems like prevalence of fake accounts, propagating hate speech, etc., the JPC has recommended that social media platforms must set up an office in India and they will be held accountable for the content they host from unverified accounts. This may be considered by social media platforms as a hindrance to the safe harbour provisions that are prevalent today. While the concern relating to social media may be well founded, however the JPC may not have taken the correct approach to address this concern in a data protection law.

There are several other recommendations that the JPC has proposed, which are improvements to the previous iteration of the Bill. In its previous iteration, the Bill mirrored a broad consensus on the key issues concerned with regulation of personal data. However, the JPC has opened the floodgates for businesses with the inclusion of aspects such as non-personal data, social media regulations and other non-contextual issues, in what was expected to lay down a basic framework for regulation of personal data. Despite all these hits and misses, businesses are now eagerly looking forward to the last mile that is to be covered by the Bill. It is expected that this umbrella legislation on data protection would soon be debated in the Parliament and rolled out as a landmark global gold standard law.


Partner, Khaitan & Co.

[1]See HERE

Op EdsOP. ED.

The Code of Criminal Procedure[1] now has a new leg to stand on[2]. Bill 93 of  2022 intends to entirely replace the existing “Identification of Prisoners Act, 1920”[3]. The Bill as it stands on the day of presentation to Parliament, gives the enabling provisions in Section 3(c) as produced below, which poses a particular conundrum:

“Any person, who has been, … or (c) arrested in connection with an offence punishable under any law for the time being in force or detained under any preventive detention law, shall, if so required, allow his measurement to be taken by a police officer or a prison officer in such manner as may be prescribed by the Central Government or the State Government:”

This poses a two-pronged conundrum, each considered individually or even if they were to be ascertained collectively:

(1) The emphasis is on “any person”, mentioned in Section 3(c) of the Bill intends to cover any person irrespective of the acquittal or conviction. This contrasts with “the Identification of Prisoners Act, 1920″ which intended to cover only convicts or persons falling under the erstwhile Section 118 of the Code of Criminal Procedure, 1898[4].

This poses a constitutional issue and derogation of the established jurisprudence in criminal law that any person is reasonably assumed to be innocent until convicted. This has not only been found in the “Universal Declaration of Human Rights”[5] (UDHR), the Supreme Court of United States’ jurisprudence on the “Coffin case[6] and the contemporary Indian jurisprudence which reiterated in numerous instances including Rajesh Prasad v. State of Bihar[7].

(2) “Arrested under any law” apropos is an event which is pre-trial and not adjudicated. Technically, a person could be arrested under any law and discharged without a conviction. This could very well be an error in the arrest procedure as established in Section 41[8] of the Code of Criminal Procedure. This was analysed in Roshan Beevi v. Govt. of T.N.[9] The obligation in this proposed Bill, is being cast on the person to prove that their “measurement” should not be taken.

This effectively enables a police officer relying on Sections 53[10] and 53-A[11] of the Code of Criminal Procedure to obtain not only photograph but history of behaviour of the person. Section 2(b)[12] of the proposed Bill defines measurement as:

“‘measurements’ includes finger impressions, palm print impressions, footprint impressions, photographs, iris and retina scan, physical, biological samples and their analysis, behavioural attributes including signatures, handwriting or any other examination referred to in Section 53 or Section 53-A of the Code of Criminal Procedure, 1973;”

Comparing this to the definition of measurement, as seen in the Oxford Dictionary as “a unit used for stating the size, quantity or degree of something, a system, or a scale of these units, weights and measures”, one can reasonably comprehend the conundrum of why the term “measurement” was used in the Bill.

 The intention of the Criminal Procedure Code to be updated with this, as proposed by the Bill, is to enable the National Crime Bureau to effectively store and retain the records and for 75 years as can be seen in Section 4(2) of the proposed Bill[13]. This is a glaring view and points to the International Covenant on Civil and Political Rights[14], which proposes in Article 17[15] that “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation”. India is party to the covenant. A further reading into the Criminal Procedure (Identification) Bill and especially the proviso to Section 4(2) states that the person, for the purposes of deleting their record and consequently being subjected to this “measurement” process must “exhaust all remedies” of trial before seeking protection from the inapplicability of this “measurement” by the police. This too is caveated by the provision that the Magistrate has to satisfy himself to that effect. As if this did not have enough teeth, if one looks at Section 6(2)[16] of the Bill which makes resistance to such measurement an offence, the law enforcement itself would be puzzled by the inherent self-defeat of the Bill. To hypothesise the scenario, by resisting to take measurement under the fundamental rights of the Constitution[17], one may commit an offence under this Bill and thereby resulting in a reasonable claim by law enforcement that they should be subjected to “measurement”.  This unambiguously casts the obligation on the accused or arrestee to present beyond reasonable doubt, their case that they have exhausted all remedies. This, again, is derogating the established criminal jurisprudence that the person accusing must prove beyond reasonable doubt and not the person accused.

Turning to international norms, it is an established principle under international law that right to privacy is a jus cogens or pre-emptory norm. It cannot be derogated by any legislation and an actionable claim lies against it. Surveillance, as it stands now, is limited to the Telegraph Act, 1885[18] and the Information Technology Act, 2000[19]. However, this is limited to the online/cyber infrastructure. Insofar as the Criminal Procedure (Identification) Bill which has been tabled, the concept of surveillance has gained wider ambit as compared to the law that it intends to replace i.e. the Identification of Prisoners Act, which restricted itself to convicts and preventive detainees.

The Magistrate Courts (lower judiciary) are already burdened with a host of criminal cases coupled with the fact that the number of Public Prosecutors available are fifty per cent of the capacity. Adding to their burden, is the administration of this enabling provision in the Bill, in which the Magistrate must make a determination on a case-by-case basis.

This neither stands the test of the Constitution of India nor the international covenants. Another question before the law enforcement is the territorial reach of the law insofar as convicts who have been released after their sentence and perhaps residing in another country. The law is ambiguous on the extent to which the law enforcement can reach to take the “measurement” of the person. Adding to the intrigue is the provision of “measurement” which has to be taken and preserved for 75 years in Section 4(2). The length of the preservation of records and intent is unclear. To contextualise, various High Courts in India preserve their records for 30 years. The period of limitation for a criminal case is infinite for serious offences but has been prescribed between 6 months to 3 years for certain offences. In this instance, the evidence that could be adduced for an offence, including behavioural pattern of an arrestee has been given the high latitude of 75 years. This is more or less the average life span of a person in India.

This said, the obligation now, is on the municipal jurisdictions i.e. the High Courts and the Magistrate Courts to amend their manuals to accommodate this. The obligation is also cast on the States to enact a supplementary law in their own “Police Act”. While all of this is being done, the fundamental test of this law is awaiting at the corridors of the Supreme Court of India and in International Court of Justice.


* Professor of International Law and an alumnus of The Hague Academy, Netherlands. Author can be reached at casrikantparth@gmail.com.

** Amirthalakshmi R, Principal Counsel, Chambers of Dr. Srikant Parthasarathy 

[1] Criminal Procedure Code, 1973.

[2] Criminal Procedure (Identification) Bill, 2022.

[3] Identification of Prisoners Act, 1920.

[4] Identification of Prisoners Act, 1920, S. 3(b), “(b) ordered to give security for his good behaviour under S. 118 of the Code of Criminal Procedure, 1898 (5 of 1898)”.

[5] United Nations — Universal Declaration of Human Rights, Art. 11.

[6] Coffin v. United States, 1895 SCC OnLine US SC 53 : 39 L Ed 481 : 156 US 432 (1895).

[7] 2022 SCC OnLine SC 23.

[8] Code of  Criminal Procedure, S. 41.

[9] 1983 SCC OnLine Mad 163 : 1984 Cri LJ 134.

[10] Criminal Procedure Code, 1973, S. 53.

[11] Criminal Procedure Code, 1973, S. 53-A.

[12]  Criminal Procedure (Identification) Bill, 2022.

[13]  Criminal Procedure (Identification) Bill, 2022.

[14] International Covenant on Civil and Political Rights, 1966.

[15]  International Covenant on Civil and Political Rights, 1966, Art. 17.

[16]  Criminal Procedure (Identification) Bill, 2022.

[17] Constitution of India.

[18] Telegraph Act, 1885.

[19] Information Technology Act, 2000.

Case BriefsForeign Courts

United Kingdom Supreme Court: The Bench of Lord Reed, President and Lord Lloyd-Jones, Lord Sales, Lord Hamblen and Lord Stephens, held that in general, a person under criminal investigation has, prior to being charged, a reasonable expectation of privacy in respect of the information that relates to that investigation.

Central Issue

Whether a person under criminal investigation has, prior to being charged, a reasonable expectation of privacy in respect of information relating to that investigation?

Bloomberg LP is the appellant and ZXC, is the claimant.

The claimant’s claim was with regard to misuse of private information arising out of an article published by Bloomberg in 2016 relating to the activities of X Ltd. in a particular country for which the claimant’s division (foreign state) was responsible and the said activities had been the subject of a criminal investigation by a UK Law enforcement body (UKLEB) since 2013.

The information in the Article was almost exclusively drawn from a confidential letter of request sent by UKLEB to the foreign state.

Expectation of the Claimant

Claimant had a reasonable expectation of privacy in information published in the Article and in particular the details of the UKLEB investigation into the claimant, its assessment of the evidence, the fact that it believed that the claimant had committed specified criminal evidence and its explanation of how the evidence it sought would assist its investigation into that suspected offending.

Hence, claimant submitted that Bloomberg misused his private information by publishing the Article and sought damages and injunctive relief.

Issue wise Court’s Opinion

  1. Whether the Court of Appeal was wrong to hold that there is a general rule, applicable in the present case, that a person under criminal investigation has, prior to being charged, a reasonable expectation of privacy in respect of information relating to that investigation?

Supreme Court expressed that for some time, Judges have voiced concerns as to the negative effect on an innocent person’s reputation of the publication that he or she is being investigated by the police or an organ of the state.

“…the person’s reputation will ordinarily be adversely affected causing prejudice to personal enjoyment of the right to respect for private life such as the right to establish and develop relationships with other human beings.” 

Bench accepted that the status of the claimant as a businessman actively involved in the affairs of a large public company means that the limits of acceptable criticism of him are wider than in respect of a private individual. However, it does not mean that there was no limit, nor does it mean that this circumstance is determinative.

“The ordinary conclusion in relation to the effect of publication of information that an individual is under criminal investigation is that damage occurs whatever his characteristic or status.”

Court found that the information contained an attack on the claimant’s reputation which attained a level of seriousness sufficient for Article 8 of the ECHR to come into play. There was no prejudice to personal enjoyment of the right to respect for private life caused by the manner of attack on the claimant’s reputation.

Hence, this Court found that the Courts below were correct to hold that, as a legitimate starting point, a person under criminal investigation has, prior to being charges, a reasonable expectation of privacy in respect of information relating to that investigation and that in all the circumstances the present case is the one in which that applies and there is such an expectation.

  1. Whether the Court of Appeal was wrong to hold that, in a case in which a claim for breach of confidence was not pursued, the fact that information published by Bloomberg about a criminal investigation originated from a confidential law enforcement document rendered the information private and/or undermined Bloomberg’s ability to rely on the public interest in its disclosure?

For the said issue, neither the Judge nor the Court of Appeal held that the fact that the information originated from a confidential document rendered the information private or meant that Bloomberg could not rely on the public interest in its disclosure.

Elaborating further, the Court added that if the information is confidential that is likely to support the reasonableness of an expectation of privacy.

In the instant case, there was a general public interest in the observance of the duties of confidence and a specific public interest in maintaining the confidence of the Letter of Request so as not to prejudice the criminal investigation. As was stated in the Letter of Request, disclosure of its contents “will pose a material risk of prejudice to a criminal investigation”. As a suspect in the investigation, the claimant also had a particular interest in avoiding prejudice to, and maintaining the fairness and integrity of, that investigation.

  1. Whether the Court of Appeal was wrong to uphold the findings of Nicklin J that the claimant had a reasonable expectation of privacy in relation to the published information complained of, and that the article 8/10 balancing exercise came down in favour of the claimant?

Lastly, the Court held that the said ground of appeal was dependent upon Bloomberg establishing that the Court of Appeal erred in law on Issues 1 and 2, which it had not done, hence the Judge’s decision in relation to balancing exercise did not require any interference.

Therefore, the above appeal was dismissed. [Bloomberg LP v. ZXC, (2022) 2 WLR 424, decided on 16-2-2022]

Experts CornerSanjay Vashishtha

Today, the world is plainly under the grasps of social media. The foundation of an individual is evaluated on the anvil of his/her presence at the virtual world. Google has become synonymous to “search” and it is perhaps the virtual world that decides the credibility of an individual or an institution alike.

 

The unparalleled growth of information and technology had made us privy to the most intricate details of human lives – both good and bad. The boundaries of privacy are blurring more than ever. We enjoy the latest controversies with a cup of tea but have we ever thought what would things be like if we were placed in their shoes? Think of the most embarrassing thing you have ever done, now conjure a reality where everybody in the world knows about it, it is tough, right?

 

At a point in time, where artificial intelligence has advanced to the point of retaining and interpreting data, study behavioural patterns and automate human responses, we need to think about the kind of huge impact our digital footprint has on the web.

 

The personal information of an individual at this point not confined to just papers, official and government records. It can now be easily assessed by an individual from anywhere around the world through web or search engines. This incomparable change in both the nature and the expanse of personal information accessible online is an underlining issue. An individual need not be grounded or an overachiever to be in the list items of Google or any other search engine for that matter.

 

Background

In 1998, Mario Costeja González, a Spaniard, had run into financial difficulties and was in severe need of funds. As a result, he advertised a property for auction in the newspaper, and the advertisement ended up on the internet by chance. Mr Gonzáles, unfortunately, was not forgotten by the internet. As a result, news about the sale was searchable on Google long after he had fixed his financial issue, and everyone looking him up assumed he was bankrupt. Understandably, this resulted in severe damage to his reputation, prompting him to take up the matter to the court. Ultimately, this case gave birth to the concept of the “right to be forgotten”.

The European Court of Justice ruled against the search engine giant Google, declaring that under certain circumstances, European Union residents could have personal information removed or deleted from search results and public records databases.[1]

 

However, in 2019 the EU Court restricted the ruling only to the European Union, saying Google does not have to apply the “right to be forgotten outside Europe”.

 

The concept of the right to be forgotten, also known as the right to erasure, is that individuals have a civil right to have their personal information removed from the internet. Likewise, a traceable procedure must be in place to ensure that removed data is also erased from backup storage media.

 

India, at present does not have any statutory provision that provides for right to be forgotten (RTBF). The Indian security system has seen an alternate wave with the presentation of the new Personal Data Protection Bill (PDP Bill)[2] in 2018. The Bill envisage many changes with respect to data handling and security privileges of an individual.

 

However, the Bill guises to fetch in the right to be forgotten which is not accessible in the current legitimate system under the Information Technology Act, 2000 and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

 

In simple terms, the “right to be forgotten” is the right to have publicly available personal information removed from the internet, search, databases, websites or any other public platforms, once the personal information in question is no longer necessary, or relevant.

 

However, there is an intricate system envisaged under the Section 20 of PDP Bill for setting off the right to be forgotten. The Bill articulates that the right can be sanctioned only on the order of an adjudicating officer after an application recorded by the data principal. Whereas, the choice on whether the right to be forgotten can be granted with respect to any information will rely upon “the right to the right to freedom of speech and expression and the right to information of some other citizen”.

 

Keeping in view the laws of other countries, the European Union’s (EU) General Data Protection Regulation (GDPR) permit individuals to have their personal data erased, but the authorities noted that “organisations do not always have to do it”.

 

The GDPR provisions read like a master for the Indian PDP Bill and it further expresses that an individual can look for the eradication of their information when “there are serious inaccuracies in the data or they believe information is being retained unnecessarily, they no longer consent to processing”.

 

Furthermore, EU noticed that the right to be forgotten is “not an absolute right”. Consequently, in situations where the information is being utilised to practise the right to freedom and expression or for consenting to a lawful decision or commitment, an appeal for eradication may not be engaged. Additionally, where public interest is included or when an association is utilising information while practicing its authority, it can refuse to delete any information that it considers to be significant for its purposes.

 

Today, at this point it is not simple to get away from one’s past when one’s personal information can be easily circulated around the web or stay on the internet endlessly, accessible through speedy search results. For people who wish to start afresh, the right to be forgotten remains essentially important and all the more necessary given the expand of our digital footprint. The essential query that encompasses the commencement and nature of the right to be forgotten is: would it be a good idea for us to reserve the right to be forgotten?

 

In India, the first question previously came up before the judiciary in Dharamraj Bhanushankar Dave v. State of Gujarat[3], before the Gujarat High Court. In its judgment the court did not acknowledge the so-called “right to be forgotten”. Here, in this case the petitioner had been charged with criminal conspiracy, murder, and kidnapping, among others and was acquitted by the Sessions Court, which was further supported by a Division Bench of the Gujarat High Court. The petitioner had claimed that since the judgment was non-reportable, respondent should be banned from publishing it on the internet because it would jeopardise the petitioner’s personal and professional life. The High Court, on the other hand, found that such publication did not violate Article 21 of the Indian Constitution, and that the petitioner had presented no legal basis to prevent the respondents from publishing the judgment.

 

Subsequently, In V. v. High Court of Karnataka[4], , the Karnataka High Court recognised right to be forgotten. The purpose of this case was to remove the name of the petitioner’s daughter from the cause title since it was easily accessible and defame her reputation. The court held in favour of the petitioner and ordered that the name of the petitioner’s daughter to be removed from the cause title and the orders. The court held that “this would be consistent with the trend in western countries, where the ‘right to be forgotten’ is applied as a rule in sensitive cases concerning women in general, as well as particularly sensitive cases involving rape or harming the modesty and reputation of the individual concerned”.

 

Noticeably, the right to be forgotten has now been perceived as a basic face of the right to privacy.

 

Furthermore, in the landmark case of K.S. Puttaswamy v. Union of India[5], the Supreme Court recognised the right to be forgotten as part of the right to life under Article 21.

 

The Supreme Court had stated that the right to be forgotten was subject to certain restrictions, and that it could not be used if the material in question was required for the—

  1. exercise of the right to freedom of expression and information;
  2. fulfilment of legal responsibilities;
  3. execution of a duty in the public interest or public health;
  4. protection of information in the public interest;
  5. for the purpose of scientific or historical study, or for statistical purposes; or
  6. the establishment, executing, or defending of legal claims.

 

Recently, a Single Judge Bench of the Madras High Court headed by Mr Justice N. Anand Venkatesh, had given an important order regarding “right to be forgotten” (RTBF) or right to erasure as a facet of the fundamental “right to privacy”.

 

In this case, the petitioner’s name continued to appear in the High Court’s verdict and was freely available to anyone who would type their name into Google search. Despite the fact that the petitioner was acquitted, they were named as an accused throughout the preceding judgment. Therefore, the petitioner contends that this has a negative influence on his public image. As a result, the petitioner requests the High Court to issue an order redacting their name from the verdict.

The Madras High Court ruled that the “right to be forgotten” cannot exist in the administration of justice, especially when it comes to court judgments.

 

“Right to be forgotten does not exist in case of court judgments, rules Madras HC”

It is innocuous to conclude that RTBF is still in its preliminary stage in India. To effectively enforce this right in India, the following should be proposed:

  1. A robust data protection law would go a long way in effectively imbibing this right in every citizen. RTBF can be restructured to further help in protecting the privacy of individuals.

The current events show just how much this Bill needs to be enacted into an act. The need of the hour is to protect people against attacks through digital platforms. Additionally, a clause that clarifies different situations with certain outcomes is also essential, so as not to give rise to any potential conflict between the two fundamental rights.

  1. Even though the PDP Bill has not been implemented, several courts have recognised the RTBF in their judgments, keeping international jurisprudence in mind. Whilst the Delhi and Karnataka High Court have recognised the right and judicially enforced it, there is still a long way for a systematic method which effectively safeguards RTBF in a way that right to information and right to freedom of speech and expression are not violated. Filing a petition for defamation to invoke their fundamental right to privacy can be used in the meantime.
  2. Lastly, search engines and major digital platforms can alter their policies and determine the eradication of personal data through de linking. However, big giants like Google have continued to retain certain information even when taken to court by a petitioner in Kerala HC. This goes to show that this method is the least effective way to enforce the right.

 

However, applying the three cumulatively and in a systemic manner could help to properly establish and implement RTBF in India.

Lastly, it would be interesting to note the development of right to be forgotten in other jurisdictions.

 

Comparative analysis of the concept of right to be forgotten

 

European Union (EU)

The concept of the right to be forgotten has elicited conflicting reactions from various jurisdictions around the globe. The EU, in particular, has seen rapid development. The European Union (EU) – several maneuvers have been made in the European Union to consolidate the right to be forgotten. The Data Protection Directive was a European Union directive passed in 1995 to govern the exemption of personal data within the EU. It is a crucial part of EU privacy and human rights law. Following that, in April 2016, the General Data Protection Regulation (GDPR) was enacted, superseding the Data Protection Directive, 1995.

 

In accordance with Article 17 which states that the data subject has the right to request the erasure of personal data relating to them on a variety of grounds, including non-conformity with Article 6(1) (lawfulness), which includes a case if the controller’s sincere interests are overshadowed by the data subject’s interests or fundamental rights and freedoms, which require the protection of personal data. As a result, GDPR Article 17 has defined the situations in which European Union citizens can exercise their right to be forgotten or erasure.

 

The article gives citizens of the European Union the right to have their personal data erased under six conditions, including the withdrawal of consent to use data or the data no longer being relevant for the purpose for which it was gathered. However, the request may be denied in certain circumstances, such as when it contradicts the right to free expression and information, or when it is conflicting to public interest in the areas of public health, scientific or historical research, or statistical drives. As a result, Article 17 of the GDPR of 2016 includes a specific protection in the right to be forgotten.

 

When a member of the public requests for the erasure of the information, the European Court of Justice in Google Spain SL v. Agencia Española de Protección de Datos[6] ordered Google to delete “inadequate, irrelevant, or no longer relevant” material from its search results. The judgment, dubbed the “right to be forgotten” by the public, was crucial in enforcing the EU’s data protection laws and regulations, particularly the EU’s General Data Protection Regulation.

 

Mario Costeja González, a Spaniard, was dissatisfied when a Google search for his name turned up a newspaper article from 1998. Gonzalez approached the newspaper in 2009 to have the article removed, but the newspaper refused, so González went to Google to have the article removed when his name is searched.

 

To exercise one’s right to be forgotten and have one’s information removed from a search engine, fill out a form on the search engine’s website.

 

Google’s removal request process requires the applicant to identify their country of residence, provide personal information, provide a list of URLs to be removed along with a brief description of each one, and attach legal identification. The form allows users to enter the name for which they want search results to be removed. If a search engine refuses to delink material, EU citizens can file an appeal with their local data protection agency.

 

Google may face legal action if it objects to a data protection agency decision. The European Union has requested that Google implement delinking requests from EU citizens across all international domains.

 

United States (US)

The United States of America has an evolved general set of laws that defends its residents’ protection. The State of New York was quick to acquaint a draft “right to be forgotten” Bill A05323 in its State Assembly, named “An act to amend the civil rights law and the civil practice law and rules, in relation to creating the right to be forgotten act.” Moreover, in March 2017, New York State representative Tony Avella and assemblyman David Weprin introduced legislation that would permit people to require web search tools and online speakers to eliminate data that is “inaccurate,” “irrelevant,” “inadequate,” or “excessive,” that is “no longer material to current public debate or discourse,” and that is causing evident harm to the subject.

 

The Bill was written mainly along the lines of the European Court of Justice’s decision in Google Spain SL v. Agencia Española de Protección de Datos[7].

 

Two significant cases to be specific Melvin v. Reid[8] and Sidis v. FR Publishing Corpn.[9] are somewhat pertinent. The court contemplated, “Any individual who leads a moral life has the option to joy, which remembers the independence from unmerited assaults for his character, social standing, or notoriety.” While the plaintiff in the case, William James Sidis, was a former child prodigy who wish to spend his adult life discreetly and undetected, subsequently, an article in The New Yorker disrupted this. In this case, the court resolute that the option to control one’s own life and realities about oneself has limits, that there is social worth in distributed realities, and that an individual cannot overlook their celebrity status basically in light of the fact that they need to.” Despite these slow developments, the prospects of a federal law or a constitutional amendment providing for a standalone. Right to be forgotten in the United States are very faint, particularly regardless of the solid resistance in light of the fact that it is conflicting with the first amendment to the United States Constitution, which ensures freedom of speech and expression. Thus, it is contended, the right will viably bring about another type of restriction.

 

These criticisms, however, are consistent with the proposal that the only information that can be removed at the user’s request is content that the user has uploaded.


Sanjay Vashishtha is a practicing counsel at the Supreme Court of India, LLM in Comparative Criminal Law from McGill University, Canada and MSc, Criminology and Criminal Justice from University of Oxford. He is serving as a counsel/special counsel and consultant for several law enforcement and public sector institutions.

[1] C-507/17, Google LLC, successor in law to Google Inc., v Commission nationale de l’informatique et des libertés (CNIL) can be accessed HERE

[2] Personal Data Protection Bill accessible Here

[3] 2017 SCC OnLine Guj 2493.

[4] 2017 SCC OnLine Kar 424.

[5] (2019) 1 SCC 1.

[6] Case C‑131/12, decided on 13-5-2014.

[7] Case C‑131/12, decided on 13-5-2014.

[8] 112 Cal App 285: 297 P 91 (1931).

[9] 85 L Ed 462 : 61 S Ct 393 : 311 US 711 (1940).

Op EdsOP. ED.

In the 18th century, one of the social theorists, Jeremy Bentham, developed the concept of panopticon, which brought in an institutional design to establish control. While this shows that surveillance of any form is not a new phenomenon, recent technological developments have completely changed the surveillance architecture. It has paved the way for the development of surveillance tools that are more intrusive and damaging to our democratic safeguards.

In addition to targeted surveillance (which was debated as part of the Pegasus snoopgate controversy 1 , other forms of surveillance such as mass and lateral surveillance are performed in India, which equally curb the right to privacy and freedom of expression.

 

Surveillance as a craft has a long-standing history, with various social theorists contributing over time; thus, this article will explore recent developments in India regarding various forms of surveillance that call for robust reform.


Mass surveillance


In India, the State and non-State actors have been using various digital panoptican tools such as artificial intelligence, facial recognition, CCTV cameras, integrated database systems, social media analytics, etc., to monitor and surveil.

Recently, India bagged a couple of top ranks in the Forbes list[2] of most surveilled cities globally, where Delhi stood at rank one. While Delhi CM alluded to Forbes recognition, this would have a chilling effect on privacy and freedom of expression without surveillance reform. In addition, CCTV cameras equipped with other AI-based technology such as facial recognition have been extensively used in India to tackle various social problems despite global criticism on facial recognition malfunctions, accuracy rate and innate discrimination of minorities and women. Besides, it has been reported that drones with cameras are used for monitoring purposes, but it is unclear how video footage will be used later.

On the other hand, the State has made various efforts to integrate databases and analytics tools to monitor people and their actions. For instance, the Central Government has equipped a technology called Advanced Application for Social Media Analytics (AASMA[3]); this tool will aid both Central and State Governments to monitor social media. But in 2018 Supreme Court of India stopped a similar project of the Central Government titled social media communication hub (SMCH), stating it to be a step to the surveillance State and problematic in the absence of a data protection regime.

Similarly, as citizens use Aadhaar-based authentication systems for any service enrollment or transaction, the information on the authentication process, transaction details, etc., are recorded at a central database. While the Government states that profiling citizens enable better welfare delivery, it has been criticised for its potential to cause exclusion[4] and surveillance[5], which is not accounted for. Though Unique Identification Authority of India (UIDAI) has been commissioned as the custodian of Aadhaar data, it is also the regulator of Aadhaar infrastructure, which does not create any meaningful and independent accountability in case of misuse. Besides, in the Aadhaar judgment (2018)[6], while the Supreme Court provided constitutional validation to the Aadhaar scheme, it has also struck down various provisions on the grounds of proportionality, data security, and privacy. The judgment pushed for the development of a data protection regime and also struck down the provision on data sharing on national security grounds.

 


Targeted surveillance


Targeted surveillance in the form of interception has a long-standing history predating any of the recent technological developments. Under legal grounds of the Telegraph Act, 1885 [Section 5(2)] and Information Technology Act (Section 69), the Government can intercept, monitor, and decrypt any information for protecting sovereignty, national security, friendly relations with international States, public order, etc.

There are various non-State lawful interception systems[7] available in the Indian market which are installed into the networks of telecom services and internet services by the Government through the licence agreement. While most of the details on the operations of these systems are confidential, spy files[8] project by WikiLeaks, which created a revelation, revealed that the capacity of these Indian lawful interception systems is way beyond what is available publicly in terms of surveillance.

However, there are also other not entirely lawful interception mechanisms in the market, like Pegasus. The Pegasus controversy is not a new thing, and it first broke in 2019 when WhatsApp reported[9] that Pegasus targeted 1400 phone numbers of its users. While the Indian Government asserted to investigate this matter, the recent Expert Committee constituted by the Supreme Court on the Pegasus allegation[10] will be probing the steps/actions taken by the Government after reports were published.

In addition, like PRISM in the USA, in India, we have a similar system called Central Monitoring System (CMS) and it was implemented in 2015.[11] While the CMS system still relies on lawful interceptors for interception and monitoring, its operations highlight surveillance capacities as they cut the line of the process to automatically retrieve information from the network of telecom service providers or the internet without approaching them.

Besides, non-State actors like digital platforms perform targeted surveillance to promote business interest and to cater better service to the users without any legal grounds and guidelines for securing user privacy.

 


Lateral surveillance


While a traditional surveillance set-up involves two actors at different power levels i.e. the State or non-State actor can watch citizens; lateral surveillance[12] breaks this code by enabling peer-to-peer surveillance.

In response to the pandemic, the Government had resorted to various technological measures to tackle the spread of the virus and for administering the vaccination. One of the most sought out measures globally was the contact tracing app and quarantine monitoring apps. These apps can majorly cause lateral surveillance due to the high chances of data breaches[13]. In addition, at the aggregate level, these apps encourage “watch over others” culture, where the people from a particular area might watch out for the neighbouring areas, leading towards exclusion and other unintended impacts.

Contact tracing apps are new in the game; apps that stimulate lateral surveillance have been there for some time now. Some of the prominent lateral surveillance apps are HawkEye, C-Plan, RajCop Citizen, etc. Also, to monitor the digital public sphere, the cyber volunteers programme seeks citizens to report unlawful activities on the internet and social media.


Way forward


 

The Forbes list of most surveilled cities in the world shows that Indian cities have surpassed China in terms of the number of CCTV cameras installed. Being a democratic country, India surpassing/giving tough competition to an authoritarian country like China in terms of surveillance, questions the trajectory that India, as the largest democracy, wants to set for the future. Does India want to subdue its citizens or empower them?

 

While these monitoring mechanisms are instituted by State and non-State actors for different purposes, in the absence of surveillance reform and data protection, these new technological means subdue citizens by causing unaccountable surveillance, infringing citizens’ freedom of expression and privacy.

The Supreme Court of India delivered its judgment on K.S. Puttaswamy v. Union of India[14], declaring privacy as a fundamental right under Article 21 of the Indian Constitution. Therefore using this judgment as a substratum, comprehensive surveillance reform should be constituted, which gets India into the path of empowered citizenry where the right to privacy is secured from the interference of surveillance.

As the Expert Committee formed by the Supreme Court will recommend enactment/amendment to existing laws[15] around surveillance to secure privacy, it is important to have a separate/new surveillance legislation that is clearer, purposive, proportionate, and comprehensive (covering all forms of surveillance). The surveillance legislation should bring both State and non-State actors under its purview and demand a robust accountability mechanism that involves both parliamentary and judiciary oversight.

 


† Senior Research Associate at The Dialogue.

[1]The Pegasus Project (nd). Retrieved from The Guardian: See HERE.

[2] Delhi, Chennai Among Most Surveilled in the World, Ahead of Chinese Cities (2021). See Forbes India: HERE.

[3] Ranjini (2020), The Government of India is Monitoring our Social Media. See Logically: HERE.

[4] Falling through the Cracks: Case Studies in Exclusion from Social Protection (2021). See Dvara Research: HERE.

[5] Parthasarathy, S. (2018), Aadhaar: Enabling a Form of Super-surveillance. See The Hindu: HERE.

[6] K.S. Puttaswamy v. Union of India, (2019) 1 SCC 1.

[7] ​​SFLC (2019), Communications Surveillance in India. See SFLC: HERE.

[8] WikiLeaks (2011), The Spy Files. See WikiLeaks: HERE.

[9] Chishti, S. (2019), WhatsApp Confirms: Israeli Spyware was Used to Snoop on Indian Journalists, Activists. See The Indian Express: HERE.

[10] Ojha, S. (2021), BREAKING: Supreme Court Constitutes Independent Expert Committee to Probe Pegasus Snooping Allegations. See HERE.

[11] Centre for Internet and Society (2014), India’s Central Monitoring System (CMS): Something to Worry About? HERE.

[12] Andrejevic, M. (2005, Surveillance & Society), The Work of Watching One Another: Lateral Surveillance, Risk, and Governance. Retrieved from Surveillance & Society: HERE.

[13] Swaminathan, M. and Saluja, S. (2020), Essay: Watching Corona or Neighbours? Introducing “Lateral Surveillance” during COVID-19. Retrieved from Centre for Internet and Society: HERE.

[14] (2017) 10 SCC 1.

[15] AK, A. (2021), Pegasus: Members and Terms of Reference of the Committee Appointed by the Supreme Court. See HERE.

Case BriefsSupreme Court

Supreme Court: The bench of Justice R. Subash Reddy and Hrishikesh Roy*, JJ has held that in a declaratory suit, where ownership over coparcenary property is claimed, the plaintiff cannot be subjected to the DNA test against his wishes.

“When the plaintiff is unwilling to subject himself to the DNA test, forcing him to undergo one would impinge on his personal liberty and his right to privacy.”

The Court explained that DNA is unique to an individual (barring twins) and can be used to identify a person’s identity, trace familial linkages or even reveal sensitive health information. The Court should therefore examine the proportionality of the legitimate aims being pursued, i.e whether the same are not arbitrary or discriminatory, whether they may have an adverse impact on the person and that they justify the encroachment upon the privacy and personal autonomy of the person, being subjected to the DNA Test.

The Court was deciding the case where, in a declaratory suit for ownership over coparcenary property, the plaintiff had already adduced ‘enough’ documentary evidence to prove relationship between the parties. The Court noticed that in such cases, the Court’s decision should be rendered only after balancing the interests of the parties, i.e, the quest for truth, and the social and cultural implications involved therein.

“The possibility of stigmatizing a person as a bastard, the ignominy that attaches to an adult who, in the mature years of his life is shown to be not the biological son of his parents may not only be a heavy cross to bear but would also intrude upon his right of privacy.”

The Court held that in such kind of litigation where the interest will have to be balanced and the test of eminent need is not satisfied our considered opinion is that the protection of the right to privacy of the Plaintiff should get precedence.

It was, hence, held that the respondent cannot compel the plaintiff to adduce further evidence in support of the defendants’ case. In any case, it is the burden on a litigating party to prove his case adducing evidence in support of his plea and the court should not compel the party to prove his case in the manner, suggested by the contesting party.

Important Rulings

Banarsi Dass v. Teeku Dutta, (2005) 4 SCC 449

DNA test is not to be directed as a matter of routine but only in deserving cases. The presumption of legitimacy is this, that a child born of a married woman is deemed to be legitimate, it throws on the person who is interested in making out the illegitimacy, the whole burden of proving it. The law presumes both that a marriage ceremony is valid, and that every person is legitimate. Marriage or filiation (parentage) may be presumed, the law in general presuming against vice and immorality.

Bhabani Prasad Jena v. Convenor Secretary, Orissa State Commission for Women, (2010) 8 SCC 633

The discretion of the court must be exercised after balancing the interests of the parties and whether a DNA Test is needed for a just decision in the matter and such a direction satisfies the test of “eminent need”.

Dipanwita Roy v. Ronobroto Roy, (2015) 1 SCC 365

In the said case the husband alleged infidelity against his wife and questioned the fatherhood of the child born to his wife. In those circumstances, it was held that when the wife had denied the charge of infidelity, the Court opined that but for the DNA test, it would be impossible for the husband to establish the assertion made in the pleadings. In these facts, the decision of the High Court to order for DNA testing was approved by the Supreme Court.

[Ashok Kumar v. Raj Gupta, 2021 SCC OnLine SC 848, decided on 01.10.2021]

___________________________________________________________________________________

Counsels:

For appellant-plaintiff: Advocate Sunieta Ojha

For respondent – defendants: Senior Advocate Rameshwar Singh Malik


*Judgment by: Justice Hrishikesh Roy

Know Thy Judge | Justice Hrishikesh Roy

Foreign LegislationLegislation Updates

The Government of California has passed Senate Bill 41 on September 9, 2021. The Bill seeks to establish Genetic Information Privacy Act (GIPA). The Bill is awaiting Governor Newsom’s assent and once signed, it will come into force on January 1, 2022. The GIPA will enforce privacy requirements on direct-to-consumer genetic testing companies (DTC Companies).

Key highlights of the Bill are:

  • The Bill aims to improve privacy protections for “genetic data” which is not protected by the Confidentiality of Medical Information Act (CMIA) or Health Insurance Portability and Accountability Act (HIPAA).
  • GIPA defines DTC Companies as entities that do any of the following:
  1. Sell, market, interpret, or otherwise offer consumer-initiated genetic testing products or services directly to consumers;
  2. Analyze genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition; or
  3. Collect, use, maintain, or disclose genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.
  • GIPA shall impose a standard requiring that data cannot be used to infer information about, or otherwise be linked to, a particular individual and requires that DTC Companies do all of the following:
  1. Take reasonable measures to ensure that the information cannot be associated with a consumer or household.
  2. Publicly commit to maintain and use the information only in de-identified form and not to attempt to re-identify the information.
  3. Contractually obligate any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in de-identified form and not to re-identify the information.
  • GIPA would need DTC Companies to provide consumers with information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure of genetic data, and to obtain an express authorization for collection, use, or disclosure of consumers’ genetic data, subject to limited exceptions for research and educational purposes.
  • GIPA would also require DTC Companies to honor any revocation of consent to use, collect, or disclose a consumer’s genetic data and destroy a consumer’s biological sample within 30 days of their revocation of consent.
  • DTC Companies would need to implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data.
  • In contravention of the provisions under GIPA, penalties up to $10,000 per violation plus court costs, can be imposed, depending on whether negligence or willful conduct was involved.


*Tanvi Singh, Editorial Assistant has reported this brief.

Case BriefsSupreme Court

Supreme Court: A 3-Judge Bench comprising of Sanjay Kishan Kaul, Dinesh Maheshwari and Hrishikesh Roy, JJ. has held that representatives of Facebook will have to appear before the Committee on Peace and Harmony constituted by the Delhi Legislative Assembly. At the same time, the Court felt constrained to put certain fetters qua the exercise sought to be undertaken by the Committee.

The instant petition challenged the notices issued by the Committee directing the petitioners to appear before it. The Conclusion of the Court is delineated below, after which follows a detailed analysis of the controversy and the Court’s discussion and opinion.

(i) There is no dispute about the right of the Delhi Assembly or the Committee to proceed on grounds of breach of privilege per se.

(ii) The power to compel attendance by initiating privilege proceedings is an essential power.

(iii) Members and non-Members (like the petitioners) can equally be directed to appear before the Committee and depose on oath.

(iv) In the given facts of the case, the issue of privileges is premature. Having said that, the insertion of para 4(vii) of the Terms of Reference of the Committee taken along with the press conference of the Chairman of the Committee could legitimately give rise to apprehensions in the mind of the petitioners on account of which a caveat has been made.

(v) Canvassing a clash between privilege powers and certain fundamental rights is also preemptory in the present case.

(vi) In any case, the larger issue of privileges vis-a-vis the right of free speech, silence, and privacy in the context of Part III of the Constitution is still at large in view of the reference to the larger Bench in N. Ravi v. T.N. Legislative Assembly, (2005) 1 SCC 603.

(vii) The Delhi Assembly admittedly does not have any power to legislate on aspects of law and order and police in view of Entries 1 and 2 of List II in the Seventh Schedule inter alia being excluded. Further, regulation of intermediaries is also subject matter covered by the Information and Technology Act, 2000.

(viii) The Assembly does not only perform the function of legislating; there are many other aspects of governance which can form part of the essential functions of the Legislative Assembly and consequently the Committee. In the larger context, the concept of peace and harmony goes much beyond law and order and police, more so in view of on the ground governance being in the hands of the Delhi Government.

(ix) Para 4(vii) of the Terms of Reference does not survive for any opinion of the Committee. It will not be permissible for the Committee to encroach upon any aspects strictly within the domain of Entries 1 and 2 of List II of the Seventh Schedule. As such, any representative of the petitioners would have the right to not answer questions directly covered by these two fields.

Disruptive Potential of Social Media

In the opening paras, the Court noted that,

“[W]hile social media, on the one hand, is enhancing equal and open dialogue between citizens and policy makers; on the other hand, it has become a tool in the hands of various interest groups who have recognised its disruptive potential. This results in a paradoxical outcome where extremist views are peddled into the mainstream, thereby spreading misinformation.

Established independent democracies are seeing the effect of such ripples across the globe and are concerned. Election and voting processes, the very foundation of a democratic government, stand threatened by social media manipulation. This has given rise to significant debates about the increasing concentration of power in platforms like Facebook, more so as they are said to employ business models that are privacy-intrusive and attention soliciting. The effect on a stable society can be cataclysmic with citizens being ‘polarized and parlayzed’ by such ‘debates’, dividing the society vertically. Less informed individuals might have a tendency to not verify information sourced from friends, or to treat information received from populist leaders as the gospel truth.”

Later, the Court also said that the unprecedented degree of influence of social media necessitates safeguards and caution in consonance with democratic values. Platforms and intermediaries must subserve the principal objective as a valuable tool for public good upholding democratic values. Our country has a history of what has now commonly been called ‘unity in diversity’. This cannot be disrupted at any cost or under any professed freedom by a giant like Facebook claiming ignorance or lack of any pivotal role.

Use of Algorithms and the Role of Facebook

The Court rejected the simplistic approach adopted by Facebook ─ that it is merely a platform posting third party information and has no role in generating, controlling or modulating that information. The Court said that companies like Facebook cannot deny that they use algorithms (sequences of instructions) with some human intervention to personalise content and news to target users. The algorithms select the content based on several factors including social connections, location, and past online activity of the user. These algorithms are often far from objective with biases capable of getting replicated and reinforced. The role played by Facebook is, thus, more active and not as innocuous as is often presented when dealing with third party content.

Factual Context and the Writ Petition

The backdrop of the present case is set in the unfortunate communal riots in different parts of North-East Delhi in February, 2020. In the wake of these riots, the Legislative Assembly of NCT of Delhi resolved to constitute a Committee on Peace and Harmony to a “consider the factors and situations which have the potential to disturb communal harmony in the National Capital Territory of Delhi and suggest measures to eliminate such factors and deal with such situations so as to establish harmony among different religious or linguistic communities or social groups.”

The Committee received thousands of complaints which suggested that Facebook had been used as a platform for fomenting hate and jeopardising communal harmony. This was further fuelled by an article published in the Wall Street Journal on 14-8-2020 titled “Facebook’s Hate-Speech Rules Collide with Indian Politics” suggesting that there was a broad pattern of favouritism towards the ruling party and Hindu hardliners. The Article also made serious allegations of lapses on the part of Facebook India in addressing hate speech content.

Subsequently, the Delhi Assembly issued notice for appearance (“first summons”) to the Mr Ajit Mohan, Vice President and Managing Director of Facebook India. Mr Mohan was the first petitioner in the instant writ petition. The first summons highlighted the factum of numerous complaints alleging intentional omission and deliberate inaction on the part of Facebook in tackling hate speech online. It was clearly stated that he was being called as a witness for testifying on oath before the Committee on 15-9-2020. Significantly, no consequences in the form of breach of parliamentary privilege were intimated in case Mr Mohan refused to appear.

In its reply, Facebook objected to the first summons and requested to recall it. This was rejected by the Delhi Assembly, and a second summons was issued. It is at this stage that a perceived element of threat was held out to Mr Mohan stating that his refusal to appear was inconsistent with the law of privileges of a legislature (which extends to the Committee and its members). He was asked to appear before the Committee on 23-9-2020 in the “spirit of democratic participation and constitutional mandates.” Importantly, it was clearly stated that non-compliance would be treated as breach of privilege of the Committee and necessary action would be taken.

It is this second summons which triggered the filing of the instant proceedings under Article 32 of the Constitution of India. It was prayed that (a) the first and the second summons be set aside; (b) the Delhi Assembly be restrained from taking any coercive action against the petitioners in furtherance of the impugned summons. Notably, during pendency of the proceedings, the two summonses issued to Mr Mohan were withdrawn and a new summons dated 3-2-2021 was issued to Facebook India alone.

Analysis and Opinion

Contradictory stand in different jurisdictions not acceptable

“Facebook has the power of not simply a hand but a fist, gloved as it may be.”

The Court was not convinced by the simplistic approach of Facebook, and was of the view that the business model of intermediaries like Facebook being one across countries, they cannot be permitted to take contradictory stands in different jurisdictions. Thus, for example in the USA, Facebook projected itself in the category of a publisher, giving them protection under the ambit of the First Amendment of its control over the material which are disseminated in their platform. This identity has allowed it to justify moderation and removal of content. Conspicuously in India, however, it has chosen to identify itself purely as a social media platform, despite its similar functions and services in the two countries. Thus, dependent on the nature of controversy, Facebook having almost identical reach to population of different countries seeks to modify its stand depending upon its suitability and convenience. The Court said:

Role of Facebook need to be looked into

Turning to the incident at hand, the Court said that the capital of the country can ill-afford any repetition of the occurrence and thus, the role of Facebook in this context must be looked into by the powers that be. It is in this background that the Assembly sought to constitute a peace and harmony committee. The Assembly being a local legislative and governance body, it cannot be said that their concerns were misconceived or illegitimate. It is not only their concern but their duty to ensure that “peace and harmony” prevails.

Three broad heads

(a) Issue of Privilege

The privilege issue arose out of the plea advanced by the petitioners that both, the first and the second summons, were to summon petitioners with a threat of “privilege”. This argument was coupled with a plea that such power of privilege cannot extend to compel an individual, who is not a member of the House, into giving evidence/opinion that he is not inclined to state.

While on this, the Court noted that the wordings of Article 194(3) of the Constitution of India are unambiguous and clear. It was the Court’s opinion that it would be a monumental tragedy to conclude that the legislature is restricted to the function of enacting laws. The legislature debates many aspects, and at times records a sense of the House. This is not unusual or without precedent. Further, once the wider array of functions performed by an elected Parliament or Assembly, not confined to only enacting laws is recognised, any act in furtherance of this wider role and any obstruction to the same will certainly give rise to an issue of parliamentary privilege.

The Court saw no merit in the line of argument that no non-member could be summoned if they had not intruded on the functioning of the Assembly; or that the non-participation of the petitioner would not have adverse consequences as it did not disrupt the functioning of the Committee. The petitioners, more so with their expanded role as an intermediary, can hardly contend that they have some exceptional privilege to abstain from appearing before a committee duly constituted by the Assembly.

Noting that only a summons has been issued for appearance before the Committee and the question of any privilege power being exercised is yet far away; the Court observed:

“This case is a preventive endeavour by the petitioner to preclude the respondents from even considering the aspect of privilege by seeking this Court’s intervention at a pre-threshold stage, only on the premise of the absence of legislative power.”

The Court was not impressed by the argument that the privilege powers of the Assembly are not constitutional in character but flow only from the Government of National Capital Territory of Delhi Act, 1991. It was Court’s opinion that the scheme of privilege has to be seen in the context of provisions of Article 239-AA of the Constitution, as well as the GNCTD Act. They are not divorced from each other.

The Court held the power of the Assembly to summon in the format it sought to do is beyond exception and in accordance with law; and that the stage for any possible judicial intervention had not arisen in the instant case.

(b) Privileges, Free Speech and Privacy

Petitioners sought to pit the expanded right of free speech and privacy against privilege, emphasising that the petitioner had a right to remain silent. It was submitted that the mere threat of “necessary action” i.e., the possibility of a breach of privilege, was enough to infringe both the right to free speech and privacy. Thus, “the threatened invasion of the right” could be “removed by restraining the potential violator”.

The Court refrained from entering into any substantial discussion on this point, as such issue is also a subject of reference pending consideration before a 7-Judge Bench.

(c) Legislative Competence

This head dealt with the perceived remit of the Committee and whether the remit has the sanction of the Constitution in the context of division of subject matter under the three Lists of the Seventh Schedule. The bedrock of petitioner’s submissions was based on the alleged lack of legislative competence of the Delhi Assembly and consequently of the Committee to look into the subject matter qua which the notice had been issued to the petitioners. The submission, thus, was that in the absence of any such legislative competence, the petitioners were entitled to approach the Court at this stage itself rather than being compelled to wait for further progress in the proceedings.

On this, the Court reiterated the proposition that the division of powers between the Centre and the State Assemblies must be mutually respected. The concept of a wide reading of Entries (in the three Lists) cannot be allowed to encroach upon a subject matter where there is a specific entry conferring power on the other body. The Court was of the view that the recourse to Entries 1 and 2 of List III cannot be said to include what has been excluded from the powers of List II, i.e., Entries 1, 2 and 18. Similarly, Entry 45 of List III relating to inquiries would again not permit the Assembly or the Committee to inquire into the aspects of public order or police functions. That a law and order situation arose was not disputed by anyone, and that this law and order issue related to communal riots also could not be seriously disputed. That the Assembly cannot deal with the issue of law and order and police is also quite clear.

“Peace and Harmony” as opposed to “Law and Order”

The respondent’s argument was premised on a broader understanding of the expression “peace and harmony”, as opposed to it being restricted to law and order.

The moot point was whether the expression “peace and harmony” can be read in as expanded a manner as respondent sought to do by relying a on a number of Entries in List II and List III. The Court had no doubt that peace and harmony, whether in the National Capital or in a State context, is of great importance. But it would be too much to permit the argument that peace and harmony would impact practically everything and thus, gives power under different entries across the three lists.

The divergent contentions lead the Court to conclude that the Committee can trace its legitimacy to several Entries in List II and List III without encroaching upon the excluded fields of public order or police to undertake a concerted effort albeit not to the extent as canvassed by the respondents. Facebook cannot excuse themselves from appearing pursuant to the new summons issued to them on 3-2-2021. Areas which are not otherwise available to the legislature for its legislative exercise may, however, be legitimately available to a committee for its deliberations. This is so in the context of a broad area of governmental functions. Ultimately, it is the State Government and the State Assembly which has to deal with the ground reality even in the dual power structure in Delhi. The complexity of communal tensions and their wide-ranging ramifications is a matter affecting citizens of Delhi and it cannot be said that the Government of NCT of Delhi cannot look into the causal factors in order to formulate appropriate remedial measures. Appropriate recommendations made by the State Government in this regard could be of significance in the collaborative effort between the Centre and the State to deal with governance issues.

The Court was of the view that because of the pervasive impact of the riots, the Committee could legitimately attend to such grievances encompassing varied elements of public life. Thus, it would be entitled to receive information and deliberate on the same to examine their bearing on peace and harmony without transgressing into any fields reserved for the Union Government in the Seventh Schedule.

Terms of Reference of the Committee on Peace and Harmony

The Court discussed that a part of the Terms of Reference of the Committee on Peace and Harmony was clearly outside the purview of the powers vested with the Assembly. This problem was compounded by what transpired in the press conference held by the Chairman of the Committee. Speaking on behalf of the members of the Committee, the Chairman made certain statements that assume greater significance by virtue of being in the public domain.

While respecting the right of the Committee to the extent that there exists an obligation on the petitioners to respond to the summons, the Court was of the view that it could not permit the proceedings to go on in a manner that encroaches upon the prohibited entries. The Court did not seek to control how the Committee proceeds. In fact, the Committee was yet to proceed. But certain provisions of the Terms of Reference coupled with the press conference is what persuaded the Court to say something more than simply leaving it to the wisdom of the Committee to proceed in the manner they deem fit.

The Court found that para 4(vii) of the Terms of Reference was a troublesome aspect. It read: “(vii) to recommend action against such persons against whom incriminating evidence is found or prima facie case is made out for incitement to violence”.

It was held by the Court that clearly it is not within the remit of the Assembly to recommend action against such persons against whom incriminating evidence is found or prima facie case is made out for incitement of violence. This is an aspect purely governed by policing. It is the function of the police to locate the wrong doer by investigation and charge them before a competent court.

In order to justify the legislative competence and the remit of the Committee, the respondents practically gave up this para 4(vii) and the Court made it clear that this cannot be part of the remit of the Committee.  It was also recorded that by issuing the new summons which withdrew the earlier summons, fallacies in the notices stood removed.

Press-conference by Chairman of the Committee

The Court noticed that the statements made by the Chairman of the Committee during the press conference on 31-8-2020 could not be diluted or brushed aside. It was stated by the Chairman that the material placed before the Committee had resulted in a “preliminary conclusion”. Thereafter it was stated that “prima facie it seems that Facebook has colluded with vested interests during Delhi riots”. He further said: “Facebook should be treated as a co-accused and investigated as a co-accused in Delhi riots investigation”, and “As the issue of Delhi riots is still going in the court, a supplementary chargesheet should be filed considering Facebook as a co-accused”.

Such statements and conclusions, as per the Court, were completely outside the remit of the Committee and should not have been made. That it may give rise to apprehension in the minds of the petitioners could also not be doubted. Such statements are hardly conducive to fair proceedings before the Committee and should have been desisted from. This is especially so as that was not even the legislative mandate, and the Assembly or the Committee had no power to do any of these things.

Putting fetters qua the exercise undertaken by the Committee

In view of the aforesaid, while giving the widest amplitude in respect of inquiry by a legislative committee, the Court was constrained to put certain fetters in the given factual scenario otherwise tomorrow the proceedings itself could be claimed to be vitiated.

The Court said that the Committee cannot have a misconception that it is some kind of a prosecuting agency which can embark on the path of holding people guilty and direct the filing of supplementary chargesheet against them. This aspect has to be kept in mind by the Committee so as to not vitiate future proceedings and give rise to another challenge.

In any eventuality, as speculative as it may be, if the Committee seeks to traverse the path relating to the excluded Entries, i.e. law and order and police, any representative of Facebook who would appear before the Committee would be well within their right to refuse to answer the query and such an approach cannot be taken amiss with possibility of inviting privilege proceedings.

The Court expressed its confidence that such an eventuality will not arise, given the important role that the Committee is performing and that it will accept the sagacious advice. So much and not further.

The writ petition was accordingly dismissed. [Ajit Mohan v. Delhi Legislative Assembly, 2021 SCC OnLine SC 456, decided on 8-7-2021]


Tejaswi Pandit, Senior Editorial Assistant has reported this brief.


 

Supreme Court of The United States
Case BriefsForeign Courts

Supreme Court of The United States (SCOTUS): On April 1st, the 9 Judge Bench of the Court while looking into the allegations levelled against Facebook for violating the Telephone Consumers Protection Act, 1991 (hereinafter TCPA), held that the Court cannot rewrite the TCPA to update it for modern technology. Congress’ cho­sen definition of an autodialer requires that the equipment in question must use a random or sequential number generator. That definition excludes equipment like Facebook’s login notification system, which does not use such technology. The Court held that in order to qualify as an “automatic telephone dialing system” under the TCPA, a device must have the capacity either to store a telephone number using a random or sequential number generator, or to produce a telephone number using a random or sequential number generator.

The facts as they stood; popular social media platform Facebook, as a security feature, allows users to elect to receive text messages when someone attempts to log in to the user’s account from a new device or browser. Noah Duguid was sent such texts by Facebook which alerted him to a login his Facebook account linked to his mobile number. The twist in the tale came up when Duguid stated that he never created that particular account or for that matter any other account on Facebook.

Duguid tried unsuccessfully to stop the unwanted messages, and eventually brought a putative class action against Facebook. He alleged that Facebook violated the TCPA by maintaining a database that stored phone numbers and programming its equipment to send automated text messages. Facebook contended that the TCPA does not apply because the technology it used to text Duguid did not use a “random or sequential number generator”. The Ninth Circuit’s however did not favour Facebook when it held that S. 227 (a) (1) of the TCPA applies to a notifica­tion system like Facebook’s that has the capacity to dial automatically stored numbers.

The Telephone Consumer Protection Act of 1991 (TCPA) forbids abu­sive telemarketing practices by, among other things, restricting cer­tain communications made with an “automatic telephone dialing sys­tem.” The TCPA defines such “autodialers” as equipment with the capacity both “to store or produce telephone numbers to be called, us­ing a random or sequential number generator,” and to dial those num­bers.

Perusing the facts and the relevant statutes, the Court observed that the issue is that whether the clause “using a random or se­quential number generator” in S. 227(a)(1)(A) modifies both of the two verbs that precede it (“store” and “produce”), or only the closest one (“produce”).  The former interpretation was adopted by Facebook in the matter. The Court noted that the most natural reading of the text and other aspects of S. 227(a)(1)(A) confirms Facebook’s view-

  1. In an ordinary case, the “series-qualifier canon” instructs that a modifier at the end of a series of nouns or verbs applies to the entire series.
  2. The modify­ing phrase immediately follows a concise, integrated clause (“store or produce telephone numbers to be called”), which uses the word “or” to connect two verbs that share a common direct object (“telephone num­bers to be called”).
  • The comma in S. 227(a)(1)(A) separating the modifying phrase from the antecedents suggests that the qualifier applies to all of the antecedents, instead of just the nearest one.

The Court further observed that the text of TCPA confirms that the statute’s definition of “autodialer” excludes equipment that does not use a random or sequential number generator. “Congress found autodialer technology harmful be­cause autodialers can dial emergency lines randomly or tie up all of the sequentially numbered phone lines at a single entity. Facebook’s interpretation of S. 227(a)(1)(A) better matches the scope of the TCPA to these specific concerns”. The Court noted that even though Duguid broadly construed the TCPA vis-à-vis privacy, however, the Congressional intent was clear about intrusive telemarketing practices, which is why the Congress ultimately chose a precise autodialer definition. [Facebook Inc. v. Duguid,  2021 SCC OnLine US SC 2, decided on 01-04-2021]


Sucheta Sarkar, Editorial Assistant has reported this brief.

Op EdsOP. ED.

Child safety: Challenges in the online ecosystem

The increased popularity of digital spaces, especially among minors, has led to them being exposed to new forms of exploitation on troubling scales. These include “made to order” services that allow the perpetrator to apply filters relating to age, gender and race of the children while requesting Child Sexual Abuse Material (CSAM)[1], services that allow the perpetrator to view child sexual abuse via live stream and, in some cases, even direct it. These are issues that need urgent attention, especially when a third of the users of the internet are children.

There is unanimous agreement on the need to protect children in digital spaces and the need to mitigate the proliferation of CSAM online on a global scale. The most common solutions offered are focused on maximising security, while privacy takes a back seat. The narrative around the right to privacy primarily focuses on adults, while minors’ right to privacy is taken for granted. This focus must shift taking into account the rights of children that, similar to human rights are “interdependent, non-hierarchical and indivisible”.[2]

Law of the land: Indian and the American regime

In an attempt to curb the increased dissemination of CSAM online, the Indian Government has introduced various provisions in the Information Technology (Intermediary and Digital Media Ethics Code) Rules, 2021 (Rules)[3]. For instance, Rule 4(2) mandates that significant social media intermediaries must enable the identification of the first originator of information on a computer resource for a prescribed number of reasons, one of which is that of CSAM. They must also endeavour to engage in proactive monitoring of CSAM per Rule 4(4).

The United States EARN IT Act of 2020 also lays down best practices in order to curb the dissemination of CSAM.[4] It mandates the creation of “backdoors” in encrypted technology so as to allow law enforcement agencies (LEAs) to access communications. In several publications, Rianna Pfefferkorn, a leading Stanford based cybersecurity expert, has highlighted the dangers such legislation poses on individual privacy.[5]

Whether it be the “originator traceability” envisaged in the IT Rules of 2021 or the “backdoors” mandated in the EARN IT Act of 2020, both are the antithesis of user privacy and free speech as they compromise the security provided by end-to-end encryption. There is a global push towards weakening end-to-end encryption be it via the EARN IT Act of 2020, the Draft Council Resolution by the Council of European Union,[6]  or the Five Eyes Communique[7]. However, there is little evidence to show that perpetrators have been caught or penalised specifically as a result of such decryption. On the contrary, Anand Venkatnarayanan explains how Governments are seeking extant surveillance by breaking end-to-end encryption behind the veneer of child safety, which is the definition of Pedophrastry.[8]

Flawed approach: Explained time and time again

It is important to note that perpetrators do everything they can to remain inconspicuous on these platforms. They may create their own encrypted platforms, or might begin using platforms that are already encrypted. Criminals and terrorists also tend to develop their own encrypted platforms or networks.[9] The technology will still be readily available on the internet, and the passing of such legislation will not be able to keep criminals from using it. If encryption is outlawed, only the outlaws will have encryption, while law-abiding citizens shall be rendered susceptible to attacks by hostile actors.

The granting of exceptional access to law enforcement agencies is challenging from a technological perspective. The deliberate introduction of a vulnerability (in this case the grant of exceptional access to LEA’s) in the system also makes it vulnerable to unauthorised access by hostile third parties,[10] including enemy States. There is also the danger of an abuse of such power by the State.[11] The chilling effect on one’s freedom of speech and expression and the dangers of surveillance has already been discussed by several. Limited use of technology like PhotoDNA on publicly available data or unencrypted data to tackle is one thing, but to conduct mass surveillance by scanning everything going on an encrypted chat is a clear violation of both free speech and user privacy.

The Telecom Regulatory Authority of India has already stated that the security architecture of end-to-end encrypted platforms should not be meddled with for now as the same may render the users susceptible to cyber vulnerabilities.[12] The Supreme Court, in K.S. Puttaswamy v. Union of India,[13] judgment highlighted that any measure infringing upon one’s right to privacy must be sanctioned by law, necessary, must have a legitimate aim and the extent of the same must be proportionate in nature. Dr Menaka Guruswamy[14], Senior Advocate – Supreme Court of India and Mr Kazim Rizvi[15] Founding Director of The Dialogue, have already discussed at length as to why the traceability mandate fails to meet the Puttaswamy test laid down by the Supreme Court.

Way forward: Ensuring privacy and security of the child

CSAM must be tackled with all the strength of the State but not in the way that it harms the best interest of the child itself. A child’s privacy is equally important. If by breaking encryption or enforcing traceability, the security architecture of the services used by the child is weakened rendering him susceptible to abuse then there is no point of this measure. The child is still rendered unsafe. Our methods must keep the interest of the child at the centre of the debate.

The CyberPeace Foundation has recommended a few solutions that attempt to strike a balance between maintaining the child’s right to privacy and the need to intervene in cases as critical as the dissemination of CSAM.[16] These include establishing a standard operating procedure, a hash register, a mandatory “report CSAM button”, etc.

Further, the Carnegie Endowment in its Working Paper on Encryption Policy stated that absolutist positions disallow policymakers from developing a nuanced approach to tackle this issue. The two positions rejected were – access to encrypted communication should never be granted and we should not look for solutions under the same; and LEA’s cannot protect the public without access to all encrypted data.[17] Policies must be subject to the principles of law, enforcement utility, limitation, transparency, evaluation and oversight, auditability, focus and specificity and equity. This will ensure that there is greater granularity of debate and allow viable solutions to be developed.

It is equally important to build the capacity of the law enforcement agencies. The American Invest in Child Safety Act is a brilliant initiative which created a mandatory funding of 5 billion dollars along with 100 FBI agents and 65 more positions in the National Center for Missing and Exploited Children to tackle online sexual abuse.[18] This along with efforts to create community level awareness about child sexual abuse is key to tackling CSAM.

Moreover, we must take more cooperative steps like building the meta-data analysis capabilities of the LEAs with support from Big Tech and academia. If end-to-end encryption is outlawed or weakened, the criminals will, as they have in the past, simply shift to unregulated end-to-end encrypted platforms or create their own platforms. Thereafter the LEAs would not even have access to the meta-data which regulated platforms provide.

The IT Rules of 2021 mandate originator traceability (tell me who the first sender is). This as the technical experts[19] and organisations[20] explain is incompatible with the very idea of end-to-end encryption. Accordingly, Rule 4(2) must not be implemented right away and a wider stakeholder consultation with technical experts must be conducted to better understand how such challenges must be tackled keeping the best interest of the child in mind.


  Programme Manager (Platform Regulation & Encryption) at The Dialogue.

†† Policy Research Associate at The Dialogue.

[1] United Nations, Office on Drugs and Crime (UNODC), “Study on the Effects of New Information Technologies on the Abuse and Exploitation of Children” (2015). <https://www.unodc.org/documents/Cybercrime/Study_on_the_Effects.pdf>.

[2] United Nations, UNICEF Office of Research – Innocenti, Florence, (2020), Encryption, Privacy and Children’s Right to Protection from Harm, Innocenti Working Papers No. 2020-2014. <https://www.unicef-irc.org/publications/pdf/Encryption_privacy_and_children’s_right_to_protection_from_harm.pdf>.

[3] <http://www.scconline.com/DocumentLink/8OCMsY3m>.

[4] Riana Pfefferkorn, The EARN IT Act is a Disaster Amid the COVID-19 Crisis, the Brookings Institution, (4-5-2020) <https://www.brookings.edu/techstream/the-earn-it-act-is-a-disaster-amid-the-covid-19-crisis/>.

[5] Riana Pfefferkorn, Client-side Scanning and Winnie-the-Pooh Redux (Plus Some Thoughts on Zoom), the Centre for Internet and Society, (11-5-2020, 4.16 p.m.) <http://cyberlaw.stanford.edu/blog/2020/05/client-side-scanning-and-winnie-pooh-redux-plus-some-thoughts-zoom>.

[6] Draft Council Resolution on Encryption by Council of EU, Security through Encryption and Security Despite Encryption <https://files.orf.at/vietnam2/files/fm4/202045/783284_fh_st12143-re01en20_783284.pdf>.

[7] The United States Department of Justice, Office of the Attorney General, Press Release No. 20-1,086, International Statement: End-to-End Encryption and Public Safety, (11-10-2020) <https://www.justice.gov/opa/pr/international-statement-end-end-encryption-and-public-safety>.

[8] Anand Venkatanarayanan, “The New Avatar of the Encryption Wars”, Hindustan Times, (4-2-2021 9.04 p.m. IST) <https://www.hindustantimes.com/opinion/the-new-avatar-of-the-encryption-wars-101612444931535.html>.

[9] Robert Graham, How Terrorists Use Encryption, CTC Sentinel, Vol. 9 Issue 6, CTCS 20 (June 2016) <https://www.ctc.usma.edu/how-terrorists-use-encryption>.

[10]  Josephine Wolff, What Exactly are the NSA Hackers Trying to Accomplish?, Slate, (17-8-2016, 4.10 p.m.) <https://slate.com/technology/2016/08/what-exactly-are-the-shadow-brokers-trying-to-accomplish.html>.

[11] CBS News, Police Sometimes Misuse Confidential Work Databases for Personal Gain: AP, CBSN, (30-9-2016) <https://www.cbsnews.com/news/police-sometimes-misuse-confidential-work-databases-for-personal-gain-ap/>.

[12] Telecom Regulatory Authority of India, Recommendations on Regulatory Framework for Over-the-Top (OTT) Communication Services, (14-9-2020)

<https://www.trai.gov.in/sites/default/files/Recommendation_14092020_0.pdf>.

[13] (2018) 1 SCC 809< http://www.scconline.com/DocumentLink/nnXl4mu5>.

[14] Faye D’Souza and Menaka Guruswamy, Are the New Digital Regulations Unconstitutional? (26-2-2021)

 <https://www.youtube.com/watch?v=bGFj-1dkffY&t=23s>.

[15] Kazim Rizvi and Shivam Singh, Does the Traceability Requirement Meet the Puttaswamy Test?, LiveLaw (15-3-2021) <https://www.livelaw.in/columns/the-puttaswamy-test-right-to-privacy-article-21-171181>.

[16] Cyber Peace Foundation, Technology Law and Policy Group, End (-to-End Encrypted) Child Sexual Abuse Material, (2020) ISBN: 978-93-5416-448-4, <https://www.cyberpeace.org/CyberPeace/Repository/End-to-end-Encrypted-CSAM-2.pdf>.

[17] The Carnegie Endowment for International Peace, Encryption Working Group, Moving the Encryption Policy Conversation Forward, (10-9-2019) <https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573#:~:text=Strong%20data%20encryption%20thwarts%20criminals,to%20move%20the%20debate%20forward>.

[18] Adi Robertson, New Bill would Put $5 Billion toward Fighting Online Child Abuse, The Verge, (6-5-2020) <https://www.theverge.com/2020/5/6/21249079/online-abuse-invest-child-safety-act-fbi-investigations-bill-wyden-eshoo>.

[19] The United States Department of Justice, Office of the Attorney General, Press Release No. 20-1,086, International Statement: End-to-End Encryption and Public Safety, (11-10-2020).

[20] Internet Society, Experts’ Workshop Series on Encryption in India, Traceability and Cybersecurity, (27-11-2020) <https://www.internetsociety.org/resources/doc/2020/traceability-and-cybersecurity-experts-workshop-series-on-encryption-in-india/>.

Hot Off The PressNews

Delhi High Court: A petition was submitted before the High Court of Delhi by Whatsapp LLC with a prayer to issue a writ of mandamus or any other appropriate writ, direction, or order to declare that (i) Impugned Rule 4(2) is violative of Articles 14, 19(1)(a), 19(1)(g), and 21 of the Constitution, ultra vires the IT Act, and illegal as to end-to-end encrypted messaging services; and (ii) criminal liability may not be imposed for noncompliance with Impugned Rule 4(2) and any attempt to impose criminal liability for non-compliance with Impugned Rule 4(2) is unconstitutional, ultra vires the IT Act, and illegal.

Petitioner WhatsApp LLC (“Petitioner”) had filed this Writ Petition challenging the requirement in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Rules”) that intermediaries like Petitioner enable “the identification of the first originator of the information” in India on their end-to-end encrypted messaging services (commonly referred to as “traceability”), upon government or court order. Petitioner respectfully submitted that this requirement forces Petitioner to break end-to-end encryption on its messaging service, as well as the privacy principles underlying it, and infringes upon the fundamental rights to privacy and free speech of the hundreds of millions of citizens using WhatsApp to communicate privately and securely. Petition challenges Rule 4(2) of the Intermediary Rules (“Impugned Rule 4(2)”) for the reason that,

  • it infringes upon the fundamental right to privacy without satisfying the three-part test set forth by the Hon’ble Supreme Court: (i) legality; (ii) necessity; and (iii) proportionality relying heavily on S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
  • violates the fundamental right to freedom of speech and expression, as it chills even lawful speech.
  • requirement to enable the identification of the first originator of information in India is ultra vires its parent statutory provision, Section 79 of the Information Technology Act, 2000 (“IT Act”)

What is impugned Rule 4(2)?

“A significant social media intermediary providing services primarily in the nature of messaging shall enable the identification of the first originator of the information on its computer resource as may be required by a judicial order passed by a court of competent jurisdiction or an order passed under section 69 by the competent authority as per the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009, which shall be supported with a copy of such information in electronic form: Provided that an order shall only be passed for the purposes of prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material, punishable with imprisonment for a term of not less than five years: Provided further that no order shall be passed in cases where other less intrusive means are effective in identifying the originator of the information: Provided also that in complying with an order for identification of the first originator, no significant social media intermediary shall be required to disclose the contents of any electronic message, any other information related to the first originator, or any information related to its other users: Provided also that where the first originator of any information on the computer resource of an intermediary is located outside the territory of India, the first originator of that information within the territory of India shall be deemed to be the first originator of the information for the purpose of this clause.”

A more detailed explanation of how Petitioner’s end-to-end encryption system works was provided in its Technical White Paper.

In Central Public Information Officer, Supreme Court v. Subhash Chandra Agrawal, (2020) 5 SCC 481 it was affirmed by the Supreme Court that the right to privacy includes the right to anonymity.

Imposing a requirement to enable the identification of the first originator of information in India would undermine all of these benefits. For example, (i) journalists could be at risk of retaliation for investigating issues that may be unpopular; (ii) civil or political activists could be at risk of retaliation for discussing certain rights and criticizing or advocating for politicians or policies; and (iii) clients and attorneys could become reluctant to share confidential information for fear that the privacy and security of their communications is no longer ensured.

In  Ram Jethmalani v. Union of India, (2011) 8 SCC 1 it was held “fundamental rights cannot be sacrificed on the anvil of fervid desire to find instantaneous solutions to systemic problems”.

In Shayara Bano v. Union of India, AIR 2017 SC 4609 the Hon’ble Supreme Court had held that laws are “manifestly arbitrary” in violation of Article 14 of the Constitution when they are “obviously unreasonable”, capricious, irrational, without adequate determining principle, or excessive and disproportionate and Rule 4(2)’s requirement to enable the identification of the first originator of information in India is “manifestly arbitrary”.

In its response to the contentions raised by WhatsApp, Union of India in its press release on Wednesday, said,

“Government respects the Right To Privacy and has no intention to violate it when WhatsApp is required to disclose the origin of a Particular message. Such Requirements are only in case when the message is required for Prevention, Investigation or Punishment of Very Serious Offences related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material”

With respect to Article 21, the press note said that no Fundamental Right is absolute. Moreover, the test of proportionality laid down in KS Puttaswamyv. Union of India,(2017) 10 SCC 1,finds full applicability in the present context.

Additionally, WhatsApp’s refusal to comply with the Intermediary guidelines is a “clear act of defiance” and an “unfortunate attempt to prevent the same from coming into effect”

The press note also points out the updated privacy policy of WhatsApp hinting their malafides; “At one end, WhatsApp seeks to mandate a privacy policy wherein it will share the data of all its user with its parent company, Facebook, for marketing and advertising purposes. On the other hand, WhatsApp makes every effort to refuse the enactment of the Intermediary Guidelines which are necessary to uphold law and order and curb the menace of fake news.”

Citing International practices and norms, it is added that, “In July 2019, the governments of the United Kingdom, United States, Australia, New Zealand and Canada issued a communique, concluding that tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format. Brazilian law enforcement is looking for WhatsApp to provide suspect IP addresses, customer information, geo-location data and physical messages. What India is asking for is significantly much less than what some of the other countries have demanded.”

Read the full Press Note: 

Click to access Press-Note-on-WhatsApp-HC-Case.pdf

[WhatsApp LLC v. Union of India, W.P. (C) NO. _______ OF 2021, dated 25-05-2021]


Suchita Shukla, Editorial Assistant has put this report together 

For the petitioner: Mr Tejas Karia,Mr Pavit Singh Katoch for Shardul Amarchand Mangaldas & Co.

Also Read

Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

 

Case BriefsHigh Courts

Delhi High Court: Anup Jairam Bhambhani, J. has held it to be an irrefutable proposition that if the name and/or likeness of a person appears on a pornographic website without the consent or concurrence of such person, such act would by and in itself amount to an offence, among others, under Section 67 of the Information and Technology Act, 2000 (“IT Act”).

During the course of the instant proceedings, it transpired that despite orders of the Court, even the respondents who were willing to comply with interim directions issued to remove offending content from the world-wide-web, expressed their inability to fully and effectively remove it in compliance with court directions; while errant parties merrily continued to repost and redirect such content from one website to another and from one online platform to another, thereby cocking a snook at directions issued against them in pending legal proceedings. The High Court, therefore, also suggested template directions that would be legal, implementable, effective and would enable meaningful compliance of the orders of a court without putting any impossible or untenable burden on intermediaries.

Petitioner’s grievance

The principle grievance of the petitioner was that her photographs and images that she had posted on her private social media accounts on Facebook and Instagram have been taken without her knowledge or consent and have been unlawfully posted on a pornographic website by an unknown entity, whereby the petitioner’s photographs and images have become offensive by association.

It was contended that even though the petitioner’s photographs and images are otherwise unobjectionable, but by placing the same on a pornographic website, the errant respondents have ex-facie committed the offence of publishing and transmitting material that appeals to the prurient interests, and which has the effect of tending to deprave and corrupt persons, who are likely to see the photographs, which is an offence under Section 67 of the IT Act. Further, the errant parties have attached captions to her photographs, which act falls within the mischief of other penal provisions of the IT Act and the Penal Code, 1860.

Need for crafting out a solution

During the preliminary hearing, it transpired that cyber crime unit of Delhi Police was ready and willing to comply with Court’s directions of removing/disabling access to the offending content relating to the petitioner, but by reason of technological limitations and impediments, it could not assure the Court that it would be able to entirely efface the offending content from the world-wide-web. While on the other hand, the petitioner complained that while the Court made interim orders for immediate removal of the offending content from the errant website, yet in brazen and blatant disregard of such directions, the errant respondents and other mischief-makers had redirected, reposted and republished the offending content onto other websites and online platforms, thereby rendering the orders of the Court ineffective.

The Court accordingly perceived that the issue of making effective and implementable orders in relation to a grievance arising from offending content placed on the world-wide-web, needed to be examined closely; and a solution to the problem needed to be crafted out so that legal proceedings of the instant nature did not become futile. For examining the statutory landscape, the technological limitations and the reality, the Court appointed Dr Pavan Duggal, Advocate, specialising in cyber law and cyber crime, as Amicus Curiae.

Discussion

Statutory Architecture

On a combined reading of Sections 1(2), 75 and 81 of the IT Act, the Court noted that the IT Act has extra-territorial and overriding application provided the computer, computer system or computer network involved are located within India.

Section 67 of the IT Act forms its parent provision which makes the publishing or transmitting of ‘obscene material in the electronic form an offence. Sections 67-A and 67-B were also noted.

2(1)(w) defines “intermediary” as a person who ‘receives, stores or transmits’ electronic records on behalf of another person or provides ‘any service’ in relation to electronic records. The definition is inclusive and includes within its ambit telecom service providers, network service providers, internet service providers, web-hosting service providers and search engines. Sections 2(1)(o) which defines “data”; 2(1)(v) which defines “information” are also important.

It was noted that though Section 79(1) exempts intermediaries from certain liability under the IT Act, what is noteworthy is that such exemption is not unqualified or unconditional and applies only if the intermediary fulfils certain conditions and obligations. The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules 2009; and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, were also considered.

The High Court placed reliance on the Supreme Court judgment Shreya Singhal v. Union of India, (2015) 5 SCC 1, where it was held that an intermediary would lose the exemption from liability that it enjoys under Section 79(1) if it does not ‘expeditiously remove or disable access to’ offending content or material despite receiving ‘actual knowledge’, which would mean knowledge by way of a court order or on being notified by the appropriate Government or its agency (which in the instant context would mean the police authorities concerned).

Lastly, the Court noted Section 85, which while dealing with contraventions of the IT Act or Rules committed by companies, also makes the directors, manager, secretary or other officer of a company liable if the contravention has been committed by reason of neglect attributable to such person. It was emphasised that what is brought within the provision is any contravention of any provision of the IT Act or any Rules made thereunder.

Breach of Privacy

According to the High Court, it is an irrefutable proposition that if the name and/or likeness of a person appears on a pornographic website (as in the instant case) without the consent or concurrence of such person, such act would by and in itself amount to an offence, among others, under Section 67 of the IT Act. This is so since Section 67 makes it an offence to publish or transmit, or causes to be published or transmitted, in the electronic form, any material which appeals to the prurient interests of those who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it. The Court said:

“The only purpose of posting the petitioner’s photograph on a pornographic website could be to use it to appeal to the prurient interests of those who are likely to see it. That apart, the inclusion of the name and/or likeness of a person on such website, even if the photograph of the person is not in itself obscene or offensive, without consent or concurrence, would at the very least amount to breach of the person’s privacy, which a court may, in appropriate cases, injunct or restrain. It is evident that such publication would likely result in ostracisation and stigmatisation of the person concerned in society; and therefore immediate and efficacious remedy is required in such cases.”

Difficulty faced by Intermediaries

The Court noted that in the first instance, an intermediary cannot be heard to say that it is unable to remove or disable access to offending content despite such actual knowledge as contemplated in law. That being said, however, the Court could not ignore the difficulties expressed by the intermediaries, in the instant case, in identifying and removing offending content, which intermediaries effectively represented the perspective and point-of-view of several other intermediaries who are similarly placed. In fact, none of the respondent intermediaries took a stand that they were not ready or willing to remove offending content if directed by a court order or by an appropriate governmental agency. The intermediaries only said that it may not be possible to identify the offending content appearing in various disguises and corrupted avatars; and further that, it would be too onerous and impractical to place upon them the responsibility to keep on a lookout for offending content resurfacing in the various different disguises and corrupted avatars at the instance of mischief-makers, on a continuing basis.

Suggested directions

In the High Court’s opinion, a fair balance between the obligations and liabilities of the intermediaries and the rights and interests of the aggrieved user/victim would be struck by issuing directions as detailed below, which would be legal, implementable, effective and would enable meaningful compliance of the orders of a court without putting any impossible or untenable burden on intermediaries:

(i) Based on a ‘grievance’ brought before it, as contemplated in Rule 2(1)(j) of the 2021 Rules or otherwise, and upon a court being satisfied in any proceedings before it, whether at the interim or final stage, that such grievance requires immediate redressal, the court may issue a direction to the website or online platform on which the offending content is hosted, to remove such content from the website or online platform, forthwith and in any event within 24 hours of receipt of the court order;

(ii) A direction should also be issued to the website or online platform on which the offending content is hosted to preserve all information and associated records relating to the offending content, so that evidence in relation to the offending content is not vitiated, at least for a period of 180 days or such longer period as the court may direct, for use in investigation, in line with Rule 3(1)(g) of the 2021 Rules;

(iii) A direction should also be issued by the court to the search engine(s) as the court may deem appropriate, to make the offending content non-searchable by ‘de-indexing’ and ‘de-referencing’ the offending content in their listed search results, including de-indexing and de-referencing all concerned web pages, sub-pages or sub-directories on which the offending content is found. The intermediary must be obliged to comply with a court order directing removal or disabling access to offending content within 24 hours from receipt of such order;

(iv) The directions issued must also mandate the concerned intermediaries, whether websites/online platforms/search engine(s), to endeavour to employ pro-active monitoring by using automated tools, to identify and remove or disable access to any content which is ‘exactly identical’ to the offending content that is subject matter of the court order, as contemplated in Rule 4(1)(d) of the 2021 Rules;

(v) Directions should also be issued to the law enforcement agencies concerned, such as the jurisdictional police, to obtain from the website or online platform concerned all information and associated records, including all unique identifiers relating to the offending content such as the URL (Uniform Resource Locator), account ID, handle name, Internet Protocol address and hash value of the actual offending content alongwith the metadata, subscriber information, access logs and such other information as the law enforcement agency may require, in line with Rule 3(1)(j) of the 2021 Rules, as soon as possible but not later than 72 hours of receipt of written intimation in this behalf by the law enforcement agency;

(vi) Also, the court must direct the aggrieved party to furnish to the law enforcement agency all available information that the aggrieved party possesses relating to the offending content, such as its file name, Image URL, Web URL and other available identifying elements of the offending content, as may be applicable; with a further direction to the law enforcement agency to furnish such information to all other entities such as websites/online platforms/search engines to whom directions are issued by the court in the case;

(vii) The aggrieved party should also be permitted, on the strength of the court order passed regarding specific offending content, to notify the law enforcement agency to remove the offending content from any other website, online platform or search engine(s) on which same or similar offending content is found to be appearing, whether in the same or in a different context. Upon such notification by the aggrieved party, the law enforcement agency shall notify the website concerned, online platform and search engine(s), who (latter) would be obligated to comply with such request; and, if there is any technological difficulty or other objection to so comply, the website, online platform or search engine(s) may approach the court concerned which passed the order, seeking clarification but only after first complying with the request made by the aggrieved party;

(viii) The court may also direct the aggrieved party to make a complaint on the National Cyber-Crime Reporting Portal (if not already done so), to initiate the process provided for grievance redressal on that portal;

(ix) Most importantly, the court must refer to the provisions of Section 79(3)(a) and (b) read with Section 85 of the IT Act and Rule 7 of the 2021 Rules, whereby an intermediary would forfeit the exemption from liability enjoyed by it under the law if it were to fail to observe its obligations for removal/access disablement of offending content despite a court order to that effect.

Orders in the instant petition

The Court was satisfied that the action of the petitioner’s photographs and images having been taken from her Facebook and Instagram accounts and having been posted on a pornographic website; and then having been reposted onto other websites and online platforms, amounts prima facie to an offence under Section 67 of the IT Act in addition to other offences under the IPC.

Accordingly, the High Court issued the following directions to the State and other respondents:

(1) The petitioner was directed to furnish in writing to the Investigating Officer of the subject FIR, all available information relating to the offending content, including the Image URL and Web URL pertaining to the offending image files, within 24 hours of receipt of a copy of the judgment, if not already done so;

(2) The Delhi Police/CyPAD Cell were directed to remove/disable access to the offending content, the Web URL and Image URL of which would be furnished by the petitioner as above, from all websites and online platforms, forthwith and in any event within 24 hours of receipt of information from the petitioner;

(3) A direction was issued to the search engines Google Search, Yahoo Search, Microsoft Bing and DuckDuckGo, to globally de-index and de-reference from their search results the offending content as identified by its Web URL and Image URL, including de-indexing and de-referencing all web-pages, sub-pages or sub-directories concerned on which the offending content is found, forthwith and in any event within 24 hours of receipt of a copy of the judgment alongwith requisite information from the Investigating Officer as directed below;

(4) A further direction was issued to the search engines to endeavour to use automated tools, to proactively identify and globally disable access to any content which is exactly identical to the offending content, that may appear on any other websites/online platforms;

(5) The Investigating Officer was directed to furnish in writing the Web URL and Image URL of the offending content to the other entities to whom directions have been issued by the court in the instant matter, alongwith a copy of the judgment, within 24 hours of receipt of such copy;

(6) The Delhi Police was directed to obtain from the pornographic website concerned and from the search engines Google Search, Yahoo Search, Microsoft Bing, DuckDuckGo (and any other search engines as may be possible) all information and associated records relating to the offending content such as the URL, account ID, handle name, Internal Protocol Address, hash value and other such information as may be necessary, for investigation in the FIR registered in the instant case, forthwith and in any event within 72 hours of receipt of a copy of the judgment, if not already done so;

(7) Furthermore, the petitioner was granted liberty to issue written communication to the Investigating Officer for removal/access disablement of the same or similar offending content appearing on any other website/online platform or search engine(s), whether in the same or in different context; with a corresponding direction to the Investigating Officer to notify such website/online platform or search engine(s) to comply with such request, immediately and in any event within 72 hours of receiving such written communication from the petitioner;

(8) Notwithstanding the disposal of the present petition by the instant order, if any website, online platform, search engine(s) or law enforcement agency has any doubt or grievance as regards compliance of any request made by petitioner as aforesaid, such entity shall be at liberty to approach the High Court to seek clarification in that behalf.

The Court made it clear that non-compliance with the foregoing directions would make the non-compliant party liable to forfeit the exemption, if any, available to it generally under Section 79(1) of the IT Act and as specified by Rule 7 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021; and shall make such entity and its officers liable for action as mandated by Section 85 of the IT Act.

The petition was disposed of in the above terms. [X v. Union of India, 2021 SCC OnLine Del 1788, dated 20-4-2021]


Advocates who appeared in this case:

Mr. Sarthak Maggon, Advocate alongwith petitioner in-person.

Dr. Pavan Duggal, Amicus Curiae.

Mr. Ajay Digpaul, CGSC with Mr. Kamal R. Digpaul, Advocate for UOI.

Ms. Gayatri Virmani, Advocate for Ms. Nandita Rao, ASC for the State. Mr. Meet Malhotra, Senior Advocate with Mr. Aditya Vaibhav Singh, Advocate for respondent No. 3.

Mr. Parag P. Tripathi, Senior Advocate with Mr. Tejas Karia, Mr. Ajit Warrier, Mr. Gauhar Mirza, Mr. Shyamal Anand, Mr. Thejesh Rajendran, Ms. Malikah Mehra and Ms. Mishika Bajpai, Advocates for respondent No. 4.

Mr. Sajan Poovayya, Senior Advocate with Ms. Mamta R. Jha, Advocate, Ms. Shruttima Ehersa, Advocate, Mr. Pratibhanu, Advocate, Ms. Raksha, Advocate and Mr. Sharan, Advocate for respondent No. 7.

Case BriefsForeign Courts

Supreme Court of Pakistan: In a significant decision, the 3 Judge Bench of the Court comprising of Manzoor Ahmad Malik, Mazhar Alam Khan Miankhel and Syed Mansoor Ali Shah, JJ., while deliberating upon issues revolving around the scientific veracity of virginity tests to ascertain rape and questioning a woman’s sexual history in order to discredit her witness; held that a woman irrespective of her sexual character or reputation, is entitled to equal protection of law. The courts should discontinue the use of painfully intrusive and inappropriate expressions, like “habituated to sex”, “woman of easy virtue”, “woman of loose moral character”, and “non-virgin”, for the alleged rape victims even if they find that the charge of rape is not proved against the accused. Such expressions are unconstitutional and illegal.

Issues: In the instant appeal filed by the rape accused, the Court upon perusing the facts and arguments presented by the parties, formulated the following issues-

  • Whether recording sexual history of the victim by carrying out “two-finger test” (TFT) or the “virginity test” has any scientific validation or evidentiary relevance to determine the commission of the sexual assault of rape.
  • Whether “sexual history”, “sexual character” or the very “sexuality” of a rape survivor can be used to paint her as sexually active and unchaste and use this to discredit her credibility.
  • Whether her promiscuous background can be made basis to assume that she must have consented to the act.

Perusing the aforementioned issues, the Court delved into the approaches of modern forensics vis-à-vis TFT and studies conducted by Pakistan’s National Commission on the Status of Women (NCSW) on the point. The Bench also took note of the approach taken by the World Health Organisation, the United Nations and United Nations Entity for Gender Equality and the Empowerment of Women on the matter. It was observed that Modern forensic science thus shows that the two finger test must not be conducted for establishing rape-sexual violence, and the size of the vaginal introitus has no bearing on a case of sexual violence. The status of hymen is also irrelevant because hymen can be torn due to several reasons such as rigorous exercising. An intact hymen does not rule out sexual violence and a torn hymen does not prove previous sexual intercourse. Hymen must therefore be treated like any other part of the genitals while documenting examination findings in cases of sexual violence. Only those findings that are relevant to the episode of sexual assault, i.e., findings such as fresh tears, bleeding, oedema, etc., are to be documented.

Considering the constitutional aspects, the Court stated that dragging sexual history of the rape survivor into the case by making observations about her body, is an insult to the reputation and honour of the rape survivor and violates Article 4(2)(a) of the Constitution of Islamic Republic of Pakistan. reporting sexual history of a rape survivor amounts to discrediting her independence, identity, autonomy and free choice thereby degrading her human worth and offending her right to dignity guaranteed under Article 14 of the Constitution, which is an absolute right and not subject to law. “Right to dignity is the crown of fundamental rights under our Constitution and stands at the top, drawing its strength from all the fundamental rights under our Constitution and yet standing alone and tall, making human worth and humanness of a person a far more fundamental a right than the others, a right that is absolutely non-negotiable”.

The Court also pointed out the deep gender biases and inexperience which riddle the medico-legal certificates, like- casually reporting the two finger test, to show that the vagina can admit phallus-like fingers to conclude that the survivor was sexually active at the time of the assault or a ‘virgin”; calling into question the character of the rape survivor etc. The Court stated that such callous approaches are used to support the assumption that a sexually active woman would easily consent for sexual activity with anyone. “Examination of a rape victim by the medical practitioners and use of the medical evidence collected in such examination by the courts should be made only to determine the question whether or not the alleged victim was subjected to rape, and not to determine her virginity or chastity”.

The Court also pointed out that the omission of Article 151(4) Qanun-e-Shahadat Order, 1984 (which allowed the opinion of medical experts as to the virginity tests while deciding rape cases), clearly implies a prohibition on putting questions to a rape victim in cross-examination, and leading any other evidence, about her alleged “general immoral character” for the purpose of impeaching her credibility. The said omission also indicates the legislative intent that in a rape case the accused cannot be allowed to question the complainant about her alleged “general immoral character”.

As a final point, the Bench observed that, “While allowing or disallowing such questions the court must be conscious of the possibility that the accused may have been falsely involved in the case, and should balance the right of the accused to make a full defence and the potential prejudice to the complainant’s rights to dignity and privacy, to keep the scales of justice even”.

[Atif Zareef v. The State, Criminal Appeal No.251/2020, decided on 04-01-2021]


Sucheta Sarkar, Editorial Assistant has reported this brief.


Note: The bench of Justice Ayesha A. Malik of Lahore High Court had also made similar observations in Sadaf Aziz v. Federation of Pakistan, wherein she held that virginity tests are invasive and blatantly violate the dignity of a woman.    

Case BriefsForeign Courts

Constitutional Court of South Africa: In a significant judgment delivered last month, the South African Apex Court, with a ratio of 8:2, declared the Regulation of Interception of Communications and Provision of Communication-Related Information Act (hereinafter RICA) to be unconstitutional, due to lack of privacy safeguards. The Court also held that that collection and monitoring of individuals’ communications under RICA contravened Section 14 of the Constitution of the Republic of South Africa. Having declared RICA unconstitutional, the Court limited the retrospectivity of its declaration of invalidity and suspended its declaration of invalidity for three years in order to allow Parliament adequate time to proceed with its investigations and develop suitable remedial legislation.

Background

 The Regulation of Interception of Communications and Provision of Communication-Related Information Act was passed in order to regulate the interception of communications and associated processes, such as, applications for and authorisation of interception of communications. RICA was enacted to control the interception of both direct and indirect communications, which are defined broadly to include oral conversations, email and mobile phone communications (including data, text and visual images) that are transmitted through a postal service or telecommunication system

Some of the key provisions of RICA that were focused on by the Constitutional Court were–

  • Section 2- prohibits all forms of interception and monitoring of communications, unless they take place under one of the recognised exceptions under this provision.
  • Sections 16 to 18 and 20 to 23- these provisions direct that without a “designated Judge” RICA would be substantially inoperable. With the exception of only one type, at the centre of all surveillance directions issued under RICA is a designated Judge; she or he must authorise all directions that fall within the purview of functions of a designated Judge. Surveillance under sections 16 to 18 and 20 to 23 covers almost the entire spectrum of State surveillance.

AmaBhungane Centre for Investigative Journalism NPC and its managing partner, Stephen Patrick Sole (also an investigative journalist who was under State- surveillance), had approached the High Court of South Africa (Gauteng Division, Pretoria), challenging the constitutionality of RICA, wherein Mr. Sole recapitulated his first hand experience with RICA. In 2008 he suspected that his communications were being monitored and intercepted. In 2009 he took steps to obtain full disclosure of the details relating to the monitoring and interception of his communications from the Office of the Inspector-General of Intelligence. The efforts proved to be fruitless because the Inspector-General had found the National Intelligence Agency (NIA) and the crime intelligence division of the police not guilty of any wrongdoing. It was stated that RICA prohibits disclosure of information relating to surveillance; therefore Mr Sole could not be furnished with the information. Stephen Sole was thus left in the dark as to whether his communications had in fact been intercepted and, if so, what the basis for interception was.

The High Court upon perusal of the facts and the relevant provisions, declared RICA to be unconstitutional based on some of the following grounds (these grounds also formed the core issues which were then addressed by the Constitutional Court)-

  • RICA makes no provision for a subject of surveillance to be notified that he or she has been subjected to surveillance.
  • RICA permits a member of the Executive unfettered discretion to appoint and renew the term of the designated Judge (the functionary responsible for issuing directions for the interception of private communications), and thus fails to ensure the independence of the designated Judge.
  • RICA lacks any form of adversarial process or other mechanism to ensure that the intended subject of surveillance is protected in the ex parte application process.
  • RICA lacks adequate safeguards for examining, copying, sharing, sorting through, using, destroying and/or storing the surveillance data (management of information issue); and fails to provide any special circumstances where the subject of surveillance is a journalist or practising lawyer.

However, the declaration of invalidity was suspended for two years to allow Parliament to cure the defects. Interim relief, in the form of reading-in, was granted in respect of the notification issue (i), the independence issue (ii) and the practising lawyers and journalists issue (iv).

Observations

The Majority judgment was authored by Madlanga J., (with Khampepe J, Majiedt J, Mathopo AJ, Mhlantla J, Theron J, Tshiqi J and Victor AJ concurring). The Majority observed that that interception and surveillance of an individual’s communications under RICA provisions are highly invasive of privacy, and thus infringes Section 14 of the Constitution. Acknowledging the constitutional importance of privacy, the Bench noted that Right to Privacy is tied to dignity. Analyzing impugned legislation in the backdrop of Section 36(1) of the Constitution, the Court observed that even though one of the important purposes of State surveillance is to investigate and combat serious crime, guarantee national security, maintain public order, thereby ensuring the safety of the Republic and its people, however in light of the intrusive nature of the limitation, the Court must question that whether RICA is doing enough to reduce the risk of unnecessary intrusions? In other words, are there safeguards that acceptably minimise the trampling of the privacy right, thereby meeting the standards of reasonableness and justifiability?

On the notification issue (i), the Majority held that such a blanket prohibition facilitates the abuse of interception directions, which are applied for, granted and implemented in complete secrecy. The fact that the subject never knows whether they are under observation and thus there is no opportunity to seek legal redress for the violation of her or his right to privacy. This renders the rights guaranteed the Constitution to approach a court to seek appropriate relief for the infringement of the right to privacy, as illusory and, promotes impunity.

Dealing with the independence issue (ii), the Court observed that that the open-ended discretion in respect of appointments and their renewal could raise a reasonable apprehension that the independence of the Designated Judge may be undermined by external interference by the Executive. As a result, RICA does not allow the Designated Judge an adequate level of structural, operational or perceived independence. RICA was therefore declared unconstitutional to the extent that it fails to ensure adequate safeguards for an independent judicial authorisation of interception.

Dealing with the issue of inadequate safeguards (iv), the Court considered the applicant’s concerns revolving around the lack of regulation as to how intercepted information is handled, stored and eventually destroyed and how this deficiency exposes subjects of interceptions to even more aggravated intrusions into their privacy. The Court noted that RICA provisions do not prescribe the relevant procedures, and that they allow the Director of the Office for Interception Centres an unacceptable unrestrained discretion to regulate the management of information. Thus RICA was declared unconstitutional to the extent that it fails adequately to prescribe procedures to ensure that data obtained pursuant to the interception of communications is managed lawfully and not used or interfered with unlawfully.

Regarding the lawyers and journalists issue (also iv), the Majority acknowledged that the confidentiality of journalists’ sources is protected by the rights to freedom of expression and the media. The Court also acknowledged that legal professional privilege is an essential part of the rights to a fair trial and fair hearing. These rights weigh in favour of special consideration being given to the importance of the confidentiality of lawyer-client communications and journalists’ sources, in order to minimise the risk of infringement of this confidentiality. RICA’s failure to provide such special circumstances makes it violative of the Constitution.

The Dissenting opinion penned by Jafta J., (with Mogoeng CJ., concurring) noted that that RICA does not empowers the Minister of Justice to designate a judge for the purposes of determining applications for authorisation to intercept private communications and also to perform other functions. It was held that the definition in Section 1 of RICA does not include a provision that the Minister has the power to designate but merely defines the meaning of the term “designated judge”. Consequently, it was held that the suspension of the declaration of invalidity proposed as a remedy is inappropriate as it will not cure the problem of the lack of power to designate. This kind of problem can only be remedied by Parliament granting the Minister the relevant power.[AmaBhungane Centre for Investigative Journalism NPC v. Minister of Justice and Correctional Services, 2021 SCC OnLine CCSA 1, decided on 04-02-2021]


Sucheta Sarkar, Editorial Assistant has reported this brief.

Op EdsOP. ED.

Introduction

You are not alone if you have clicked “I agree” to terms and conditions with hardly giving it a glance before launching an app on your mobile. 90 per cent of the people consented for the terms and conditions before even reading them and nearly 97 per cent of people are aged between eighteen to thirty-six years, says a Deloitte survey[2]. The identified reasons could be the lengthy and complex language used by the apps designed to ensure the users are completely aware and have knowledge upon the consequences.  This explains how easily app users are willing to risk their personal details through the app to third parties, about which they know nothing about. Here are few agreements that people come across more often:

General Avenues

E-commerce

Agreements online can be of two types:

  1. One of which where the terms and conditions (T&C) pop up before the user makes a purchase where the app/site makes the user to read and accept.
  2. Where in the second case, the T&C do not pop up but rather are written most likely at the bottom of the page where the user is assumed to have proceeded further.

However, in case a dispute arises, the courts usually consider the cases where the user clicks “I Accept” as it is a binding agreement by his conduct. These cases have better chances as there is an acceptance identified.

This is the reason why most of the apps enable clicking the accept button only after scrolling till the bottom of the terms and conditions.

Trends in Cyber Law[3]

  1. Legal approach: Cyber law has become a regulatory issue with the increasing day-to-day cybercrime. Countries have been developing in bringing up their respective cyber law legislations and securities.
  2. Internationally accepted principles: These common laws are to maintain internet stability, both nationally and internationally, with regards to cyber laws and security. This could bearranged with an International Convention on Cyber Law.
  3. Bilateral treaties and agreements: The common laws which lead to international treaties and conventions are aimed by the countries as cyber security needs an international approach, and that information shared among countries would be secured. Although it will take time for the countries to come together on this subject.
  4. Jurisdiction: Clearly, the internet jurisdiction needs to be developed as most of the criminals on the web are likely to be anonymous. Principles regarding the same are to be developed.
  5. Consumer protection: With millions of people entering into the digital world everyday, cyberspace is likely to identify and work on consumer protection related issues.
  6. Cyber risk insurance: This type of insurance will further become more common and this specific field requires specific coverage to the users rather than mere extensions and warranties.
  7. Spam: The increasing innovation of spam in targeting users, India has become one of the hotspots for spams. Efficient legislations relating to spam are to be brought.
  8. Intermediaries: The coming years would focus more on the role of intermediaries and service providers with the growing diligence requirements. The cyberspace is being watched out by the countries as the intermediaries are responsible for the data collected through apps and other mediums concerning cybersecurity and as third-party data.
  9. Encryption: Privacy to be protected through encryption. Should the States have access to encrypted data? Maintaining a ground where the data is private but the State having the right to access.

Data Retention Policy in India

Preservation and Retention of Information by Intermediaries[4]

  1. Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
  2. Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and also be liable to fine.

 Data retention is normal and necessary for securing the State from any threats, but is a limited process.  Problems do occur when protection against terrorism measures is used to justify mass retention of people’s data on a daily basis. This, in fact, is mass invasion of people’s private lives. Data retention laws can unknowingly become a “legal” means of violating people’s fundamental right to privacy. Defining the kinds of data retention:

  1. Mass retention of metadata: The main kind of data retention is the mass retention of metadata. Several countries today are constantly attempting to introduce and improve their respective privacy and cyber laws, which would legalise the mass retention of metadata. Metadata consists data such as time and duration of telephone calls, internet usage, IP addresses of the devices, details of senders and receivers of e-mails, credentials that are used, track of logging in and logging out, etc. Although, such retained data does not include the desired content of the e-mails or messages the Governments, however, argue that this kind of retention does not reveal personal details of the individual. It is not true that individual’s entire internet history would not be traced out using just the metadata.
  2. Mass data retention: The next kind of data retention is mass data retention. This is a crucial part in order to conduct mass protection programs hosted by the NSA, USA and CMS, India.  This kind of retention involves retention of every single piece of information about a person’s internet usage. The Government can abruptly collect any of the content of the e-mails, messages, phone calls, gallery, visit to any website, without stating any reason. This practice, however, in India or the US, is unauthorised by law. In India, Section 69 of the Information Technology Act allows the interception, monitoring and decryption of information for a mere period of 2 months.
  3. Limited data retention[5]: This kind of retention of data is allowed by Indian legislations which is mainly concerned with the retention for a specific reason and a specific time. This kind of retaining data is hardly considered as any violation. For instance, to check the data of a region which is suspected to have any threat from terrorist groups, the Government may insist the service provider to retain or decrypt such data.

Altercations

 Data Collection

Recent hearings in the Western States found the source by which large third-party data collectors track individuals through several renowned websites. Regulators have paid comparatively less attention to the mobile application concept, where current studies have shown the means by which these third parties collect data from mobile apps and highlighted legal complications around data controller status and user consent in this field.

A 2018 study by Oxford University surveyed 9,60,000 apps in Google app store and concluded that 40 to 90 per cent of all such apps are set in a way to share data with major third-party tracking companies, regardless of whether the user of the app had an account with any of those companies or not.

iOS and Android Liability and how the Device Stores, if it Does?

Deleting a file does not mean destroying the existence of the file. Whenever the delete button is pressed, the file becomes unavailable to access. There is a unit called a storage master table that keeps track of all the space that is available and used storage spaces. Whenever a delete action is performed, the space is set as free to reuse. When a new file requests for storage space, the space remained after deleting the old file will be reused. Until then, it is not accessible. Once a newer file is being replaced, the old one will be deleted permanently.

So when data is erased, what actually happens to those deleted files, is Avast’s report regarding the eBay phones.[6] The most immediately relevant analogy for defining the legal status of mobile platforms is probably not the webhosts that are the current focus of many discussions of intermediary liability. The immediate analogy for the legalities related to mobile platforms are not regarding the browsers or the software but rather the hardware. The hardware is the most immediately applicable point of reference. Under current rules, a hardware maker, an operating system, or a browser is not liable for the actions of any independent third-party apps that a user installs or loads into his system or access through the browser. Applying the same principles in the mobile context, it seems highly unlikely that courts would impose liability on the developer of a mobile hardware, operating system or browser for content or behaviour of an independent third-party app.

Data collection, mining has been happening for some time now. Most of it is usually harmless. It is now considered a way of life, which has made life so convenient that a user does not even appreciate or notice it. But sometimes it might seem forced or too much because of few companies and that is where law comes in. And hopefully people figure out to keep the privacy and convenience especially when they are all headquartered in a capitalist country and most users do not mind giving data.

How is Data Retention Different from Data Collection? Role of Government in Collecting Data

Government might not even get the user’s data. Before thinking of where the user’s data is going, where the user is giving is to be noted i.e. mobile applications, majorly. Users’ data stay in the company’s data repositories for the company’s use. The further selling of data depends on the company. For every app the user installs, there will be a blind scroll and accept button on “I agree” for any terms and conditions. If the user uses BSNL for WiFi or any public network, it is sure that the data is shared along with millions of others in government repositories. If the user, using a private broadband, they would just get what sites the user visits, what web pages he navigates, the frequency and the timeline of it. While using their network, if user visits sites like YouTube, they would not know what the user browse there. It will just be YouTube that will know what is being browsed. If all of this is done on a Chrome browser, Google will collect it. Every service that is used, every text field that is entered, every button that is clicked in a browser, amounts to the collection of data.

Does the terms and conditions mention the right of the company to sell the user’s data to third parties?

The enterprises and service-based companies can sell it to the third parties as they want, as the user agrees to the T&C, and this vastly varies based on region.

Example: After Cambridge Analytica[7] was proved helping Trump and other political companies in targeting political ads based on Facebook users, Europe introduced General Data Protection Regulation –(GDPR).[8] So, a euro citizen will have rights when it comes to his or her data.

In an Indian scenario, it is not usually the same. Despite the Government asking networks to bring down certain sites and insist the network providers to give them user data, it is still beyond the Government’s capacity over how the risks of appification and data collection are handled.

Example: A user’s Twitter activity is known only to Twitter. The Government cannot retrieve Twitter data. Although, they take action on the user if he tweets hate speech or anything against the State. But that is where their power is confined to.

The Government cannot impose on Twitter to give India region data. Even if they do, for the protection of the State, Twitter has their right to reject it.

If sites like Uber[9]/FB collect any data, what will be the jurisdiction to sue for breach of privacy, since they are online services?

The user initially has agreed to do whatever the company does when clicked “I agree”. Even though the user does not read, it would display that they are going to do anything with that data including even sell it so that other companies can recommend their services and products to users. Since Cambridge Analytica, Facebook, Microsoft and Google have been facing multiple lawsuits over data privacy breach. Ever since, they have done lot of revisions and updates making their applications foolproof for further lawsuits.

But, if there is a glitch identified and a user wants to sue, he should probably make a trip to San Francisco, California and sue there in the country where their headquarter is registered, as the place of the party to the suit is a competent jurisdiction.

Till what extent does Google track us?

Gmail, Maps, Chrome and many other services of Google are widely used. Uber’s map is licensed to Google. So do many other location based apps. So, it is impossible to avoid giving data to Google if a user plans on living by normally using these services. Now, the only difference with Android is, it can even track what the user does with OS. Like frequency of app visits, duration of phone usage, app usage, etc.

The user has deleted a picture. Where does it go? Does delete mean entirely deleting it or is it there somewhere?

Here is a probable pathway.

If a user has given cloud permissions, then it is hard to say if it is ever deleted. It might go to random data collection repositories the minute the user saved it and backed up to cloud. They announce to the user that it is all gone, but they have wide number of data centers to keep all this miscellaneous data, usually said for RnD or project purpose. The user will never know for sure unless he or she is an employee in the company. Not even the Government.

The user has uploaded the picture on cloud. What is cloud?

Cloud is basically a platform where a user keeps all his data instead of using his device’s memory. In simple terms, cloud is for data, what banks are for money.

A person has a closet and a pile of money, he stores it. What if he has a truck load of money? He is likely to use a bank.

Similarly, a device is given thirty-two GB of memory but usage of at least sixty to seventy GB or in cases even higher and the user does not want to delete existing data to store new ones. So, he uses Cloud. The user just connects to his public cloud over internet and the company stores it in their data centers. Cloud is a layman word for the public to understand. Simply put, instead of keeping the user’s data on the device itself, Google, Apple or Facebook will store it for him on their databases in their data centers (which are large enough to store data for their user base) for nearly two billion people[10] and the user will be able to retrieve it whenever needed.

Are Data Collectors Intermediaries? Who are Intermediaries?

If the user accesses Uber, Uber and Google will get his data. If the user is using Amazon but later on gets a similar advertisement on Instagram, then Amazon, Facebook and Instagram are in the play. Everyone except user and the end service which recommends the user is an intermediary. Although it is nearly impossible to determine as one or more of them can make the user a target and recommend.

A User Spoke about Singapore on WhatsApp and now gets Singapore Packages Ads from Makemytrip (MMT). Did WhatsApp sell it to MMT Directly or there is an Intermediary who is Collecting and Supplying? What is Happening here?

There are two scenarios identified here.

  1. Consider that the user browsed on Google Chrome. Google might have identified the word frequency of the user and that would send a notification to MMT because they have a mutual system setup as Google can use this data and help MMT by suggesting ads because here, MMT is likely to pay Google.
  2. The user used the MMT app and they get his activity. Assuming the user did it on an iPhone, Apple has Trivago as their client but not other competitors like MMT. So the user is likely to get ads from Trivago regarding the tickets and packages, and since the user usually gets his tickets to Gmail, Google also collects this data. If the user used Google Maps to search places in Singapore, and if Google had a local business there as a client, the user gets their ad for the respective services. Endless possibilities are identified in this scenario.

In the end, no one is targeting the users by their name. No company collects and stores data under one single individual. The user is just a device name, username, location tag and criteria-based entity with a serial number, which might have a label “x” in the databases. A user is just one in a multibillion entity based analysis and profiling so that the preset algorithms can recommend ads and services.

Indian Laws on Data Protection

India has not enacted any particular legislation on protection of data. Although, the Indian Legislature did amend the Information Technology Act, 2000, to include Sections 43-A and 72-A, which give a right to compensation for improper disclosure of personal information. The Indian Central Government subsequently issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”) under Section 43-A of the Information Technology Act. A clarification to the above Rules was issued on 24-8-2011. The Rules have imposed additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information which have any similarities with the GDPR[11] and the Data Protection Directive. However, these Rules were issued in 2011.

 Beyond Challenges

 These technicalities bring up questions regarding the distribution of responsibility and legal obligations between app developers and third-party data collectors. Third-party collectors’ terms of use typically place the sole responsibility on the app developer to ensure that it has the right to collect, use and share data before providing it to the collector. For instance, Facebook’s business tools terms of use state that: In jurisdictions that require informed consent for storing and accessing cookies or other information on an end user’s device (such as but not limited to the European Union), you must ensure, in a verifiable manner, that an end user provides the necessary consent before you use Facebook Business Tools to enable us to store and access cookies or other information on the end user’s device.

But the EU authorities have not encouraged similar practices. In 2018, the Belgian Court of First Instance upheld a decision of the Belgian Data Protection Authority that found Facebook jointly responsible with website providers for its online tracking pixels and cookies. Facebook argued that its terms of service with website providers required providers to obtain necessary user consents, particularly for website visitors who were non-users of Facebook, and that Facebook, as a separate entity, could not be considered the data controller. The Court disagreed, stating “as Facebook determines both the objective and means of processing of personal data, it remains the party responsible for processing personal data via pixels and is thus, jointly responsible with the owners of the third-party websites for meeting the legal obligations”. A similar chain of judicial reasoning could apply to app tracking.

What all are the kinds of risks involved in this? How far can the risk of sharing data amounts to crime?

The kind of risk involved here is the same kind involved in any other occupation. A worker at a power plant can conduct an error and create such an event resulting in loss of life and property. But, almost all of such workers would not. It is similar here. Everyone who has access to user’s data, who understood it will have the power to do whatever they want with it, but they would not.

A data analyst or scientist has abundance of data at his fingers. Raw data, web data, user data, DoB, likes, interests, activities and a lot of areas. But, he mostly cannot do anything with it. He can only use company devices, to access them, company bought tools and software to analyse them and leave them in the company’s Cloud. Any other activity beyond his capacity will be notified and he will have to face consequences involving his team leaders.  If he still decides to go further, he might end up in jail or pay fine as he had a security breach with his company’s contract.

Looking into the kinds of risks, the involvement here is about millions/probably billion(s) of accounts and the parameters are way too large to impact just one person. There is mostly privacy, security risks and the risk of being involuntarily targeted and influenced[12]. A user is a part of millions of target groups because of his web activity. But as a user of another group, he has force fed all sponsored content from USA Elections, Trump and other similar items, before he even knew facts or thinks he does, he has already picked sides involuntarily, subconsciously. Coming to the biggest, saddest, capitalist aspect of them all, e-commerce and advertising. For instance, Maggi noodles are unhealthy, but you kept on seeing their presence everywhere and involuntarily the next day when you go to the store, you would think “this is famous, this should not be as unhealthy”.

These are mere examples. Multiplying these with every company, party, organisation that has a lot of money, there would be endless possibilities and array of activities which has led the world to what is today. Today, where data has surpassed oil in value and most of the data mankind has, was just created in the last four to five years.

 How Far can the Risk of Sharing Amount to Crime?

Patient data, credit card data, bank data, DoB, address, balance, properties, and the other thing people are usually worried about, might not be bad for them. But, they will never be targeted individually.

If an employee of a bank hacks the accounts of his bank’s clients, there should not be much of complexities here in hacking. The hacker knows what network to log in, which access to use, what credentials to enter and that is all. So depending on the kind of data, risks are determined.[13]

If an underage user creates a Facebook account there is nothing to worry about except for the content that the child will be subjected to. But using a credit card in a fake website and the device has some important material or a mail in it, the site is likely to extract the data. Then, the user needs to be cautious. It all comes down to the trustworthy services. Like someone would trust Gmail over Yahoo or Hotmail to give them their data.

Few users would keep professional and personal life separate by having family and friends on one device used on his home network and work on company devices. This way the algorithms can never link him up and the likelihood of facing threat because of the data extracted being negligible.

There is risk because there is a lack of some sort of protection. What is missing? Why is there a risk?

Most of the users are still unaware of the possibilities. Majority of the user base just bother the needs it caters to, and ignore the concerns it brings. The reason why Facebook’s stocks are going down and the big four are battling multiple lawsuits every day. When Europeans understood this, they implemented GDPR to protect its citizens from security breaches. Sadly, many other countries do not have as many constraints on these issues.

Particularly about privacy, what is the risk involved?

It is simple. A user knows how much his bank balance is, what medical ailments he has, what questionable sites he visited and all of this is personal. What if Google suggests a woman birth control pills because she was browsing about pregnancy? Google knows what kind of services to provide before we even know.[14]

Note: it is not a question of risk, but about the extent one cares about his personal information being available to an employee in a cubicle at Google or Amazon. It might range from just a phone number, email to bank activities and passwords.

Looking into workplace risks, there are a lot of important aspects to remember. If the user is not working in an established company or somewhere where the company does not worry about its digital footprint, there is a fair chance Google, Facebook knows more about the user’s work than his company. Because he is using their major services such as Gmail[15]. But if an enterprise is secured with right certifications and tools and the infrastructure to keep everything private, there got to be nothing to worry about.

What is the status of India in all of this?

At the very top, and the bottom at the same time. Majority of data scientists, analysts, experts and working professionals are from India, work from India, live in India and even workers outside of India, are mostly Indian. At the same time, the huge number of users who are indirectly responsible for profiting Amazon, Facebook, Google, Tinder, TikTok, etc. are from India too. They do not realise the monster they have been feeding to and how it is slowly killing them.

On the other hand, the elder generation who involuntarily put all their bank info, work info, personal info involuntarily is clueless of the threats and risks. Not to mention the ignorant government heads including TRAI and IT Ministry, who hardly consider and understand what Europe’s GDPR is and will turn down any proposals brought by thoughtful employees. A number of Central Government, public sector employees might not be aware of how they are dealing with the country’s data and what company’s repositories they all end up in. Although there are some smart, thoughtful young minds who come up with good ideas to make everything better, but it all comes down to the imposing authority to take decisions.

TRAI Recommendations on Data Privacy[16]

TRAI released its recommendations on the subject titled “Privacy, Security and Ownership of Data in the Telecom Sector” which are applicable for apps, browsers, operating systems and handset makers. An official of the Ministry of Electronics and Information Technology, which is tasked with drafting the data protection law, said that the Act will “prevail” over everything else. In respect of telecom matters, there will be a role for TRAI as sectoral regulator but the basics of privacy will be governed by the Data Protection Act.

Industry bodies such as Internet and Mobile Association of India (IAMAI) and the Indian Cellular Association (ICA) have also criticised TRAI, saying the recommendations were “illegal” and akin to “jumping the gun” ahead of the release of the Srikrishna Committee Report[17]. Some of the clauses such as no use of metadata to identify individuals coupled with data minimisation will be detrimental to building the data business in the country, they said.

In its recommendations, TRAI said that individual users owned their data, or personal information, and entities such as devices were “mere custodians” and do not have primary rights over that information. It also said that the current framework for protection of personal information is “not sufficient” and suggested expanding the ambit of licence conditions governing telcos to all entities handling customer information.

Procedure to Fill the Gap

How can gap between users and big companies w.r.t data protection be filled?

More people need to be optically canvassing how it indirectly impacts the lives and decisions of users. Users need to understand how precisely their data is available to corporates and be more mature in the utilisation in lieu of “I have nothing to lose”, “I do not mind” mentality. Executives in the corporations should be bringing up standards, methods and strategies on laws where human rights and privacy of users are not infringed. This is just ideal. But, the common belief being corporations endeavour their best to have it their way. The only time people had a victory was Europe’s GDPR.

 How Does the World Combine to Become an International Body in Order to Battle the Data Policies?

Though it sounds like an ideal move, it is unlikely to be practical, because a user does not confine usage of services to just one company or one country. As the law fluidity changes from nation to nation, Facebook and Microsoft made foolproof agreements that their Governments will protect them if an alien entity requests them to follow foreign regulations. The said companies amount to nearly half of US’ economy. So the solution here could be awareness. People in charge, taking decisions for public should be made aware of what is happening with their data. Leaders like J. Trudeau, B. Obama and many others used this awareness for a positive change. As long as unprogressive leaders exist, there will be no saying what is going to happen. It can either be completely shut or entirely encouraged, depending on a nation’s political agenda.

Building Privacy-Conscious Apps[18]

Though app compliance with privacy laws is developing, problems frequently come from the lack of information or non-existence of the privacy policy and from a lack of meaningful consent. Transparency is a key aspect of data protection compliance and a clear, understandable and easily accessible privacy policy is a considerable step in the right direction. Enough disclosures in the privacy policy, particularly where available to users usually stores, prior to installation, assist in ensuring users’ consents are adequately captured. The opinion also recommends seeking enough consent for categories of data access, and updated consent when changing processing purposes[19].

It is important that all stakeholders understand their privacy obligations. Privacy should be considered at all stages of development and production. Data minimisation practices particularly with regard to location, contacts and UDID data, should be observed to avoid unnecessary collection or processing. With the growth in the app industry mirrored by a marked increase in regulatory scrutiny, considerations of privacy and data protection should be upright safe and secure.

The Supreme Court of India on Privacy

It is still ambiguous to frame rules under Section 67-C of the Information Technology Act that which kind of data retention will the Indian Government choose in their current system. These rules might have high chances of violating people’s privacy. The Supreme Court, however, will support public opinion against any such laws violating privacy.

For example, interception of telephone is allowed under Section 5(2) of the Telegraph Act, 1885. The Supreme Court, by subjecting the amount of safety lacking in the said Act, upheld the validity of interception, including limiting the time and purpose of the interception. After challenging the validity of Section 69-A of the Information Technology Act, the Supreme Court upheld it on account of the number of procedural safeguards contained in its rules. Ultimately, it is the support of the Supreme Court to scrutinise in order to maintain adequate measures like it took place in the past.

Conclusion

India plays a very vital role not because of the population and the user base, but the density has the capacity to determine these companies’ success. The developers of India are integrated into the developer base and companies that build apps enable data availability and besides, the user base because of India’s over enthusiastic youth.

TikTok, YouTube, Tinder, Google Apps, Apple, Microsoft, Facebook (Instagram, WhatsApp) are off the top. India has at majority user base percentage in all of the said apps without any control, is how Indian users perform. And it is beyond the point of control and awareness. PUBG, for example, is a platform for data collection. The Government tried to shut PUBG down, which essentially affected on the freedom of users and the older generation, sadly, do not even understand what it means to the users. The smarter employees play a vital role in building these systems and integrating them internationally and are crucial people for these companies.

On the contrary, leaders occupied in higher chairs in Indian States, where half of them do not even see how companies and their systems work or even think it is as vital to think and discuss about. Although there are few thoughtful ones, which consider the proportionality, thoughtfulness and responsibility of data sharing[20], but how many are so many? So, to predict how the people’s mindset gets established over the years, it is not possible. To get better, it all comes down to the user base or the Government to implement policies such as EU’s GDPR which voice out on seven key principles[21]:

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimization;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality (security); and

[1] Judicial Clerk, High Court of Andhra Pradesh, Amrawati.

[2] Do You Accept the Terms & Conditions … or do they Need to Change?, Lawyer Monthly, available at <https://www.lawyer-monthly.com/2018/08/do-you-accept-the-terms-conditions-or-do-they-need-to-change/> (last visited on 20-8-2019).

[3] Dr Pavan Duggal, Important Global Cyber Law Trends, Cyberlaws.Net and Pavan Duggal Associates, available at <http://cyberlawcybercrime.com/cyber-law-trends2017/> (last visited on 22-8-2019).

[4] The Information Technology Act, 2000, S. 67-C

[5] The Indian Government Proposes New Data Retention Rules: Will Privacy be Compromised?, TECH2, available at <https://www.firstpost.com/tech/news-analysis/the-indian-government-proposes-new-data-retention-rules-will-privacy-be-compromised-3690439.html> (last visited on 25-8-2019).

[6] Avast Bought your Phone on eBay & Recovered what you Thought you “Wiped” available at <https://venturebeat.com/2014/07/08/avast-bought-your-phone-on-ebay-recovered-what-you-thought-you-wiped/> (last visited on 29-8-2019).

[7] The EU General Data Protection Regulation (GDPR) is the Most Important Change in Data Privacy Regulation in 20 Years, EU GDPR.org, available at <https://eugdpr.org> (last visited on 1-9-2019).

[8] Recognising privacy and security professionals from across Europe, PrivSec 200 available at <https://gdpr.report/news/2019/08/27/privsec200-recognising-privacy-and-security-professionals-from-across-europe/> (last visited on 6-9-2019).

[9] Privacy Policy (US Only), Uber Freight, available at <https://www.uberfreight.com/privacy-policy?_ga=2.36189993.863484050.1567883547-1525969875.1567883547> (last visited on 11-9-2019).

[10]  6 Security Risks of Enterprises Using Cloud Storage and File Sharing Apps, Digital Gaurdian, available at <https://digitalguardian.com/blog/6-security-risks-enterprises-using-cloud-storage-and-file-sharing-apps> (last visited on 4-9-2019).

[11] The Principles, ico., available at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/> (last visited on 7-9-2019).

[12] The Risks of Data Sharing, HiRUM, available at <https://www.hirum.com.au/blog/the-risks-of-data-sharing/> (last visited on 10-9-2019).

[13] Transgender Capital One hacker threatened to ‘shoot up’ California social media company, wanted to be famous, say feds, Meaww, available at https://meaww.com/transgender-capital-one-hacker-breach-threatened-to-shoot-up-california-social-media-company-famous

[14] Data Security Challenges, Oracle9i Security Overview, available at<https://docs.oracle.com/cd/B10501_01/network.920/a96582/overview.htm> (last visited on 28-8-2019).

[15] Id., at 13.

[16] Surabhi Agarwal and Gulveen Aulakh in TRAI Recommendations on Data Privacy Raises Eyebrows, The Economic Times (18-7-2018), available at <https://economictimes.indiatimes.com/industry/telecom/telecom-policy/trai-recommendations-on-data-privacy-raises-eyebrows/articleshow/65033263.cms?from=mdr> (last visited on 6-9-2019).

[17] Ministry of Electronics & Information Technology, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, available at <https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf> (last visited on 24-8-2019).

[18] Mobile Apps and Data Privacy: What Developers Need to Know, Silicon Republic, available at <https://www.siliconrepublic.com/enterprise/apps-development-data-privacy-protection> (last visited on 12-9-2019).

[19] Data for Public Benefit: Balancing the Risks and Benefits of Data Sharing, Understanding Patient Data, available at <https://understandingpatientdata.org.uk/news/data-public-benefit> (last visited on 1-9-2019).

[20] Id., at 18.

[21] The Principles, ico., available at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/> (last visited on 11-9-2019).