Case Briefs: Supreme Court

Supreme Court: A 3-Judge Bench comprising Sanjay Kishan Kaul, Dinesh Maheshwari and Hrishikesh Roy, JJ. has held that representatives of Facebook will have to appear before the Committee on Peace and Harmony constituted by the Delhi Legislative Assembly. At the same time, the Court felt constrained to put certain fetters qua the exercise sought to be undertaken by the Committee.

The instant petition challenged the notices issued by the Committee directing the petitioners to appear before it. The Conclusion of the Court is delineated below, after which follows a detailed analysis of the controversy and the Court’s discussion and opinion.

(i) There is no dispute about the right of the Delhi Assembly or the Committee to proceed on grounds of breach of privilege per se.

(ii) The power to compel attendance by initiating privilege proceedings is an essential power.

(iii) Members and non-Members (like the petitioners) can equally be directed to appear before the Committee and depose on oath.

(iv) In the given facts of the case, the issue of privileges is premature. Having said that, the insertion of para 4(vii) of the Terms of Reference of the Committee taken along with the press conference of the Chairman of the Committee could legitimately give rise to apprehensions in the mind of the petitioners on account of which a caveat has been made.

(v) Canvassing a clash between privilege powers and certain fundamental rights is also preemptory in the present case.

(vi) In any case, the larger issue of privileges vis-a-vis the right of free speech, silence, and privacy in the context of Part III of the Constitution is still at large in view of the reference to the larger Bench in N. Ravi v. T.N. Legislative Assembly, (2005) 1 SCC 603.

(vii) The Delhi Assembly admittedly does not have any power to legislate on aspects of law and order and police in view of Entries 1 and 2 of List II in the Seventh Schedule inter alia being excluded. Further, regulation of intermediaries is also subject matter covered by the Information and Technology Act, 2000.

(viii) The Assembly does not only perform the function of legislating; there are many other aspects of governance which can form part of the essential functions of the Legislative Assembly and consequently the Committee. In the larger context, the concept of peace and harmony goes much beyond law and order and police, more so in view of on-the-ground governance being in the hands of the Delhi Government.

(ix) Para 4(vii) of the Terms of Reference does not survive for any opinion of the Committee. It will not be permissible for the Committee to encroach upon any aspects strictly within the domain of Entries 1 and 2 of List II of the Seventh Schedule. As such, any representative of the petitioners would have the right to not answer questions directly covered by these two fields.

Disruptive Potential of Social Media

In the opening paras, the Court noted that,

“[W]hile social media, on the one hand, is enhancing equal and open dialogue between citizens and policy makers; on the other hand, it has become a tool in the hands of various interest groups who have recognised its disruptive potential. This results in a paradoxical outcome where extremist views are peddled into the mainstream, thereby spreading misinformation.

Established independent democracies are seeing the effect of such ripples across the globe and are concerned. Election and voting processes, the very foundation of a democratic government, stand threatened by social media manipulation. This has given rise to significant debates about the increasing concentration of power in platforms like Facebook, more so as they are said to employ business models that are privacy-intrusive and attention soliciting. The effect on a stable society can be cataclysmic with citizens being ‘polarized and paralyzed’ by such ‘debates’, dividing the society vertically. Less informed individuals might have a tendency to not verify information sourced from friends, or to treat information received from populist leaders as the gospel truth.”

Later, the Court also said that the unprecedented degree of influence of social media necessitates safeguards and caution in consonance with democratic values. Platforms and intermediaries must subserve the principal objective as a valuable tool for public good upholding democratic values. Our country has a history of what has now commonly been called ‘unity in diversity’. This cannot be disrupted at any cost or under any professed freedom by a giant like Facebook claiming ignorance or lack of any pivotal role.

Use of Algorithms and the Role of Facebook

The Court rejected the simplistic approach adopted by Facebook ─ that it is merely a platform posting third party information and has no role in generating, controlling or modulating that information. The Court said that companies like Facebook cannot deny that they use algorithms (sequences of instructions) with some human intervention to personalise content and news to target users. The algorithms select the content based on several factors including social connections, location, and past online activity of the user. These algorithms are often far from objective with biases capable of getting replicated and reinforced. The role played by Facebook is, thus, more active and not as innocuous as is often presented when dealing with third party content.

Factual Context and the Writ Petition

The backdrop of the present case is set in the unfortunate communal riots in different parts of North-East Delhi in February, 2020. In the wake of these riots, the Legislative Assembly of NCT of Delhi resolved to constitute a Committee on Peace and Harmony to “consider the factors and situations which have the potential to disturb communal harmony in the National Capital Territory of Delhi and suggest measures to eliminate such factors and deal with such situations so as to establish harmony among different religious or linguistic communities or social groups.”

The Committee received thousands of complaints which suggested that Facebook had been used as a platform for fomenting hate and jeopardising communal harmony. This was further fuelled by an article published in the Wall Street Journal on 14-8-2020 titled “Facebook’s Hate-Speech Rules Collide with Indian Politics” suggesting that there was a broad pattern of favouritism towards the ruling party and Hindu hardliners. The Article also made serious allegations of lapses on the part of Facebook India in addressing hate speech content.

Subsequently, the Delhi Assembly issued notice for appearance (“first summons”) to Mr Ajit Mohan, Vice President and Managing Director of Facebook India. Mr Mohan was the first petitioner in the instant writ petition. The first summons highlighted the factum of numerous complaints alleging intentional omission and deliberate inaction on the part of Facebook in tackling hate speech online. It was clearly stated that he was being called as a witness for testifying on oath before the Committee on 15-9-2020. Significantly, no consequences in the form of breach of parliamentary privilege were intimated in case Mr Mohan refused to appear.

In its reply, Facebook objected to the first summons and requested to recall it. This was rejected by the Delhi Assembly, and a second summons was issued. It is at this stage that a perceived element of threat was held out to Mr Mohan stating that his refusal to appear was inconsistent with the law of privileges of a legislature (which extends to the Committee and its members). He was asked to appear before the Committee on 23-9-2020 in the “spirit of democratic participation and constitutional mandates.” Importantly, it was clearly stated that non-compliance would be treated as breach of privilege of the Committee and necessary action would be taken.

It is this second summons which triggered the filing of the instant proceedings under Article 32 of the Constitution of India. It was prayed that (a) the first and the second summons be set aside; (b) the Delhi Assembly be restrained from taking any coercive action against the petitioners in furtherance of the impugned summons. Notably, during pendency of the proceedings, the two summonses issued to Mr Mohan were withdrawn and a new summons dated 3-2-2021 was issued to Facebook India alone.

Analysis and Opinion

Contradictory stand in different jurisdictions not acceptable

“Facebook has the power of not simply a hand but a fist, gloved as it may be.”

The Court was not convinced by the simplistic approach of Facebook, and was of the view that, the business model of intermediaries like Facebook being the same across countries, they cannot be permitted to take contradictory stands in different jurisdictions. Thus, for example, in the USA, Facebook projected itself in the category of a publisher, giving it protection under the First Amendment for its control over the material disseminated on its platform. This identity has allowed it to justify moderation and removal of content. Conspicuously in India, however, it has chosen to identify itself purely as a social media platform, despite its similar functions and services in the two countries. Thus, depending on the nature of the controversy, Facebook, having almost identical reach to the populations of different countries, seeks to modify its stand according to its suitability and convenience. The Court said:

Role of Facebook needs to be looked into

Turning to the incident at hand, the Court said that the capital of the country can ill-afford any repetition of the occurrence and thus, the role of Facebook in this context must be looked into by the powers that be. It is in this background that the Assembly sought to constitute a peace and harmony committee. The Assembly being a local legislative and governance body, it cannot be said that their concerns were misconceived or illegitimate. It is not only their concern but their duty to ensure that “peace and harmony” prevails.

Three broad heads

(a) Issue of Privilege

The privilege issue arose out of the plea advanced by the petitioners that both, the first and the second summons, were to summon petitioners with a threat of “privilege”. This argument was coupled with a plea that such power of privilege cannot extend to compel an individual, who is not a member of the House, into giving evidence/opinion that he is not inclined to state.

While on this, the Court noted that the wordings of Article 194(3) of the Constitution of India are unambiguous and clear. It was the Court’s opinion that it would be a monumental tragedy to conclude that the legislature is restricted to the function of enacting laws. The legislature debates many aspects, and at times records a sense of the House. This is not unusual or without precedent. Further, once the wider array of functions performed by an elected Parliament or Assembly, not confined to only enacting laws is recognised, any act in furtherance of this wider role and any obstruction to the same will certainly give rise to an issue of parliamentary privilege.

The Court saw no merit in the line of argument that no non-member could be summoned if they had not intruded on the functioning of the Assembly; or that the non-participation of the petitioner would not have adverse consequences as it did not disrupt the functioning of the Committee. The petitioners, more so with their expanded role as an intermediary, can hardly contend that they have some exceptional privilege to abstain from appearing before a committee duly constituted by the Assembly.

Noting that only a summons has been issued for appearance before the Committee and the question of any privilege power being exercised is yet far away; the Court observed:

“This case is a preventive endeavour by the petitioner to preclude the respondents from even considering the aspect of privilege by seeking this Court’s intervention at a pre-threshold stage, only on the premise of the absence of legislative power.”

The Court was not impressed by the argument that the privilege powers of the Assembly are not constitutional in character but flow only from the Government of National Capital Territory of Delhi Act, 1991. It was Court’s opinion that the scheme of privilege has to be seen in the context of provisions of Article 239-AA of the Constitution, as well as the GNCTD Act. They are not divorced from each other.

The Court held the power of the Assembly to summon in the format it sought to do is beyond exception and in accordance with law; and that the stage for any possible judicial intervention had not arisen in the instant case.

(b) Privileges, Free Speech and Privacy

Petitioners sought to pit the expanded right of free speech and privacy against privilege, emphasising that the petitioner had a right to remain silent. It was submitted that the mere threat of “necessary action” i.e., the possibility of a breach of privilege, was enough to infringe both the right to free speech and privacy. Thus, “the threatened invasion of the right” could be “removed by restraining the potential violator”.

The Court refrained from entering into any substantial discussion on this point, as such issue is also a subject of reference pending consideration before a 7-Judge Bench.

(c) Legislative Competence

This head dealt with the perceived remit of the Committee and whether the remit has the sanction of the Constitution in the context of division of subject matter under the three Lists of the Seventh Schedule. The bedrock of petitioner’s submissions was based on the alleged lack of legislative competence of the Delhi Assembly and consequently of the Committee to look into the subject matter qua which the notice had been issued to the petitioners. The submission, thus, was that in the absence of any such legislative competence, the petitioners were entitled to approach the Court at this stage itself rather than being compelled to wait for further progress in the proceedings.

On this, the Court reiterated the proposition that the division of powers between the Centre and the State Assemblies must be mutually respected. The concept of a wide reading of Entries (in the three Lists) cannot be allowed to encroach upon a subject matter where there is a specific entry conferring power on the other body. The Court was of the view that the recourse to Entries 1 and 2 of List III cannot be said to include what has been excluded from the powers of List II, i.e., Entries 1, 2 and 18. Similarly, Entry 45 of List III relating to inquiries would again not permit the Assembly or the Committee to inquire into the aspects of public order or police functions. That a law and order situation arose was not disputed by anyone, and that this law and order issue related to communal riots also could not be seriously disputed. That the Assembly cannot deal with the issue of law and order and police is also quite clear.

“Peace and Harmony” as opposed to “Law and Order”

The respondent’s argument was premised on a broader understanding of the expression “peace and harmony”, as opposed to it being restricted to law and order.

The moot point was whether the expression “peace and harmony” can be read in as expanded a manner as the respondent sought to do by relying on a number of Entries in List II and List III. The Court had no doubt that peace and harmony, whether in the National Capital or in a State context, is of great importance. But it would be too much to permit the argument that peace and harmony would impact practically everything and thus give power under different entries across the three lists.

The divergent contentions led the Court to conclude that the Committee can trace its legitimacy to several Entries in List II and List III without encroaching upon the excluded fields of public order or police to undertake a concerted effort, albeit not to the extent canvassed by the respondents. Facebook cannot excuse itself from appearing pursuant to the new summons issued to it on 3-2-2021. Areas which are not otherwise available to the legislature for its legislative exercise may, however, be legitimately available to a committee for its deliberations. This is so in the context of a broad area of governmental functions. Ultimately, it is the State Government and the State Assembly which have to deal with the ground reality even in the dual power structure in Delhi. The complexity of communal tensions and their wide-ranging ramifications is a matter affecting citizens of Delhi and it cannot be said that the Government of NCT of Delhi cannot look into the causal factors in order to formulate appropriate remedial measures. Appropriate recommendations made by the State Government in this regard could be of significance in the collaborative effort between the Centre and the State to deal with governance issues.

The Court was of the view that because of the pervasive impact of the riots, the Committee could legitimately attend to such grievances encompassing varied elements of public life. Thus, it would be entitled to receive information and deliberate on the same to examine their bearing on peace and harmony without transgressing into any fields reserved for the Union Government in the Seventh Schedule.

Terms of Reference of the Committee on Peace and Harmony

The Court discussed that a part of the Terms of Reference of the Committee on Peace and Harmony was clearly outside the purview of the powers vested with the Assembly. This problem was compounded by what transpired in the press conference held by the Chairman of the Committee. Speaking on behalf of the members of the Committee, the Chairman made certain statements that assume greater significance by virtue of being in the public domain.

While respecting the right of the Committee to the extent that there exists an obligation on the petitioners to respond to the summons, the Court was of the view that it could not permit the proceedings to go on in a manner that encroaches upon the prohibited entries. The Court did not seek to control how the Committee proceeds. In fact, the Committee was yet to proceed. But certain provisions of the Terms of Reference coupled with the press conference is what persuaded the Court to say something more than simply leaving it to the wisdom of the Committee to proceed in the manner they deem fit.

The Court found that para 4(vii) of the Terms of Reference was a troublesome aspect. It read: “(vii) to recommend action against such persons against whom incriminating evidence is found or prima facie case is made out for incitement to violence”.

It was held by the Court that clearly it is not within the remit of the Assembly to recommend action against such persons against whom incriminating evidence is found or prima facie case is made out for incitement of violence. This is an aspect purely governed by policing. It is the function of the police to locate the wrong doer by investigation and charge them before a competent court.

In order to justify the legislative competence and the remit of the Committee, the respondents practically gave up this para 4(vii) and the Court made it clear that this cannot be part of the remit of the Committee.  It was also recorded that by issuing the new summons which withdrew the earlier summons, fallacies in the notices stood removed.

Press-conference by Chairman of the Committee

The Court noticed that the statements made by the Chairman of the Committee during the press conference on 31-8-2020 could not be diluted or brushed aside. It was stated by the Chairman that the material placed before the Committee had resulted in a “preliminary conclusion”. Thereafter it was stated that “prima facie it seems that Facebook has colluded with vested interests during Delhi riots”. He further said: “Facebook should be treated as a co-accused and investigated as a co-accused in Delhi riots investigation”, and “As the issue of Delhi riots is still going in the court, a supplementary chargesheet should be filed considering Facebook as a co-accused”.

Such statements and conclusions, as per the Court, were completely outside the remit of the Committee and should not have been made. That it may give rise to apprehension in the minds of the petitioners could also not be doubted. Such statements are hardly conducive to fair proceedings before the Committee and should have been desisted from. This is especially so as that was not even the legislative mandate, and the Assembly or the Committee had no power to do any of these things.

Putting fetters qua the exercise undertaken by the Committee

In view of the aforesaid, while giving the widest amplitude in respect of inquiry by a legislative committee, the Court was constrained to put certain fetters in the given factual scenario otherwise tomorrow the proceedings itself could be claimed to be vitiated.

The Court said that the Committee cannot have a misconception that it is some kind of a prosecuting agency which can embark on the path of holding people guilty and direct the filing of supplementary chargesheet against them. This aspect has to be kept in mind by the Committee so as to not vitiate future proceedings and give rise to another challenge.

In any eventuality, as speculative as it may be, if the Committee seeks to traverse the path relating to the excluded Entries, i.e. law and order and police, any representative of Facebook who would appear before the Committee would be well within their right to refuse to answer the query and such an approach cannot be taken amiss with possibility of inviting privilege proceedings.

The Court expressed its confidence that such an eventuality will not arise, given the important role that the Committee is performing and that it will accept the sagacious advice. So much and not further.

The writ petition was accordingly dismissed. [Ajit Mohan v. Delhi Legislative Assembly, 2021 SCC OnLine SC 456, decided on 8-7-2021]


Tejaswi Pandit, Senior Editorial Assistant has reported this brief.


 

Case Briefs: Foreign Courts

Supreme Court of The United States (SCOTUS): On April 1st, the 9 Judge Bench of the Court, while looking into the allegations levelled against Facebook for violating the Telephone Consumer Protection Act, 1991 (hereinafter TCPA), held that the Court cannot rewrite the TCPA to update it for modern technology. Congress’ chosen definition of an autodialer requires that the equipment in question must use a random or sequential number generator. That definition excludes equipment like Facebook’s login notification system, which does not use such technology. The Court held that in order to qualify as an “automatic telephone dialing system” under the TCPA, a device must have the capacity either to store a telephone number using a random or sequential number generator, or to produce a telephone number using a random or sequential number generator.

The facts, as they stood: popular social media platform Facebook, as a security feature, allows users to elect to receive text messages when someone attempts to log in to the user’s account from a new device or browser. Noah Duguid was sent such texts by Facebook, which alerted him to a login to the Facebook account linked to his mobile number. The twist in the tale came when Duguid stated that he had never created that particular account or, for that matter, any other account on Facebook.

Duguid tried unsuccessfully to stop the unwanted messages, and eventually brought a putative class action against Facebook. He alleged that Facebook violated the TCPA by maintaining a database that stored phone numbers and programming its equipment to send automated text messages. Facebook contended that the TCPA does not apply because the technology it used to text Duguid did not use a “random or sequential number generator”. The Ninth Circuit, however, did not favour Facebook, holding that S. 227(a)(1) of the TCPA applies to a notification system like Facebook’s that has the capacity to dial automatically stored numbers.

The Telephone Consumer Protection Act of 1991 (TCPA) forbids abusive telemarketing practices by, among other things, restricting certain communications made with an “automatic telephone dialing system.” The TCPA defines such “autodialers” as equipment with the capacity both “to store or produce telephone numbers to be called, using a random or sequential number generator,” and to dial those numbers.

Perusing the facts and the relevant statutes, the Court observed that the issue is whether the clause “using a random or sequential number generator” in S. 227(a)(1)(A) modifies both of the two verbs that precede it (“store” and “produce”), or only the closest one (“produce”). The former interpretation was adopted by Facebook in the matter. The Court noted that the most natural reading of the text and other aspects of S. 227(a)(1)(A) confirms Facebook’s view:

  1. In an ordinary case, the “series-qualifier canon” instructs that a modifier at the end of a series of nouns or verbs applies to the entire series.
  2. The modifying phrase immediately follows a concise, integrated clause (“store or produce telephone numbers to be called”), which uses the word “or” to connect two verbs that share a common direct object (“telephone numbers to be called”).
  3. The comma in S. 227(a)(1)(A) separating the modifying phrase from the antecedents suggests that the qualifier applies to all of the antecedents, instead of just the nearest one.

The Court further observed that the text of TCPA confirms that the statute’s definition of “autodialer” excludes equipment that does not use a random or sequential number generator. “Congress found autodialer technology harmful because autodialers can dial emergency lines randomly or tie up all of the sequentially numbered phone lines at a single entity. Facebook’s interpretation of S. 227(a)(1)(A) better matches the scope of the TCPA to these specific concerns”. The Court noted that although Duguid broadly construed the TCPA vis-à-vis privacy, the Congressional intent was clear about intrusive telemarketing practices, which is why Congress ultimately chose a precise autodialer definition. [Facebook Inc. v. Duguid, 2021 SCC OnLine US SC 2, decided on 01-04-2021]


Sucheta Sarkar, Editorial Assistant has reported this brief.

Op Eds

Child safety: Challenges in the online ecosystem

The increased popularity of digital spaces, especially among minors, has led to them being exposed to new forms of exploitation on troubling scales. These include “made to order” services that allow the perpetrator to apply filters relating to age, gender and race of the children while requesting Child Sexual Abuse Material (CSAM)[1], services that allow the perpetrator to view child sexual abuse via live stream and, in some cases, even direct it. These are issues that need urgent attention, especially when a third of the users of the internet are children.

There is unanimous agreement on the need to protect children in digital spaces and the need to mitigate the proliferation of CSAM online on a global scale. The most common solutions offered are focused on maximising security, while privacy takes a back seat. The narrative around the right to privacy primarily focuses on adults, while minors’ right to privacy is taken for granted. This focus must shift taking into account the rights of children that, similar to human rights are “interdependent, non-hierarchical and indivisible”.[2]

Law of the land: Indian and the American regime

In an attempt to curb the increased dissemination of CSAM online, the Indian Government has introduced various provisions in the Information Technology (Intermediary and Digital Media Ethics Code) Rules, 2021 (Rules)[3]. For instance, Rule 4(2) mandates that significant social media intermediaries must enable the identification of the first originator of information on a computer resource for a prescribed number of reasons, one of which is that of CSAM. They must also endeavour to engage in proactive monitoring of CSAM per Rule 4(4).

The United States EARN IT Act of 2020 also lays down best practices in order to curb the dissemination of CSAM.[4] It mandates the creation of “backdoors” in encrypted technology so as to allow law enforcement agencies (LEAs) to access communications. In several publications, Rianna Pfefferkorn, a leading Stanford based cybersecurity expert, has highlighted the dangers such legislation poses on individual privacy.[5]

Whether it be the “originator traceability” envisaged in the IT Rules of 2021 or the “backdoors” mandated in the EARN IT Act of 2020, both are the antithesis of user privacy and free speech as they compromise the security provided by end-to-end encryption. There is a global push towards weakening end-to-end encryption be it via the EARN IT Act of 2020, the Draft Council Resolution by the Council of European Union,[6]  or the Five Eyes Communique[7]. However, there is little evidence to show that perpetrators have been caught or penalised specifically as a result of such decryption. On the contrary, Anand Venkatnarayanan explains how Governments are seeking extant surveillance by breaking end-to-end encryption behind the veneer of child safety, which is the definition of Pedophrastry.[8]

Flawed approach: Explained time and time again

It is important to note that perpetrators do everything they can to remain inconspicuous on these platforms. They may create their own encrypted platforms, or might begin using platforms that are already encrypted. Criminals and terrorists also tend to develop their own encrypted platforms or networks.[9] The technology will still be readily available on the internet, and the passing of such legislation will not be able to keep criminals from using it. If encryption is outlawed, only the outlaws will have encryption, while law-abiding citizens shall be rendered susceptible to attacks by hostile actors.

The granting of exceptional access to law enforcement agencies is challenging from a technological perspective. The deliberate introduction of a vulnerability (in this case the grant of exceptional access to LEAs) in the system also makes it vulnerable to unauthorised access by hostile third parties,[10] including enemy States. There is also the danger of an abuse of such power by the State.[11] The chilling effect on one’s freedom of speech and expression and the dangers of surveillance have already been discussed by several. Limited use of technology like PhotoDNA on publicly available data or unencrypted data to tackle CSAM is one thing, but to conduct mass surveillance by scanning everything going on in an encrypted chat is a clear violation of both free speech and user privacy.

The Telecom Regulatory Authority of India has already stated that the security architecture of end-to-end encrypted platforms should not be meddled with for now as the same may render the users susceptible to cyber vulnerabilities.[12] The Supreme Court, in its judgment in K.S. Puttaswamy v. Union of India,[13] highlighted that any measure infringing upon one’s right to privacy must be sanctioned by law, necessary, must have a legitimate aim and the extent of the same must be proportionate in nature. Dr Menaka Guruswamy[14], Senior Advocate – Supreme Court of India, and Mr Kazim Rizvi[15], Founding Director of The Dialogue, have already discussed at length why the traceability mandate fails to meet the Puttaswamy test laid down by the Supreme Court.

Way forward: Ensuring privacy and security of the child

CSAM must be tackled with all the strength of the State but not in the way that it harms the best interest of the child itself. A child’s privacy is equally important. If by breaking encryption or enforcing traceability, the security architecture of the services used by the child is weakened rendering him susceptible to abuse then there is no point of this measure. The child is still rendered unsafe. Our methods must keep the interest of the child at the centre of the debate.

The CyberPeace Foundation has recommended a few solutions that attempt to strike a balance between maintaining the child’s right to privacy and the need to intervene in cases as critical as the dissemination of CSAM.[16] These include establishing a standard operating procedure, a hash register, a mandatory “report CSAM button”, etc.

Further, the Carnegie Endowment in its Working Paper on Encryption Policy stated that absolutist positions disallow policymakers from developing a nuanced approach to tackle this issue. The two positions rejected were: that access to encrypted communication should never be granted and we should not look for solutions under the same; and that LEAs cannot protect the public without access to all encrypted data.[17] Policies must be subject to the principles of law, enforcement utility, limitation, transparency, evaluation and oversight, auditability, focus and specificity and equity. This will ensure that there is greater granularity of debate and allow viable solutions to be developed.

It is equally important to build the capacity of the law enforcement agencies. The American Invest in Child Safety Act is a brilliant initiative which created a mandatory funding of 5 billion dollars along with 100 FBI agents and 65 more positions in the National Center for Missing and Exploited Children to tackle online sexual abuse.[18] This along with efforts to create community level awareness about child sexual abuse is key to tackling CSAM.

Moreover, we must take more cooperative steps like building the meta-data analysis capabilities of the LEAs with support from Big Tech and academia. If end-to-end encryption is outlawed or weakened, the criminals will, as they have in the past, simply shift to unregulated end-to-end encrypted platforms or create their own platforms. Thereafter the LEAs would not even have access to the meta-data which regulated platforms provide.

The IT Rules of 2021 mandate originator traceability (tell me who the first sender is). This, as the technical experts[19] and organisations[20] explain, is incompatible with the very idea of end-to-end encryption. Accordingly, Rule 4(2) must not be implemented right away, and a wider stakeholder consultation with technical experts must be conducted to better understand how such challenges must be tackled, keeping the best interest of the child in mind.


† Programme Manager (Platform Regulation & Encryption) at The Dialogue.

†† Policy Research Associate at The Dialogue.

[1] United Nations, Office on Drugs and Crime (UNODC), “Study on the Effects of New Information Technologies on the Abuse and Exploitation of Children” (2015). <https://www.unodc.org/documents/Cybercrime/Study_on_the_Effects.pdf>.

[2] United Nations, UNICEF Office of Research – Innocenti, Florence, (2020), Encryption, Privacy and Children’s Right to Protection from Harm, Innocenti Working Papers No. 2020-2014. <https://www.unicef-irc.org/publications/pdf/Encryption_privacy_and_children’s_right_to_protection_from_harm.pdf>.

[3] <http://www.scconline.com/DocumentLink/8OCMsY3m>.

[4] Riana Pfefferkorn, The EARN IT Act is a Disaster Amid the COVID-19 Crisis, the Brookings Institution, (4-5-2020) <https://www.brookings.edu/techstream/the-earn-it-act-is-a-disaster-amid-the-covid-19-crisis/>.

[5] Riana Pfefferkorn, Client-side Scanning and Winnie-the-Pooh Redux (Plus Some Thoughts on Zoom), the Centre for Internet and Society, (11-5-2020, 4.16 p.m.) <http://cyberlaw.stanford.edu/blog/2020/05/client-side-scanning-and-winnie-pooh-redux-plus-some-thoughts-zoom>.

[6] Draft Council Resolution on Encryption by Council of EU, Security through Encryption and Security Despite Encryption <https://files.orf.at/vietnam2/files/fm4/202045/783284_fh_st12143-re01en20_783284.pdf>.

[7] The United States Department of Justice, Office of the Attorney General, Press Release No. 20-1,086, International Statement: End-to-End Encryption and Public Safety, (11-10-2020) <https://www.justice.gov/opa/pr/international-statement-end-end-encryption-and-public-safety>.

[8] Anand Venkatanarayanan, “The New Avatar of the Encryption Wars”, Hindustan Times, (4-2-2021 9.04 p.m. IST) <https://www.hindustantimes.com/opinion/the-new-avatar-of-the-encryption-wars-101612444931535.html>.

[9] Robert Graham, How Terrorists Use Encryption, CTC Sentinel, Vol. 9 Issue 6, CTCS 20 (June 2016) <https://www.ctc.usma.edu/how-terrorists-use-encryption>.

[10] Josephine Wolff, What Exactly are the NSA Hackers Trying to Accomplish?, Slate, (17-8-2016, 4.10 p.m.) <https://slate.com/technology/2016/08/what-exactly-are-the-shadow-brokers-trying-to-accomplish.html>.

[11] CBS News, Police Sometimes Misuse Confidential Work Databases for Personal Gain: AP, CBSN, (30-9-2016) <https://www.cbsnews.com/news/police-sometimes-misuse-confidential-work-databases-for-personal-gain-ap/>.

[12] Telecom Regulatory Authority of India, Recommendations on Regulatory Framework for Over-the-Top (OTT) Communication Services, (14-9-2020) <https://www.trai.gov.in/sites/default/files/Recommendation_14092020_0.pdf>.

[13] (2018) 1 SCC 809 <http://www.scconline.com/DocumentLink/nnXl4mu5>.

[14] Faye D’Souza and Menaka Guruswamy, Are the New Digital Regulations Unconstitutional? (26-2-2021) <https://www.youtube.com/watch?v=bGFj-1dkffY&t=23s>.

[15] Kazim Rizvi and Shivam Singh, Does the Traceability Requirement Meet the Puttaswamy Test?, LiveLaw (15-3-2021) <https://www.livelaw.in/columns/the-puttaswamy-test-right-to-privacy-article-21-171181>.

[16] Cyber Peace Foundation, Technology Law and Policy Group, End (-to-End Encrypted) Child Sexual Abuse Material, (2020) ISBN: 978-93-5416-448-4, <https://www.cyberpeace.org/CyberPeace/Repository/End-to-end-Encrypted-CSAM-2.pdf>.

[17] The Carnegie Endowment for International Peace, Encryption Working Group, Moving the Encryption Policy Conversation Forward, (10-9-2019) <https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573#:~:text=Strong%20data%20encryption%20thwarts%20criminals,to%20move%20the%20debate%20forward>.

[18] Adi Robertson, New Bill would Put $5 Billion toward Fighting Online Child Abuse, The Verge, (6-5-2020) <https://www.theverge.com/2020/5/6/21249079/online-abuse-invest-child-safety-act-fbi-investigations-bill-wyden-eshoo>.

[19] The United States Department of Justice, Office of the Attorney General, Press Release No. 20-1,086, International Statement: End-to-End Encryption and Public Safety, (11-10-2020).

[20] Internet Society, Experts’ Workshop Series on Encryption in India, Traceability and Cybersecurity, (27-11-2020) <https://www.internetsociety.org/resources/doc/2020/traceability-and-cybersecurity-experts-workshop-series-on-encryption-in-india/>.

Hot Off The Press | News

Delhi High Court: A petition was submitted before the High Court of Delhi by WhatsApp LLC with a prayer to issue a writ of mandamus or any other appropriate writ, direction, or order to declare that (i) Impugned Rule 4(2) is violative of Articles 14, 19(1)(a), 19(1)(g), and 21 of the Constitution, ultra vires the IT Act, and illegal as to end-to-end encrypted messaging services; and (ii) criminal liability may not be imposed for non-compliance with Impugned Rule 4(2) and any attempt to impose criminal liability for non-compliance with Impugned Rule 4(2) is unconstitutional, ultra vires the IT Act, and illegal.

Petitioner WhatsApp LLC (“Petitioner”) had filed this Writ Petition challenging the requirement in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Rules”) that intermediaries like Petitioner enable “the identification of the first originator of the information” in India on their end-to-end encrypted messaging services (commonly referred to as “traceability”), upon government or court order. Petitioner respectfully submitted that this requirement forces Petitioner to break end-to-end encryption on its messaging service, as well as the privacy principles underlying it, and infringes upon the fundamental rights to privacy and free speech of the hundreds of millions of citizens using WhatsApp to communicate privately and securely. The petition challenges Rule 4(2) of the Intermediary Rules (“Impugned Rule 4(2)”) on the grounds that:

  • it infringes upon the fundamental right to privacy without satisfying the three-part test set forth by the Hon’ble Supreme Court: (i) legality; (ii) necessity; and (iii) proportionality, relying heavily on K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1;
  • it violates the fundamental right to freedom of speech and expression, as it chills even lawful speech; and
  • the requirement to enable the identification of the first originator of information in India is ultra vires its parent statutory provision, Section 79 of the Information Technology Act, 2000 (“IT Act”).

What is impugned Rule 4(2)?

“A significant social media intermediary providing services primarily in the nature of messaging shall enable the identification of the first originator of the information on its computer resource as may be required by a judicial order passed by a court of competent jurisdiction or an order passed under section 69 by the competent authority as per the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009, which shall be supported with a copy of such information in electronic form: Provided that an order shall only be passed for the purposes of prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material, punishable with imprisonment for a term of not less than five years: Provided further that no order shall be passed in cases where other less intrusive means are effective in identifying the originator of the information: Provided also that in complying with an order for identification of the first originator, no significant social media intermediary shall be required to disclose the contents of any electronic message, any other information related to the first originator, or any information related to its other users: Provided also that where the first originator of any information on the computer resource of an intermediary is located outside the territory of India, the first originator of that information within the territory of India shall be deemed to be the first originator of the information for the purpose of this clause.”

A more detailed explanation of how Petitioner’s end-to-end encryption system works was provided in its Technical White Paper.

In Central Public Information Officer, Supreme Court v. Subhash Chandra Agrawal, (2020) 5 SCC 481, it was affirmed by the Supreme Court that the right to privacy includes the right to anonymity.

Imposing a requirement to enable the identification of the first originator of information in India would undermine all of these benefits. For example, (i) journalists could be at risk of retaliation for investigating issues that may be unpopular; (ii) civil or political activists could be at risk of retaliation for discussing certain rights and criticizing or advocating for politicians or policies; and (iii) clients and attorneys could become reluctant to share confidential information for fear that the privacy and security of their communications is no longer ensured.

In Ram Jethmalani v. Union of India, (2011) 8 SCC 1, it was held that “fundamental rights cannot be sacrificed on the anvil of fervid desire to find instantaneous solutions to systemic problems”.

In Shayara Bano v. Union of India, AIR 2017 SC 4609 the Hon’ble Supreme Court had held that laws are “manifestly arbitrary” in violation of Article 14 of the Constitution when they are “obviously unreasonable”, capricious, irrational, without adequate determining principle, or excessive and disproportionate and Rule 4(2)’s requirement to enable the identification of the first originator of information in India is “manifestly arbitrary”.

In its response to the contentions raised by WhatsApp, the Union of India, in its press release on Wednesday, said:

“Government respects the Right To Privacy and has no intention to violate it when WhatsApp is required to disclose the origin of a Particular message. Such Requirements are only in case when the message is required for Prevention, Investigation or Punishment of Very Serious Offences related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material”

With respect to Article 21, the press note said that no Fundamental Right is absolute. Moreover, the test of proportionality laid down in K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, finds full applicability in the present context.

Additionally, the press note termed WhatsApp’s refusal to comply with the Intermediary Guidelines a “clear act of defiance” and an “unfortunate attempt to prevent the same from coming into effect”.

The press note also points to WhatsApp’s updated privacy policy, hinting at mala fides: “At one end, WhatsApp seeks to mandate a privacy policy wherein it will share the data of all its users with its parent company, Facebook, for marketing and advertising purposes. On the other hand, WhatsApp makes every effort to refuse the enactment of the Intermediary Guidelines which are necessary to uphold law and order and curb the menace of fake news.”

Citing international practices and norms, the press note added: “In July 2019, the governments of the United Kingdom, United States, Australia, New Zealand and Canada issued a communique, concluding that tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format. Brazilian law enforcement is looking for WhatsApp to provide suspect IP addresses, customer information, geo-location data and physical messages. What India is asking for is significantly much less than what some of the other countries have demanded.”


[WhatsApp LLC v. Union of India, W.P. (C) NO. _______ OF 2021, dated 25-05-2021]


Suchita Shukla, Editorial Assistant, has put this report together.

For the petitioner: Mr Tejas Karia, Mr Pavit Singh Katoch for Shardul Amarchand Mangaldas & Co.


Case Briefs | High Courts

Delhi High Court: Anup Jairam Bhambhani, J. has held it to be an irrefutable proposition that if the name and/or likeness of a person appears on a pornographic website without the consent or concurrence of such person, such act would by and in itself amount to an offence, among others, under Section 67 of the Information Technology Act, 2000 (“IT Act”).

During the course of the instant proceedings, it transpired that despite orders of the Court, even the respondents who were willing to comply with interim directions issued to remove offending content from the world-wide-web, expressed their inability to fully and effectively remove it in compliance with court directions; while errant parties merrily continued to repost and redirect such content from one website to another and from one online platform to another, thereby cocking a snook at directions issued against them in pending legal proceedings. The High Court, therefore, also suggested template directions that would be legal, implementable, effective and would enable meaningful compliance of the orders of a court without putting any impossible or untenable burden on intermediaries.

Petitioner’s grievance

The principal grievance of the petitioner was that her photographs and images that she had posted on her private social media accounts on Facebook and Instagram had been taken without her knowledge or consent and had been unlawfully posted on a pornographic website by an unknown entity, whereby the petitioner’s photographs and images had become offensive by association.

It was contended that even though the petitioner’s photographs and images are otherwise unobjectionable, by placing the same on a pornographic website, the errant respondents have ex-facie committed the offence of publishing and transmitting material that appeals to the prurient interests, and which has the effect of tending to deprave and corrupt persons who are likely to see the photographs, which is an offence under Section 67 of the IT Act. Further, the errant parties have attached captions to her photographs, which act falls within the mischief of other penal provisions of the IT Act and the Penal Code, 1860.

Need for crafting out a solution

During the preliminary hearing, it transpired that the cyber crime unit of Delhi Police was ready and willing to comply with the Court’s directions of removing/disabling access to the offending content relating to the petitioner, but by reason of technological limitations and impediments, it could not assure the Court that it would be able to entirely efface the offending content from the world-wide-web. On the other hand, the petitioner complained that while the Court made interim orders for immediate removal of the offending content from the errant website, yet in brazen and blatant disregard of such directions, the errant respondents and other mischief-makers had redirected, reposted and republished the offending content onto other websites and online platforms, thereby rendering the orders of the Court ineffective.

The Court accordingly perceived that the issue of making effective and implementable orders in relation to a grievance arising from offending content placed on the world-wide-web, needed to be examined closely; and a solution to the problem needed to be crafted out so that legal proceedings of the instant nature did not become futile. For examining the statutory landscape, the technological limitations and the reality, the Court appointed Dr Pavan Duggal, Advocate, specialising in cyber law and cyber crime, as Amicus Curiae.

Discussion

Statutory Architecture

On a combined reading of Sections 1(2), 75 and 81 of the IT Act, the Court noted that the IT Act has extra-territorial and overriding application provided the computer, computer system or computer network involved are located within India.

Section 67 of the IT Act is the parent provision, which makes the publishing or transmitting of obscene material in the electronic form an offence. Sections 67-A and 67-B were also noted.

Section 2(1)(w) defines “intermediary” as a person who ‘receives, stores or transmits’ electronic records on behalf of another person or provides ‘any service’ in relation to electronic records. The definition is inclusive and includes within its ambit telecom service providers, network service providers, internet service providers, web-hosting service providers and search engines. Sections 2(1)(o), which defines “data”, and 2(1)(v), which defines “information”, are also important.

It was noted that though Section 79(1) exempts intermediaries from certain liability under the IT Act, what is noteworthy is that such exemption is not unqualified or unconditional and applies only if the intermediary fulfils certain conditions and obligations. The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules 2009; and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, were also considered.

The High Court placed reliance on the Supreme Court judgment Shreya Singhal v. Union of India, (2015) 5 SCC 1, where it was held that an intermediary would lose the exemption from liability that it enjoys under Section 79(1) if it does not ‘expeditiously remove or disable access to’ offending content or material despite receiving ‘actual knowledge’, which would mean knowledge by way of a court order or on being notified by the appropriate Government or its agency (which in the instant context would mean the police authorities concerned).

Lastly, the Court noted Section 85, which while dealing with contraventions of the IT Act or Rules committed by companies, also makes the directors, manager, secretary or other officer of a company liable if the contravention has been committed by reason of neglect attributable to such person. It was emphasised that what is brought within the provision is any contravention of any provision of the IT Act or any Rules made thereunder.

Breach of Privacy

According to the High Court, it is an irrefutable proposition that if the name and/or likeness of a person appears on a pornographic website (as in the instant case) without the consent or concurrence of such person, such act would by and in itself amount to an offence, among others, under Section 67 of the IT Act. This is so since Section 67 makes it an offence to publish or transmit, or cause to be published or transmitted, in the electronic form, any material which appeals to the prurient interests of those who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it. The Court said:

“The only purpose of posting the petitioner’s photograph on a pornographic website could be to use it to appeal to the prurient interests of those who are likely to see it. That apart, the inclusion of the name and/or likeness of a person on such website, even if the photograph of the person is not in itself obscene or offensive, without consent or concurrence, would at the very least amount to breach of the person’s privacy, which a court may, in appropriate cases, injunct or restrain. It is evident that such publication would likely result in ostracisation and stigmatisation of the person concerned in society; and therefore immediate and efficacious remedy is required in such cases.”

Difficulty faced by Intermediaries

The Court noted that in the first instance, an intermediary cannot be heard to say that it is unable to remove or disable access to offending content despite such actual knowledge as contemplated in law. That being said, however, the Court could not ignore the difficulties expressed by the intermediaries, in the instant case, in identifying and removing offending content, which intermediaries effectively represented the perspective and point-of-view of several other intermediaries who are similarly placed. In fact, none of the respondent intermediaries took a stand that they were not ready or willing to remove offending content if directed by a court order or by an appropriate governmental agency. The intermediaries only said that it may not be possible to identify the offending content appearing in various disguises and corrupted avatars; and further that, it would be too onerous and impractical to place upon them the responsibility to keep on a lookout for offending content resurfacing in the various different disguises and corrupted avatars at the instance of mischief-makers, on a continuing basis.

Suggested directions

In the High Court’s opinion, a fair balance between the obligations and liabilities of the intermediaries and the rights and interests of the aggrieved user/victim would be struck by issuing directions as detailed below, which would be legal, implementable, effective and would enable meaningful compliance of the orders of a court without putting any impossible or untenable burden on intermediaries:

(i) Based on a ‘grievance’ brought before it, as contemplated in Rule 2(1)(j) of the 2021 Rules or otherwise, and upon a court being satisfied in any proceedings before it, whether at the interim or final stage, that such grievance requires immediate redressal, the court may issue a direction to the website or online platform on which the offending content is hosted, to remove such content from the website or online platform, forthwith and in any event within 24 hours of receipt of the court order;

(ii) A direction should also be issued to the website or online platform on which the offending content is hosted to preserve all information and associated records relating to the offending content, so that evidence in relation to the offending content is not vitiated, at least for a period of 180 days or such longer period as the court may direct, for use in investigation, in line with Rule 3(1)(g) of the 2021 Rules;

(iii) A direction should also be issued by the court to the search engine(s) as the court may deem appropriate, to make the offending content non-searchable by ‘de-indexing’ and ‘de-referencing’ the offending content in their listed search results, including de-indexing and de-referencing all concerned web pages, sub-pages or sub-directories on which the offending content is found. The intermediary must be obliged to comply with a court order directing removal or disabling access to offending content within 24 hours from receipt of such order;

(iv) The directions issued must also mandate the concerned intermediaries, whether websites/online platforms/search engine(s), to endeavour to employ pro-active monitoring by using automated tools, to identify and remove or disable access to any content which is ‘exactly identical’ to the offending content that is subject matter of the court order, as contemplated in Rule 4(1)(d) of the 2021 Rules;

(v) Directions should also be issued to the law enforcement agencies concerned, such as the jurisdictional police, to obtain from the website or online platform concerned all information and associated records, including all unique identifiers relating to the offending content such as the URL (Uniform Resource Locator), account ID, handle name, Internet Protocol address and hash value of the actual offending content alongwith the metadata, subscriber information, access logs and such other information as the law enforcement agency may require, in line with Rule 3(1)(j) of the 2021 Rules, as soon as possible but not later than 72 hours of receipt of written intimation in this behalf by the law enforcement agency;

(vi) Also, the court must direct the aggrieved party to furnish to the law enforcement agency all available information that the aggrieved party possesses relating to the offending content, such as its file name, Image URL, Web URL and other available identifying elements of the offending content, as may be applicable; with a further direction to the law enforcement agency to furnish such information to all other entities such as websites/online platforms/search engines to whom directions are issued by the court in the case;

(vii) The aggrieved party should also be permitted, on the strength of the court order passed regarding specific offending content, to notify the law enforcement agency to remove the offending content from any other website, online platform or search engine(s) on which same or similar offending content is found to be appearing, whether in the same or in a different context. Upon such notification by the aggrieved party, the law enforcement agency shall notify the website concerned, online platform and search engine(s), who (latter) would be obligated to comply with such request; and, if there is any technological difficulty or other objection to so comply, the website, online platform or search engine(s) may approach the court concerned which passed the order, seeking clarification but only after first complying with the request made by the aggrieved party;

(viii) The court may also direct the aggrieved party to make a complaint on the National Cyber-Crime Reporting Portal (if not already done so), to initiate the process provided for grievance redressal on that portal;

(ix) Most importantly, the court must refer to the provisions of Section 79(3)(a) and (b) read with Section 85 of the IT Act and Rule 7 of the 2021 Rules, whereby an intermediary would forfeit the exemption from liability enjoyed by it under the law if it were to fail to observe its obligations for removal/access disablement of offending content despite a court order to that effect.

Orders in the instant petition

The Court was satisfied that the action of the petitioner’s photographs and images having been taken from her Facebook and Instagram accounts and having been posted on a pornographic website; and then having been reposted onto other websites and online platforms, amounts prima facie to an offence under Section 67 of the IT Act in addition to other offences under the IPC.

Accordingly, the High Court issued the following directions to the State and other respondents:

(1) The petitioner was directed to furnish in writing to the Investigating Officer of the subject FIR, all available information relating to the offending content, including the Image URL and Web URL pertaining to the offending image files, within 24 hours of receipt of a copy of the judgment, if not already done so;

(2) The Delhi Police/CyPAD Cell were directed to remove/disable access to the offending content, the Web URL and Image URL of which would be furnished by the petitioner as above, from all websites and online platforms, forthwith and in any event within 24 hours of receipt of information from the petitioner;

(3) A direction was issued to the search engines Google Search, Yahoo Search, Microsoft Bing and DuckDuckGo, to globally de-index and de-reference from their search results the offending content as identified by its Web URL and Image URL, including de-indexing and de-referencing all web-pages, sub-pages or sub-directories concerned on which the offending content is found, forthwith and in any event within 24 hours of receipt of a copy of the judgment alongwith requisite information from the Investigating Officer as directed below;

(4) A further direction was issued to the search engines to endeavour to use automated tools, to proactively identify and globally disable access to any content which is exactly identical to the offending content, that may appear on any other websites/online platforms;

(5) The Investigating Officer was directed to furnish in writing the Web URL and Image URL of the offending content to the other entities to whom directions have been issued by the court in the instant matter, alongwith a copy of the judgment, within 24 hours of receipt of such copy;

(6) The Delhi Police was directed to obtain from the pornographic website concerned and from the search engines Google Search, Yahoo Search, Microsoft Bing, DuckDuckGo (and any other search engines as may be possible) all information and associated records relating to the offending content such as the URL, account ID, handle name, Internet Protocol address, hash value and other such information as may be necessary, for investigation in the FIR registered in the instant case, forthwith and in any event within 72 hours of receipt of a copy of the judgment, if not already done so;

(7) Furthermore, the petitioner was granted liberty to issue written communication to the Investigating Officer for removal/access disablement of the same or similar offending content appearing on any other website/online platform or search engine(s), whether in the same or in different context; with a corresponding direction to the Investigating Officer to notify such website/online platform or search engine(s) to comply with such request, immediately and in any event within 72 hours of receiving such written communication from the petitioner;

(8) Notwithstanding the disposal of the present petition by the instant order, if any website, online platform, search engine(s) or law enforcement agency has any doubt or grievance as regards compliance of any request made by petitioner as aforesaid, such entity shall be at liberty to approach the High Court to seek clarification in that behalf.

The Court made it clear that non-compliance with the foregoing directions would make the non-compliant party liable to forfeit the exemption, if any, available to it generally under Section 79(1) of the IT Act and as specified by Rule 7 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021; and shall make such entity and its officers liable for action as mandated by Section 85 of the IT Act.

The petition was disposed of in the above terms. [X v. Union of India, 2021 SCC OnLine Del 1788, dated 20-4-2021]


Advocates who appeared in this case:

Mr. Sarthak Maggon, Advocate along with petitioner in-person.

Dr. Pavan Duggal, Amicus Curiae.

Mr. Ajay Digpaul, CGSC with Mr. Kamal R. Digpaul, Advocate for UOI.

Ms. Gayatri Virmani, Advocate for Ms. Nandita Rao, ASC for the State.

Mr. Meet Malhotra, Senior Advocate with Mr. Aditya Vaibhav Singh, Advocate for respondent No. 3.

Mr. Parag P. Tripathi, Senior Advocate with Mr. Tejas Karia, Mr. Ajit Warrier, Mr. Gauhar Mirza, Mr. Shyamal Anand, Mr. Thejesh Rajendran, Ms. Malikah Mehra and Ms. Mishika Bajpai, Advocates for respondent No. 4.

Mr. Sajan Poovayya, Senior Advocate with Ms. Mamta R. Jha, Advocate, Ms. Shruttima Ehersa, Advocate, Mr. Pratibhanu, Advocate, Ms. Raksha, Advocate and Mr. Sharan, Advocate for respondent No. 7.

Case Briefs | Foreign Courts

Supreme Court of Pakistan: In a significant decision, the 3-Judge Bench of the Court comprising Manzoor Ahmad Malik, Mazhar Alam Khan Miankhel and Syed Mansoor Ali Shah, JJ., while deliberating upon issues revolving around the scientific veracity of virginity tests to ascertain rape and the questioning of a woman’s sexual history in order to discredit her as a witness, held that a woman, irrespective of her sexual character or reputation, is entitled to equal protection of law. The courts should discontinue the use of painfully intrusive and inappropriate expressions, like “habituated to sex”, “woman of easy virtue”, “woman of loose moral character”, and “non-virgin”, for the alleged rape victims even if they find that the charge of rape is not proved against the accused. Such expressions are unconstitutional and illegal.

Issues: In the instant appeal filed by the rape accused, the Court, upon perusing the facts and arguments presented by the parties, formulated the following issues:

  • Whether recording sexual history of the victim by carrying out “two-finger test” (TFT) or the “virginity test” has any scientific validation or evidentiary relevance to determine the commission of the sexual assault of rape.
  • Whether “sexual history”, “sexual character” or the very “sexuality” of a rape survivor can be used to paint her as sexually active and unchaste and use this to discredit her credibility.
  • Whether her promiscuous background can be made basis to assume that she must have consented to the act.

Perusing the aforementioned issues, the Court delved into the approaches of modern forensics vis-à-vis TFT and studies conducted by Pakistan’s National Commission on the Status of Women (NCSW) on the point. The Bench also took note of the approach taken by the World Health Organisation, the United Nations and United Nations Entity for Gender Equality and the Empowerment of Women on the matter. It was observed that modern forensic science thus shows that the two finger test must not be conducted for establishing rape-sexual violence, and the size of the vaginal introitus has no bearing on a case of sexual violence. The status of hymen is also irrelevant because hymen can be torn due to several reasons such as rigorous exercising. An intact hymen does not rule out sexual violence and a torn hymen does not prove previous sexual intercourse. Hymen must therefore be treated like any other part of the genitals while documenting examination findings in cases of sexual violence. Only those findings that are relevant to the episode of sexual assault, i.e., findings such as fresh tears, bleeding, oedema, etc., are to be documented.

Considering the constitutional aspects, the Court stated that dragging sexual history of the rape survivor into the case by making observations about her body, is an insult to the reputation and honour of the rape survivor and violates Article 4(2)(a) of the Constitution of Islamic Republic of Pakistan. Reporting sexual history of a rape survivor amounts to discrediting her independence, identity, autonomy and free choice thereby degrading her human worth and offending her right to dignity guaranteed under Article 14 of the Constitution, which is an absolute right and not subject to law. “Right to dignity is the crown of fundamental rights under our Constitution and stands at the top, drawing its strength from all the fundamental rights under our Constitution and yet standing alone and tall, making human worth and humanness of a person a far more fundamental a right than the others, a right that is absolutely non-negotiable”.

The Court also pointed out the deep gender biases and inexperience which riddle the medico-legal certificates, such as casually reporting the two finger test to show that the vagina can admit phallus-like fingers and so conclude that the survivor was sexually active at the time of the assault or a “virgin”, and calling into question the character of the rape survivor. The Court stated that such callous approaches are used to support the assumption that a sexually active woman would easily consent to sexual activity with anyone. “Examination of a rape victim by the medical practitioners and use of the medical evidence collected in such examination by the courts should be made only to determine the question whether or not the alleged victim was subjected to rape, and not to determine her virginity or chastity”.

The Court also pointed out that the omission of Article 151(4) Qanun-e-Shahadat Order, 1984 (which allowed the opinion of medical experts as to the virginity tests while deciding rape cases), clearly implies a prohibition on putting questions to a rape victim in cross-examination, and leading any other evidence, about her alleged “general immoral character” for the purpose of impeaching her credibility. The said omission also indicates the legislative intent that in a rape case the accused cannot be allowed to question the complainant about her alleged “general immoral character”.

As a final point, the Bench observed that, “While allowing or disallowing such questions the court must be conscious of the possibility that the accused may have been falsely involved in the case, and should balance the right of the accused to make a full defence and the potential prejudice to the complainant’s rights to dignity and privacy, to keep the scales of justice even”.

[Atif Zareef v. The State, Criminal Appeal No.251/2020, decided on 04-01-2021]


Sucheta Sarkar, Editorial Assistant has reported this brief.


Note: The bench of Justice Ayesha A. Malik of Lahore High Court had also made similar observations in Sadaf Aziz v. Federation of Pakistan, wherein she held that virginity tests are invasive and blatantly violate the dignity of a woman.    

Case Briefs | Foreign Courts

Constitutional Court of South Africa: In a significant judgment delivered last month, the South African Apex Court, with a ratio of 8:2, declared the Regulation of Interception of Communications and Provision of Communication-Related Information Act (hereinafter RICA) to be unconstitutional, due to lack of privacy safeguards. The Court also held that the collection and monitoring of individuals’ communications under RICA contravened Section 14 of the Constitution of the Republic of South Africa. Having declared RICA unconstitutional, the Court limited the retrospectivity of its declaration of invalidity and suspended its declaration of invalidity for three years in order to allow Parliament adequate time to proceed with its investigations and develop suitable remedial legislation.

Background

The Regulation of Interception of Communications and Provision of Communication-Related Information Act was passed in order to regulate the interception of communications and associated processes, such as applications for and authorisation of interception of communications. RICA was enacted to control the interception of both direct and indirect communications, which are defined broadly to include oral conversations, email and mobile phone communications (including data, text and visual images) that are transmitted through a postal service or telecommunication system.

Some of the key provisions of RICA that were focused on by the Constitutional Court were:

  • Section 2: prohibits all forms of interception and monitoring of communications, unless they take place under one of the recognised exceptions under this provision.
  • Sections 16 to 18 and 20 to 23: these provisions direct that without a “designated Judge” RICA would be substantially inoperable. With the exception of only one type, at the centre of all surveillance directions issued under RICA is a designated Judge; she or he must authorise all directions that fall within the purview of functions of a designated Judge. Surveillance under sections 16 to 18 and 20 to 23 covers almost the entire spectrum of State surveillance.

AmaBhungane Centre for Investigative Journalism NPC and its managing partner, Stephen Patrick Sole (also an investigative journalist who was under State surveillance), had approached the High Court of South Africa (Gauteng Division, Pretoria), challenging the constitutionality of RICA, wherein Mr. Sole recapitulated his first-hand experience with RICA. In 2008 he suspected that his communications were being monitored and intercepted. In 2009 he took steps to obtain full disclosure of the details relating to the monitoring and interception of his communications from the Office of the Inspector-General of Intelligence. The efforts proved to be fruitless because the Inspector-General had found the National Intelligence Agency (NIA) and the crime intelligence division of the police not guilty of any wrongdoing. It was stated that RICA prohibits disclosure of information relating to surveillance; therefore Mr Sole could not be furnished with the information. Stephen Sole was thus left in the dark as to whether his communications had in fact been intercepted and, if so, what the basis for interception was.

The High Court, upon perusal of the facts and the relevant provisions, declared RICA to be unconstitutional based on some of the following grounds (these grounds also formed the core issues which were then addressed by the Constitutional Court):

  (i) RICA makes no provision for a subject of surveillance to be notified that he or she has been subjected to surveillance.
  (ii) RICA permits a member of the Executive unfettered discretion to appoint and renew the term of the designated Judge (the functionary responsible for issuing directions for the interception of private communications), and thus fails to ensure the independence of the designated Judge.
  (iii) RICA lacks any form of adversarial process or other mechanism to ensure that the intended subject of surveillance is protected in the ex parte application process.
  (iv) RICA lacks adequate safeguards for examining, copying, sharing, sorting through, using, destroying and/or storing the surveillance data (management of information issue); and fails to provide any special circumstances where the subject of surveillance is a journalist or practising lawyer.

However, the declaration of invalidity was suspended for two years to allow Parliament to cure the defects. Interim relief, in the form of reading-in, was granted in respect of the notification issue (i), the independence issue (ii) and the practising lawyers and journalists issue (iv).

Observations

The Majority judgment was authored by Madlanga J. (with Khampepe J, Majiedt J, Mathopo AJ, Mhlantla J, Theron J, Tshiqi J and Victor AJ concurring). The Majority observed that interception and surveillance of an individual’s communications under RICA provisions are highly invasive of privacy, and thus infringe Section 14 of the Constitution. Acknowledging the constitutional importance of privacy, the Bench noted that the right to privacy is tied to dignity. Analysing the impugned legislation against the backdrop of Section 36(1) of the Constitution, the Court observed that the important purposes of State surveillance are to investigate and combat serious crime, guarantee national security and maintain public order, thereby ensuring the safety of the Republic and its people. However, in light of the intrusive nature of the limitation, the Court must ask whether RICA is doing enough to reduce the risk of unnecessary intrusions. In other words, are there safeguards that acceptably minimise the trampling of the privacy right, thereby meeting the standards of reasonableness and justifiability?

On the notification issue (i), the Majority held that such a blanket prohibition facilitates the abuse of interception directions, which are applied for, granted and implemented in complete secrecy. The subject never knows whether they are under observation, and thus has no opportunity to seek legal redress for the violation of her or his right to privacy. This renders the right guaranteed by the Constitution to approach a court to seek appropriate relief for the infringement of the right to privacy illusory, and promotes impunity.

Dealing with the independence issue (ii), the Court observed that the open-ended discretion in respect of appointments and their renewal could raise a reasonable apprehension that the independence of the Designated Judge may be undermined by external interference by the Executive. As a result, RICA does not allow the Designated Judge an adequate level of structural, operational or perceived independence. RICA was therefore declared unconstitutional to the extent that it fails to ensure adequate safeguards for an independent judicial authorisation of interception.

Dealing with the issue of inadequate safeguards (iv), the Court considered the applicant’s concerns revolving around the lack of regulation as to how intercepted information is handled, stored and eventually destroyed and how this deficiency exposes subjects of interceptions to even more aggravated intrusions into their privacy. The Court noted that RICA provisions do not prescribe the relevant procedures, and that they allow the Director of the Office for Interception Centres an unacceptable unrestrained discretion to regulate the management of information. Thus RICA was declared unconstitutional to the extent that it fails adequately to prescribe procedures to ensure that data obtained pursuant to the interception of communications is managed lawfully and not used or interfered with unlawfully.

Regarding the lawyers and journalists issue (also iv), the Majority acknowledged that the confidentiality of journalists’ sources is protected by the rights to freedom of expression and the media. The Court also acknowledged that legal professional privilege is an essential part of the rights to a fair trial and fair hearing. These rights weigh in favour of special consideration being given to the importance of the confidentiality of lawyer-client communications and journalists’ sources, in order to minimise the risk of infringement of this confidentiality. RICA’s failure to provide such special circumstances makes it violative of the Constitution.

The Dissenting opinion penned by Jafta J. (with Mogoeng CJ. concurring) noted that RICA does not empower the Minister of Justice to designate a judge for the purposes of determining applications for authorisation to intercept private communications and also to perform other functions. It was held that the definition in Section 1 of RICA does not include a provision that the Minister has the power to designate but merely defines the meaning of the term “designated judge”. Consequently, it was held that the suspension of the declaration of invalidity proposed as a remedy is inappropriate as it will not cure the problem of the lack of power to designate. This kind of problem can only be remedied by Parliament granting the Minister the relevant power. [AmaBhungane Centre for Investigative Journalism NPC v. Minister of Justice and Correctional Services, 2021 SCC OnLine CCSA 1, decided on 04-02-2021]


Sucheta Sarkar, Editorial Assistant has reported this brief.

Op Eds | OP. ED.

Introduction

You are not alone if you have clicked “I agree” to terms and conditions while hardly giving them a glance before launching an app on your mobile. 90 per cent of the people consented to the terms and conditions before even reading them and nearly 97 per cent of people are aged between eighteen and thirty-six years, says a Deloitte survey[2]. The identified reasons could be the lengthy and complex language used by the apps, designed to ensure that users are completely aware and have knowledge of the consequences. This explains how easily app users are willing to risk their personal details through the app to third parties about which they know nothing. Here are a few agreements that people come across more often:

General Avenues

E-commerce

Agreements online can be of two types:

  1. In the first, the terms and conditions (T&C) pop up before the user makes a purchase, and the app/site makes the user read and accept them.
  2. In the second, the T&C do not pop up but are written, most likely at the bottom of the page, and the user is assumed to have agreed by proceeding further.

However, in case a dispute arises, the courts usually treat the cases where the user clicks “I Accept” as a binding agreement by his conduct. These cases have better chances as there is an identified acceptance.

This is the reason why most of the apps enable clicking the accept button only after scrolling to the bottom of the terms and conditions.

Trends in Cyber Law[3]

  1. Legal approach: Cyber law has become a regulatory issue with cybercrime increasing day by day. Countries have been developing their respective cyber law legislation and security measures.
  2. Internationally accepted principles: These common laws are to maintain internet stability, both nationally and internationally, with regard to cyber laws and security. This could be arranged with an International Convention on Cyber Law.
  3. Bilateral treaties and agreements: Countries are aiming for common laws that lead to international treaties and conventions, as cyber security needs an international approach and information shared among countries has to be secured. It will, however, take time for the countries to come together on this subject.
  4. Jurisdiction: Clearly, internet jurisdiction needs to be developed as most of the criminals on the web are likely to be anonymous. Principles regarding the same are to be developed.
  5. Consumer protection: With millions of people entering the digital world every day, cyberspace is likely to identify and work on consumer protection related issues.
  6. Cyber risk insurance: This type of insurance will become more common, and this specific field requires specific coverage for users rather than mere extensions and warranties.
  7. Spam: With increasing innovation in how spam targets users, India has become one of the hotspots for spam. Efficient legislation relating to spam needs to be brought in.
  8. Intermediaries: The coming years would focus more on the role of intermediaries and service providers with the growing diligence requirements. Cyberspace is being watched by countries as the intermediaries are responsible for the data collected through apps and other mediums concerning cybersecurity and as third-party data.
  9. Encryption: Privacy is to be protected through encryption. Should the States have access to encrypted data? A ground has to be maintained where the data is private but the State has the right to access it.

Data Retention Policy in India

Preservation and Retention of Information by Intermediaries[4]

  1. Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
  2. Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and also be liable to fine.

Data retention is normal and necessary for securing the State from any threats, but is a limited process. Problems occur when protection against terrorism is used to justify mass retention of people’s data on a daily basis. This, in fact, is mass invasion of people’s private lives. Data retention laws can unknowingly become a “legal” means of violating people’s fundamental right to privacy. The kinds of data retention are defined below:

  1. Mass retention of metadata: The main kind of data retention is the mass retention of metadata. Several countries today are constantly attempting to introduce and improve their respective privacy and cyber laws, which would legalise the mass retention of metadata. Metadata consists of data such as time and duration of telephone calls, internet usage, IP addresses of the devices, details of senders and receivers of e-mails, credentials that are used, track of logging in and logging out, etc. Such retained data does not include the content of the e-mails or messages, and the Governments therefore argue that this kind of retention does not reveal personal details of the individual. That is not true: an individual’s entire internet history can be traced out using just the metadata.
  2. Mass data retention: The next kind of data retention is mass data retention. This is a crucial part of conducting mass protection programs hosted by the NSA, USA and CMS, India. This kind of retention involves retention of every single piece of information about a person’s internet usage. The Government can abruptly collect any of the content of the e-mails, messages, phone calls, gallery, visits to any website, without stating any reason. This practice, however, in India or the US, is unauthorised by law. In India, Section 69 of the Information Technology Act allows the interception, monitoring and decryption of information for a mere period of 2 months.
  3. Limited data retention[5]: This kind of retention of data is allowed by Indian legislation and is mainly concerned with retention for a specific reason and a specific time. This kind of data retention is hardly considered a violation. For instance, to check the data of a region which is suspected to be under threat from terrorist groups, the Government may require the service provider to retain or decrypt such data.

Altercations

 Data Collection

Recent hearings in the Western States brought out the means by which large third-party data collectors track individuals through several renowned websites. Regulators have paid comparatively less attention to mobile applications, where current studies have shown the means by which these third parties collect data from mobile apps and have highlighted legal complications around data controller status and user consent in this field.

A 2018 study by Oxford University surveyed 9,60,000 apps in Google app store and concluded that 40 to 90 per cent of all such apps are set in a way to share data with major third-party tracking companies, regardless of whether the user of the app had an account with any of those companies or not.

iOS and Android Liability and how the Device Stores, if it Does?

Deleting a file does not mean destroying the existence of the file. Whenever the delete button is pressed, the file becomes unavailable to access. A structure called a storage master table keeps track of which storage space is available and which is in use. Whenever a delete action is performed, the file’s space is marked as free to reuse. When a new file requests storage space, the space left behind by the deleted file will be reused. Until then, the old data is still there but is not accessible. Once a newer file has been written over that space, the old one is deleted permanently.
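The behaviour described above, shown as an added illustration that is not part of the original article: a toy block store (constructed here, with an assumed 8-byte block size; it is not a real filesystem and not how any particular phone stores data) in which deleting a file only updates the free-space table. It also covers the case where a smaller new file reuses only part of the freed space and a fragment of the old file survives.

```python
"""Toy block store. Constructed for illustration; not a real filesystem."""

BLOCK_SIZE = 8  # bytes per block (assumed, tiny on purpose)


class ToyDisk:
    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]  # raw storage
        self.free = [True] * n_blocks  # the "storage master table": free/used per block
        self.files = {}                # file name -> block numbers it occupies

    def write(self, name, data):
        needed = max(1, -(-len(data) // BLOCK_SIZE))  # ceiling division
        chosen = [i for i, is_free in enumerate(self.free) if is_free][:needed]
        if len(chosen) < needed:
            raise OSError("disk full")
        for n, i in enumerate(chosen):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            # Only here, when a block is reused, are its old bytes destroyed.
            self.blocks[i] = chunk.ljust(BLOCK_SIZE, b"\0")
            self.free[i] = False
        self.files[name] = chosen

    def delete(self, name):
        # Only the table changes; the bytes in the blocks are left as they were.
        for i in self.files.pop(name):
            self.free[i] = True

    def free_space_bytes(self):
        """Raw contents of blocks marked free: what a recovery tool would read."""
        return b"".join(b for b, is_free in zip(self.blocks, self.free) if is_free)


def demo():
    disk = ToyDisk(n_blocks=4)
    secret = b"SECRET-PHOTO-123"          # 16 bytes -> occupies blocks 0 and 1
    disk.write("photo.jpg", secret)
    disk.delete("photo.jpg")
    result = {
        # The file is gone from the user's point of view...
        "listed_after_delete": "photo.jpg" in disk.files,
        # ...but every byte is still sitting in "free" space.
        "recoverable_after_delete": secret in disk.free_space_bytes(),
    }
    disk.write("note.txt", b"AAAAAAAA")   # 8 bytes -> reuses block 0 only
    result["fragment_after_partial_reuse"] = b"HOTO-123" in disk.free_space_bytes()
    disk.write("note2.txt", b"BBBBBBBB")  # reuses block 1, the last old block
    result["fragment_after_full_reuse"] = b"HOTO-123" in b"".join(disk.blocks)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
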

What actually happens to deleted files when data is erased is the subject of Avast’s report regarding the eBay phones.[6] The most immediately relevant analogy for defining the legal status of mobile platforms is probably not the webhosts that are the current focus of many discussions of intermediary liability, nor the browsers or the software, but rather the hardware, which is the most immediately applicable point of reference. Under current rules, a hardware maker, an operating system, or a browser is not liable for the actions of any independent third-party apps that a user installs or loads into his system or accesses through the browser. Applying the same principles in the mobile context, it seems highly unlikely that courts would impose liability on the developer of mobile hardware, an operating system or a browser for the content or behaviour of an independent third-party app.

Data collection and mining have been happening for some time now. Most of it is usually harmless. It is now considered a way of life, and has made life so convenient that a user does not even appreciate or notice it. But sometimes it might seem forced or too much because of a few companies, and that is where law comes in. Hopefully people figure out how to keep both privacy and convenience, especially when these companies are all headquartered in a capitalist country and most users do not mind giving data.

How is Data Retention Different from Data Collection? Role of Government in Collecting Data

The Government might not even get the user’s data. Before thinking about where the user’s data is going, it should be noted where the user is giving it, i.e. mobile applications, mainly. Users’ data stays in the company’s data repositories for the company’s use. Any further selling of data depends on the company. For every app the user installs, there will be a blind scroll and a click on “I agree” for any terms and conditions. If the user uses BSNL for WiFi or any public network, it is sure that the data is shared along with that of millions of others in government repositories. If the user is on private broadband, the provider would just get which sites the user visits, which web pages he navigates, and the frequency and the timeline of it. While using their network, if the user visits sites like YouTube, they would not know what the user browses there. It will just be YouTube that knows what is being browsed. If all of this is done on a Chrome browser, Google will collect it. Every service that is used, every text field that is filled in, every button that is clicked in a browser, amounts to the collection of data.

Do the terms and conditions mention the right of the company to sell the user’s data to third parties?

The enterprises and service-based companies can sell it to third parties as they want, as the user agrees to the T&C, and this varies widely by region.

Example: After Cambridge Analytica[7] was proved to have helped Trump and other political companies in targeting political ads based on Facebook users, Europe introduced the General Data Protection Regulation (GDPR).[8] So, a European citizen will have rights when it comes to his or her data.

In an Indian scenario, it is not usually the same. Despite the Government asking networks to bring down certain sites and insisting that network providers give it user data, how the risks of appification and data collection are handled is still beyond the Government’s capacity.

Example: A user’s Twitter activity is known only to Twitter. The Government cannot retrieve Twitter data, although it can take action against the user if he tweets hate speech or anything against the State. But that is where its power is confined.

The Government cannot compel Twitter to give India-region data. Even if it does, for the protection of the State, Twitter has the right to reject it.

If sites like Uber[9]/FB collect any data, what will be the jurisdiction to sue for breach of privacy, since they are online services?

The user has initially agreed to whatever the company does by clicking “I agree”. Even though the user does not read them, the terms would display that the company is going to do anything with that data, including even selling it so that other companies can recommend their services and products to users. Since Cambridge Analytica, Facebook, Microsoft and Google have been facing multiple lawsuits over data privacy breaches. Ever since, they have made a lot of revisions and updates, making their applications foolproof against further lawsuits.

But, if a glitch is identified and a user wants to sue, he should probably make a trip to San Francisco, California and sue there, in the country where their headquarters is registered, as the place of the party to the suit is a competent jurisdiction.

Till what extent does Google track us?

Gmail, Maps, Chrome and many other services of Google are widely used. Uber’s map is licensed to Google. So are many other location-based apps. So, it is impossible to avoid giving data to Google if a user plans on living normally while using these services. Now, the only difference with Android is that it can even track what the user does with the OS, such as frequency of app visits, duration of phone usage, app usage, etc.

The user has deleted a picture. Where does it go? Does delete mean entirely deleting it or is it there somewhere?

Here is a probable pathway.

If a user has given cloud permissions, then it is hard to say if it is ever deleted. It might go to random data collection repositories the minute the user saved it and backed it up to the cloud. They announce to the user that it is all gone, but they have a large number of data centers to keep all this miscellaneous data, usually said to be for R&D or project purposes. The user will never know for sure unless he or she is an employee of the company. Not even the Government will.

The user has uploaded the picture on cloud. What is cloud?

Cloud is basically a platform where a user keeps all his data instead of using his device’s memory. In simple terms, cloud is for data, what banks are for money.

A person has a closet and a pile of money, he stores it. What if he has a truck load of money? He is likely to use a bank.

Similarly, a device is given thirty-two GB of memory, but usage is at least sixty to seventy GB, or in some cases even higher, and the user does not want to delete existing data to store new data. So, he uses the cloud. The user just connects to his public cloud over the internet and the company stores the data in its data centers. Cloud is a layman’s word for the public to understand. Simply put, instead of keeping the user’s data on the device itself, Google, Apple or Facebook will store it for him in their databases in their data centers (which are large enough to store data for their user base of nearly two billion people[10]), and the user will be able to retrieve it whenever needed.

Are Data Collectors Intermediaries? Who are Intermediaries?

If the user accesses Uber, Uber and Google will get his data. If the user is using Amazon but later on gets a similar advertisement on Instagram, then Amazon, Facebook and Instagram are in play. Everyone except the user and the end service which makes the recommendation to the user is an intermediary, although it is nearly impossible to determine which, as one or more of them can make the user a target and recommend.

A User Spoke about Singapore on WhatsApp and now gets Singapore Packages Ads from Makemytrip (MMT). Did WhatsApp Sell it to MMT Directly or is there an Intermediary who is Collecting and Supplying? What is Happening here?

There are two scenarios identified here.

  1. Consider that the user browsed on Google Chrome. Google might have identified the user’s word frequency, and that would send a notification to MMT because they have a mutual system set up: Google can use this data and help MMT by suggesting ads because here, MMT is likely to pay Google.
  2. The user used the MMT app and they get his activity. Assuming the user did it on an iPhone, Apple has Trivago as their client but not other competitors like MMT. So the user is likely to get ads from Trivago regarding the tickets and packages, and since the user usually gets his tickets to Gmail, Google also collects this data. If the user used Google Maps to search places in Singapore, and if Google had a local business there as a client, the user gets their ad for the respective services. Endless possibilities are identified in this scenario.

In the end, no one is targeting the users by their name. No company collects and stores data under one single individual. The user is just a device name, username, location tag and criteria-based entity with a serial number, which might have a label “x” in the databases. A user is just one in a multibillion entity based analysis and profiling so that the preset algorithms can recommend ads and services.

Indian Laws on Data Protection

India has not enacted any particular legislation on protection of data. However, the Indian Legislature did amend the Information Technology Act, 2000, to include Sections 43-A and 72-A, which give a right to compensation for improper disclosure of personal information. The Indian Central Government subsequently issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”) under Section 43-A of the Information Technology Act. A clarification to the above Rules was issued on 24-8-2011. The Rules have imposed additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information, which bear similarities to the GDPR[11] and the Data Protection Directive. However, these Rules were issued in 2011.

Beyond Challenges

These technicalities bring up questions regarding the distribution of responsibility and legal obligations between app developers and third-party data collectors. Third-party collectors’ terms of use typically place the sole responsibility on the app developer to ensure that it has the right to collect, use and share data before providing it to the collector. For instance, Facebook’s business tools terms of use state that: “In jurisdictions that require informed consent for storing and accessing cookies or other information on an end user’s device (such as but not limited to the European Union), you must ensure, in a verifiable manner, that an end user provides the necessary consent before you use Facebook Business Tools to enable us to store and access cookies or other information on the end user’s device.”

But the EU authorities have not encouraged similar practices. In 2018, the Belgian Court of First Instance upheld a decision of the Belgian Data Protection Authority that found Facebook jointly responsible with website providers for its online tracking pixels and cookies. Facebook argued that its terms of service with website providers required providers to obtain necessary user consents, particularly for website visitors who were non-users of Facebook, and that Facebook, as a separate entity, could not be considered the data controller. The Court disagreed, stating “as Facebook determines both the objective and means of processing of personal data, it remains the party responsible for processing personal data via pixels and is thus, jointly responsible with the owners of the third-party websites for meeting the legal obligations”. A similar chain of judicial reasoning could apply to app tracking.

What kinds of risks are involved in this? How far can the risk of sharing data amount to crime?

The kind of risk involved here is the same kind involved in any other occupation. A worker at a power plant can commit an error and cause an event resulting in loss of life and property. But almost all such workers would not. It is similar here. Everyone who has access to users’ data and understands it has the power to do whatever they want with it, but they would not.

A data analyst or scientist has an abundance of data at his fingertips: raw data, web data, user data, DoB, likes, interests, activities and a lot of other areas. But he mostly cannot do anything with it. He can only use company devices to access the data and company-bought tools and software to analyse it, and must leave it in the company’s cloud. Any activity beyond his remit will be reported, and he will have to face consequences involving his team leaders. If he still decides to go further, he might end up in jail or pay a fine, as he would have committed a security breach in violation of his contract with the company.

Looking into the kinds of risks, the involvement here is about millions, probably billion(s), of accounts, and the parameters are way too large to impact just one person. The risks are mostly privacy and security risks and the risk of being involuntarily targeted and influenced[12]. A user is a part of millions of target groups because of his web activity. But as a user in another group, he is force-fed all sponsored content on the USA elections, Trump and other similar items; before he even knows the facts, or thinks he does, he has already picked sides involuntarily, subconsciously. Then comes the biggest, saddest, most capitalist aspect of them all: e-commerce and advertising. For instance, Maggi noodles are unhealthy, but you keep seeing their presence everywhere, and involuntarily, the next day when you go to the store, you think “this is famous, this should not be as unhealthy”.

These are mere examples. Multiplying these by every company, party and organisation that has a lot of money, there is an endless array of possibilities and activities, which has led the world to what it is today: a world where data has surpassed oil in value and most of the data mankind has was created in just the last four to five years.

 How Far can the Risk of Sharing Amount to Crime?

Patient data, credit card data, bank data, DoB, address, balance, properties and the other things people are usually worried about might not be bad for them. But they will never be targeted individually.

If an employee of a bank hacks the accounts of his bank’s clients, there is not much complexity in the hacking. The hacker knows what network to log in to, which access to use and what credentials to enter, and that is all. So the risks are determined by the kind of data.[13]

If an underage user creates a Facebook account, there is nothing to worry about except for the content that the child will be subjected to. But if a user enters a credit card on a fake website and the device has some important material or mail on it, the site is likely to extract the data. Then the user needs to be cautious. It all comes down to trustworthy services, just as someone would trust Gmail over Yahoo or Hotmail with their data.

Few users keep professional and personal life separate by having family and friends on one device used on the home network and work on company devices. This way the algorithms can never link him up, and the likelihood of facing a threat because of extracted data is negligible.

There is risk because there is a lack of some sort of protection. What is missing? Why is there a risk?

Most users are still unaware of the possibilities. The majority of the user base bothers only about the needs it caters to and ignores the concerns it brings. That is the reason why Facebook’s stocks are going down and the big four are battling multiple lawsuits every day. When Europeans understood this, they implemented the GDPR to protect their citizens from security breaches. Sadly, many other countries do not have as many constraints on these issues.

Particularly about privacy, what is the risk involved?

It is simple. A user knows how much his bank balance is, what medical ailments he has, what questionable sites he visited and all of this is personal. What if Google suggests a woman birth control pills because she was browsing about pregnancy? Google knows what kind of services to provide before we even know.[14]

Note: it is not a question of risk, but about the extent one cares about his personal information being available to an employee in a cubicle at Google or Amazon. It might range from just a phone number, email to bank activities and passwords.

Looking into workplace risks, there are a lot of important aspects to remember. If the user is not working in an established company, or works somewhere where the company does not worry about its digital footprint, there is a fair chance that Google and Facebook know more about the user’s work than his company does, because he is using their major services such as Gmail[15]. But if an enterprise is secured with the right certifications, tools and infrastructure to keep everything private, there should be nothing to worry about.

What is the status of India in all of this?

At the very top, and at the bottom at the same time. The majority of data scientists, analysts, experts and working professionals are from India, work from India and live in India, and even workers outside of India are mostly Indian. At the same time, the huge number of users who are indirectly responsible for the profits of Amazon, Facebook, Google, Tinder, TikTok, etc. are from India too. They do not realise the monster they have been feeding and how it is slowly killing them.

On the other hand, the elder generation, who involuntarily put in all their bank info, work info and personal info, are clueless about the threats and risks. Not to mention the ignorant government heads, including TRAI and the IT Ministry, who hardly consider or understand what Europe’s GDPR is and will turn down any proposals brought by thoughtful employees. A number of Central Government and public sector employees might not be aware of how they are dealing with the country’s data and which companies’ repositories it all ends up in. There are some smart, thoughtful young minds who come up with good ideas to make everything better, but it all comes down to the imposing authority to take decisions.

TRAI Recommendations on Data Privacy[16]

TRAI released its recommendations on the subject titled “Privacy, Security and Ownership of Data in the Telecom Sector” which are applicable for apps, browsers, operating systems and handset makers. An official of the Ministry of Electronics and Information Technology, which is tasked with drafting the data protection law, said that the Act will “prevail” over everything else. In respect of telecom matters, there will be a role for TRAI as sectoral regulator but the basics of privacy will be governed by the Data Protection Act.

Industry bodies such as Internet and Mobile Association of India (IAMAI) and the Indian Cellular Association (ICA) have also criticised TRAI, saying the recommendations were “illegal” and akin to “jumping the gun” ahead of the release of the Srikrishna Committee Report[17]. Some of the clauses such as no use of metadata to identify individuals coupled with data minimisation will be detrimental to building the data business in the country, they said.

In its recommendations, TRAI said that individual users owned their data, or personal information, and entities such as devices were “mere custodians” and do not have primary rights over that information. It also said that the current framework for protection of personal information is “not sufficient” and suggested expanding the ambit of licence conditions governing telcos to all entities handling customer information.

Procedure to Fill the Gap

How can the gap between users and big companies w.r.t. data protection be filled?

More people need to look at how it indirectly impacts the lives and decisions of users. Users need to understand how precisely their data is available to corporates and be more mature in its use, in lieu of the “I have nothing to lose”, “I do not mind” mentality. Executives in the corporations should be bringing up standards, methods and strategies under which the human rights and privacy of users are not infringed. This is just the ideal. The common belief, however, is that corporations endeavour their best to have it their way. The only time people had a victory was Europe’s GDPR.

 How Does the World Combine to Become an International Body in Order to Battle the Data Policies?

Though it sounds like an ideal move, it is unlikely to be practical, because a user does not confine usage of services to just one company or one country. As the law changes fluidly from nation to nation, Facebook and Microsoft made foolproof agreements that their Governments will protect them if an alien entity requests them to follow foreign regulations. The said companies amount to nearly half of the US economy. So the solution here could be awareness. People in charge, who take decisions for the public, should be made aware of what is happening with their data. Leaders like J. Trudeau, B. Obama and many others used this awareness for a positive change. As long as unprogressive leaders exist, there is no saying what is going to happen. It can either be completely shut down or entirely encouraged, depending on a nation’s political agenda.

Building Privacy-Conscious Apps[18]

Though app compliance with privacy laws is developing, problems frequently come from the lack of information in, or non-existence of, the privacy policy and from a lack of meaningful consent. Transparency is a key aspect of data protection compliance, and a clear, understandable and easily accessible privacy policy is a considerable step in the right direction. Enough disclosures in the privacy policy, particularly where available to users, usually in app stores, prior to installation, assist in ensuring users’ consents are adequately captured. The opinion also recommends seeking enough consent for categories of data access, and updated consent when changing processing purposes[19].

It is important that all stakeholders understand their privacy obligations. Privacy should be considered at all stages of development and production. Data minimisation practices, particularly with regard to location, contacts and UDID data, should be observed to avoid unnecessary collection or processing. With the growth in the app industry mirrored by a marked increase in regulatory scrutiny, considerations of privacy and data protection should be upright, safe and secure.

The Supreme Court of India on Privacy

It is still unclear, in the framing of rules under Section 67-C of the Information Technology Act, which kind of data retention the Indian Government will choose in its current system. These rules might have a high chance of violating people’s privacy. The Supreme Court, however, will support public opinion against any such laws violating privacy.

For example, interception of telephones is allowed under Section 5(2) of the Telegraph Act, 1885. The Supreme Court, addressing the lack of safeguards in the said Act, upheld the validity of interception while limiting the time and purpose of the interception. When the validity of Section 69-A of the Information Technology Act was challenged, the Supreme Court upheld it on account of the number of procedural safeguards contained in its rules. Ultimately, it falls to the Supreme Court to scrutinise such laws in order to maintain adequate safeguards, as it has done in the past.

Conclusion

India plays a very vital role, not because of the population and the user base, but because their density has the capacity to determine these companies’ success. The developers of India are integrated into the developer base and the companies that build apps and enable data availability, and, besides, into the user base because of India’s over-enthusiastic youth.

TikTok, YouTube, Tinder, Google Apps, Apple, Microsoft, Facebook (Instagram, WhatsApp) are off the top. India has a majority user base percentage in all of the said apps, without any control; that is how Indian users perform. And it is beyond the point of control and awareness. PUBG, for example, is a platform for data collection. The Government tried to shut PUBG down, which essentially affected the freedom of users, and the older generation, sadly, do not even understand what it means to the users. The smarter employees play a vital role in building these systems and integrating them internationally and are crucial people for these companies.

On the contrary, there are leaders occupying higher chairs in Indian States, half of whom do not even see how companies and their systems work, or even think it vital to think about and discuss. There are a few thoughtful ones who consider the proportionality, thoughtfulness and responsibility of data sharing[20], but how many are there? So it is not possible to predict how the people’s mindset will get established over the years. To get better, it all comes down to the user base or the Government to implement policies such as the EU’s GDPR, which sets out seven key principles[21]:

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimization;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality (security); and

[1] Judicial Clerk, High Court of Andhra Pradesh, Amrawati.

[2] Do You Accept the Terms & Conditions … or do they Need to Change?, Lawyer Monthly, available at <https://www.lawyer-monthly.com/2018/08/do-you-accept-the-terms-conditions-or-do-they-need-to-change/> (last visited on 20-8-2019).

[3] Dr Pavan Duggal, Important Global Cyber Law Trends, Cyberlaws.Net and Pavan Duggal Associates, available at <http://cyberlawcybercrime.com/cyber-law-trends2017/> (last visited on 22-8-2019).

[4] The Information Technology Act, 2000, S. 67-C

[5] The Indian Government Proposes New Data Retention Rules: Will Privacy be Compromised?, TECH2, available at <https://www.firstpost.com/tech/news-analysis/the-indian-government-proposes-new-data-retention-rules-will-privacy-be-compromised-3690439.html> (last visited on 25-8-2019).

[6] Avast Bought your Phone on eBay & Recovered what you Thought you “Wiped” available at <https://venturebeat.com/2014/07/08/avast-bought-your-phone-on-ebay-recovered-what-you-thought-you-wiped/> (last visited on 29-8-2019).

[7] The EU General Data Protection Regulation (GDPR) is the Most Important Change in Data Privacy Regulation in 20 Years, EU GDPR.org, available at <https://eugdpr.org> (last visited on 1-9-2019).

[8] Recognising privacy and security professionals from across Europe, PrivSec 200 available at <https://gdpr.report/news/2019/08/27/privsec200-recognising-privacy-and-security-professionals-from-across-europe/> (last visited on 6-9-2019).

[9] Privacy Policy (US Only), Uber Freight, available at <https://www.uberfreight.com/privacy-policy?_ga=2.36189993.863484050.1567883547-1525969875.1567883547> (last visited on 11-9-2019).

[10] 6 Security Risks of Enterprises Using Cloud Storage and File Sharing Apps, Digital Guardian, available at <https://digitalguardian.com/blog/6-security-risks-enterprises-using-cloud-storage-and-file-sharing-apps> (last visited on 4-9-2019).

[11] The Principles, ico., available at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/> (last visited on 7-9-2019).

[12] The Risks of Data Sharing, HiRUM, available at <https://www.hirum.com.au/blog/the-risks-of-data-sharing/> (last visited on 10-9-2019).

[13] Transgender Capital One hacker threatened to ‘shoot up’ California social media company, wanted to be famous, say feds, Meaww, available at <https://meaww.com/transgender-capital-one-hacker-breach-threatened-to-shoot-up-california-social-media-company-famous>.

[14] Data Security Challenges, Oracle9i Security Overview, available at <https://docs.oracle.com/cd/B10501_01/network.920/a96582/overview.htm> (last visited on 28-8-2019).

[15] Id., at 13.

[16] Surabhi Agarwal and Gulveen Aulakh in TRAI Recommendations on Data Privacy Raises Eyebrows, The Economic Times (18-7-2018), available at <https://economictimes.indiatimes.com/industry/telecom/telecom-policy/trai-recommendations-on-data-privacy-raises-eyebrows/articleshow/65033263.cms?from=mdr> (last visited on 6-9-2019).

[17] Ministry of Electronics & Information Technology, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, available at <https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf> (last visited on 24-8-2019).

[18] Mobile Apps and Data Privacy: What Developers Need to Know, Silicon Republic, available at <https://www.siliconrepublic.com/enterprise/apps-development-data-privacy-protection> (last visited on 12-9-2019).

[19] Data for Public Benefit: Balancing the Risks and Benefits of Data Sharing, Understanding Patient Data, available at <https://understandingpatientdata.org.uk/news/data-public-benefit> (last visited on 1-9-2019).

[20] Id., at 18.

[21] The Principles, ico., available at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/> (last visited on 11-9-2019).

Case BriefsForeign Courts

The High Court of Justice: It was a significant victory for the Duchess of Sussex and noted actress Meghan Markle when the Court ruled in her favour while deliberating on the question whether Associated Newspapers misused her private information and committed a breach of her data protection rights with regard to the Letter to her father. It was held that the Duchess had a reasonable expectation that the contents of the Letter would remain private and that The Mail Articles interfered with that reasonable expectation.

Background

The British Royals have a complicated relationship with the media especially tabloids and the instant case is one such example.

The claimant Meghan Markle, married HRH Prince Henry of Wales on 19th May, 2018. Being a high profile couple, they were consistently under media lens. It was reported that the relationship between the claimant and her father, Thomas Markle, was difficult and 3 months after the wedding, the claimant sent her father a five-page letter (hereinafter ‘the Letter’). In September 2018, Mr. Markle sent a letter in reply. The existence of the Letter first became public on 6th February, 2019, when it was mentioned in an eight-page article that appeared in the US magazine People under the headline “The Truth About Meghan – Her best friends break their silence”. Mr. Markle then provided the defendant with the Letter, or a copy of it. On 9 February 2019, the defendant published in hard copy and online the five articles of which the claimant complains (“the Mail Articles”). These articles quoted extensively from the Letter, under headlines the gist of which is conveyed by the one across pages 4 and 5 of the Mail on Sunday: “Revealed: the letter showing true tragedy of Meghan’s rift with a father she says has ‘broken her heart into a million pieces’”.

The instant action arose from the later reproduction of large parts of the claimant’s Letter in articles published by the defendant in the Mail on Sunday and on Mail Online (hereinafter ‘the Mail Articles’).

Contentions

The Claimant:

  • The contents of the Letter were private; this was correspondence about her private and family life, not her public profile or her work.
  • The Letter disclosed her intimate thoughts and feelings; these were personal matters, not matters of legitimate public interest; she enjoyed a reasonable expectation that the contents would remain private and not be published to the world at large by a national newspaper.
  • The defendant’s conduct in publishing the contents of the letter was a misuse of her private information.
  • The Letter is an original literary work in which copyright subsists; she is the author of that work, and of a draft she created on her phone (Electronic Draft); and the Mail Articles infringed her copyright by reproducing them in a material form, and issuing and communicating to the public, copies of a substantial part of the Electronic Draft and/or the Letter.

 The Defendant: The defendant while denying the claim made the following submissions-

  • The claimant’s right to privacy is limited given the rightful public interest in the activities of the Royal family and the claimant’s status as a “high-ranking member” of that family.
  • The article that was published in the US Magazine People, gave a misleading account of the father-daughter relationship, ‘the Letter’ and Mr. Markle’s response, such that (in all the circumstances) public disclosure of the contents of the Letter in the Mail Articles was justified to protect the rights and interests of Mr. Markle and the public at large.
  • It was further contended that the claimant intended the Letter to be publicised, and to that end disclosed information about it to the “best friends” quoted in the People Article.
  • Regarding the allegation of copyright infringement, the defendant questioned the claim of originality, subsistence of copyright etc. and relied on the defences of fair dealing and public interest.

The instant application was filed under R. 3.4(2)(a) and R. 24.2 of the Civil Procedure Rules, which allow the Court to give summary judgment against a defendant on the whole of a claim, or on a particular issue, if it considers that the defendant has no real prospect of successfully defending the claim or issue, and that there is no other compelling reason why the case or issue should be disposed of at a trial.

Observations and Decision

Mark Warby, J., while considering the merits of the instant case, identified certain essential legal principles –

  • The Human Rights Act, 1998 obliges the Court to interpret, apply and develop English law in conformity with the European Convention on Human Rights (hereinafter, the Convention). Where an individual complains that their privacy has been violated by newspaper reports, the Court must ensure that its decision properly reconciles the competing Convention rights. The Domestic Law gives effect to this framework through the ‘Tort of misuse of Private Information’.
  • In the aforementioned Tort, the liability is to be determined by applying a 2 Stage Test– at Stage 1 the question is whether the claimant enjoyed a reasonable expectation of privacy in respect of the information in question; and, at Stage 2, the question is whether in all the circumstances the privacy rights of the claimant must yield to the imperatives of the freedom of expression enjoyed by publishers and their audiences.

It was observed that the defendant publisher is bound by the Editors’ Code of Conduct enforced by the Independent Press Standards Organisation (IPSO) and the Court is obliged to regard the Code. The Court scrutinized the facts, the Letter in question and the events surrounding the controversial publication of the Letter. The aforementioned 2-Stage Test was applied to the facts-

Stage 1- Reasonable expectation of privacy: It was noted by Warby, J., that there are two main issues in this Stage- firstly, whether the Defence sets out any case which (assuming it to be true) would provide a reasonable basis for finding that there was no reasonable expectation of privacy; secondly, whether the defendant has any realistic prospect of successfully defending this issue at trial. Answering both the questions in the negative, the Judge observed that, “Nothing that the defendant has pleaded in answer to this part of the claimant’s case provides any reasonable basis for defending the issue. I also consider that there is no real prospect of the Court concluding after a trial that, at the time the Mail Articles were published, or at any material time between then and now, the contents of the Letter were not private, or that the claimant did not enjoy a reasonable expectation that they would remain private”. The Judge explained that he is aware that the defendant’s case has its own complexities and subtleties, “But in reality, there is much that is plain and obvious”.

It was noted that the detailed contents of the Letter had entered the public domain by the time of the publication complained of; however, the People Article had disclosed the existence of the Letter, and provided a broad description, but not its detailed contents. The Court also noted that the claimant, being a member of the British Royal Family, is a public figure about whom much had been and continued to be written and published, but the nature of the “activity” in which she had engaged was not an aspect of her public role or functions. It was further noted that the Letter fell within the scope of Article 8 of the Convention as “correspondence” that contains matter relating to the “family life” of the claimant and her father. It was therefore concluded that, “the claimant would be bound to win at trial on this issue. It is fanciful to think otherwise”.

Stage 2- Balance between Privacy and Freedom of Expression: It was observed that in some aspects the defendant’s case is legally flimsy. Given the claimant’s status as a public figure ‘be bound to weigh heavily in the balance’ between privacy and freedom of expression. The Court noted that the defendant’s argument about the claimant having a limited right to privacy, echoes “the crude common law principle, enunciated long-ago, but since discarded, that those who seek favourable publicity somehow waive their rights, and must accept adverse publicity”.

Upon detailed perusal of the defendant’s arguments, the Court concluded that the claimant had a reasonable expectation that the contents of the Letter would remain private. The Mail Articles interfered with that reasonable expectation. The only reasonable justification for any such interference was to correct some inaccuracies about the Letter contained in the People Article. Warby, J., further noted that, “Taken as a whole the disclosures were manifestly excessive and hence unlawful. There is no prospect that a different judgment would be reached after a trial. The interference with freedom of expression which those conclusions represent is a necessary and proportionate means of pursuing the legitimate aim of protecting the claimant’s privacy”.

Issue of Copyright Infringement

The instant case also raised the matter of infringement of the claimant’s copyright vis-à-vis reproduction of the ‘electronic draft’ of the Letter in material form. Regarding this matter the Court observed that the Mail Articles proceeded on the basis that the wording of the Letter was entirely the work of the claimant. The Court stated that ‘originality’ is a key matter of consideration in this issue and that, to satisfy the requirement of originality, a work need not be novel or ingenious. The defendant denies that the works relied on in this case are original, asserting that the Electronic Draft and Letter are “primarily an admonishment” of Mr Markle by the claimant. The Court noted that it was not easy to identify the precise nature of the defendant’s argument, especially when they ignored that there is of course no copyright in news, but copyright has been recognised as subsisting in the literary form of a news report. Warby, J., stated that, “The defendant’s case is not that the works relied on did recite pre-existing facts. The defendant pleads that they “purported” to do so. In its pleading, it adopts an agnostic stance. If the burden of proof lies on the defendant, then its case must fail”. The Court concluded that the Electronic Draft is and would inevitably be held to be the product of intellectual creativity sufficient to render it original in the relevant sense. The Court concluded that the Mail Articles copied a substantial part of the work. It is undeniable that they reproduced a substantial part in qualitative terms and in the sense that they reproduced a substantial part of “that which is the author’s own intellectual creation”. Warby, J., pointed out that, “The defendant’s factual and legal case on this issue both seems to me to occupy the shadowland between improbability and unreality”. He was however persuaded that there should be a trial limited to issues relating to the ownership of copyright. [HRH The Duchess of Sussex v. Associated Newspapers Ltd., [2021] EWHC 273 (Ch), decided on 11-02-2021]


Sucheta Sarkar, Editorial Assistant has put this story together

Case BriefsForeign Courts

Lahore High Court: While deliberating upon the writ petitions challenging the use and conduct of ‘virginity tests’, especially the “Two-finger Test” and “Hymen Examination”, in cases of rape and sexual abuse, Ayesha A. Malik, J., held that virginity tests, carried out for the purpose of ascertaining the virginity of a female rape or sexual abuse victim, are unscientific and have no medical basis, and are therefore of no forensic value in cases of sexual violence. It was further held that virginity tests offend the personal dignity of the female victim and are therefore against the right to life and right to dignity enshrined in Articles 9 and 14 of the Constitution of Islamic Republic of Pakistan, 1973.

Contentions: The petitions were brought before the Court by a group of diverse women, who have been working in the public sphere, and one of the members of the National Assembly of Pakistan. They stated before the Court that the virginity tests are done upon a victim in order to ascertain whether they are sexually active. The petitioners put forth the following contentions –

  • There is no medical or scientific basis to continue with virginity testing; that it violates the fundamental rights of the female victims such that it denies the female victim her fundamental rights of dignity and privacy that she is guaranteed under the Constitution.
  • After the omission of Section 151 (4) of the Qanun-e-Shahadat Order, 1984 under the Criminal Law (Amendment) (Offences Relating to Rape) Act, 2016, tests are irrelevant for the charge of rape or sexual abuse. The virginity tests are neither necessary nor reliable for the purpose of investigation into the incident of rape or sexual abuse.
  • Even though the consent of the victim is obtained before conducting the test, the victim is neither aware of the reasons for carrying out either of the tests nor is she informed properly, with sufficient sensitivity, as to what the examination entails.
  • The medico-legal examination reports rely on words such as “habituated to sex” or “not a virgin” which are irrelevant for the purposes of the incident under investigation and such derogatory language stigmatizes the victim, causing social and personal trauma. There is not enough training with reference to the female medical officers appointed, who carry out the virginity tests and fill in the medico-legal report.
  • Pakistan is a signatory to several international treaties like UDHR, ICCPR, Convention against Torture and other Cruel, Inhuman or Degrading Treatment or Punishment, 1984 which denounce virginity testing. Moreover, Pakistan has also signed and ratified Convention Against Elimination of All Forms of Discrimination Against Women, 1979 (CEDAW), which prohibits all forms of discrimination against women and declares the two-finger test as discriminatory such that it amounts to a denial of rights to female victims of rape on the basis of her gender.

The respondents (Federation of Pakistan and Province of Punjab) did not dispute the contentions of the Petitioners to the extent that the two-finger test should not be conducted. They stated that the matter is under consideration with the competent authority and guidelines are in the process of being framed. It was clarified that the two-finger test is not conducted unless it is deemed necessary and that in cases of minor girls, it is mandatory to inspect the hymen in detail to determine whether it is intact and if not then the nature of the injury.

Upon perusal of the petitioners’ contentions and the statements provided by the respondents vis-à-vis the prevalent scenario, and after detailed scrutiny of the relevant Guidelines/SOPs, the Court observed that the Guidelines for the Examination of Female Survivors/Victims of Sexual Abuse, 2020 still call for a virginity test, albeit by confusing the issue rather than forbidding it (they allow a “per-vaginum examination” where required, and per-vaginum examination is understood to mean the two-finger test). It was noted that a bare reading of the 2020 Guidelines makes it clear that the processes of virginity testing through two fingers or hymen examination are standardized and form the basis of the medical officer’s opinion or the court’s opinion on the virtue and character of the victim. Regarding the use of phrases like “habituated to sex” and “not a virgin” in medico-legal reports, the Court noted that, “Often enough the opinion of the medical officer is carried into the judgments of the court and language such as “habituated to sex”, “women of easy virtue”, “habitual to sexual intercourse”, “indulging in sexual activities” are used to describe the victim. The basis being that a woman habituated to sex is likely to have raised a false charge of rape or sexual abuse”.

The High Court also referred to several decisions rendered by the Indian courts, most notably the Supreme Court of India’s judgment in Lillu v. State of Haryana, (2013) 14 SCC 643, wherein it was held that the two-finger test and its interpretation violate the right of rape survivors to privacy, physical and mental integrity and dignity; therefore, this test, even if the report is affirmative, cannot ipso facto give rise to a presumption of consent. Judgments delivered by the Allahabad HC in Akhtar v. State of U.P., 2014 SCC OnLine All 8922 and the Gujarat HC in State of Gujarat v. Rameshchandra Ramabhai Panchal, 2020 SCC OnLine Guj 114 were also referred to.

It was also noted that Pakistan has signed and ratified several relevant International Treaties which cast an obligation upon the Government to ensure that all necessary steps are taken to prevent carrying out virginity testing, as globally it is accepted that virginity testing does not establish the offence of rape or sexual abuse nor does past sexual conduct have any relevance in the medico-legal examination which aims to collect evidence on the charge of sexual violence.

The Judge noted that, “Virginity testing is highly invasive, having no scientific or medical requirement, yet carried out in the name of medical protocols in sexual violence cases. It is a humiliating practice. If the victim is found to not be a virgin, it cannot and does not suggest that she was not raped or sexually abused. What it does is place the victim on trial in place of the accused and shifts the focus on her virginity status. In this regard, the victim’s sexual behaviour is totally irrelevant as even the most promiscuous victim does not deserve to be raped, nor should the incident of sexual violence be decided on the basis of a virginity test. It is a blatant violation of the dignity of a woman. The conclusion drawn from these tests about a woman’s sexual history and character is a direct attack on her dignity and leads to adverse effects on the social and cultural standing of a victim”.

With the aforementioned observations, the Court made the following declarations-

  • Virginity tests are discriminatory against the female victim as they are carried out on the basis of her gender, and therefore offend Article 25 of the Constitution, 1973.
  • The 2020 Guidelines, SOPs and the 2015 Instructions, to the extent that they mandate virginity tests, are declared to be illegal and against the Constitution, and the Federation and Provincial Government should take necessary steps to ensure that virginity tests are not carried out in medico-legal examination of the victims of rape and sexual abuse.
  • The Provincial Government should devise appropriate medico-legal protocols and guidelines, along with standard operating procedures, in line with international practice that recognize and manage sensitively the care of victims of sexual violence.

[Sadaf Aziz v. Federation of Pakistan, WP No. 13537 of 2020, decided on 04-01-2021]


Sucheta Sarkar, Editorial Assistant has put this story together



Case BriefsHigh Courts

Telangana High Court: P. Naveen Rao, J., while addressing the instant matter observed that,

“When a citizen comes to the High Court alleging infringement of his right to life, liberty and privacy by opening a rowdy sheet, the Court can look into whether the decision of the police to have surveillance on the petitioner is justified and supported by the material on a record or it was initiated only to harass and humiliate the individual.

It is to be noted that mere involvement in a crime may not per se require surveillance on that person.”

Kasula Nandam is said to be the protected tenant and in possession of land to the extent of Acs. 6.32 guntas in Sy. No. 170 of Kapra village, having obtained an occupancy rights certificate in the year 1979.

The petitioner who used to run a cloth shop was appointed as the General Power of Attorney holder to look after the above-stated property. Further, he stated that there are several bogus claimants over the said land.

Petitioner added that several false claims on the land were made by lodging complaints against the petitioner over a period of time.

On the ground of registration of crimes and pending trials before the Criminal Courts, a rowdy sheet was opened and, in the guise of the opening of the rowdy sheet, the respondent-Police are keeping close surveillance on the movements of the petitioner, affecting his right, liberty and privacy.

Respondent-Police alleged that there is ample evidence alleging that the petitioner has been grabbing private and Government Lands by way of illegal means, that due to fear of the petitioner, no one is coming forward to lodge a complaint.

Hence, in view of the public interest and to safeguard the residents of the area, where the petitioner is residing, and to curb his unlawful activities, the rowdy sheet is opened.

Whether the Police are justified in opening the rowdy sheet against the petitioner?

Enforcement of law and order is the most important state function. Enforcement of law and order includes taking all preventive measures to ensure that no untoward incident happens and peace and tranquillity is not affected. To prevent a breach of peace and tranquillity, it is permissible for the police to take all measures possible.

It was noted that, for the purpose of keeping surveillance, Police Standing Order 601 enables the opening of a Rowdy Sheet in the concerned police station. After the opening of the rowdy sheet, close surveillance is enforced on the concerned person.

Court observed that,

Opening of Rowdy Sheet and thereon keeping close surveillance on the person would certainly infringe upon the right to life, liberty and privacy of the individual concerned.

A person is entitled to lead his life with dignity and self-respect and does not want an outsider to intrude in his private affairs and to probe into his movements.

Thus, there are two competing interests in preventive measures. On the one side is right guaranteed by Article 21 of the Constitution of India, which is sacrosanct and on the other side is the primacy of enforcement of law and order, maintenance of peace and tranquillity, which is the primary responsibility of the State through its police force. Compelling public interest may require intrusion into the privacy of a person.

The Bench further observed that, in view of the principles governing the opening of a Rowdy Sheet vis-a-vis the right to life and liberty, it is necessary to consider whether, by opening a rowdy sheet against the petitioner, the respondent police have violated the mandate of Article 21 of the Constitution of India and whether their decision is supported by reasons warranting the opening of a rowdy sheet.

Crimes that the petitioner was involved in included Sections 447 IPC (criminal trespass); 427 IPC (Mischief); 506 IPC (criminal intimidation); 420 IPC (cheating and dishonestly inducing delivery of property); 468 IPC (forgery for purpose of cheating); 471 IPC (using as genuine a forged document); 452 IPC (House trespass after preparation for hurt, assault or wrongful restraint); 120-B IPC (criminal conspiracy) and 34 IPC (Act done by several persons in furtherance of common intention).

The above-stated would show that the petitioner was in the habit of being involved in crimes, disturbing peace and tranquillity.

Hence, the Court held that,

Having regard to the crimes registered against the petitioner and that he was facing trial in five cases, it cannot be said that the Police action in opening rowdy sheet amounts to abuse or misuse of power and authority, and cannot be said as one made in the illegal exercise of power and without application of mind.

While dismissing the petition, the Bench made it clear that, while keeping surveillance, the Police shall ensure that it is minimal, not obtrusive and does not impinge upon his privacy. [M. Laxman v. State of Telangana, 2020 SCC OnLine TS 1600, decided on 03-12-2020]

Case BriefsTribunals/Commissions/Regulatory Bodies

Central Information Commission (CIC): Y.K. Sinha (Information Commissioner) addressed an RTI application filed seeking the following information:

  1. Names of Class 8th and 12th students who were given admission under EWS Quota for the session 2017-18. Provide information in detail.
  2. Names of Class 12th students who fall under EWS Quota in the final year.
  3. Provide the names of parents/Guardians of Class 8th and 12th students who were given admission under EWS Quota in the year 2017-18.
  4. Provide copies of income certificates submitted by Class 8th and 12th students who were enrolled under EWS Quota in the year 2017-18.

Dissatisfied with and aggrieved by the response, the applicant approached the Commission with the instant second appeal.

Respondents stated that data about online registration of students is available since the year 2018-19, while the appellant seeks information pertaining to the academic year 2017-18, hence the information could not be readily provided.

He further explained that before the implementation of the Right to Education Act, admissions to students from economically weaker sections were given under the freeship quota. The registration of students under EWS quota is not done at the stage of class 8 or 12, hence data sought by the appellant is not readily available.

Hence, in view of the above, the information sought by the appellant could not be readily provided.

Decision

The Commission noted that the reply of the respondent that information about admissions under EWS [Economically Weaker Section] quota is not available in their office is totally unacceptable.

The respondent being the regulatory authority of all educational institutions cannot remain oblivious nor avoid questions relating to such crucial information which involves the implementation of the Right to Education Act.

Further, the Commission added that information about names and particulars of students is personal information held by the school in a fiduciary capacity, disclosure of which would invade the privacy of the concerned children.

The RTE Act makes education a fundamental right of every child between the ages of 6 and 14 and specifies minimum norms in elementary schools, requiring all private schools (except the minority institutions) to reserve 25% of seats for children belonging to the economically weaker section of society.

Respondent was directed to provide information about the total number of students, if any, admitted under EWS quota in Class 8 and Class 12 for the academic year 2017-18.

Appeal was disposed of in the above terms. [Anita Chaudhary v. PIO, DDE-ZONE II, Dte, of Education, 2020 SCC OnLine CIC 731, decided on 09-06-2020]

Hot Off The PressNews

Supreme Court: While hearing Facebook Inc’s petition asking the Supreme Court to hear all cases related to demands for linking Aadhaar to social media accounts and tracing the source of WhatsApp messages, the Court said that there has to be a balance between privacy and how to govern. The Court, hence, issued notice to Facebook, Twitter, Google, YouTube, the Centre and Tamil Nadu asking for their response by September 13 on whether the petitions should be transferred from high courts across India to the Supreme Court. Various cases are being heard by the high courts of Madras, Bombay, Madhya Pradesh and Orissa.

The Court said,

“There is a conflict between privacy and how the government should run the country when crimes are committed. There has to be a balance… under what condition information can be given and to whom,”

Facebook and WhatsApp, asking that all petitions be transferred to the top court, said it was a matter of high magnitude and affected the privacy of the entire nation.

On Monday, the Tamil Nadu government had told the Supreme Court that social media profiles of users need to be linked with Aadhaar numbers to check the circulation of fake, defamatory and pornographic content as also anti-national and terror material. However, Facebook Inc resisted the state’s suggestion on grounds that the sharing of the 12-digit Aadhaar number, the biometric unique identity, would violate privacy policy of users.

Facebook Inc said it cannot share the Aadhaar number with a third party as the content on its instant messaging service WhatsApp was end-to-end encrypted and no one can access it.

The Tamil Nadu government, which is deep into a case related to the deadly Blue Whale game, argued that the centre was struggling to find out who the creator of the game was and who gives directions. Attorney General KK Venugopal, representing Tamil Nadu, said,

“Someone says he is a young person from Russia. A number of people have died in India playing the Blue Whale. Let the Madras High Court continue with its hearing,”

The Supreme Court said,

“We are aware of Blue Whale. What is happening in dark web is worse than Blue Whale. The idea of the Madras High court expanding the issue was that if need be, shouldn’t the intermediary inform the police about details of person for crime detection? We are not examining the merits of the case, only dealing with the transfer of the cases to the Supreme Court.”

(Source: NDTV)

Case BriefsForeign Courts

Supreme Court of Pakistan: The Division Bench of Mushir Alam and Qazi Faez Isa, JJ. allowed a petition seeking to set aside the lower Court’s direction for a deoxyribonucleic acid (DNA) test of a lady.

Respondent herein had filed a suit against the petitioner alleging that she was adopted by his father, late Abdul Qayum and brought up as his own daughter. However, the fact of adoption was concealed from her. In his suit, respondent sought declarations that Laila was not the real daughter of Abdul Qayum and, had no right to his legacy. Further, he filed an application seeking a DNA test to be conducted to determine whether Laila is the daughter of Abdul Qayum. The application did not, as per procedural requirement, cite any provision of law whereunder it was submitted; but the same was allowed. Aggrieved thereby, the instant petition was filed.

Petitioner’s counsel challenged respondent’s locus standi to question the petitioner’s paternity and contended that the suit filed by him was not maintainable under Sections 39 and 42 of the Specific Relief Act, 1877. He also referred to Article 128 of the Qanun-e Shahadat Order, 1984 according to which only a putative father may challenge the paternity of a child.

The Court opined that a declaration in suit can only be made in favour of a person who is entitled to any legal character or right, as to any property, which another is denying. In the instant case, petitioner had neither denied respondent’s legal character nor his right to any property. Reliance in this regard was placed on Abdur Rahman Mobashir v. Amir Ali Shah, PLD 1978 Lahore 113.

Further, Article 128 does not permit a putative brother, viz., respondent herein, to challenge his sister’s paternity. Judgment in Salman Akram Raja v. Government of Punjab, 2013 SCMR 203 was also relied on to hold that a free lady cannot be compelled to give a sample for DNA testing as it would violate her liberty, dignity and privacy guaranteed under Article 14 of the Constitution of Islamic Republic of Pakistan.

In view of the above, the impugned order was set aside. [Laila Qayyum v. Fawad Qayum, 2019 SCC OnLine Pak SC 2, Order dated 18-02-2019]

Hot Off The PressNews

Supreme Court: On a plea challenging the notification authorising 10 central agencies to intercept, monitor and decrypt any computer system, the Court sought Centre’s response within six weeks.

According to the Notification dated 20.12.2018, the Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, the Central Board of Direct Taxes (for Income Tax Department), Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, the Research and Analysis Wing, Directorate of Signal Intelligence (in service areas of J-K, North East and Assam) and Delhi Police commissioner are empowered under the Information Technology (IT) Act for computer interception and analysis.

Petitioner ML Sharma argues that the notification gives the state the right to access every communication, computer and mobile and “to use it to protect political interest and object of the present executive political party”. By way of this PIL, he has sought to prohibit the agencies from initiating any criminal proceedings, enquiry or investigation against anybody under the provisions of the IT Act based on the notification.

However, the Central government said the rules for intercepting and monitoring computer data were framed in 2009 when the Congress-led UPA was in power and its new order only notified the designated authority which can carry out such action.

(Source: PTI)

Legislation Updates

The borderless nature of the Internet raises several jurisdictional issues in data protection. A single act of processing of personal data could very easily occur across multiple jurisdictions. Traditional principles of sovereignty and territorial jurisdiction have evolved in circumstances where such cross-border actions were uncommon. As such, it is not easy to determine the kind of application clause that a data protection legislation must have.

1. Context-Setting: Several jurisdictions have deliberated on the applicability of a data protection law to individuals as well as corporate entities/juristic persons. For instance, the EU General Data Protection Regulation (GDPR) applies to ‘natural persons’, as the definition of ‘personal data’ is specifically linked to individuals and not legal/juristic persons. Data related to juristic persons such as confidential business information and corporate strategies should be protected against various types of processing activities on such data. Further, such data should be subject to data security safeguards in order to ensure that the legitimate interests of juristic persons are protected.

Most key principles of data protection such as lawful processing and individual participation are intrinsically derived from the object of protecting the autonomy and dignity of the individual. It would be difficult to extend these principles to data relating to a juristic entity.

2. Nature of Personal data: The distinction between data and information in its ordinary usage is perhaps not determinative in data protection. As the object of the law is to demarcate the sphere of information relevant to the protection of the identity of an individual, the choice of the term “data” or “information” may not matter as these terms would not be used in their ordinary sense. The definition will have to cover both data and information if it bears a connection to the identity of the individual.

This is reflected in international practice as well. The report further deals with identified or identifiable individuals, pseudonymisation and anonymisation, and personal data and new technologies.

3. Several Exemptions: There are some activities which cannot be brought under the purview of a data protection law. In other words, a data controller can be exempted from certain obligations of a data protection law based on the nature and purpose of the processing activity. For instance, if a law enforcement officer wants to collect or use personal information for the purpose of an investigation, seeking the consent of the data subjects or allowing them to access or rectify their data would delay the process and may even defeat its purpose. Specific exemptions include personal or household purpose, journalistic/artistic/literary purposes, research/historical and statistical purposes, investigation and detection of crime, national security or security of State and other similar grounds.

4. Cross-Border Flow of Data: With the advent of the Internet, huge quantities of personal data relating to employees and customers are being transferred internationally. Such data transfers often occur between and among units of the same corporate enterprise that are located in different countries as many of these global enterprises have customer databases and storage facilities in a number of regional locations. Cross-border flow of data is vital to accessing valuable digital services.

There are two tests identified for the formation of laws related to cross-border data flow – the adequacy test and the comparable level of protection test, for personal data. In order to implement the adequacy test, there needs to be clarity as to which countries provide for an adequate level of protection for personal data. The data protection authority should be given the power to determine this. The adequacy test is particularly beneficial because it will ensure a smooth two-way flow of information, critical to a digital economy.

5. Data Localization & related Issues: Data localization requires companies to store and process data on servers physically located within national borders. Governments across the globe driven by concerns over privacy, security, surveillance and law enforcement have been enacting legislation that necessitates localization of data. A nation has the prerogative to take measures to protect its interests and its sovereignty, but it must carefully evaluate the advantages and dangers of locally storing data before taking a firm decision on an issue that has the potential to cause a major ripple effect across a number of industries. Issues such as protecting rights of data subjects, preventing foreign surveillance, easy access of data in support of law enforcement and national security, IT-BPO/BPM industrial growth, digitisation of product and service offerings, India as a capital of analytics services, cloud services brokerage, global in-house centers (GICs), etc. have been dealt with in the report.

6. Grounds of Processing, Obligation on Entities and Individual Rights (Informational Privacy): The report deals with grounds of processing, the obligation on entities and individual rights. Consent forms the foundation of data protection law in many jurisdictions. There is great value in using consent as a validating mechanism for data processing. It satisfies two needs. First, consent is intuitively considered the most appropriate method to ensure the protection of an individual’s autonomy. Allowing an individual to have autonomy over her personal information allows her to enjoy “informational privacy”. Informational privacy may be broadly understood as the individual’s ability to exercise control over the manner in which her information may be collected and used. Second, consent provides a “morally transformative” value as it justifies conduct, which might otherwise be considered wrongful.

The report also deals with the concept of ‘Child consent’.

7. Consent: The report further throws light on the idea of ‘consent’ as operationalised through the mechanism of “notice and choice”. The underlying philosophy is that consent through notice puts the individual in charge of the collection and subsequent use of her personal information. Notice purports to respect the basic autonomy of the individual by arming her with relevant information and placing in her hands the ultimate decision of whether or not her personal information is to be used.

8. Other grounds of Processing: Lawfulness of processing is a core principle under data protection law. The Organisation for Economic Cooperation and Development (OECD) Guidelines recognise lawfulness of processing under the collection limitation principle, which provides that collection of personal data must be limited, and any such collection should be done only by lawful and fair means, and where appropriate, with the consent of the concerned individual. Issues such as ‘requirement to have additional grounds of processing, along with consent’ and ‘lack of clarity with respect to certain grounds of processing, such as “public interest”, “vital interest” and “legitimate interest”’ have been dealt with.

9. Purpose specification and Use Limitation: An entire chapter deals with the Purpose Specification and Use Limitation. Purpose Specification is an essential first step in applying data protection laws and designing safeguards for the collection, use and disclosure of personal data.

10. Sensitive Personal Data: The definition of “sensitive data” is as per the Sensitive Personal Data Rules, 2011. The need to further examine the rationale behind certain categories of personal data and the difficulty in determining the context of use which could make data sensitive have been covered in the report.

11. Individual Participation rights: Two specific chapters deal with individual participation rights such as the right to confirmation, right to access, right to rectification, right to object to processing, right to object to processing for the purpose of direct marketing, right to not be subject to a decision based solely on automated processing, right to data portability, and right to restrict processing. Following these two, there is another chapter that deals entirely with the ‘right to be forgotten’.

12. Enforcement Models: Part IV of the work deals with enforcement models. The enforcement of data protection norms is complicated primarily by two factors: first, the application of the norms across different fields, sectors, industries and contexts and, second, the rapid pace of development and change in data processing technologies. These factors produce unique enforcement problems not found in other regulatory fields. Model types such as command and control regulation, self-regulation, co-regulation are explained in brief.

13. Data Protection: Central to accountability are the concepts of ‘privacy by design’ and ‘privacy by default’ which oblige businesses to consider data privacy at the initial design stages of a project as well as throughout the life cycle of the relevant data processing. In this sense, accountability does not redefine data protection, nor does it replace existing law or regulation, since accountable organisations must comply with existing applicable law. Instead, accountability shifts the focus of privacy governance to an organisation’s ability to demonstrate its capacity to achieve specified privacy objectives.

14. The last part of the report throws light on Personal Data Breach notification, categorisation of data-controllers, Data Protection Authority.

15. Penalties: The last chapter deals with the provision of penalties. In the context of a data protection law, civil penalties may be calculated in a manner to ensure that the quantum of civil penalty imposed not only acts as a sanction but also acts as a deterrence to data controllers, which have violated their obligations under a data protection law.

Case BriefsForeign Courts

Supreme Court of United States: In a decision that is being touted as a victory for the supporters of digital privacy, the US Apex Court, by a ratio of 5:4, imposed limits on the ability of police to obtain mobile phone data pinpointing the past location of criminal suspects. Furthermore, while deliberating upon the question whether access to historical cell phone records that provide a comprehensive chronicle of the user’s past movements is a search by the Government under the Fourth Amendment, the Court held in the affirmative that the Government’s acquisition of cell-site records is a Fourth Amendment search.

As per the facts of the case, the FBI identified the cell phone numbers of several robbery suspects, and prosecutors were granted court orders to obtain the suspects’ cell phone records under the Stored Communications Act. The records included the cell-site location information (CSLI) of petitioner Timothy Carpenter, cataloguing his movements. The petitioner moved the Court to suppress the data, arguing that the Government’s seizure of the records without obtaining a warrant supported by probable cause violated the Fourth Amendment. The Fourth Amendment protects “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” Carpenter’s petition was denied by the District Court and the Sixth Circuit Court, which stated that Carpenter lacked a reasonable expectation of privacy in the location information collected by the FBI because he had shared that information with his wireless carriers.

Delivering the majority opinion, John Roberts, C.J., and Ginsburg, Breyer, Sotomayor, and Kagan, JJ., stated that the present case made the Court confront the question of the application of the Fourth Amendment to a new phenomenon, i.e. the ability to chronicle a person’s past movements through the record of his cell phone signals. Such tracking partakes of many of the qualities of GPS monitoring. The majority also observed that the individual continuously reveals his location to his wireless carrier; however, the third-party doctrine applies to telephone numbers and bank records, and it is not clear whether its logic extends to the qualitatively different category of cell-site records. The majority held that the Government must generally obtain a warrant supported by probable cause before acquiring cell-site records. Although the ultimate measure of the constitutionality of a governmental search is reasonableness, the precedents duly establish that warrantless searches are typically unreasonable and, in the absence of a warrant, a search is reasonable only if it falls within a specific exception to the warrant requirement. While the Government will generally need a warrant to access CSLI, case-specific exceptions such as exigent circumstances may support a warrantless search. The dissenting opinion was delivered by Kennedy, Thomas, Alito and Gorsuch, JJ.

The Court further made it clear that the decision in the instant case does not cover conventional surveillance techniques and tools, such as security cameras; does not address other business records that might incidentally reveal location information; and does not consider other collection techniques involving foreign affairs or national security. [Timothy Carpenter v. United States, No. 16–402, decided on 22-06-2018]

Hot Off The PressNews

After hearing the much-debated Aadhaar matter for 38 days, the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ has reserved the judgment. The hearing had begun on January 17, 2018.

Below are the highlights from the arguments advanced on the last day of the Aadhaar Hearing:

  • Senior Advocate Gopal Subramanium: 
    • Is Aadhaar really affirmative action? Is the act an enabler or is it in the guise of enabler? The act is not an instrumentality to deliver services. It is only a means of identification. We have to read the true purpose of law and whether the law seeks to achieve that purpose. Dignity and autonomy is not preserved by section 7 of the Aadhaar Act.
    • Aadhaar Act does not have a proper purpose. A claim to a proper purpose is not proper purpose. Authentication is at the heart of the Act. Failure of authentication is a ground for denial of services.
  • Chandrachud, J: An act like Aadhaar needs a regulator which is absent.
  • Gopal Subramanium: The state seeks to take away our data without the backing of a strong data protection framework. Words like “grant of subsidies, benefits and services” are expressions of condescension in Section 7. They are not treated like an entitlement. The burden is on the people to authenticate and establish their identity. Should the State logically be the holder of such information?
  • Chandrachud, J: Is “subsidy” a benefit or a right, that has to be decided.
  • Gopal Subramanium: 
    • Private players have access to Aadhaar data. There is no regime of protection. There is no vertical protection.
    • Section 7 has been interpreted to be mandatory. Can’t make citizens subservient under section 7 and call rights, benefits.
    • The Act is to be struck down completely as it fails all three tests laid down in Puttaswamy. There’s no legitimate state aim as the real aim is different from the purported aim. There was no law when Aadhaar was implemented and there’s no proportionality.
    • This Court consciously overruled ADM Jabalpur. The doctrine of possibility of misuse does not apply here because there is actual denial of rights in the case of Aadhaar.
    • Aadhaar Act should be completely struck down and the architecture and database must be destroyed.

_________________________________

  • Senior Advocate Arvind P. Datar:
    • Aadhaar cannot be a money bill. At most, it can be a financial bill of category 3 under Article 117(3) of the Constitution.
    • Doctrine of severability will not apply to Aadhaar, since the doctrine is only applicable to validly enacted laws.
    • Mohd. Saeed Siddiqui and Yogendra Jaiswal should be overruled. Finality of speaker’s decision doesn’t mean that the bill cannot be subject to judicial review.
    • Under PMLA, Aadhaar is not just confined to banks but has gone beyond its scope. Aadhaar is needed for mutual funds, insurance policies and credit cards as well, among other things.
    • Only magic words like black money, national security and terrorism are being thrown around by the State. The justification of a law for proportionality cannot be a ritualistic exercise. Aadhaar is not justified under Article 300A of the Constitution.
    • Linking Aadhaar will never solve problems of money laundering and black money because the source of such money is different. This is colorable exercise of power. Black money and money laundering is being used as a ruse to collect people’s biometrics.
    • Section 57 should go completely. Anything outside Section 7 is completely violative of the Puttaswamy judgement. S.139AA of the Income Tax Act is inconsistent with the Aadhaar Act.
    • There should be an option of opting out of Aadhaar.

_________________________________

  • Senior Advocate P. Chidambaram:
    • AG’s reading of the word “only” in Article 110(g) is erroneous. There is no need to tamper the language of the Article.
    • Section 57 travels beyond Article 110 of the Constitution. Clause (g) of 110 (1) must be read very restrictively. The provision has to be incidental to (a) to (f) to come under (g). Clause (g) is not a substantive provision.
    • The implications of passing a non money bill as a money bill are very serious: One half of the parliament is virtually disabled from making any amendments. It denudes the highest constitutional authority of the country, the President of India.
    • There is no provision in the Constitution which gives the court the power of severability in case of an invalidly enacted legislation. The Australian constitution has such a provision.
    • The bill was passed without the effective participation of the Rajya Sabha and without assent from the President. The court cannot save a legislation that is fundamentally unconstitutional.
    • Pith and Substance doctrine cannot be applied in cases where the applicability of Article 110 is being interpreted. Only limited to entries of legislative lists.
    • The Court must strike down the Aadhaar Act as it is not a money bill. It is a mockery of Article 110.

_________________________________

  • Senior Advocate K.V Vishwanathan: 
    • Respondents’ argument that the least intrusive method is not a facet of proportionality is completely erroneous. You can’t balance your own bundle of rights. Balancing Right to food and right to privacy is wrong.
    • Section 59 doesn’t protect Aadhaar during the time it was not an Act. It’s a wrong submission made by the state. To rely on the exception handling mechanism is ultra vires the Act.
    • If it’s my rights and their duty, then they cannot discharge their duty by subjecting the poor and downtrodden of this country to a technological menace.
    • There can be no data collection and digitalization of records. The underpinning of the Aadhaar Act is authentication of individuals.
    • Harmonization of rights is being mis-applied by the respondents.

____________________________________________________________________________________________________________________________

To read the highlights from the rejoinder submitted by the petitioners, click here and here.

To read the highlights from the submissions of AG KK Venugopal on the issue of money bill, click here.

To read the highlights from the submissions of Advocate Zoheb Hossain, click here.

To read the highlights from the submissions of Advocate Gopal Sankarnarayanan and Senior Advocate Neeraj Kishan Kaul, click here.

To read the highlights from the submissions of Senior Advocate Rakesh Dwivedi, click here, here, here, here and here.

To read the highlights from the submissions by ASG Tushar Mehta, click here and here.

To read the highlights from the submissions by the Attorney General, click here, here, here and here.

To read the highlights from the PowerPoint Presentation made by the CEO of UIDAI, click here.

To read the highlights from submissions of Senior Advocates Meenakshi Arora, Sajan Poovayya, CU Singh, Sanjay Hegde and Counsel Jayna Kothari, click here.

To read the highlights from submissions of Senior Advocates KV Viswanathan and Anand Grover, click here.

To read the highlights from Senior Advocate Arvind Datar’s submissions, click here, here and here.

To read the highlights from Senior Advocate Gopal Subramanium’s submissions, click here, here and here.

To read the highlights from Senior Advocate Kapil Sibal’s arguments, click here, here and here.

Looking for the detailed submissions of Senior Advocate Shyam Divan? Read the highlights from Day 1, Day 2, Day 3, Day 4, Day 5, Day 6 and Day 7 of the hearing.

Source: twitter.com/SFLCin

Hot Off The PressNews

On the penultimate day of the Aadhaar hearing, Senior Advocate Shyam Divan continued with his rejoinder before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ.

Below are the highlights from the arguments advanced on Day 37 of the Aadhaar Hearing:

  • Shyam Divan:
    • We’re linking individuals’ Aadhaar with their bank accounts and mobile numbers without their permission. It’s called inorganic seeding. Without statutory backing UIDAI collected biometrics of hundred crore people which is the entire population of Europe and North America.
    • From the citizen’s perspective, there’s authentication tower and enrollment tower. IP address, ID, date, time and purpose of authentication can be known because of the architecture of Aadhaar. Source code of the Aadhaar software belongs to foreign companies. It is impossible to live in contemporary India without Aadhaar.
    • Aadhaar linking is not a one time thing. It’s a continuous process.
    • ID4D 2015 report was relied on by the Attorney General KK Venugopal. World bank had partnered with Accenture to write this report. Therefore the report is not impartial.
    • Collecting biometrics was ultra vires the 2009 notification. Assuming the notification was an act of parliament, even then it would’ve been ultra vires for collecting something as intrusive as biometrics. Also there was no informed consent and penalties at that time.
    • UIDAI has been flouting the interim orders of the SC. Aadhaar schemes under section 7 should not involve children, merit education. Exclude schemes for rehabilitation and involve stigma like bonded labourers, exclude food and nutrition, matters related to health.
    • There cannot be retrogression of human rights.
    • Sarva Shiksha Abhiyan and mid day meal schemes require children to furnish Aadhaar to avail benefits of these schemes. This should be completely excluded from section 7. There should be no conditions placed on children to avail these benefits.
    • Aadhaar was even required to participate in essay competition. This is way beyond any reasonable limit of proportionality.
    • Highly vulnerable groups should not be mandated to provide Aadhaar. Even Ujjwala scheme for women rescued from trafficking requires Aadhaar.
  • Sikri, J: The problem is that wrong beneficiaries receive such benefits.
  • Shyam Divan:
    • Even tuberculosis patients were mandated to disclose Aadhaar numbers. 
    • Please don’t consider Section 7 by itself but the overall impact of the Act. This is an over extension of the coercive powers of the State. Section 7 beneficiaries are demoted to the status of second class citizens. Aadhaar authentication is a violation of personal autonomy.
    • Also, Aadhaar is probabilistic. Non retrogression of rights is an important principle of human rights law.
    • This act has a huge impact on human rights. Constitution has an intricate scheme to defend part III with the final defence lying with the SC. Cannot bypass wisdom of Rajya Sabha and Article 111 to pass Aadhaar as a money bill.
    • Demographic information in many situations is also important and should not be trivialised. People must have the choice to preserve and protect it.
    • The architecture of Aadhaar with full traceability enables mass surveillance and profiling. There are a lot of lawyers who are doing this pro bono because they believe this is a huge constitutional matter. There’s no commercial interest.
    • The Aadhaar Act will not survive the first five words of the preamble, “We the people of India”.

____________________________________

  • Senior Advocate Gopal Subramanium:
    • State functionaries have a continuing constitutional obligation. If the obligation is not met, it cannot be reversed and the burden of proof cannot be on Individuals to establish their identity.
    • Do children want fake mid day meals? Do poor disabled people want to fake their identity?
    • Section 33 will allow sharing of authentication records. Footprints of one’s activities are known by the State. Is there any nexus between such knowledge of the State and delivery of services?
    • You need all the other identity documents like ration cards, along with Aadhaar number. A person can ping the authentication machine three times and get rejected and then get accepted on the fourth ping. How can we subject citizens to this?
    • Is Aadhaar really for the oppressed? Because everyone is now supposed to link it with banks, telecom etc. What exactly is the compelling state interest that has been demonstrated?
    • Admissions to schools is denied for lack of Aadhaar. The legislation is not an enabler, and not used for empowerment. Therefore, it falls on all grounds that is Articles 14, 19 and 21.
    • Data of citizens can be used for political exercise. Aadhaar’s preponderant nature is likely to invade. Aadhaar alters the symbiotic nature between state and citizen.
    • This law is a fetter on self actualization. However noble your intentions may be, if you step out of the boundaries of the Constitution, then there’s no saving such legislation.

____________________________________________________________________________________________________________________________

Source: twitter.com/SFLCin

Hot Off The PressNews

On Day 36 of the Aadhaar Hearing, Attorney General KK Venugopal concluded his arguments on the issue of Aadhaar Act, 2016 being introduced as Money Bill before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ. It also marked the end of the submissions of the State and the petitioners began rejoinder post lunch.

Below are the highlights from the arguments advanced on Day 36 of the Aadhaar Hearing:

  • Attorney General KK Venugopal: Article 110(1)(g) is a standalone provision. There can be a bill that does not relate to 110(1)(a)-(g) but is still covered independently under 110(1)(g). Therefore, the Aadhaar bill did not have to be passed by the Rajya Sabha. RS could only make recommendations.
  • CJI: Section 57 is an enabling provision that allows state legislature to introduce Aadhaar for various services. The state legislature may or may not introduce it as a money bill. Its nature will then be examined if it’s challenged in a court of law.
  • AG (On Aadhaar SIM linking):
    • Aadhaar is not mandatory to obtain a new connection, but there will be no chance of forgery and fraud if Aadhaar is linked to SIM card.
    • Aadhaar was made optional as per the direction of the Supreme Court but it will only remain optional till the final disposal of the matter. (SC had denied a few days ago that it had issued any direction to make Aadhaar mandatory for SIM in the Lokniti case.)
    • We are recognizing the interim order passed in the Lokniti Foundation case, and hence making Aadhaar optional for the time being.
    • No core biometrics data is shared under the Aadhaar Act.
    • The State takes offense to the fact that words such as “electronic leash” and “concentration camps” were used.

________________________________________

  • Senior Advocate Shyam Divan (Rejoinder): 
    • First time in a democracy, something like CIDR has been implemented. SC is at the vanguard of balancing human rights and new technologies.
    • Cannot have a surveillance state in this democracy. Identity of the person, date and time, and location are the three elements of surveillance.
    • On March 9, 2018, state filed an affidavit appending an expert report by Manindra Agarwal of IIT Kanpur who is also a member of technology and architecture review board of Aadhaar along with the security review board.
    • UIDAI’s presentation report says that biometrics database is accessible by third party vendors like Morpho, Accenture, identity solutions and one more. Breach of verification log leaks location of places where an individual did authentication.
    • The report admits that tracking of location of a person is possible. Prof. Agarwal has admitted that last five years location data can be accessed with the verification log. Even without the verification log, current location can be tracked. UIDAI knows the location of an individual. Third parties can access the approximate location if the verification log is breached.
    • Experts on both sides now agree that surveillance is possible. It’s not just a privacy issue, it’s a limited government issue. How far does the coercive power of the state extend? Cannot extend to creating an infrastructure that is capable of tracking people.
    • Can we have a law or system that sets up an authority that does not comport with our democracy? I’m speaking about a rudimentary level of surveillance. I’m not even talking about commercial surveillance.
    • State has created a structure of not just CIDR but AUAs and KUAs where all information is being tracked including location. In terms of power and control, the existence of a body like UIDAI is beyond my wildest imagination.
    • The Manindra Agarwal affidavit is a tipping point in this case. He’s careful and says that there are laws to protect us. SC cannot permit something so deeply flawed to function in our country.
    • Is this a case of the emperor who had no clothes? On the point of balancing, I would submit that this is an impairment of Part III of the Constitution. This is a moment in time to take a firm stance.
  • Chandrachud, J: There’s an inexorable march of technology. What are the kind of safeguards that we should take while balancing these rights is something we have to consider. Not like there’s quantitative lack of food in our country. The problem is that people can’t access that food. It is the duty of the State to look into this aspect also.
  • Shyam Divan:
    • Choice and option is important in a democracy. (Jokingly says that Mr. Zoheb Hossain also does not have an Aadhaar.)
    • UIDAI in their answer have said that they do not take responsibility for correct/incorrect identification. They only provide a matching system. It’s a self certification/ declaration system. Please consider this in the context of opening and operating bank account.
    • UIDAI takes no responsibility for correct name, address, date of birth. Please consider if this meets minimum standard of rationality. UIDAI hasn’t answered how many authentication rejections have taken place. If you’re successful in performing five authentications in a year, it’s considered hundred percent successful.
    • UIDAI was asked if they verify if illegal immigrants are given Aadhaar. As a 2013 SC order said that illegal immigrants should not get Aadhaar.

____________________________________________________________________________________________________________________________

Source: twitter.com/SFLCin