Foreign LegislationLegislation Updates

On September 3, 2021, the Surveillance Legislation Amendment (Identify and Disrupt) Act, 2021 has come into force in Australia. The Surveillance Legislation Amendment (Identify and Disrupt) Act, 2021 amends the Surveillance Devices Act 2004 and Telecommunications (Interception and Access) Act 1979.

 

Key amendments are as follows:

  • The Act provides extraordinary powers to Australian Police (the Australian Federal Police and the Australian Criminal Intelligence Commission) by introducing “Data Disruption warrants” to disrupt data by modifying, adding, copying or deleting data in order to avoid the commission of serious offences online and make minor technical corrections.
  • The Act also introduces Network Activity warrants” to enable the Australian Police to intercept data on serious criminal activity by permitting access to the devices and networks used to facilitate criminal activity.
  • Lastly, the Act introduces “Account Takeover warrants to enable the Australian Police to take over a person’s online account for the purposes of gathering evidence to further a criminal investigation and make minor amendments to the controlled operations regime to ensure controlled operations can be conducted effectively in the online environment.
  • An “emergency authorisation” procedure is also introduced which shall the above actions without a warrant under certain circumstances.

 


*Tanvi Singh, Editorial Assistant has reported this brief.

Case BriefsForeign Courts

Constitutional Court of South Africa: In a significant judgment delivered last month, the South African Apex Court, with a ratio of 8:2, declared the Regulation of Interception of Communications and Provision of Communication-Related Information Act (hereinafter RICA) to be unconstitutional, due to lack of privacy safeguards. The Court also held that that collection and monitoring of individuals’ communications under RICA contravened Section 14 of the Constitution of the Republic of South Africa. Having declared RICA unconstitutional, the Court limited the retrospectivity of its declaration of invalidity and suspended its declaration of invalidity for three years in order to allow Parliament adequate time to proceed with its investigations and develop suitable remedial legislation.

Background

 The Regulation of Interception of Communications and Provision of Communication-Related Information Act was passed in order to regulate the interception of communications and associated processes, such as, applications for and authorisation of interception of communications. RICA was enacted to control the interception of both direct and indirect communications, which are defined broadly to include oral conversations, email and mobile phone communications (including data, text and visual images) that are transmitted through a postal service or telecommunication system

Some of the key provisions of RICA that were focused on by the Constitutional Court were–

  • Section 2- prohibits all forms of interception and monitoring of communications, unless they take place under one of the recognised exceptions under this provision.
  • Sections 16 to 18 and 20 to 23- these provisions direct that without a “designated Judge” RICA would be substantially inoperable. With the exception of only one type, at the centre of all surveillance directions issued under RICA is a designated Judge; she or he must authorise all directions that fall within the purview of functions of a designated Judge. Surveillance under sections 16 to 18 and 20 to 23 covers almost the entire spectrum of State surveillance.

AmaBhungane Centre for Investigative Journalism NPC and its managing partner, Stephen Patrick Sole (also an investigative journalist who was under State- surveillance), had approached the High Court of South Africa (Gauteng Division, Pretoria), challenging the constitutionality of RICA, wherein Mr. Sole recapitulated his first hand experience with RICA. In 2008 he suspected that his communications were being monitored and intercepted. In 2009 he took steps to obtain full disclosure of the details relating to the monitoring and interception of his communications from the Office of the Inspector-General of Intelligence. The efforts proved to be fruitless because the Inspector-General had found the National Intelligence Agency (NIA) and the crime intelligence division of the police not guilty of any wrongdoing. It was stated that RICA prohibits disclosure of information relating to surveillance; therefore Mr Sole could not be furnished with the information. Stephen Sole was thus left in the dark as to whether his communications had in fact been intercepted and, if so, what the basis for interception was.

The High Court upon perusal of the facts and the relevant provisions, declared RICA to be unconstitutional based on some of the following grounds (these grounds also formed the core issues which were then addressed by the Constitutional Court)-

  • RICA makes no provision for a subject of surveillance to be notified that he or she has been subjected to surveillance.
  • RICA permits a member of the Executive unfettered discretion to appoint and renew the term of the designated Judge (the functionary responsible for issuing directions for the interception of private communications), and thus fails to ensure the independence of the designated Judge.
  • RICA lacks any form of adversarial process or other mechanism to ensure that the intended subject of surveillance is protected in the ex parte application process.
  • RICA lacks adequate safeguards for examining, copying, sharing, sorting through, using, destroying and/or storing the surveillance data (management of information issue); and fails to provide any special circumstances where the subject of surveillance is a journalist or practising lawyer.

However, the declaration of invalidity was suspended for two years to allow Parliament to cure the defects. Interim relief, in the form of reading-in, was granted in respect of the notification issue (i), the independence issue (ii) and the practising lawyers and journalists issue (iv).

Observations

The Majority judgment was authored by Madlanga J., (with Khampepe J, Majiedt J, Mathopo AJ, Mhlantla J, Theron J, Tshiqi J and Victor AJ concurring). The Majority observed that that interception and surveillance of an individual’s communications under RICA provisions are highly invasive of privacy, and thus infringes Section 14 of the Constitution. Acknowledging the constitutional importance of privacy, the Bench noted that Right to Privacy is tied to dignity. Analyzing impugned legislation in the backdrop of Section 36(1) of the Constitution, the Court observed that even though one of the important purposes of State surveillance is to investigate and combat serious crime, guarantee national security, maintain public order, thereby ensuring the safety of the Republic and its people, however in light of the intrusive nature of the limitation, the Court must question that whether RICA is doing enough to reduce the risk of unnecessary intrusions? In other words, are there safeguards that acceptably minimise the trampling of the privacy right, thereby meeting the standards of reasonableness and justifiability?

On the notification issue (i), the Majority held that such a blanket prohibition facilitates the abuse of interception directions, which are applied for, granted and implemented in complete secrecy. The fact that the subject never knows whether they are under observation and thus there is no opportunity to seek legal redress for the violation of her or his right to privacy. This renders the rights guaranteed the Constitution to approach a court to seek appropriate relief for the infringement of the right to privacy, as illusory and, promotes impunity.

Dealing with the independence issue (ii), the Court observed that that the open-ended discretion in respect of appointments and their renewal could raise a reasonable apprehension that the independence of the Designated Judge may be undermined by external interference by the Executive. As a result, RICA does not allow the Designated Judge an adequate level of structural, operational or perceived independence. RICA was therefore declared unconstitutional to the extent that it fails to ensure adequate safeguards for an independent judicial authorisation of interception.

Dealing with the issue of inadequate safeguards (iv), the Court considered the applicant’s concerns revolving around the lack of regulation as to how intercepted information is handled, stored and eventually destroyed and how this deficiency exposes subjects of interceptions to even more aggravated intrusions into their privacy. The Court noted that RICA provisions do not prescribe the relevant procedures, and that they allow the Director of the Office for Interception Centres an unacceptable unrestrained discretion to regulate the management of information. Thus RICA was declared unconstitutional to the extent that it fails adequately to prescribe procedures to ensure that data obtained pursuant to the interception of communications is managed lawfully and not used or interfered with unlawfully.

Regarding the lawyers and journalists issue (also iv), the Majority acknowledged that the confidentiality of journalists’ sources is protected by the rights to freedom of expression and the media. The Court also acknowledged that legal professional privilege is an essential part of the rights to a fair trial and fair hearing. These rights weigh in favour of special consideration being given to the importance of the confidentiality of lawyer-client communications and journalists’ sources, in order to minimise the risk of infringement of this confidentiality. RICA’s failure to provide such special circumstances makes it violative of the Constitution.

The Dissenting opinion penned by Jafta J., (with Mogoeng CJ., concurring) noted that that RICA does not empowers the Minister of Justice to designate a judge for the purposes of determining applications for authorisation to intercept private communications and also to perform other functions. It was held that the definition in Section 1 of RICA does not include a provision that the Minister has the power to designate but merely defines the meaning of the term “designated judge”. Consequently, it was held that the suspension of the declaration of invalidity proposed as a remedy is inappropriate as it will not cure the problem of the lack of power to designate. This kind of problem can only be remedied by Parliament granting the Minister the relevant power.[AmaBhungane Centre for Investigative Journalism NPC v. Minister of Justice and Correctional Services, 2021 SCC OnLine CCSA 1, decided on 04-02-2021]


Sucheta Sarkar, Editorial Assistant has reported this brief.

Case BriefsHigh Courts

Telangana High Court: P. Naveen Rao, J., while addressing the instant matter observed that,

“When a citizen comes to the High Court alleging infringement of his right to life, liberty and privacy by opening a rowdy sheet, the Court can look into whether the decision of the police to have surveillance on the petitioner is justified and supported by the material on a record or it was initiated only to harass and humiliate the individual.

It is to be noted that mere involvement in a crime may not per se require surveillance on that person.”

Kasula Nandam is said to be the protected tenant and in possession of land to an extent, Acs.6.32 guntas in Sy. No. 170 of Kapra village, having obtained occupancy rights certificate in the year 1979.

The petitioner who used to run a cloth shop was appointed as the General Power of Attorney holder to look after the above-stated property. Further, he stated that there are several bogus claimants over the said land.

Petitioner added that several false claims on the land were made by lodging complaints against the petitioner over a period of time.

On the ground of registration of crimes, and pending trial before the Criminal Courts, rowdy sheet is opened and in the guise of the opening of the rowdy sheet, respondent-Police are keeping close surveillance on the movements of the petitioner, affecting his right, liberty and privacy.

Respondent-Police alleged that there is ample evidence alleging that the petitioner has been grabbing private and Government Lands by way of illegal means, that due to fear of the petitioner, no one is coming forward to lodge a complaint.

Hence, in view of the public interest and to safeguard the residents of the area, where the petitioner is residing, and to curb his unlawful activities, the rowdy sheet is opened.

Whether the Police are justified in opening the rowdy sheet against the petitioner?

Enforcement of law and order is the most important state function. Enforcement of law and order includes taking all preventive measures to ensure that no untoward incident happens and peace and tranquillity is not affected. To prevent a breach of peace and tranquillity, it is permissible for the police to take all measures possible.

It was noted that for the purpose of keeping surveillance, Police Standing Order 601 enables opening a Rowdy Sheet in the concerned police station. After the opening of the rowdy sheet, close surveillance is enforced on the concerned person

Court observed that,

Opening of Rowdy Sheet and thereon keeping close surveillance on the person would certainly infringe upon the right to life, liberty and privacy of the individual concerned.

A person is entitled to lead his life with dignity and self-respect and does not want an outsider to intrude in his private affairs and to probe into his movements.

Thus, there are two competing interests in preventive measures. On the one side is right guaranteed by Article 21 of the Constitution of India, which is sacrosanct and on the other side is the primacy of enforcement of law and order, maintenance of peace and tranquillity, which is the primary responsibility of the State through its police force. Compelling public interest may require intrusion into the privacy of a person.

Bench further observed that the principles governing the opening of Rowdy Sheet vis-a-vis the right to life and liberty, it is necessary to consider whether by opening rowdy sheet against the petitioner, respondent police have violated the mandate of Article 21 of the Constitution of India and whether their decision is supported by reasons warranting requirement to open rowdy sheet.

Crimes that the petitioner was involved in included Sections 447 IPC (criminal trespass); 427 IPC (Mischief); 506 IPC (criminal intimidation); 420 IPC (cheating and dishonestly inducing delivery of property); 468 IPC (forgery for purpose of cheating); 471 IPC (using as genuine a forged document); 452 IPC (House trespass after preparation for hurt, assault or wrongful restraint); 120-B IPC (criminal conspiracy) and 34 IPC (Act done by several persons in furtherance of common intention).

The above-stated would show that the petitioner was in the habit of being involved in crimes, disturbing peace and tranquillity.

Hence, the Court held that,

Having regard to the crimes registered against the petitioner and that he was facing trial in five cases, it cannot be said that the Police action in opening rowdy sheet amounts to abuse or misuse of power and authority, and cannot be said as one made in the illegal exercise of power and without application of mind.

While dismissing the petition, Bench made it clear that while keeping surveillance, Police shall ensure that it is minimal, not obtrusive and not to impinge upon his privacy.[M. Laxman v. State of Telangana,  2020 SCC OnLine TS 1600, decided on 03-12-2020]

COVID 19Hot Off The PressNews

Ministry of Home Affairs (MHA) issued an Order today with Guidelines for Surveillance, Containment and Caution, which will be effective from December 1, 2020, and to remain in force up to 31-12-2020.

  • The main focus of the Guidelines is to consolidate the substantial gains that have been achieved against the spread of COVID-19 which is visible in the steady decline in number of active cases in the country. Further, keeping in view the recent spike in new cases in few States/ UTs, ongoing festival season and onset of winter, it is emphasised that to fully overcome the pandemic, there is need to maintain caution and to strictly follow the prescribed containment strategy, focussed on surveillance, containment and strict observance of the guidelines/ SOPs issued by MHA and Ministry of Health & Family Welfare (MOHFW). Local district, police and municipal authorities shall be responsible to ensure that the prescribed Containment measures are strictly followed. States and UTs, based on their assessment of the situation, may impose local restrictions, with a view to contain the spread of COVID-19.

Surveillance and Containment

  • States/ UTs to ensure careful demarcation of Containment Zones by the district authorities, at the micro level, taking into consideration the guidelines prescribed by MoHFW in this regard.  The list of Containment Zones will be notified on the websites by the respective District Collectors and by the States/ UTs. This list will also be shared with MoHFW.
  • Within the demarcated Containment Zones, containment measures, as prescribed by MoHFW, shall be scrupulously followed, which includes:
    • Only essential activities shall be allowed in the Containment Zones.
    • There shall be strict perimeter control to ensure that there is no movement of people in or out of these zones, except for medical emergencies and for maintaining supply of essential goods and services.
    • There shall be intensive house-to-house surveillance by surveillance teams formed for the purpose.
    • Testing shall be carried out as per prescribed protocol.
    • Listing of contacts shall be carried out in respect of all persons found positive, along with their tracking, identification, quarantine and follow up of contacts for 14 days (80 percent of contacts to be traced in 72 hours).
    • Quick isolation of COVID-19 patients shall be ensured in treatment facilities/ home (subject to fulfilling the home isolation guidelines).
    • Clinical interventions, as prescribed, shall be administered.
    • Surveillance for ILI/ SARI cases shall be carried out in health facilities or outreach mobile units or through fever clinics in buffer zones.
    • Awareness shall be created in communities on COVID-19 appropriate behaviour.
  • Local district, police and municipal authorities shall be responsible to ensure that the prescribed Containment measures are strictly followed and State/ UT Governments shall ensure the accountability of the officers concerned in this regard.

COVID-Appropriate behavior

  • State/ UT Governments shall take all necessary measures to promote COVID-19 appropriate behavior and to ensure strict enforcement of wearing of face masks, hand hygiene and social distancing.
  • In order to enforce the core requirement of wearing of face masks, States and UTs may consider administrative actions, including the imposition of appropriate fines, on persons not wearing face masks in public and work spaces.
  • For observance of social distancing in crowded places, especially in markets, weekly bazaars and public transport, Ministry of Health and Family Welfare (MoHFW) will issue an SOP, which shall be strictly enforced by States and UTs.
  • National Directives for COVID-19 Management shall continue to be followed throughout the country, so as to enforce COVID-19 appropriate behavior.

Strict adherence to the prescribed SOPs

  • All activities have been permitted outside Containment Zones, except for the following, which have been permitted with certain restrictions:
  1. International air travel of passengers, as permitted by MHA.
  2. Cinema halls and theatres, with upto 50 percent capacity.
  3. Swimming pools, only for training of sports persons.
  4. Exhibition halls, only for business to business (B2B) purposes.
  5. Social/ religious/ sports/ entertainment/ educational/ cultural/ religious gatherings, with upto a maximum of 50 percent of the hall capacity, with a ceiling of 200 persons in closed spaces; and keeping of the size of the ground/ space in view, in open spaces.

However, based on their assessment of the situation, State/ UT Governments may reduce the ceiling to 100 persons or less, in closed spaces.

  • For the information of all, the Guidelines enclose a list of 19 SOPs that have been issued from time to time to regulate the activities that have been permitted. These SOPs shall be strictly enforced by the authorities concerned, who shall be responsible for their strict observance.

Local restrictions

  • States and UTs, based on their assessment of the situation, may impose local restrictions, with a view to contain the spread of COVID-19 such as night curfew. However, State/ UT Governments shall not impose any local lockdown (State/ District/ sub-division/City level), outside the containment zones, without prior consultation with the Central Government.
  • States and UTs also need to enforce social distancing in offices.  In cities, where the weekly Case Positivity Rate is in more than 10 percent, States and UTs concerned shall consider implementing staggered office timings and other suitable measures, with a view to reduce the number of employees attending office at the same time, thereby ensuring social distancing.

No restriction on InterState and intraState movement

  • There shall be no restriction on inter-State and intra-State movement of persons and goods including those for cross land-border trade under Treaties with neighbouring countries. No separate permission/ approval/ e-permit will be required for such movements.

Protection for vulnerable persons

  • Vulnerable persons, i.e., persons above 65 years of age, persons with co-morbidities, pregnant women, and children below the age of 10 years, are advised to stay at home, except for meeting essential requirements and for health purposes.

Use of Aarogya Setu

  • The use of Aarogya Setu mobile application will continue to be encouraged.

Ministry of Home Affairs

[Press Release dt. 25-11-2020]

[Source: PIB]

Case BriefsInternational Courts

European Court of Justice (Grand Chamber): Striking a blow on companies dependent upon the transfer of data between Europe and the US via the Privacy Shield Decision, the Court held that Privacy Shield Decision does not provide adequate data protection of European citizens from US surveillance activities. It was further observed that the Privacy Shield Decision is incompatible with Art. 45(1) of the General Data Protection Regulation (GDPR) read in the light of Arts. 7, 8 and 47 of the Charter of Fundamental Rights of the European Union and is therefore invalid. Further examining the European Commission Decision 2010/87/EU dated 05-02-2010 on ‘standard contractual clauses’ (SCCs) for the transfer of personal data to processors established in third countries, the Court agreed with the Opinion delivered on the instant matter by the CJEU Advocate General on 19-12-2019 wherein it was stated that the SCCs offer adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights as required by Art. 26(2) of Directive 95/46/EC of the European Parliament and the Council. 

As per the facts, any person residing in the European Union, who wishes to use Facebook is required to conclude, (at the time of registration) a contract with Facebook Ireland, a subsidiary of Facebook Inc., established in the United States. Some or all of the personal data of Facebook Ireland’s users residing in the European Union is transferred to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing.  Max Schrems, an Austrian Facebook user since 2008, filed a complaint with the Commissioner whereby he requested that Facebook Ireland be prohibited from transferring his personal data to the United States, on the ground that the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities in which the public authorities were engaged. Mr Schrems claimed, inter alia, that United States law requires Facebook Inc. to make the personal data transferred to it available to certain United States authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).

Perusing the background of the case, the Court compared the legal mechanism of data protection vis-à-vis surveillance as prevalent in US and European Union. It was found that the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States, as assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required, under EU law under Art. 52(1) of the Charter of Fundamental Rights of the European Union. It was further observed that US Government accepted that Presidential Policy Directive-28 (which imposes a number of limitations for “signals intelligence” operations and has binding force for U.S. intelligence authorities, and if particular relevance for EU data subjects) does not grant data subjects actionable rights before the courts against the US authorities. Therefore, the Privacy Shield Decision cannot ensure a level of protection essentially equivalent to that arising from the Charter of Fundamental Rights of the European Union, contrary to the requirement in Art. 45(2)(a) of the GDPR that a finding of equivalence depends, inter alia, on whether data subjects whose personal data are being transferred to the third country in question have effective and enforceable rights. [Data Protection Commissioner v. Facebook, Ireland Ltd., C-311/18, decided on 16-07-2020]

Business NewsNews

A formal Memorandum of Understanding (MOU) was signed between the Ministry of Corporate Affairs (MCA), Government of India and the Securities and Exchange Board of India (SEBI) today for data exchange between the two regulatory organizations. The MoU was signed by Shri KVR Murty, Joint Secretary, MCA and Smt. Madhabi Puri Buch, Whole Time Member, SEBI in the presence of senior officers from both the organizations.

The MoU comes in the wake of increasing need for surveillance in the context of Corporate Frauds affecting important sectors of the economy. As the private sector plays an increasingly vital role in economic growth, the need for a robust Corporate Governance mechanism becomes the need of the hour.

The MoU will facilitate the sharing of data and information between SEBI and MCA on an automatic and regular basis. It will enable sharing of specific information such as details of suspended companies, delisted companies, shareholding pattern from SEBI and financial statements filed with the Registrar by corporates, returns of allotment of shares, audit reports relating to corporates. The MoU will ensure that both MCA and SEBI have seamless linkage for regulatory purposes. In addition to regular exchange of data, SEBI and MCA will also exchange with each other, on request, any information available in their respective databases, for the purpose of carrying out scrutiny, inspection, investigation and prosecution.

The MoU comes into force from the date it was signed and is an ongoing initiative of MCA and SEBI, who are already collaborating through various existing mechanisms. A Data Exchange Steering Group also has been constituted for the initiative, which will meet periodically to review the data exchange status and take steps to further improve the effectiveness of the data sharing mechanism.

The MoU marks the beginning of a new era of cooperation and synergy between the two regulators.


[Press Release dt. 07-06-2019]

Securities Exchange Board of India

Case Briefs

On Day 5 of the Aadhaar hearing, the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ, heard submissions of Senior Advocate Shyam Divan who continued to argue on the issue of India becoming a complete surveillance state and that Aadhaar Scheme should be done with to prevent the situation where ‘Big Brother’ is watching the people at all times. Below are the highlights of Day 5 of the Aadhaar Hearing:

Discussion on Surveillance by Senior Advocate Shyam Divan:

  • European Court of Human Rights judgments discussed wherein it was held that the data should not be stored for any longer than necessary for the purpose. The interests of the data subjects and the community might be outweighed by the interest in prevention of crime, but a Court must scrutinize it carefully.
  • UIDAI’s counter-affidavit discussed in detail. The points highlighted by Shyam Divan are:
    • “By design the technology architecture of UIDAI precludes the possibility of tracking. The system is blind to the use at the front end.”
    • “neither UIDAI nor any agency or department will be able to use Aadhaar to track or surveil. A user department of the govt or agency will only have information pertaining to its own domain. There will be no 360 degree view of an individual.”
  • Shyam Divan argued that the UIDAI has not dealt with the particulars of the affidavits filed by Kelekar and D’Souza, which specified how tracking can be done. Right from 2012, UIDAI had encouraged the establishment of State Resident Data Hubs, and there was budgetary allocation, for various State Governments.

Discussion on State Resident Data Hubs

  • He goes through the SRDH website of Madhya Pradesh and states that MP says that this will be the “single source of truth as it maintains demographic and biometric information.” So biometrics are not only with the CIDR. He also points the authorisation of seeding and reverse seeding.
  • The whole point is to store and integrate information for a 360 degree view, which is what UIDAI specifically denied on Affidavit. He shows a diagram of the 360 degree view.
  • Chandrachud, J: The diagrams show that there is a general database for the disbursement of social welfare benefits. 360 degree view may be a catchword used by consultants. In Europe you don’t have this kind of State involvement in social welfare benefits. If the government is confining itself to social welfare benefits, and checking if people receiving benefits are alive or not, and not profiling political beliefs, can’t it have a legitimate concern in ensuring that the identity of beneficiaries is maintained.
  • Shyam Divan: Concern cannot justify aggregation.
  • Chandrachud, J: Savings due to weeding out ineligible beneficiaries is what concerning the Court. The Court will have to strike a balance.
  • Shyam Divan: On the SRDH you get citizens names, location, and Aadhaar numbers. In our country, you can judge people’s communities from their names. You know all this because of Aadhaar, because the information is aggregated. You are all students of history and can anticipate the future, you know what happens when the names and location of communities in this fashion are available.
  • Khanwilkar, J: It only shows the place where you are generally resident, not resident at that particular moment.
  • Shyam Divan summarising submissions on State Resident Data Hubs:
    • They have no authority of law. These operations result in profiling and require to be removed.
    • The collation of data in state hubs enables religious, caste-based and community profiling, and potential targeting of individuals, and a pervasive loss of privacy.
    • As held in the privacy judgment, aggregation of data results in the destruction of privacy rights. There is a grave danger in allowing the State to amass this much power.

Discussions on unique device ID (UID):

  • Kerala Dairy Farmer Welfare board, which has a pension scheme connected to Aadhaar, has columns that include Log ID, Aadhaar Number, Validation Success (Y/N, biometric mismatch), Client IP (approximately a range of two kilometer radius can be located), request date, unique device ID (which takes you within 200 – 500m of where it is registered), UBC ID.
  • This shows you that “X” person has tried to secure an authentication from these IPs on different dates, and each time she failed. Another person “Y”, has also made three attempts, which failed. This is what UID knows. Name, number, whether it failed and reason for failure and it knows where you are located within 200 – 500 m in real time. This number has been mapped onto GoogleMaps. On these three different days, X has traveled to different parts of Kerala, trying to get authenticated. We are able to locate the dates on which she has traveled, and the time of authentication.
  • This is real-time mass surveillance being carried on by the states, and can’t be allowed.
  • Chandrachud, J: The Dairy Board may be concerned about some poor man trying to get his pension, and following it up to ensure targeted delivery. There is no surveillance in making sure that somebody gets their pension. When you have your iPhone in your pocket you can be tracked.
  • Bhushan, J: How can you have surveillance just by knowing this information?
  • Shyam Divan: Mass surveillance means that whenever an authentication takes place you can locate wherever the person is.
  • Bhushan, J: When you use ATM card, you can be tracked.
  • Shyam Divan: In the case of the ATM, only the bank knows. Under Aadhaar, you have 139 different schemes, and S. 57 allows for more – a full electronic trail from morning to evening. This would be the envy of North Korea.
  • Chandrachud, J: It is also the envy of the World Bank and The Economist. This Dairy Board example is an example of the positives of Aadhaar, because it allows for targeted delivery, and has been praised by the World Bank.
  • CJI Misra: Mr Divan is saying that the shadow is becoming larger than the man, and that man is being deprived of his solitary splendour.
  • Chandrachud, J: One should not get carried away with the rhetoric of surveillance, and everyone must come to the brass tacks.
  • Shyam Divan: Surveillance is at the core of this case. The meaning of surveillance is the tracking of citizens across the day and across their lifetimes. This is not just about the Kerala Dairy Board, but about how that is a microcosm of the program as a whole. The point is about concentration of power that is enabled through the ability to carry out surveillance. The point is not whether someone is actually sitting and tracking you, but the fact that the program enables an architecture of surveillance. If the word “surveillance” is a problem, the word “invasiveness” will also suffice.

Discussion on limited government, constitutionalism and the rule of law:

  • Limited government:
    • It stems from the preamble and the values underlying the Constitution. The State, which is created by the people, cannot expand to a point where it acquires such a huge dominance over the people.
    • The second point is about the space a person has to live.
    • Can limited government require you to identify yourself in only one manner, and that manner requires you to part with biometrics? Can the State say you must identify yourself in this one manner, or I won’t recognise you any more?
  • Dignity:
    • This program violates both individual and collective dignity. Can all these rights that we have be made conditional on forced authentication through only one method?
  • Good governance and rule of law:
    • For seven years this program functioned under administrative notification that didn’t even mention biometrics.

Bench will continue to hear the submissions today.

Also read the highlights from Day 1Day 2, Day 3 and Day 4 of the hearing.

Source: twitter.com/gautambhatia88

Hot Off The PressNews

On Day 4 of the Aadhaar hearing, the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ, heard submissions of Senior Advocate Shyam Divan who continued with discussing the various provisions of the Aadhaar Act, 2016. On Day 3 of the hearing, Shyam Divan had discussed the scope and applicability of the 9-judge bench Privacy verdict on the Aadhaar issue and was taking the Court through various provisions of the Aadhaar Act, 2016 when the Bench rose for the day. Below are the highlights from Day 4 of the hearing:

Discussion on Section 59 of the Aadhaar Act, 2016:

  • Shyam DivanSection 59 of the Aadhaar Act, which validates all acts of the UIDAI prior to the Act, applies only to central government actions, as per its text. This section does not control acts of private entities, like enrolment agencies. Their actions are not protected.
  • Sikri, J: Central Government appointed UIDAI in the pre-Act era, and all the acts flow from that.
  • Shyam Divan: The notification establishing the UIDAI might protect the actions of the Central Government in entering into the MoU, but doesn’t cover the actions of the registrars.
  • Chandrachud, J: Actions of the registrars are traced back to the MoU.
  • Shyam Divan: Enrollment agencies are not covered even under the MoUs. As for the Registrars, there actions are not the actions of the central government. Therefore, the enrollment prior to the Act are not validated by Section 59. In any case, you cannot have a retrospective validation of a fundamental right violation.
  • Chandrachud, J: Privacy judgment says that there must be a basis in law. Section 59 attempts to provide that by bringing about a legal fiction. It will have to be considered how you deal with data breaches prior to the Act.
  • Shyam Divan: Informed consent is crucial, and you can’t have a retrospective validation saying that there was always consent, prior to the Act. Even if this provision is to be upheld, it should be given the narrowest reasonable construction.

Heads of challenge to the Aadhaar Act as specified and explained by Shyam Divan :

  • Surveillance: 
    • The State is empowered to collect records over the course of an individual’s lifetime. On the basis of aggregation, over time, the State acquires a profile of an individual, a community, a segment of society. The Constitution does not permit a surveillance State.
    • Every electronic device linked to the internet has a unique number. In addition when the device is linked to CIDR, the devices exchange information.The device is assigned a number qua Aadhaar. A specific ID at the first interaction. Thereafter, the transmission will be recognised as emanating from that device.
    • A unique electronic path attaches to each transmission. This identifies the links through which the transmission is done. Each link is identifiable. It is technically possible to track every transaction. It is possible to track the location of every device in real time.
    • Discussion between Chandrachud, J and Shyam Divan:
      • Chandrachud, J: To what extent the Court can go into questions of technical evidence? There is also a distinction between the existence of a mechanism and its abuse. If the distinction between fingerprints on your iPhone and Aadhaar is only if degree. Should the Court second-guess the decision of the executive government, especially when no system in the world is secure?
      • Shyam Divan: These affidavits confirm that there is a complete mapping of the electronic path, which happens in real time, and that you can track the location.
      • Chandrachud, J: Aren’t we accepting Google Maps tracking us, and other private corporations?
      • Shyam Divan: When you are tracked by the State in real time, it is tantamount to a police State. The Constitution does not allow this. Google is not the Indian State, and the issue is one of consent.  Google, powerful though it is, is not as powerful as the State.
      • Chandrachud, J: I should have no objections to the State knowing whether I’m paying my taxes. So there should be a distinction between collecting data and using it. If the use of data is limited to its purpose, then what is the problem with collection. We live in times of terrorism and money laundering and welfare expenditure, and this has to be balanced. Surveillance is about how data is used, not collected.
      • Senior Advocate Kapil Sibal: The problem is of giving the State that kind of information. ‘Big brother’ will have the information. He may use it and you won’t know it. By the time you do, he will become a bigger brother.
      • Shyam Divan: The point of this whole case is to prevent that situation where ‘Big Brother’ is watching.
  • Violation of Privacy: Between 2010 and 2016, there was no law authorising the violation of privacy. Even after the Aadhaar Act, the violation continues. The citizen is compelled to report her activities to the State through the electronic footprint. Even for availing of subsidies, an alternative means of identification should be allowed. In a digital society, an individual has the right to protect herself by maintaining control over personal information
  • Limited Government: Constitution is not about the power of the State but about limits to that power. Aadhaar allows the State to dominate the individual through an architecture that enables profiling, and by the power to cause civil death by deactivating Aadhaar. Instead of the State being transparent to the individual, the individual is made transparent to the State.
  • Aadhaar Act being passed as a Money Bill
  • Violation of Articles 14 and 21 of the Constitution:
    • There is no informed consent. There is no opt-out option. UIDAI has no direct relationship with the collecting agencies. The data collected and stored lacks integrity.
    • Biometrics are untested, and probabilistic. The use of biometrics has led to exclusion from welfare schemes. If biometrics don’t work, then a flesh and blood individual ceases to exist. If your biometrics don’t match, you become a ghost. A citizen in a democratic society has the right and choice to identify herself in a reasonable manner. Mandating a single highly intrusive form of identity is inconsistent with democracy.
    • Authentication records include the time of authentication and the requesting entity. This can be stored for 2 + 5 years. This enables real-time surveillance.
    • Information about the specific details of the CIDR is not in the public domain because of natural security concerns. (Answering Chandrachud, J’s question as to who maintains the CIDR)
    • Private enrollment agencies cannot be entrusted with the crucial task of ensuring informed consent.
    • Definition of “resident” is arbitrary and has no verification magazine.
    • The individual has a right to remain free of monitoring as long as they have not violated any criminal law.
    • On cancellation of Aadhaar, the services will be disabled personally. You can just switch off a person.

The bench will now continue the hearing on 30.01.2018.

Also read the highlights from Day 1, Day 2 and Day 3 of the hearing.

Source: twitter.com/gautambhatia88