A student-run group at NALSAR University of Law
[Ed Note : The following post, the third post in the series of posts containing comments to the Report and Draft Bill, 2018 published on the MeitY website, has been authored and compiled by students of NALSAR University of Law. This post contains comments on the enforcement mechanism of the Draft Bill, 2018.
The first post in the series an be found here. Keep watching this space for more posts!]
[Ed Note : The following post, the second post in the series of posts containing comments to the Report and Draft Bill, 2018 published on the MeitY website, has been authored and compiled by students of NALSAR University of Law. This post contains comments on the Report and Draft bill in relation to the AADHAR issue.
The first post in the series can be found here. Keep watching this space for more posts in the series!]
[Ed Note : The following series of posts contain comments on the Srikrishna Committee Report and the Draft Data Protection Bill, 2018 made and compiled by students from NALSAR University of Law -Ankush Rai, Ashwin Murthy, Arvind Pennathur, Namratha Murugesan, Priyamvadha Shivaji, Shweta Rao, Sriram Kashyap, Vishal Rakhecha and Tanvi Apte. The comments have been uploaded on the Ministry of Electronics and Information Technology (MeitY) website.
The present post deals with comments made in relation to four issues that arise in relation to the Report and Draft Bill – a) vagueness, b) government interference, c) the data protection authority and d) surveillance.
[Ed Note : The following press note has been authored by Shweta Rao and Arvind Pennathur from NALSAR University of Law. Do watch this space for more details on the symposium!]
On the 9th of September NALSAR University of Law’s Tech Law Forum conducted its first ever symposium with packed panels discussing a variety of issues under the broad theme of the Right to Privacy. This symposium took place against the backdrop of the recent draft Data Protection Bill and Report released by the Srikrishna Committee.
First Define ‘Privacy’
The problem with the nine-judge ruling is that after proclaiming privacy as a fundamental right, it has not defined what is privacy. It is now left to all adjudicators to give multiple interpretations in order to understand the term, writes Shailesh Gandhi.
The judgment of the nine-judge bench of the Supreme Court on privacy has been hailed with much enthusiasm. The right to privacy question was referred to this bench after a clutch of petitions challenging the Aadhaar Act came up before a five-judge bench. This article is an attempt to look at the consequences of the privacy ruling.
All laws and institutions in India are expected to be guided by the Constitution. To ensure that the Constitution can take changing circumstances into account Parliament has been given the authority to amend it in Article 368. The constituent assembly in its initial drafts had considered making the right to privacy a fundamental right. However, after extensive discussion, a conscious decision was taken not to do so.
An eight-judge bench of the Supreme Court had clearly come to the conclusion that the right to privacy is not a fundamental right (M P Sharma vs Satish Chandra) DM Delhi)2 in 1954. At that time, most of the members of the constituent assembly were also around, and there does not appear to have been any significant dissent with this decision. Thus it appears that the clear and conscious decision of the Constitution makers and all the Supreme Court judges (since that bench comprised all of them) was that privacy was not a fundamental right. The Supreme Court has the authority to interpret the Constitution and the law, but the authority to amend both clearly lies only with Parliament. It is worth contemplating whether a bench with about 33% strength should consider superseding an earlier judgment given by one of 100% strength. Besides, the 1954 judgment appears to be in consonance with the deliberations of the constituent assembly.
In the current judgment the apex court has recorded on page 204 at para 144:
On 17 March 1947, K M Munshi submitted Draft articles on the fundamental rights and duties of citizens to the Sub-committee on fundamental rights. Among the rights of freedom proposed in clause 5 were the following
…(f) the right to the inviolability of his home
(g) the right to the secrecy of his correspondence,
(h) the right to maintain his person secure by the law of the Union from exploitation in any manner contrary to law or public authority…”.
At para 148 on page 207 the apex court comes to the conclusion that
This discussion would indicate that there was a debate during the course of the drafting of the Constitution on the proposal to guarantee to every citizen the right to secrecy of correspondence in clause 9(d) and the protection to be secure against unreasonable searches and seizures in their persons houses, papers and assets. The objection to clause 9(d) was set out in the note of dissent of Sir Alladi Krishnaswamy Iyer and it was his view that the guarantee of secrecy of correspondence may lead to every private correspondence becoming a state paper……. The clause protecting the secrecy of correspondence was thus dropped on the ground that it would a serious impediment in prosecutions while the protection against unreasonable searches and seizures constitute was deleted on the ground that there were provisions in the Code of Criminal Procedure, 1898 covering the area. The debates of the Constituent Assembly indicate that the proposed inclusion (which was eventually dropped) was in two specific areas namely correspondence and searches and seizures. From this, it cannot be concluded that the Constituent Assembly had expressly resolved to reject the notion of the right to privacy as an integral element of the liberty and freedoms guaranteed by the fundamental rights.
I am not able to see this conclusion flowing from Munshi’s draft which has been recorded at para144. The draft which has been quoted appears to prove that the constituent assembly took a conscious decision not to accord privacy the status of a fundamental right, and this was confirmed by the Supreme Court bench in 1954.
It is true that the Constitution has to evolve with changes in the world, international covenants and changing realities and expectations of the people. But it has clearly defined the roles of the three estates, and the legislative function has been given to Parliament, which draws its legitimacy directly from the citizens who elect its members. Just as a percentage of members is specified for a constitutional amendment in Parliament, should not a percentage of judges of the Supreme Court be required to overturn an earlier ruling of this nature? There may be serious implications in future of such a transfer of powers.
What is Privacy?
It is evident that privacy is built into the common law in various ways. The real problem with the nine judge judgment is that after proclaiming privacy as a fundamental right, it has not defined what is privacy. It is now left to all adjudicators to give multiple interpretations to understand the term. Earlier in R Rajagopal vs State of TN3 the Supreme Court had given a broad definition of privacy and its domain where it stated that:
The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a “right to be let alone”.
A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters. The Court could have defined this in a more precise way and then allowed some matters to be adjudicated. It must be appreciated that the right to privacy has a certain tension with Article 19 (1) (a) of the Constitution which guarantees that “All citizens shall have the right to freedom of speech and expression.”
From this is drawn the freedom to publish and the right to information (RTI). What can be published in matters relating to citizens in the media is the same as information from public records which can be given in the right to information. The reasonable restrictions on the exercise of this are given in Article 19 (2) and can only be “in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence.” Which of these will apply to privacy? In most cases restrictions in the interest of “decency and morality” would have to be invoked for restricting publication or information in RTI in matters relating to privacy. The RTI Act also bars such information from being given under Section 8 (1) ( j) which exempts information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: Provided that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.”
Parliament had laid down a simple acid test to determine which personal information should be denied under the RTI. If such information would assault “decency or morality” it would violate privacy and should not be given to Parliament also. Thus the R Rajagopal judgement and the RTI Act both are in consonance with Article 19 (2) of the Constitution. It would have been good if the Supreme Court had reiterated this or expanded it. Presently some of the information that is often denied under the RTI under Section 8 (1) (j) is as follows:
iii) Educational, caste, income certificates of people: There are instances where RTI has uncovered fake education certificates even of doctors working in government hospitals.
vii) Income Tax returns: It is a fact that the affidavits of politicians who stand for elections are never verified with their IT returns. These are not given in RTI also.
Misinterpretation of RTI
In some instances when such information has been disclosed it has led to the exposure of corruption. One of the objectives of the RTI (stated in its preamble) is to curb corruption. Because of the varied positions taken by the public information officers (PIO), information commissioners and Courts, the law is grossly misinterpreted. In fact, many state governments have issued directives to all the PIOs not to disclose information about public servants. With this decision of declaring privacy as a fundamental right without making any attempt to judicially define it, many wrong deeds will thus get protection. We must also understand that the same constraints will apply to the freedom to publish. If giving information about some matters is intrusion into privacy, then publication of it also cannot be permitted.
There are many more cases in which personal information is disclosed by some PIOs and denied by others on the basis of it being an invasion of privacy. All personal information does not constitute privacy. One of the most favourite exemptions to deny information is Section 8 (1) (j). In most cases the legal requirement of deciding whether it would be denied to Parliament is not applied. The right to privacy ends where the RTI and the right to publish starts. It is unfortunate that the nine member bench of the Supreme Court decided to proclaim privacy as a fundamental right, but did not take the responsibility of defining its domain. The PIOs, information commissioners and judges are now left to do this job on a “case to case” basis. There should be an attempt to make law as definitive as possible. It is evident that matters relating to a person’s body, home, sexual preferences, religious or political beliefs, should generally be considered as issues relating to privacy. These could be justified by Article 19 (2) which permits reasonable restrictions on the basis of “decency or morality.” However, with respect to a person’s body there have been some divergent opinions. The most easily identifiable part of a person’s body is the face. Can we now argue that taking a person’s photo and disclosing it or publishing it is an invasion of privacy?
Aadhar and Privacy
One of the primary causes for this entire controversy regarding privacy has been the Aadhar card and the requirement for linking it with all other interactions with government. Most of those who read this article are likely to be in favour of the domain and importance of privacy being extended. The personal details taken for Aadhar, which may not be given in many other government records,- are the biometric identification in terms of fingerprints and iris scans. Everyone going out of the country (and a large percentage of readers of this article) give their biometric identity at the emigration counter. Universal requirement of the Aadhar card is likely to reduce benami transactions and ghost names of beneficiaries.
The argument was made before the Supreme Court that privacy is an elitist concern. The Supreme Court disagreed. Citizens have said that all their transactions may be connected with Aadhar. The fact that corruption is one of our major concerns cannot be denied. I guess we must also admit that our governments are unable to really curb this. We have a number of people having multiple PAN cards, floating shell companies, and taking illegal benefit of various welfare schemes and so on. A large number of private companies are registered at the residences of public servants. These actually snatch morsels from the mouths of the disadvantaged. There may be some inconvenience for some people and perhaps some embarrassment. Calling the house a castle and saying privacy is an essential part for a dignified life sounds really good. If this were possible without reducing the scope of the RTI and the freedom to publish it would be fine. There is a possibility that the right to privacy will be at the cost of the right to information. Sometime in the future the freedom to publish may also be curbed.
There are perhaps two competing issues in thinking of the desirability of Aadhar: Concern for privacy and the need to curb corruption and leakages in welfare schemes. Going by the talisman of Gandhiji one should consider which step is likely to benefit the poor. It appears evident to me that having an Aadhar card linked to most government transactions will benefit the poorest in at least getting basic amenities.
Conclusions
It appears that Supreme Court, has, in claiming to interpret the Constitution, read it to claim that a concept discarded by the constituent assembly was meant to be included. In this decision the Supreme Court should have defined privacy and its contours. When deciding on the definition of privacy Article 19 (2) must be kept in mind and the RTI and the freedom to publish must not be curbed beyond what the Constitution permits.
The greater good is likely to be served by having an Aadhar card.
[Ed Note : The following cross – post, authored by Sayan Bhattacharya of NALSAR University of Law, was first posted on the Law School Policy Review. The link to the same can be found here. ]
By leaving essential terms undefined and placing a higher burden to disclose personal information, the amendments proposed by the Srikrishna Committee are defeating the purpose of a right to privacy i.e. to make the state more transparent and the citizen less transparent.
In a post-Snowden world, there has been relatively more awareness and interest in the right to privacy regarding digital communications; and in knowing when the government can snoop-in on personal conversations. A majority of the communications taking place today are digital and involve two crucial processes i.e. encryption and decryption. Encryption (which is conversion of information into a code) happens when a message/call is initiated. At the same time, decryption (conversion of code back into useful information) happens when the message/call is received by the recipient. There are multiple nuances in this process; both in the technological aspect and the legal aspect.
For quite a while now, WhatsApp chat pages show the message – “Messages and chats are now protected with end-to-end encryption.”. The end-to-end encryption or E2EE (first used in program called Pretty Good Privacy, by Phil Zimmermann in 1991) is a form of encryption that makes it improbable if not impossible to intercept a private conversation. Traditionally, there are 3 instances when a conversation can be intercepted – firstly, from the device of the sender before encryption, secondly, when the information code in is transmission and thirdly from the device of the recipient after decryption.
A cashless society is no longer a myth but an impending reality, one of the causes for concern is the issue of privacy which this article deals with.
The idea of a cashless society, i.e., ‘a civilization holding money, but without its most distinctive material representation – cash’, is said to have originated in the late 1960s. The transition to go cashless had been slow and steady, but it is now increasing at a rapid pace this last decade. As technology evolves, the shift from a cash reliant to a cashless society is becoming more apparent. At least in the urban society, using ‘contactless payments’ or ‘non-cash money’ is not unheard of. It has been reported that not only did the first debit card possibly hit the markets in the mid-1960s but that in 1990, debit cards were used in about 300 million transactions, showing the rise of the same in today’s society. Before welcoming this change with open arms, we must take care that we do not ignore the security and privacy concerns, some of which will be addressed in this article.
As we are transitioning from a cash-reliant society to a [quasi] cashless society, there are some fears about phones being hacked or stolen, or reliance placed on devices which require batteries or internet – what if either is not available? However, conversely, our cash or wallets could be stolen, destroyed in a matter of seconds, could be misplaced, etc. The only difference is the medium of transaction.
Fear is a factor which inhibits change, however these fears are usually not unfounded. In the year 2014, Target, the second-largest discount store retailer in the United States was hacked and up to 70 million customers were hit by a data breach. Furthermore, 2 years later, it was reported that roughly 3.2 million debit cards were compromised in India, affecting several banks such as SBI, ICICI, HDFC, etc.
Nevertheless, as earlier pointed out, just as financial details present online can be stolen, so can paper money. With each transaction taking place online, the fears of online fraud are present, however Guri Melby of Liberal (Venstre) party noted, “The opportunity for crime and fraud does not depend on what type of payment methods we have in society.” A mere shift in the means of trade will not eliminate such crimes. It is here that I must clarify that a cashless society could be in various forms and degrees, be it debit/credit cards, NFC payments, digital currencies such as bitcoin or even mobile transactions such as M-Pesa.
Bruce Schneier, cyber security expert and author of best seller, Data and Goliath, notes that the importance of privacy lies in protection from abuse of power. A hegemony of the authorities over our information – details [and means] of our every transaction – provides absolute power to the authorities and thus a much higher scope for abuse. Daniel Solove, further notes that abuse of power by the Government could lead to distortion of data; however, even if we believe the government to be benevolent, we must consider that data breaches and hack could (and do) occur.
Cash brings with it the double-edged sword of an anonymity that digital transactions do not provide. A completely cashless society might seem attractive in that each transaction can be traced and therefore possibly result in reduction of tax evasion or illicit and illegal activities; however, though that crime might cease to exist in that form, it could always evolve and manifest itself in some other form online.
One of the concerns raised in this regard is that the government could indefinitely hold or be in possession of our transaction history. This seems to be an innocent trade-off for the ease and convenience it provides. The issue that arises however, as Domagoj Sajter notes, is that every single citizen has become a potential criminal and a terrorist to the government, worthy of continuous and perpetual monitoring. The citizens become latent culprits whose guilt is implied, only waiting to be recorded and proven. The principle of innocent till proven guilty vanishes in the mind of the government.
Furthermore, a completely cashless society places power with the Government with no checks and balances of the same. Advanced technology could disable funding of mass actions, extensive protests and large-scale civil disobediences, all of which are important traits of democratic processes. It is pertinent to remember that Martin Luther King Jr. was tracked by the FBI. Providing the government with more ease in curtailing democratic processes leads to a more autocratic governance.
Consider the following: an individual finds out that the Government or one of its agencies is committing a crime against humanity, and she reports it to the public. Not only could her personal life be excavated to find faults but any support that she would receive in terms of money (in a cashless society) could possibly be blocked by the Government. Minor faults could be listed and propaganda could be spread to discredit her point or deviate the masses’ attention. By controlling the economy, they could wring the arms of the media and force them to not focus on or to ignore the issues raised by her.
Michael Snyder also raises an important point about erasure of autonomy in a cashless society, “Just imagine a world where you could not buy, sell, get a job or open a bank account without participating in ‘the system’”. It need not start with forcing people to opt-in, simply providing benefits in some form could indirectly give people no choice but to opt-in. The Supreme Court of India has noted multiple times that the Aadhar Card cannot be made compulsory (a biometric identity card). However, the Aadhar card has been made mandatory to avail EPF Pension Schemes, LPG Benefits and even for IIT JEE 2017. The Government of India is even mulling making Aadhaar number mandatory for filing of income tax (I-T) and link all bank accounts to the unique identity number by the end of this financial year. The government is concurrently working on developing a common mobile phone app that can be used by shopkeepers and merchants for receiving Aadhaar-enabled payments, bypassing credit and debit cards and further moving to cashless transactions. The Aadhaar-enabled payment system (AEPS) is a biometric way of making payments, using only the fingerprint linked to Aadhaar. These are all part of the measures taken by the Indian government to brute force the Indian economy into a cashless form.
Policing of the citizen is not a purely hypothetical scenario; it has already taken place in the past. In 2010, a blockade was imposed by Bank of America, VISA, MasterCard and PayPal on WikiLeaks. In 2014, Eden Alexander started a crowdfunding campaign hoping to cover her medical expenses, but later, the campaign was shut down and the payments were frozen; the cause being that she was a porn actress. We must also take into account the empowerment that cash provides; consider an individual saving cash from their alcoholic or abusive spouse, or the individual who stuffs spare notes under her mattress for years because it gives her a sense of autonomy. We should take care that in seeking development, we do not disempower the downtrodden, but lift them up with us.
The idea of a cashless society is no longer strange, with multiple corporations and even countries having expressed their interest in going cashless. Harvard economist and former chief economist of the IMF, Kenneth Rogoff in his Case Against Cash argues that a less-cash society [in contradistinction to a cash-less society] could possibly reduce economic crime, he suggests in the same article that this could be executed by a gradual phasing out of larger notes. A cashless or less-cash society is inevitable. In Sweden, cash transactions made up barely 2% of the value of all payments made. The question thus is not about when [it will happen] but what are the safeguards we set up to protect our rights.
For further reading:
1] Melissa Farmer: Data Security In A Cashless Society
https://www.academia.edu/12799515/Data_Security_In_A_Cashless_Society
2] David Naylor, Matthew K. Mukerjee and Peter Steenkiste: Balancing Accountability and Privacy in the Network
https://www.cs.cmu.edu/~dnaylor/APIP.pdf
3] Who would actually benefit from a Cashless Society?
https://geopolitics.co/2016/01/30/who-would-benefit-from-a-cashless-society/
4] Anne Bouverot: Banking the unbanked: The mobile money revolution
http://edition.cnn.com/2014/11/06/opinion/banking-the-unbanked-mobile-money/index.html
5] Kenneth Rogoff: Costs and benefits to phasing out paper currency
Ed. Note.: This post, by Benjamin Vanlalvena, is a part of the NALSAR Tech Law Forum Editorial Test 2016.
A background of the issue
For the first time since the Investigatory Powers Tribunal’s (IPT) establishment in 2000, a complaint against a UK intelligence agency has been upheld. The IPT, which oversees Britain’s secret agencies, is one of its most secretive and deferential courts. In a judgment last week, the IPT announced that the intelligence-sharing rules between the United States National Security Agency (NSA) and its British equivalent Government Communications Headquarters (GCHQ) governing the exchange of information collected through ‘mass surveillance of internet communications’ were against UK human rights law.
The tribunal ruled that “the regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities … contravened Articles 8 or 10 [of the European Convention of Human Rights]”. Article 8 of the European Convention on Human Rights (ECHR) confers the right to respect for private and family life and Article 10 of the ECHR confers the right to freedom of expression.