The discussions about the development of the right to privacy as a significant Fundamental Right and whether it has been embraced by the government in letter and spirit cannot remain confined to philosophical or juridical evolutions alone. It is necessary to examine the constellation of practical evolutions that surround it. The victory of individual privacy emanating from the Puttaswamy judgement cannot be overemphasised. Any formal or legal recognition of a particular phenomenon does not guarantee that it will find adequate manifestation in societal or political spaces in the short term. Similarly, though the judiciary’s interpretation of Article 21 as containing the right to privacy is a progressive development, the mere recognition of the same is not a cure-all. Privacy is a deeply contested concept, becoming more complicated when juxtaposed against the concerns of transnational crime and national security. It remains to be seen how the interpretations of the Puttaswamy verdict have affected legislative and executive action. This will allow better comprehension of efforts to balance privacy and individual liberty against surveillance and national security.
The purpose of this article is to understand privacy as an emerging issue in contemporary Indian society through an analysis of its evolution. It is divided into two parts. In Part I, it summarised the legislative and judicial precedents set by the courts after independence. It also examined the Aadhaar controversy leading to the confirmation of the right to privacy as a Fundamental Right under the Constitution. In Part II, it will explore the related developments of the Srikrishna Committee Report and the Personal Data Protection Bill. Finally, it will explore the recent controversies related to the Pegasus project revelations.
Aadhaar and related developments
Though the constitutionality of the Aadhaar scheme was upheld, the Supreme Court also expressed apprehension about the risks involved in rendering personal citizen data available to private entities and service providers. Justice Chandrachud expressed his discomfort with the potential of personal information being transformed into commercial information for private service providers, having dire consequences for individual privacy and security. The Court directed the government to institute a “robust mechanism” for data protection and to mitigate data breach risks. In response, the government constituted a committee of experts under the leadership of former Supreme Court Justice BN Srikrishna to identify key issues in this regard and relay recommendations. On 27th July 2018, the Srikrishna Committee presented its report entitled A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians, accompanied by a draft Data Protection Bill, to the Ministry of Electronics and Information Technology. The committee recommended that the processing (collection, recording, analysis, and disclosure) of personal data could only be conducted for “clear, specific, and lawful” purposes, or if it is deemed necessary for any function of the Parliament or state legislatures – such as the provision of services or the issuance of licenses. It suggested that ‘data principals’ (individuals whose personal data is being processed) be secured the ‘right to be forgotten’ – empowering them to restrict or prevent any display of personal data once the purpose for processing has been terminated or once consent is withdrawn. Data principals would also be allowed the right to confirm the details of the information held or disclosed and correct all errors if necessary. The imperative of obtaining explicit consent and clear comprehension of purposes to process “sensitive personal data” – passwords, financial data, biometric data, sexual orientation, caste, or religion – was also emphasised.
The committee also advised the strengthening of institutional mechanisms to protect against the transnational nature of data insecurity threats and the accompanying regulatory challenges, indicating that (i) personal data be localised and stored only on servers located within India, subjecting foreign data transfers to model contract clause safeguards, and mandating that critical personal data only be stored on national servers; and (ii) a Data Protection Authority be instituted to “protect the interests of data principals, prevent misappropriation of personal data, and ensure compliance with the safeguards and obligations under the data protection framework by data fiduciaries” – corporations, governments, or any other entity processing personal data. These bodies would be supervised under the Authority’s Codes of Practice, which would mandate that they conduct regular audits and institute a data protection officer and a grievance redressal mechanism. The Authority would also be empowered to inquire into any possible violations of the data protection regime and penalise any data fiduciaries for the same. The committee recommended that the Aadhaar Act (2016) be amended to safeguard the autonomy of the UIDAI and reinforce data protection through the offline verification of Aadhaar numbers and additional civil and criminal penalties, though the ability to file complaints would be reserved to UIDAI alone. It also suggested that Section 8(1)(j) of the Right to Information Act (2005) pertaining to the disclosure of personal information in the larger public interest be amended. Section 8(1)(j) does not originally obligate the disclosure of personal information not related to “public activity or interest” or violative of the right to privacy, but the amendment would seek to strike a balance between the public interest imperative of accessing any personal information and the harm incurred by the data principal in doing so.
The Personal Data Protection Bill, 2019, was introduced in the Lok Sabha on 11th December 2019 by the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad, seeking to implement some of the provisions of the draft Personal Data Protection Bill, 2018 submitted by the Srikrishna Committee. The Bill aimed to protect individuals’ privacy in relation to their personal data by detailing its flow and use; to establish a trust relationship between data principals and data fiduciaries and protect the Fundamental Rights of the former; and to establish a framework for organisational and technical measures in data processing, and for norms for social media intermediaries, cross-border transfer, accountability of data fiduciaries, and penalisation mechanisms for unsanctioned and harmful processing – through the establishment of a Data Protection Authority of India. The Bill applied to personal data – pertaining to characteristics and attributes that may identify an individual – processed by all data fiduciaries processing the personal data of Indian citizens, including the government and private companies, both domestic and foreign. It upheld the definitions and provisions of ‘sensitive data’ and its international transfer outlined by the Srikrishna Committee Report and enhanced the recommendations of the same regarding the obligations of the data fiduciaries, mandating that they implement transparency and accountability measures such as security safeguards (data encryption and prevention of data misappropriation), grievance redressal mechanisms, and age-verification and parental consent mechanisms for processing personal data of children. It also augmented the Report’s recommendations about the rights available to data principals, including the right to transfer data to any other fiduciary in certain circumstances.
Though the Bill only allows for the processing of personal data if the consent of the principal is obtained, it specifies that consent may not be required if the State seeks to provide benefits to the individual, if the data is necessary for legal proceedings, or to respond to a medical emergency. It also allows the central government to exempt any of its agencies or departments from the provisions of the Act for a swathe of reasons – in the interest of the security of the State, public order, sovereignty and integrity of India and friendly relations with foreign States, or for preventing incitement to the commission of any cognisable offence relating to these matters; it also exempts the processing of personal data from the provisions of the Bill if it is necessary for the prevention, investigation, or prosecution of any offence, or for personal, domestic, or journalistic purposes. It does state that such processing requires a “specific, clear, and lawful purpose” and “certain” security safeguards but does not specify what they are. It defines the responsibilities of social media intermediaries enabling online interaction and information-sharing between users and possessing users above a certain threshold, impacting electoral democracy and public order – obligating the provision of a voluntary user verification mechanism for users in India. The Bill establishes a Data Protection Authority (DPA) for these purposes, specifies its organisational framework consisting of a chairperson and six members with at least ten years’ expertise in the field of data protection and information technology, and allows its orders to be appealed to an Appellate Tribunal answerable to the Supreme Court.
It specifies the offences and penalties for processing data in violation of the Bill (punishable with a fine of ₹15 crore or 4% of the annual turnover of the fiduciary), failing to conduct a data audit (punishable with a fine of ₹5 crore or 2% of the annual turnover of the fiduciary), and re-identifying and processing de-identified personal data without consent (punishable with fine or imprisonment up to three years, or both). It also contains additional provisions relating to the amendment of the Information Technology Act, 2000 and the sharing of non-personal and anonymised personal data with the government. The Bill, however, was harshly criticised by Justice Srikrishna as possessing the capacity to render India an “Orwellian State.” The wide exemptions allowed to government agencies would allow them to access personal data without consent on a variety of grounds – not just national security as the committee had recommended – with concerning implications for individual liberty and privacy.
The Bill was swiftly referred to a Joint Parliamentary Committee (JPC) instituted in December 2019, headed by Member of Parliament Meenakshi Lekhi, and comprised of various industry and regulatory stakeholders, including the Ministry of Electronics and Information Technology, Reserve Bank of India, Securities and Exchange Board of India, National Payments Corporation of India, Income Tax department, UIDAI, National Association of Software and Service Companies, large social media players, and law firms. Though the committee originally intended to submit its report before the Budget Session of 2020, it sought more time to achieve its objective of comprehending how personal data is processed in real time and how data protection safeguards may be implemented to prevent data leakages, finally submitting its report and the new draft bill on 16th December 2021. The revised bill provides for specific timelines for the implementation of its provisions, limiting it to twenty-four months, and recommends that the data protection authority commences its work within six months, registration of data fiduciaries is done within nine months, and the appellate tribunal begins its work within twelve months. It also expands the scope of the bill, renaming it the Data Protection Bill to encompass both personal and non-personal data as it has proven “impossible to distinguish” between them when mass data is collected or processed. It also balances the interests of the data principal and the data fiduciary by allowing the processing of non-sensitive personal data without consent when such “processing is necessary or can reasonably be expected by the data principal”, and there is a legitimate and reasonable interest in doing so. It obligates that data fiduciaries exclusively handling children’s data register with the DPA and inform the child three months before the age of majority, allowing them to decide whether to reoffer consent.
It expands the rights of data principals by enabling the nomination of a legal heir or representative to handle their data in case of death or casualty and disallows the denial of data portability on any grounds other than technical feasibility. It establishes harsher requirements for the reporting of breaches of non-personal and personal data, limiting the timeline for notification to the DPA to within seventy-two hours of first knowledge, and empowering the DPA to direct data fiduciaries to adopt urgent measures to mitigate or remedy the breach or harm caused to the data principal. It seeks to treat all social media platforms that are not intermediaries as publishers and institute a media regulatory authority to ensure accountability for the content hosted by third parties and obligate the setting up of offices in India. This is an alteration of the Information Technology Act 2000 (amended in 2008) and subsequent regulations around intermediaries, which protected intermediaries from liability for content posted by third parties. The Bill clarifies that a Data Protection Officer (DPO) must be a senior-level state officer or an individual in a key managerial position in a private company. It refines the requirements for the cross-border transfer of sensitive and critical personal data, necessitating that the DPA consult the government when approving any such contracts or intragroup schemes, disallowing its approval if it contradicts state or public policy, and prohibiting that it be shared with any foreign government or agency without government approval. It requires that the composition of the DPA be inclusive, robust, and independent and be comprised of six members – experts in legal, technical, and academic fields as well as secretary-level officials, and independent experts identified by the government from data protection, information technology, data management, data sciences, and data security services.
It requires that the Attorney-General, a director from the Indian Institute of Management and one from the Indian Institute of Technology be members of the body. The Bill also extends the previous draft by providing for the institution of dedicated laboratories and certification standards to formally guarantee the integrity, trustworthiness, and security of hardware and software for all digital devices, empowering the DPA to penalise manufacturers that do not meet these standards. It recommends the creation of a privacy-centric indigenous financial system as an alternative to the Society for Worldwide Interbank Financial Telecommunication to bolster the domestic digital economy and usage and secure the privacy of financial transactions. The Internet and Mobile Association of India (IAMAI) strongly condemned the JPC’s report and draft bill as being “out of sync with India taking the leadership position in the Techade” – the ten-year period beginning in 2020 that will define the interrelation between technology and the Indian economy, as defined by NASSCOM – and stressed that the Bill had moved away from its original intention of protecting the privacy of personal data to generic data protection, and from holistic data privacy to merely digital privacy. It criticised the data localisation obligations and restrictions on cross-border data transfers as causing higher compliance costs for companies and creating restrictions to the growth of Indian start-ups and the access of Indian consumers to a “truly global internet.” The most scathing critique was that the regulation of intermediaries as publishers would gravely limit free speech on social media platforms – so essential to democracy – and “pose a risk to the digital ecosystem.” It remains to be seen, therefore, how the Bill would reconcile the imperatives of national security and government interest with those of industry interests, citizen rights, and transparency.
Pegasus is spyware or hacking software designed by the Israeli company NSO Group that is developed, publicised, and licensed to governments around the world. Its capacity to infect phones running on iOS or Android operating systems was first discovered in 2016, when it utilised spear-phishing through alarming texts or emails to prompt targets to click on malicious links. Its capabilities have evolved since then, however, and Pegasus infections can now be achieved through ‘zero-click’ attacks – where no interaction with the phone’s owner is required – exploiting ‘zero-day’ vulnerabilities, that is, flaws and bugs in the operating system unknown to the phone’s manufacturer. WhatsApp announced in 2019 that the software had been utilised to transmit malware into more than fourteen hundred phones and stressed that it could be successful simply by placing a call to a target device, even if the target does not answer. Pegasus may also be installed over wireless transceivers near the target, if the target’s phone is stolen, or by exploiting several other undiscovered vulnerabilities that render prevention and identification difficult even for cybersecurity experts. Once installed in a phone, Pegasus can harvest any information or extract any file – SMSs, emails, WhatsApp chats, photos and videos, GPS data, calendar, contact books – activate the camera or microphone, record calls, and transform the phone into a spying device. Essentially, if the Pegasus software infects a phone, every aspect of an individual’s privacy and personal data is wholly compromised.
As it became evident in 2021 that the Pegasus spyware had been used against numerous ministers, opposition leaders, political tacticians, journalists, activists, minority leaders, Supreme Court judges, religious leaders, Election Commissioners, and heads of the Central Bureau of Investigation, seventeen media organisations undertook a collaborative investigative journalism initiative termed the Pegasus Project. The reports indicated that around three hundred Indian numbers were targeted (with the presence of the spyware confirmed) – including those belonging to Rahul Gandhi, Prashant Kishor, Ashok Lavasa, Abhishek Banerjee, Siddharth Varadarajan, Umar Khalid, and the female employee who had accused former Chief Justice of India Ranjan Gogoi of sexual harassment. The Campaign for Judicial Accountability and Reforms, the Press Club of India, and the Editors Guild of India condemned this extensive intrusive surveillance into the personal devices of important democratic representatives, media, and judicial personages as flagrantly violative of the right to privacy and the independence of the judiciary, and indicative of an improper collusion between the national executive and legislature and a foreign agency. These bodies as well as several individuals – including senior journalists N Ram and Sashi Kumar; Rajya Sabha MP John Brittas; Supreme Court lawyer ML Sharma; and journalists like Paranjoy Guha Thakurta, SNM Abdi, Prem Shankar Jha, Rupesh Kumar Singh, and Ipsa Shataksi – filed numerous writ petitions in the Supreme Court seeking an independent and monitored enquiry into the matter (based on the recognition of the Fundamental Right to privacy under the Puttaswamy verdict).
This was especially so as the government did not categorically deny the usage of the software and instead reiterated that each case of interception, monitoring and decryption is approved by the Union Home Secretary, supervised by a review committee headed by the Union Cabinet Secretary, and conducted under the due process of law. On 27th October 2021, the Supreme Court bench comprising Chief Justice NV Ramana and Justices Surya Kant and Hima Kohli appointed a three-member expert technical committee headed by former Supreme Court justice RV Raveendran – comprised of Naveen Kumar Chaudhary, Prabaharan P, and Ashwin Anil Gumaste – to analyse the “chilling” snooping allegations. It specified that it had refused the Centre’s offer to constitute an expert committee to do the same because “such a course of action would violate the settled judicial principle against bias, i.e., that ‘justice must not only be done but also be seen to be done’”. The Court emphasised that the right to privacy must be balanced against contemporary technological developments and national security. Individual privacy could be violated by the State only if “absolutely necessary” to protect national security, but the necessity must be proportional, and the surveillance must occur with “sufficient statutory safeguards, by following the procedure established by law under the Constitution.” It declared that “mere invocations of national security” would not silence the Court. Given the refusal of the Centre to file a detailed affidavit in the matter, responding instead with an “omnibus and vague denial”, the submissions of the petitioners would be accepted prima facie, and the committee would enquire, investigate, and determine whether indiscriminate violations of the citizens’ right to privacy by the central or state governments or any other agency had occurred.
In every democratic society, if the “reasonable expectation of privacy” assumed by all citizens was thus infringed, it would result in “self-censorship” deeply injurious to their civil rights. Cybersecurity expert Anand Venkatanarayanan appeared before the Raveendran Committee and confirmed that Siddharth Varadarajan’s and Sushant Singh’s phones were indeed infected and that there were “enough indicators that the Indian state had bought Pegasus.” The Committee recorded several statements of experts like Sashi Menon, Sandeep Shukla, N Ram, Siddharth Varadarajan, and MP John Brittas and published two public notices on 2nd January 2022 and 3rd January 2022 requesting that individuals submit their phones or data which Pegasus seemingly infected. The committee has so far met with partial success as individuals have been reluctant to submit their phones to the court, fearing the possibility of a data breach of their personally identifiable information. On 8th February 2022, a special National Investigation Agency Court allowed the submission of the phone numbers of the seven accused in the Elgar Parishad-Maoist case to the committee.
In early 2022, the New York Times (NYT) reported after a yearlong investigation that the “Indian intelligence service” had purchased Pegasus from NSO for “dozens of millions of dollars” – a deal finalised in 2017, during Prime Minister Narendra Modi’s visit to Israel to meet then-Israeli Prime Minister Benjamin Netanyahu – though it was unclear whether it denoted the Intelligence Bureau (IB) or the Research and Analysis Wing (R&AW), or any other agency reporting to the National Security Council Secretariat (NSCS). According to NYT’s Ronen Bergman, the contract had been cleared by the Israeli Ministry of Defence based on the guarantees that the Indian government would only utilise it for itself, seek prior permission to share it with any other body, and employ its surveillance against terrorism and organised crime. NSO engineers would travel to India to install it and liaise with Israel’s intelligence agency Mossad in the process. Even though Bergman could offer no evidence for these claims, and the Government of India’s official response was that there was “no factual basis” for these reports intended to foment an “international conspiracy” to “malign the Indian democracy and its institutions”, citizen groups and journalists in India expressed concerns exacerbated by the secrecy in the functioning of the NSCS, IB and the R&AW – exempt from the provisions of the Right to Information Act, Parliamentary scrutiny, and financial audits of the Comptroller and Auditor General. The Supreme Court recently deferred the hearing of petitions on the controversy till 25th February 2022, where it would also discuss the interim report of the Raveendran Committee.
The development of the right to privacy in India has been multifaceted, and though its recognition as a Fundamental Right was a significant victory for the civil liberties of citizens, controversies like the Pegasus spyware have exacerbated concerns about whether the right would be recognised only in letter or also in spirit.
- Bergman, R., & Mazzetti, M. (2022, January 28). The Battle for the World’s Most Powerful Cyberweapon. The New York Times.
- BL Mumbai Bureau. (2022, February 24). Data protection bill: Parliamentary panel’s proposals could hit India’s tech leadership aspirations, says Internet body. Business Line.
- Dhavate, N., & Mohapatra, R. (2022). A look at proposed changes to India’s (Personal) Data Protection Bill. Portsmouth: The International Association of Privacy Professionals. Retrieved from The International Association of Privacy Professionals.
- Haidar, S., & Singh, V. (2022, February 2). ‘Indian intelligence service’ bought Pegasus from Israel, coordinated with Mossad: NYT reporter. The Hindu.
- Pegg, D., & Cutler, S. (2021, July 18). What is Pegasus spyware and how does it hack phones? The Guardian.
- Press Trust of India. (2021, October 27). Pegasus spyware case: SC appoints 3-member committee to inquire into alleged snooping controversy. The Times of India.
- Rajagopal, K. (2017, July 29). The lowdown on the right to privacy. The Hindu.
- Rajagopal, K. (2021, October 27). Pegasus case | No absolute power for state to snoop into ‘sacred private space’ of individuals, says Supreme Court. The Hindu.
- Sircar, S., & Sachdev, V. (2018, July 27). Key Highlights From Srikrishna Committee Report on Data Protection. The Quint.
- Srivas, A., & Agarwal, K. (2021, July 18). Snoop List Has 40 Indian Journalists, Forensic Tests Confirm Presence of Pegasus Spyware on Some. The Wire.
- Tarafder, A., & Basu, A. (2017, August 25). For the Many and the Few: What a Fundamental Right to Privacy Means for India. The Wire.
- Thapa, S. (2021). The Evolution of Right to Privacy in India. International Journal of Humanities and Social Science Invention, 53-58.