THE CURIOUS CASE OF RIGHT TO PRIVACY
“To be left alone is the most precious thing one can ask of the modern world.” -Anthony Burgess
In this paper, the author deals with the curious case of the right to privacy in light of the recent era of digitalization. Privacy in its truest essence means the right to be let alone. Privacy has come a long way from being a mere philosophy to a recognised right in international standards. With the advent of the digital era, every personal affair can be monitored, from telephone calls to cell phone location data. This paper focuses firstly on the right to privacy and the constitutional protection guaranteed under Article 21. Secondly, the author explores the issue of E-surveillance and the relevant provisions under the Information Technology Act and the Indian Telegraph Act. Even though the provisions under the IT Act are supposed to be exhaustive, the position of geospatial information or location remains unclear. The paper investigates the rising misuse of geospatial information by persons and the lack of proper laws to regulate this matter. The absence of law makes the very activity of collecting such information using technological tricks unfair and violative. Thirdly, a comparison is made between US law and Indian law with reference to the Fourth Amendment and the scope of search or seizure under these laws. The anarchic state of affairs leads to the conclusion that India is not properly equipped with laws to protect information privacy, as there are many laws conferring the power to collect digital information on different authorities. The multiplicity of laws leads to a wide distribution of power to authorities. Finally, the paper concludes with suggestions and the potential violation of the right to privacy under the current state of affairs.
Keywords: Information Privacy, E-Surveillance, Information Technology Act, Geospatial Information, Search and Seizure.
Privacy, in its simplest sense, allows each human being to be left alone in a core which is inviolable. The general idea of “private” can be conceptualised as the practices or acts which we want to protect from public scrutiny. From Aristotle to Jeremy Bentham, philosophers of all times identified the existence of a private sphere in an individual’s life. Privacy is not a single right but a group of rights. Despite the historical roots and philosophical backdrop of this concept, there was no systematic discussion of the matter until 1890, when Samuel Warren and Louis Brandeis published their famous essay titled “The Right to Privacy” (Warren and Brandeis, 1890). They wrote that privacy is the “right to be let alone” and focused on protecting individuals. This approach was a response to the technological developments of the time, such as photography, and to sensationalist journalism, also known as “yellow journalism”.
Privacy has come a long way from being a mere philosophy to a recognised right in international standards. Article 12 of the Universal Declaration of Human Rights of 1948 states that no one may be subjected to arbitrary interference with his privacy, family or correspondence. In the high-profile case of Associated Newspapers Limited v His Royal Highness the Prince of Wales, an appeal was made against the judgment in respect of the claim of Prince Charles for breach of confidence and infringement of copyright. The case arose when ‘The Mail on Sunday’ published extracts of a dispatch by the Prince of Wales. The Court held that the information at issue in this case was private information, public disclosure of which constituted an interference with Prince Charles’ Article 8 rights. While Article 8 of the European Convention of Human Rights protects the right to respect for private and family life, home and correspondence, and prohibits intrusion by public authorities without the authority of law and the necessity of national security, public safety or prevention of crime, Article 8 of the Charter of Fundamental Rights of the European Union (CFREU) protects the personal data of a person. The Charter in fact requires the existence of a law under which personal data is collected and requires that the data collected be used only for the purpose for which it was collected. The basic difference between Article 8 of the ECHR and Article 8 of the CFREU is that the former deals with privacy in the private sphere while the latter deals with information privacy.
In India, Article 51 of the Constitution, which forms part of the Directive Principles, requires the State to endeavour to “foster respect for international law and treaty obligations in the dealings of organised peoples with one another”. The Indian courts have recognised that the right to privacy, which is recognised by Article 12 of the Universal Declaration and Article 17 of the ICCPR, has been read into Article 21 “through expansive reading of the right to life and liberty”. The right to privacy is not provided for specifically in the Constitution, but it falls under the wide ambit of the Right to Life and Personal Liberty. In Maneka Gandhi v UOI, the Supreme Court recognised that any law interfering with ‘Personal Liberty’ must satisfy the triple test: (1) the law must prescribe a procedure; (2) the procedure must withstand the test of one or more of the fundamental rights conferred under Article 19 which may be applicable in a given situation; and (3) it must withstand the test of Article 14. Hence, the law and procedure authorizing interference with personal liberty and the right of privacy must also be right, just and fair, and not arbitrary, fanciful or oppressive.
It took years for the Indian judiciary to finally accept and assert that the right to privacy falls within the ambit of Article 21 of the Indian Constitution. In earlier decisions, the courts held that the Indian Constitution did not specifically protect the right to privacy. However, in Justice K.S. Puttaswamy & Anr v Union of India, the Supreme Court not only recognized privacy as a right but also brought it under the purview of Article 21. Although the days of struggle for recognition are over, the right to privacy still remains a common man’s dream. The concept is used to describe rights in the private domain between individuals as well as constitutional rights against the State. The latter is about the extent to which government authorities can intrude into the life of the private citizen to keep watch over his movements through devices such as telephone tapping or surveillance.
Given that the right to privacy is an established right, it is pertinent to note the decision in R v Spencer, which held that privacy in relation to information includes at least three conceptually distinct although overlapping understandings of what privacy is. These are privacy as secrecy, privacy as control and privacy as anonymity. In District Registrar and Collector v Canara Bank, the Supreme Court held, in the context of privacy, that while an intrusion into privacy may be permitted by legislative provisions or by administrative, executive or judicial warrants where sufficient cause is made out, the extent of the intrusion must be limited to what is necessary for the protection of the particular state interest. Anything in excess of what is necessary is violative of Article 21. With the affirmation of the right to privacy as a fundamental right in the latest judgement of Justice K.S. Puttaswamy & Anr v Union of India, the scope of data protection and information privacy can be taken to a whole new level. With advancements in the cyber sphere and the increasing number of online platforms, the personally identifiable information (PII) of persons is threatened to the extent that one has to think twice before entering into such transactions. This very reason calls for a strong data protection regime and a revamping of the current legal provisions available to individuals. The protection of information privacy is predominantly governed by Sections 43 and 72 of the Information Technology Act, 2000.
The origins of global surveillance can be dated back to 1940 after the UKUSA Agreement, collaboratively enacted by the respective governments. In the year 1970, ECHELON was formed. ECHELON is the name given to the international eavesdropping network run by the intelligence agencies of the United States of America, the United Kingdom, Canada, Australia and New Zealand. In 2014, Edward Snowden leaked thousands of intelligence files of the NSA and the Five Eyes Intelligence Alliance, which brought global mass surveillance and government secrecy into the light. The world realised that nothing remains private in this digital world. From telephone calls to location data, everything was collected with the cooperation of European governments and telephone companies. The leaks indicated that several world leaders, diplomats, companies and even individuals were under surveillance. This revelation raised serious questions regarding information privacy and its protection.
E-surveillance is the monitoring of computer or mobile activity and data stored on a hard drive, or data being transferred over computer networks such as the Internet. E-surveillance takes many forms, such as the monitoring of instant messaging apps such as WhatsApp, social networking sites such as Facebook, location-determining apps such as Google Maps, CCTV cameras etc. Several banks are planning to use e-surveillance in ATMs so as to prevent and combat ATM break-ins and other crimes. However, surveillance of information without a person’s knowledge or expectation is a gross violation of his privacy. A person may expect a CCTV camera in an ATM and on roads, but he certainly wouldn’t be expecting one in front of his house! Similarly, no person will be expecting personal chats and location to be monitored by the government. It is pertinent to note that in the wake of the recent Cambridge Analytica data leak scandal, where the social networking giant Facebook has been supplying personal data and information to CA, which in turn was used for analysis for political and commercial purposes, our personal data no longer remains safe in the hands of these private giants. This leaves us in a position where our private information can be monitored both by the government and by private entities.
For years it has been the common man who has fallen prey to surveillance, be it the global surveillance by Prism or Cambridge Analytica. In PUCL v UOI, the Supreme Court held that the right to privacy included the right to hold a telephonic conversation in the privacy of one’s home or office and that telephone tapping, a form of “technological eavesdropping”, infringed the right to privacy. In Malak Singh v State of Punjab, the Supreme Court observed that surveillance of persons who did not fall within the category mentioned under the regulation, or surveillance for reasons unconnected with the prevention of crime, or excessive surveillance, would entitle a citizen to the protection of the court. Hence, excessive surveillance is bad in law.
The author would like to deal with 2 aspects of surveillance: Information and Location.
Section 5 of the Indian Telegraph Act, 1885 requires 2 circumstances under which messages can be intercepted: first, the occurrence of any public emergency or the interest of public safety; second, that it is necessary or expedient to do so in the interests of the sovereignty of India, the security of India, friendly relations with foreign states, public order, or prevention or commission of any offences. The effect of this section is that if neither of the two conditions, i.e., public emergency or public safety, is in existence, the Central or State Government cannot make use of this section even though the second condition is satisfied. Hence, the occurrence of a ‘public emergency’ (interpreted by the Supreme Court in PUCL v UOI as the prevailing of a sudden condition or state of affairs affecting the people at large for immediate action) or ‘public safety’ (a state or condition of freedom from danger or risk for the people at large) is a precondition for the exercise of telephone tapping by the concerned authorities.
After the PUCL v UOI decision, the Information Technology Act 2000 was enacted. Thereafter, the monitoring of internet data has been predominantly governed by the IT Act 2000. The term “Internet data” connotes the core contents of data packets transmitted between the user-end device and the host server, and includes chats, email etc. “Internet meta-data”, on the other hand, signifies particulars of Internet data apart from its core contents. This would include information such as the date and time of transmission, the duration for which data was transmitted and the location from/to which data was transmitted. Section 69 of the IT Act 2000 allows an agency so authorized by the Central or State Government to intercept, monitor or decrypt, or cause to be intercepted, monitored or decrypted, any information generated, transmitted, received or stored in any computer resource, if it is expedient to do so in the interest of:
1. Sovereignty or integrity of India
2. Defence of India
3. Security of State
4. Friendly relations with foreign states
5. Public order
6. Preventing the incitement to the commission of any cognizable offence relating to the above
7. Investigating of any offence.
In consonance with the court’s decision in PUCL v UOI, the Centre has already formulated Rule 419A of the Indian Telegraph Rules 1951, the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009 and the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009, thus satisfying the dictum of a just, fair and reasonable procedure. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 are an important step towards building a legal regime that protects the privacy of individuals whilst enabling the secure collection, use and storage of personal information by state and private entities.
Additionally, Section 69 of the IT Act mandates that any person or intermediary who fails to assist the specified agency with the interception, monitoring, decryption or provision of information stored in a computer resource shall be punished with imprisonment for a term which may extend to seven years and shall be liable to a fine. While the Telegraph Act only allows for interception of messages or a class of messages transmitted by a telegraph, the Information Technology Act enables interception of any information being transmitted or stored in a computer resource. Since a “computer resource” is defined to include a communication device (such as mobile phones and PDAs), there is an overlap between the provisions of the Information Technology Act and the Telegraph Act concerning the interception of information sent through mobile phones.
As to the concerns of E-surveillance, since the right to privacy is a fundamental right under Article 21, any violation of it must be with the authority of a valid law. Any violation of information privacy that does not conform to the standards of Article 14, Article 19 and Article 21 is fanciful and oppressive. Section 69 of the Information Technology Act is couched so as to include anything and everything on the internet. It also punishes any person or intermediary failing to assist the authorities with imprisonment. These provisions mirror the legislative forte built by the government to collect and monitor information.
“In the fall of 2008, a 30-year-old computer expert named Zarrar Shah roamed from outposts in the northern mountains of Pakistan to safe houses near the Arabian Sea, plotting mayhem in Mumbai, India’s commercial gem. Mr. Shah, the technology chief of Lashkar-e-Taiba, the Pakistani terror group, and fellow conspirators used Google Earth to show militants the routes to their targets in the city. He set up an Internet phone system to disguise his location by routing his calls through New Jersey. Shortly before an assault that would kill 166 people, including six Americans, Mr. Shah searched online for a Jewish hostel and two luxury hotels, all sites of the eventual carnage.”
The abovementioned incident is one of the main driving forces behind the Indian Government’s drafting of the Geospatial Information Regulation Bill in 2016. Undoubtedly, the very technology that we use in our daily lives can be misused if it falls into the wrong hands. The Mumbai Terror Attack is one of the deadliest terrorist attacks the world has ever seen, and it was carried out with the help of Google Maps, an application that analyses geospatial information.
Geospatial information, also known as location information, is information describing the location and names of features beneath, on or above the earth’s surface. Although geospatial computing was traditionally done primarily on personal computers, with the advancement of digital technology mobile devices too have started living up to its demands. Mobile geospatial computing technology uses Geospatial Navigation Satellite System (GNSS) receivers and barometric pressure sensors to capture and process geospatial information in the field. Geospatial computing applications such as Google Maps and the Global Positioning System (GPS) are the most common systems utilised by mobile devices. Such applications, if used by the government or a private entity without the consent or knowledge of the person, are a huge violation of one’s privacy.
The doctrine of reasonable expectation of privacy, founded in American jurisprudence, concerns the reasonable expectation of privacy that an individual seeks in a certain location or situation. In the case of United States v Jones, Mr. Jones’ location was obtained and monitored for 28 days via the Global Positioning System (GPS) by the investigation agencies. The court went on to state that “…GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations. Disclosed in GPS data… will be trips the indisputably private nature of which takes little imagination to conjure: trips to the psychiatrist, the plastic surgeon, the abortion clinic, the AIDS treatment centre etc. The Government can store such records and efficiently mine them for information years into the future…” The Supreme Court of the United States held that the investigating agency invaded the privacy of Jones by breaching his reasonable expectation of privacy without his knowledge.
In fact, the majority of mobile users are unaware of the Google Location History feature. Google uses Google Maps and other Google apps to constantly track the user. It would not be surprising to say that one is tracked from the time one logs in to Google services. It creates a minute-by-minute map of one’s movements. Prolonged surveillance reveals types of information not revealed by short-term surveillance, such as what a person does repeatedly, what he does not do, and what he does ensemble. These types of information can each reveal more about a person than does any individual trip viewed in isolation.
As far as the law in India is concerned, Section 69 of the IT Act 2000 gives wide powers to the Government to monitor, intercept or decrypt Internet data, which in short includes everything. However, the law is silent about geospatial information such as location and maps. It is pertinent to note that location does not fall under the category of Internet data either, and thus Section 69 is not applicable. Even if “location” falls under “Internet Traffic Data”, Section 69B of the IT Act, which deals with the monitoring and collecting of Internet Traffic Data, is only for enhancing cyber security and tackling computer contaminants. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 provide rules to protect the sensitive personal data or information of persons by casting an obligation upon the body corporate that collects such information. However, upon a plain reading of Section 3, sensitive personal information pertains to passwords, medical records or history, physical, physiological and mental health condition, sexual orientation, financial information such as bank account or debit card details, any detail relating to the above clauses provided to the body corporate for providing a service, and any information received, stored or processed by the body corporate pertaining to the above-mentioned information through a lawful contract. Terms such as Information and Data have the same meaning as under Section 2 (1) of the Information Technology Act, 2000, thereby creating doubts as to whether location falls under sensitive personal information. As the Information Technology Act is itself ambiguous as to the position of geospatial information, the Rules exhibit the same lacuna. Undoubtedly, the location of a person is among the most sensitive and personal information, and its exclusion from the purview of sensitive information leaves a person exposed to surveillance.
Thus, there is no law as per Article 21 to govern the surveillance of geospatial information, and the nonexistence of a law with respect to it makes such surveillance illegal. Furthermore, private entities are able to access, store and even use the location of people connected to the internet. Personal data has been accessed with neither the consent nor the knowledge of the user, and it is being used for commercial purposes. This is a gross violation of privacy, as location is not merely a piece of information but also provides a leeway into one’s personal life. As mentioned by Justice Sonia Sotomayor in United States v Antonio Jones, physical intrusion is now unnecessary to many forms of surveillance.
It is expected that with the passing of the Geospatial Information Regulation Draft Bill 2016 there will be regulation of such issues. The Draft Bill, however, states that its main objective is to regulate the acquisition, dissemination, publication and distribution of geospatial information of India which is likely to affect the security, sovereignty and integrity of India, and matters connected therewith or incidental thereto. From a plain reading of the draft bill it is clear that the bill is not at all concerned with privacy, nor has it made any attempt to incorporate the eight principles of national privacy recommended by the Justice A P Shah committee in the Report of the Group of Experts on Privacy in 2012.
3. SEARCH AND SEIZURE
The word “privacy” is never really used in the US Constitution. This right stems from the First Amendment’s right to freely assemble, the Fourth Amendment’s right to be free of unwarranted search or seizure and the Fourteenth Amendment’s due process right, recognised by the Supreme Court as protecting a general right to privacy within family, marriage, motherhood, procreation and child-rearing. Similarly, the Indian Constitution too does not use the word “privacy”, and the right to privacy stems from a broader right known as the Right to Life. It is ironic to note that though the Indian right to privacy is founded upon the vast right to life, it is very limited compared to its US counterpart.
The third-party doctrine was established in the United States by United States v Miller. The doctrine states that once information is voluntarily shared with a third party, the person cannot have a “reasonable expectation of privacy” over such information. This doctrine helped the Government to collect, monitor and use information from banks, cell phone providers etc. without a warrant issued to such persons. However, in the recent case Carpenter v United States, the Supreme Court upheld the rights conferred under the Fourth Amendment and held that a warrantless search is an infringement of a citizen’s right to privacy. The majority of the Court rejected the Government’s argument based upon the third-party doctrine and United States v Knotts, and held that the doctrine cannot be applied to cell phone technology, as the personal information is not limited to a particular piece of information as with a landline connection.
The Fourth Amendment armed the US courts to deal with instances of E-surveillance, information privacy and locational privacy. The Supreme Court of India, in Directorate of Revenue v Mohd. Nisar Holia, examined the right to privacy in the context of the powers of search and seizure under the Narcotic Drugs and Psychotropic Substances Act, 1985. The court held that although a hotel is a public place, a hotel room occupied by a guest is not. The guest is entitled to the privacy of his room, and an untrammelled authority to make searches and seizures of a person at all hours and in all places was held to be ultra vires. The right to privacy is about persons and not places. So even in a public place, a person cannot be said to have altogether lost the right to privacy. This decision in reality runs against the third-party doctrine and in consonance with the US position.
The difference lies in the fact that Section 69 of the Information Technology Act 2000 includes the ground of investigating any offence, on which the appropriate authority can monitor, control or decrypt information, while US law requires a “Warrant” as this constitutes a search or seizure. The major difference lies in the fact that US law requires a “Warrant” because an individual has a separate right under the Fourth Amendment, which is absent in Indian law. Furthermore, the Code of Criminal Procedure 1908 deals with the aspects of search and seizure along with several other rules. A separate policy is required for digital evidence and for the search or seizure of digital devices such as cell phones and laptops, or even the monitoring of location by attaching a Global Positioning System (GPS) device without the knowledge of persons. The Information Technology Act 2000 lays down provisions for the investigation of certain crimes and requires the search to be made upon an order by a competent authority, i.e., under Sections 69 and 69B, the Secretary to the Department of Information Technology. However, the same access from intermediaries is extended to any agency or person lawfully authorised for investigative, protective, cyber security or intelligence activity upon a written order under Rule 3(9) of the Information Technology (Due diligence observed by Intermediaries guidelines) Rules 2011. It is not surprising to find that this power is again granted to any government agency, for the prevention, detection, investigation, prosecution and punishment of offences, to obtain personal data from an intermediate “body corporate” which stores data, under Rule 6 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. There is also a higher danger of surveillance, as information can be collected by any agency or person who is lawfully authorised to any government agency on the grounds of investigation, protection etc.
The multiplicity of laws leads to a wide distribution of power to authorities, as there are many laws conferring the power to collect digital information or devices on different authorities. E-surveillance can easily be set up on persons. The Code of Criminal Procedure dispenses with the warrant requirement under Section 165 when an officer in charge, or any officer duly authorized by him, conducts the search of any place, as long as he has reasonable grounds to believe that such search cannot be obtained without undue delay and it is for the purpose of investigation. The officer conducting the search must, as far as possible, note down the reasons for such belief in writing prior to conducting the search. The police have the authority to search a person upon arrest as long as the requirements under Section 51 are complied with, and a search warrant can be dispensed with under this exception.
However, besides regarding such search as irregular, there is no additional procedural protection of individual privacy, and the search powers of the police are extremely wide and discretionary. In fact, there is a specific absence of the exclusionary rule as a protection as well, which means that, unlike under the Fourth Amendment, the non-compliance with the procedural requirements of search would not by itself vitiate the proceedings or suppress the evidence so found but would only amount to an irregularity which must be simply another factor considered in evaluating the evidence.
The Code of Criminal Procedure lays down general provisions for investigation, and applying the same procedure to the search or seizure of digital information or devices is not proper. The rationale behind a warrantless search under Section 165 or Section 51 is different, and the invasion of privacy such persons faced was different prior to digitalisation. Mobile phones and laptops store much intimate and personal information; hence the search or seizure of such devices must be done according to a procedure specifically established under law.
E-surveillance is the modern way of mass surveillance. Millions use computers, mobile phones and the Internet, and they can be subjected to surveillance even without their knowledge. Though the US Constitution and the Indian Constitution do not have the word “privacy” anywhere in their body, the law has accepted privacy as a right. K S Puttaswamy v Union of India recognised the Right to Privacy, and it can only be compromised by the authority of law under Article 21. The Information Technology Act 2000 provides the government with the power to decrypt, intercept or monitor information on the grounds of the interest of sovereignty or integrity of India, defence of India, security of state, friendly relations with foreign states, public order, preventing the incitement to the commission of any cognizable offence relating to the above, and investigating any offence.
However, there is confusion as to whether location falls under internet data or can be construed as sensitive information. As location does not come under sensitive information under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011, there is no obligation on private parties to protect locational information acquired by them in the course of the provision of services or otherwise. With the Geospatial Information Regulation Bill 2016 still in its draft stage, there is no law existing to regulate such information. Private companies such as Google are reaping mines of data, and there is no effective data protection regime established in India to curb this activity. The Justice A.K. Shah Committee Report’s Data Protection Principles, such as Prior Notice, Consent, the Right to be Forgotten etc., must be kept in mind before framing any law in respect of the IT Act 2000.
Our judicial system follows the Code of Criminal Procedure 1973 for the search or seizure of a document or thing, which includes electronic evidence and devices. Though in the case of Anvar P.V. v P.K. Basheer and Ors it was held mandatory to have a Certificate under Section 65B of the Indian Evidence Act in order to produce electronic evidence, the manner of search and seizure of such electronic devices is not dealt with. We require a new policy in regard to this matter.
Countries around the world have already enacted Privacy Bills or are in the process of drafting Privacy Bills. Considering the fact that India has just recognised the Right to Privacy as a Fundamental Right, there are various factors and challenges that the Indian judiciary will have to face. The following is recommended:
1. Introduce a uniform set of procedures for the search and seizure of electronic devices.
2. Enact a strong and efficient Data Protection Act.
3. Modify the Geospatial Information Regulation Draft Bill, 2016 to include the responsibility of private parties towards individuals in case of breach of privacy.
4. Clarify the position of “location”, that is, geospatial information, under the Information Technology Act, 2000.
5. Amend Section 3 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 to include geospatial information/location as sensitive information.
It may be argued that considering geospatial information as sensitive information and bringing aspects of privacy under the Geospatial Information Bill 2016 will prejudice the government’s exercise of the powers that existed previously. However, both these measures will only cast responsibility upon private parties to adopt reasonable practices to protect such information and store it in accordance with any law in force, rather than hamper the government’s intelligence agencies. The Government or the appropriate authority under law has the authority to collect, decrypt and monitor information on the grounds provided under Section 69 of the Information Technology Act 2000 by abiding by the procedures under the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009. Also, the multiplicity of authorities under different Rules of the Information Technology Act 2000 puts the information privacy of persons in a tight spot and paves the way for E-surveillance.
As long as there is no coherent idea of information privacy, a sword of Damocles hangs over one’s privacy.