EDITORIALS
Questioning Surveillance sans Data Protection
The Ministry of Home Affairs’ recent notification is yet another reason why we urgently need a data protection law.
L
ast week, the Ministry of Home Affairs (MHA) brought
out a notification authorising 10 government agencies to
intercept, monitor and decrypt “any information gener-
ated, transmitted, received or stored in any computer” under
the Information Technology (IT) Act, 2000 and its 2009 rules. It
has also emerged since that the government is proposing to
bring in amendments to the 2011 rules under the IT Act regarding
guidelines for intermediaries (communications platforms like
WhatsApp and Telegram). It proposes the regulation of “unlaw-
ful” social media content, requiring these intermediaries to pro-
vide the government with “traceability” of encrypted content—
defeating the purpose of end-to-end encryption—and increasing
the period of time for which data has to be stored by them. The
scare and frenzy that erupted following the notification was
responded to by the government, quite characteristically, as just
implementation of the laws that were brought in by the previous
United Progressive Alliance (UPA) government.
There is a need to revisit not just this notification, but the IT
Act itself as well as India’s surveillance framework, especially in
light of the landmark judgment on privacy in the K Puttaswamy
case in 2017. It is not as if the government has not already been
surveilling and intercepting data all these years; a 2014 report
had stated that 9,000 phones were tapped every month in India.
The government’s Centre for Development of Telematics (C-Dot)
had also rolled out in 2013 the Central Monitoring System, an
automated mass surveillance project that the C-Dot annual report,
released earlier this year, describes as “practically complete.”
In a world where people’s lives are so enmeshed in the digital,
one’s computer or phone has become an extension of one’s very
person. With the government itself promoting and pushing for a
“Digital India,” it, then, becomes all the more essential that
there be a strong data protection law protecting the interests of
the individual, rather than laws that only protect the actions of
the state in the name of national security. In fact, the building
blocks of the country’s surveillance framework can be found in
the Indian Telegraph Act, 1885 and the Indian Post Office Act,
1898. Section 69 of the IT Act merely echoes these colonial-era
laws in the conditions under which the government can inter-
cept, monitor and decrypt data: “in the interest of the sover-
eignty or integrity of India, the security of the State, friendly
relations with foreign States or public order or for preventing
incitement to the commission of any cognizable offence.”
As the B N Srikrishna Committee on data protection has noted,
“Surveillance should not be carried out without a degree of
transparency that can pass the muster of the Puttaswamy test
8 decEMBER 29, 2018
of necessity, proportionality and due process.” As regards the
necessity and proportionality of surveillance, the debate on the
trade-off between privacy and security is an old one. However,
it is a lopsided debate, where, in the absence of a data protection
law, the implementation of safeguards to protect the individual’s
right to privacy, of data and otherwise, has taken a backseat. As
for due process, while we wait for some semblance of a data
protection act—like the bill drafted by the Srikrishna Committee—
to see the light of day, how surveillance processes are working
on the ground is something that the government is unwilling to
share. Furthermore, the vaguely worded conditions in the IT
Act, in the absence of judicial oversight, contribute in making
the entire operation opaque. Instead, we have a government
that charges ahead by way of one executive order after the other,
ducking any legislative or judicial oversight.
With the conditions of necessity, proportionality, and due
process being flouted in their implementation on the ground,
when the government tries to pass such blanket surveillance
measures, it leads to a trust deficit in the government. The
furore over the MHA’s notification points to this. While govern-
ments in India have passed many a law and committed many a
questionable act in the name of national security—recent
examples being the Aadhaar project and the demonetisation
exercise—which demand an intrusive amount of transparency
from individuals, we do not see the government being as forth-
coming and transparent with its people.
The nature of communications technology has drastically
changed since the Indian Telegraph Act was passed. We com-
municate a lot more, and to many more people than we could
before. Phones and computers, thanks to the medium of the
internet, are no longer used to just communicate important
messages or work on word processors, but are an integral part
of how we express ourselves and lead our everyday lives. Hence,
any sort of interception in or monitoring of a person’s phone or
computer would mean a much deeper intrusion in their lives
than what it would have been earlier. We talk, read, work, bank,
express, protest, and dissent via these devices. Concurrently,
illegalities and threats to national security have also gone the
digital way. However, pervasive and unrestricted curbs on or
surveillance of these devices and networks would be tanta-
mount to the government playing the role of an omnipresent
Big Brother. What is required is a complete overhaul of India’s
surveillance framework, the inclusion of and compliance with
the principles of privacy delineated in the Puttaswamy judg-
ment, and the urgent implementation of a data protection law.
vol lIii no 51 EPW Economic & Political Weekly