This blog is written by Sourav Kumar and Anushka Singh, first year students of Rammanohar Lohiya National Law University, Lucknow.
An international collaborative investigative report revealed that more than 50,000 people across the world were identified for targeted surveillance using a sophisticated piece of spyware called Pegasus.
On 18th July, The Wire published a list of forty Indian journalists whose phones were possibly infected with the Pegasus Spyware developed by Israeli private company NSO. Their website states, “NSO creates technology that helps government agencies prevent and investigate terrorism and crimes to save thousands of lives around the globe.”
“NSO group only licences its most well-known software product Pegasus to select, approved, verified and authorized states and state agencies specifically to be used in national security and major law enforcement driven investigation. NSO Group does not operate the Pegasus system and, it can only be deployed by its government operators against one mobile phone number at a time, much like a traditional wiretap. The tool is not designed for, nor can it be used in any manner, for mass surveillance.”
But as far as the Indian government is concerned, they have refuted it as mere allegations and petty politics by opposition. The investigation into the matter is yet to be announced like France despite opposition’s call for an independent judicial probe. So, the big question being put up is how strong surveillance laws in India are? And is the private data of citizens safe?
In light of the recent development, this article discusses the prevailing surveillance and privacy laws in India.
Laws Governing Surveillance in India
There is no specific or direct law governing surveillance in India. However, there are some Acts and Rules governing it indirectly. The Indian Telegraph Act, 1885 and Section 69 of the Information Technology Amendment Act, 2008 is currently being used to regulate surveillance in India.
The current legal procedure for surveillance finds its root in a Supreme Court judgement of 1996, Public Union for Civil Liberties v Union of India (1996), in which the Court laid down a guideline finding lack of procedural safeguard in Indian Telegraph Act, 1885. This guideline later worked as a basis on which Information Technology (Procedures and safeguards for blocking for Access of Information by Public) Rules, 2009 under Section 69(2) of the Information Technology Act, 2008 (IT Act) was formulated, which is in force at present.
Indian Telegraph Act, 1885
This Act provides the Central Government or State Government or any officer specially authorized on their behalf with power to intercept communications (if they find it necessary) in the interest of public safety or on the occurrence of public emergency (till the public emergency exists). It further cites several exceptions under which communication can be intercepted like in the interest of the sovereignty and integrity of India, the security of the state, and friendly relations with foreign states.
IT Rules, 2009
This rule provides the legal procedure for the orders to be issued by an officer, not below the rank of the Joint Secretary to the Govt. of India for the interception, monitoring or decryption of information through a computer resource. Under circumstances where prior permission is not feasible, the order can be issued by the Head or the Second senior-most officer of the security and law enforcement agency at the Central level while on State or Union Territory level same can be issued by officer not below the rank of Inspector General of Police or equivalent rank.
Given, this emergency approval is informed to competent authority within 3 days and get approved within 7 working days. In cases where this is not approved, the information is not intercepted or monitored thereafter.
This order for interception remains in force for a period of 60 days, which can be increased from time to time, if necessary for total period of 180 days.
Each order then is sent to review committee (constituted under rule 419A of Indian Telegraph Rules, 1951) containing reasons for approval of interception.
Surveillance laws in US and UK
The power to grant electronic surveillance is vested in President when any foreign power or person who is agent of foreign power is to be snooped, without any court order through the Attorney General to gather information up to 1 year. The house of Permanent Select Committee on Intelligence and Senate Select Committee is further reported about the same by the Attorney General.
Any federal officer can file an application for electronic surveillance which is decided upon by the committee of 7 judges from 7 different circuit courts appointed by the Chief Justice. They either grant, modify or deny such applications except when the application has already been denied, the application will not be entertained.
Regulation of Investigatory Powers Act, 2000 governs the procedures around investigation and surveillance in the United Kingdom. It provides guidelines to law enforcement agencies or whoever wants to acquire private information. Under this guideline, surveillance can only be done in case of terrorism, public safety, crime or emergency services. Even in Europe, there is no specific law for surveillance and EU members use UK’s Regulation of Investigatory Powers Act, 2000.
Privacy was declared a fundamental right, subject to certain restrictions, in a landmark 2017 judgement in Justice K S Puttaswamy v. Union of India. There is no direct legislation regulating privacy in India yet. However, there are various laws and regulations like the IT Act, 2000 and IT (Reasonable Security Practises and Procedures and Sensitive Personal Data or Information) Rules, 2011 dealing with data protection. Indian Parliament tabled a bill ‘The Personal Data Protection Bill, 2019’ in 2019 which is still being examined by the Joint Committee of Parliament and the report is yet to be submitted. The government’s committee that drafted the Personal Data Protection Bill was headed by Justice B N Srikrishna. Recently Justice B N Srikrishna commented on Pegasus attack and privacy that had the Data Protection law been there the “the potentially targeted” could have taken the legal remedy and the government would have been answerable as any private entity for the breach of privacy by Israeli Company NSO Group’s Pegasus.
Although it is yet to be proved if the Indian government is responsible for this breach of privacy, Justice B N Srikrishna seems very clear when he further says that only the government can do such an act and nobody else could. Therefore, the people must move to the Supreme Court stating that their fundamental right to privacy is breached under Article 21 of the Constitution.
As per the report, among the potentially targeted for surveillance are ministers, opposition leaders, scientists, rights activists, legal community, businessman, government officials, journalists and others. The list of the people snooped and potential snoops does not contain a single name of a suspicious terrorist, extremist or insurgent, this raises the question on the ground of which the surveillance is done as it is clearly in contravention to the Information Technology Rules, 2009 and violates the fundamental right of privacy of citizens. And then the question of authorisation comes into picture, as the officer authorising for surveillance and the committee reviewing that authorisation belong to executive. For better check on unbridled powers of executive led surveillance regime, independent, competent and impartial judicial authority should be appointed. And all request of surveillance of citizens must be first cleared from the judicial authority.