Protection of privacy in India is an area which is legislatively under-developed. While the right to privacy has been recognized by the Supreme Court as a fundamental right1 under several decisions, there are still no clear cut guidelines governing the scope of the right to privacy and the extent to which the executive can impinge upon this right for the sake of national security. As such, there is an inherent conflict between the right to privacy and national security per se.
Recently, the enforcement agencies demanded private telecommunication companies to share information regarding their users and provide unrestricted access to users’ communication. This is likely to cause, if it has not already, grave concerns regarding privacy and protection of information. The present bulletin discusses the recent developments vis-à- vis data collection and surveillance by the law enforcement agencies in the name of national interest and the impact it will have on the civil and fundamental rights of organizations and individuals in India vis-à-vis data protection and privacy.
1.0 Recent developments
Quite recently, the logjam between the Intelligence Bureau (“IB”) and Research in Motion (“RIM”) brought to light the conflict between security concerns of the state and protection of privacy of the individual. This controversy hinges over allowing the IB real time access and surveillance to certain integrated services offered by RIM, mainly the e-mail services and messaging services which use a very sophisticated encryption. While RIM contended that even it does not have the capability of decrypting the e-mails and messages sent using Blackberry services, the IB has provided an ultimatum to RIM by stating that its services will be stopped in India if it does not yield to its demands.
This boiling point has been reached two years after the IB first asked RIM to share its server access and to have servers in India which RIM avoided. The department of telecommunication, IB and security agency National Technical Research Organisation conducted series of tests on service providers like Bharti Airtel, BPL Mobile, Reliance Communications and Vodafone-Essar network for interception of Internet messages from BlackBerry to non-BlackBerry devices in 2008.2 In the wake of the terrorist attack in Mumbai, the IB has upped its efforts in monitoring electronic and telephonic communication from suspects, and was facing technical difficulty in accessing the highly encrypted data transferred using RIM’s services.
In addition to this, the IB has also recently put Nokia, G-mail and Skype under the scanner3 for it is unable to intercept and decrypt the data or communication transferred using the aforementioned. The IB had, by a written communication, asked the Department of Telecommunication to cease Nokia’s messaging services and push e-mail services. The growing concern of the IB is with regard to its inability to monitor encrypted communication to and from the users of Nokia’s e-mail services or RIM’s Blackberry services. On the other hand, the rationale behind organizations using such services is on account of the encryption offering sophisticated and state-of-the-art data encryption. The present scenario creates a peculiar set of circumstances where internal security of India, seemingly, is compromised by high data encryption of personal and corporate communication by service providers who, in terms of the recent changes to the Information Technology Act, 2000 (“IT Act”) have an enhanced obligation for data protection.4
2.0 Impact on civil and fundamental rights
The demand of the IB and other governmental agencies has a derogatory impact on the civil and fundamental rights of individuals. Under Article 21, the right to privacy has been recognized as a fundamental right, and the right to data protection has been provided for under the IT Act. By accessing private and confidential communication, the governmental agencies will be invading privacy of individuals, without their knowledge, and it is not hard to imagine a scenario where such confidential information can be used against the individual, due to the lack of a legitimized surveillance protocol or regime.
While the security concerns of the government agencies in India may also be justified, it is not difficult to foresee a situation where providing the governmental agencies with access to personal or corporate communication will ensue ramifications for the service provider vis-à-vis the end user. The rising concerns of individuals in India comes from the previous efforts of the governmental agencies to put in place a national intelligence grid for surveillance and collection of information without offering any safeguard to privacy. In addition to this, the Unique Identification Project in India also does not offer any privacy safeguards or any concrete obligation on the government agencies to protect privacy, which has an adverse effect on the civil and fundamental rights of individuals.
In most cases, national security triumphs over an individual’s civil and fundamental rights, who is left with no remedy of the invasion of privacy. This is added to by the fact that till date India does not have legislation for the protection of privacy of individuals and organizations as the case may be. Further, it also remains to be seen that at present there is no infrastructure for carrying out surveillance activities by the IB and other governmental agencies. While there have been a few cases where the right to privacy has been recognized as a fundamental right, it will be difficult to enforce as the information is not being intercepted by the IB or governmental agencies, but is being shared with it by the service providers, therefore making an action under constitutional provisions unviable.
There is no doubt that national security is a priority and cannot be compromised due to technological hindrances, however due consideration must be paid to the implications it has on the civil and fundamental rights of individuals in rem. In order to reconcile the conflict between data protection and privacy rights and access to sensitive information for national security purposes, there is a need for legislation for regulating the use of information collected by the IB and other governmental agencies. To provide a certain level of freedom to the governmental agencies, the manner in which the information is accessed should not be regulated, however, the treatment of the information collected must be regulated in order to afford some protection to an individual’s privacy.
Authored by: Ashutosh Chandola
1 Supreme Court in PUCL v. Union of India 1997 AIR (SC) 568.
2 Please see http://www.cert-in.org.in/knowledgebase/SecurityBulletin/cisb-Sep08.htm for details. Visited on September 06, 2010. Also see, http://www.ethicalhackers.in/news/indian-govt-at-last-we-cracked-blackberrys- encryption.html, as visited on September 7, 2010.
3 For details please see: “Nokia’s mail service faces IB security test” on Economic Times, July 28, 2010.
4 Section 43 and 43A of the IT Act.