On Thursday, the Ministry of Home Affairs issued a statutory order authorising 10 “security and intelligence agencies” to intercept, monitor and decrypt electronic information and communication. A media frenzy soon ensued, with Opposition political parties seizing the notification as evidence that the government was running a surveillance state. The ministry responded with a press release, clarifying that the order was in keeping with Section 69(1) of the Information Technology Act, 2000, and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, proving that the order was sound in law.
Several government officials and Bharatiya Janata Party representatives have since defended this order as being in India’s sovereign and national security interest. They say it will bring transparency and accountability into surveillance, and that is is only an extension of the previous Congress-led government’s policy from 2009.
No doubt, Central and state governments have had the power to intercept, monitor and decrypt any information in any computer resource since 2008, when Section 69 of the Information Technology Act was amended to expand the government’s powers of interception. This amendment was one of many changes introduced to India’s surveillance framework to tackle crime and terrorism in the wake of the 2008 terrorist attacks in Mumbai.
However, the ministry’s December 20 directive is the first time such an order has been introduced under this section; and in this difference between a legislation being on the statute books versus it being implemented lies the reason for collective public outrage. That said, research by the Centre for Internet and Society and SFLC.in shows that the Indian state has long engaged in surveilling electronic communications, and other kinds of interception and monitoring.
While railing against the ministry’s order is very welcome, it is futile if it does not lead to a conversation around the root of the problem – Section 69(1) of the Information Technology Act and the accompanying Information Technology Rules. This section empowers the Central and state governments to authorise government agencies to intercept, monitor or decrypt “any information generated, transmitted, received or stored in any computer resource”. It lays down six grounds on the basis of which such authorisation may be granted. These are:
- The preservation of India’s sovereignty or integrity.
- The security of the state.
- Public order.
- Maintaining friendly relations with other countries.
- Preventing offences relating to 1. to 4. from being incited or committed.
- Criminal investigations.
All authorisation orders issued by the government under Section 69(1) must be reasoned and written, and must be subject to the procedure laid down in the Information Technology Rules. As per these rules, all such orders must be scrutinised by a review committee of the Centre, or the state in question, set up under Rule 419A of the Indian Telegraph Rules, 1951. All review committees set up under Rule 419A comprise only of government secretaries. This means that the executive sits in judgment over its own decisions. This goes against one of the most basic principles of justice and fairness – that no person shall be a judge in their own case.
Threat to privacy
State surveillance threatens individual privacy and must be subject to adequate safeguards. Privacy is a fundamental right guaranteed by the Constitution of India, as recognised by nine judges of the Supreme Court in August 2017. Like all other fundamental rights, the right to privacy is not absolute, and can be restricted. According to the Supreme Court, these restrictions must be: (1) backed by law, (2) for a legitimate state aim, and (3) proportionate.
Consequently, any government order under Section 69(1) of the Information Technology Act must fulfil this three-part test to be constitutional. The absence of judicial or legislative oversight over the executive’s decision-making under Section 69(1) is likely to make it a disproportionate restriction on an individual’s fundamental right to privacy and, therefore, unconstitutional.
Even the government-appointed Justice Srikrishna Committee of Experts, which has been given the task of framing India’s data protection law, was concerned about this lack of legislative or judicial review. This committee has cited Germany, the United Kingdom, South Africa and the United States as countries with adequate procedural safeguards over government surveillance actions. On page 125 of its final report, it has noted, “Executive review alone is not in tandem with comparative models in democratic nations which either provide for legislative oversight, judicial approval or both.”
The Information Technology Act and the Information Technology Rules are but one of many means of government surveillance in India. Similar provisions exist in the Indian Telegraph Act, 1885, the Telegraph Rules, 1951, and the Indian Post Office Act, 1898. These laws are the extension of a colonial legacy, used by a foreign power to keep tabs on an alien population. Disappointingly, the Information Technology Act’s surveillance scheme only furthers this colonial hangover. Indian privacy thought, especially in the past few years, has reflected the idea that we must evolve an Indian privacy framework, grounded in our constitutional values, and tailored to the Indian context. It is about time that our surveillance laws begin to reflect our constitutional values as well.
Nehaa Chaudhari is Public Policy Lead and Tuhina Joshi is Policy Associate at Ikigai Law, a law and policy firm focused on new and emerging technologies. Their Twitter handles are @nehaachaudhari and @tuhinajoshi11