Intermediary Guidelines and the Digital Public Sphere: Tracing first originators

The previous post (here) set out how social media companies are key facilitators of public discourse, and structure the digital public sphere. The Intermediary Guidelines distinguish between ordinary intermediaries and ‘Significant Social Media Intermediaries’ (“SSMIs”) and Rule 4 sets out “due diligence” obligations that SSMIs must satisfy to avail of legal immunity for content shared on their platforms. In other words, a violation of Rule 4 of the Intermediary Guidelines does not itself impose liability on SSMIs, but it exposes them to a significant risk of liability given the large volumes of content being transacted on their platforms.

This post examines the requirement that SSMIs providing messaging services identify the “first originator” of specific content on their platforms pursuant to judicial or government orders. I begin by setting out the content of the requirement. Next, I briefly examine the role of secure communications and anonymity under the Indian Constitution. I then set out the technical proposals as to how a first originator may be identified and finally evaluate whether Rule 4(2) would survive constitutional scrutiny.

The ‘Traceability’ Requirement

Rule 4(2) obligates SSMIs that are “providing services in the nature of messaging” (think WhatsApp, Signal, Telegram, and iMessage) to “enable the identification of the first originator of the information on its computer resource”. SSMIs are required to comply with this obligation in two situations:

(1) where a judicial order is passed; or

(2) where an order is passed under Section 69 of the IT Act and the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009 (“IT Decryption Rules”).

The IT Act defines an “originator” as anybody who generates, transmits, or stores content. The effect of the rule is to enable the identification of the first user profile on a computer resource to generate, transmit or store a specific piece of information. While Rule 4(2) postulates a judicial order ordering identification, it does not mandate it. Orders under Section 69 are passed by senior civil servants, so there is no meaningful check on executive power. Further, the Union Government insists this is a measure to fight illegal content that has widespread reach; however, Rule 4(2) itself contains no threshold for ‘virality’ and could in principle apply to any content that was shared more than once. If there is more than one “originator”, there is de facto a “first originator”.

Rule 4(2) includes three safeguards and creates one legal presumption. First, an identification order may only be passed for the purposes of “prevention, detection, investigation, prosecution or punishment” of offences “related to” the sovereignty, integrity, or security of India, friendly relations with foreign states, public order, or the incitement of offences relating to any of these headings but also rape, sexually explicit material, or child sexual abuse. Second, an identification order cannot be passed where a less intrusive means to identify the first originator exists. Third, no SSMI is required to disclose the “contents of any electronic message or any other information related to the first originator, or any information related to its other users”.

Finally, Rule 4(2) also states that if the first originator of content on the messaging platform is located outside India, the first originator within India (i.e., the first person who generates, stores, or transmits the content in India) “shall be deemed” to be the first originator with respect to that content.

Privacy and Proportionality in India

In the last post we examined how social media companies constitute the digital public sphere. This is borne out empirically in the case of messaging platforms as well. In a recent study conducted by the Reuters Institute and the University of Oxford, 52% of Indian respondents reported getting their news via WhatsApp. 60% clicked on news links, 46% posted or shared news on the platform, and 39% took part in group or private discussions. Messaging platforms facilitate public discourse and allow citizens to shape public opinion, perhaps best demonstrated by the high levels of political content on these platforms. Anonymity and security thus form crucial barriers against political speech being chilled.

Messaging platforms also allow individuals to share constitutionally protected but socially stigmatised views, ensuring individual autonomy and dignity. It allows people to securely discover and express themselves, and effectively organise with other citizens to create centres of countervailing power. As the former UNHRC Special Rapporteur noted, being protected from the public gaze may allow citizens to discover and share ideas they may otherwise be persecuted for. “The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality.” However, the security provided by privacy is especially fragile. Courts have recognised that where even the threat of surveillance exists without a remedy, there exists an interference with a citizen’s privacy.

Almost two decades ago, the Supreme Court in PUCL recognised that Indians have a constitutionally guaranteed right to communicate privately. In Puttaswamy, the Court articulated a vision of privacy grounded in individual autonomy that interacted and enabled the enjoyment of other rights guaranteed by the Constitution, most notably the right to freely and privately hold and express opinions, and associate with other citizens (¶412). In other words, privacy forms a necessary foundation to the enjoyment of the rights and privileges guaranteed by the Constitution. The Indian Constitution thus guarantees private and secure communications to both protect individual autonomy and facilitate democratic self-governance.

Any infringement on a citizen’s right to communicate privately must therefore satisfy the test of proportionality: (1) the infringing measure must pursue a legitimate state aim; (2) the measure must substantially further the state aim; (3) the measure must be the least restrictive option amongst equally effective alternatives; and (4) the measure must not have a disproportionate impact on rights holders.

Rulemaking power

Before we examine the issue of privacy and encrypted messages, there exists a preliminary issue of the very power to frame such a rule. The prefatory text to the Intermediary Guidelines notes that the Guidelines are issued under the powers granted to the Union Government by Sections 87(2)(z) and 87(2)(zg) of the IT Act. The former grants the Union Government power to frame web-site blocking rules and the latter grants power to frame rules to regulate the immunity granted to intermediaries. In short, neither of the sub-clauses relates to monitoring or tracing content on computer networks. The government may argue that Rule 4(2) forms legitimate regulation of intermediary immunity, but this is belied by the fact that the IT Act itself grants the government the power to monitor and decrypt content in a separate and independent provision, namely Section 69. Section 69 has its own rule-making provision, Section 87(2)(y), and the government has already framed the IT Decryption Rules under this section.

Operationalising ‘Traceability’

There exists a gap between Rule 4(2) mandating SSMIs to identify the first originator and the platforms being able to do so – and this is because all major messaging platforms such as WhatsApp, iMessage, and Signal are end-to-end encrypted. This means even if the messages on these platforms were monitored or intercepted, the messages would first need to be decrypted using a decryption key for their contents to be read. It is important to understand that the decryption key is stored on the user’s devices and not with platforms, so WhatsApp could not reveal the contents of messages even if it wanted to do so to comply with Rule 4(2). Further, the decryption key is unique between users, and changes over time. So even if a decryption key were acquired, it would reveal the contents of one chat for the limited period that the specific decryption key was used.

Understanding this, the impossibility of the task demanded of SSMIs comes into picture. How does a messaging platform trace a piece of content across thousands, potentially millions of chats (none of which it possesses decryption keys for) to locate the first originator? This tension is borne out in the IT Decryption Rules drafted in 2009. The Rules define “decryption assistance” as “allow access, to the extent possible, to encrypted information”. This is further buttressed by Rule 13(3) of the IT Decryption Rules, which states that “Any direction of decryption of information issued under rule 3 to intermediary shall be limited to the extent the information is encrypted by the intermediary or the intermediary has control over the decryption key.”      

Given that Rule 4(2) of the Intermediary Guidelines expressly states that an order to identify a first originator shall be “as per” the IT Decryption Rules, it may plausibly be argued that an identification order under Rule 4(2) would simply not apply to a platform which does not possess the decryption key. In fact, Facebook has expressly contended that a ‘best efforts’ obligation to assist the government does not contemplate a platform radically modifying its platform to allow the government to trace originators. However, while the Union Government states that it does not want to break end-to-end encryption, it has insisted that platforms are obligated to modify their functionality to enable tracing first originators.

There have been two prominent proposals on how traceability may be achieved without breaking end-to-end encryption. The first proposal was mooted by one Professor Kamakoti and is discussed in Aditi Agrawal’s piece (here). More recently however, anonymous officials from the Ministry of Electronics and IT have argued that a “hash constant” may be used to identify originators.

Hashes

The idea of a hash is to assign every distinct message a unique hash identifier. Briefly, if User P sends the message “I plan to undermine the Indian Government” to User Q, the message is assigned a hash identifier, for simplicity say the identifier is ‘52’. User Q now forwards the message to Users R, S, and T, who go on to send it to hundreds or thousands more until it reaches User M who believes the message to be illegal. Now, an investigative agency can ask the platform to run a search against all messages having the identifier 52, to find when it first appeared – with User P.

In her piece, Aditi notes that this may not work as platforms generate hashes based on: (1) the contents of the messages; and (2) the keys between users, which are constantly changing. Therefore, the message between User P and User R will have a different hash from the same message sent from User P to User T. This means that any one hash would be of limited value as it would disclose identical messages, between two users, sent when a specific decryption key was in use. All other identical messages would have different hashes.

Ironically, if this is not the case, the consequences are far grimmer. Because hashing ties an identifiable value to the contents of a message (e.g., 52=I plan to undermine the Indian Government), the platform, and consequently the government, could know every user on the platform who has that message on their phone. This is contrary to Rule 4(2) itself, which states that SSMIs shall not be required to disclose the contents of the message or any information related to other users. (Sidebar: it is entirely conceivable that over time the government shifts from searching for hashes that equal “I plan to undermine the Indian State” to hashes that equal “I don’t like the Indian Government.”)
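The two possibilities described in this section can be put side by side in a short simulation. This is an added illustration, not part of the original post and not any platform's actual design: the delivery log, the user labels, the sample messages and the per-chat keys are all constructed, and HMAC-SHA256 under a per-chat key is an assumed stand-in for a hash that depends on "the keys between users".

```python
import hashlib
import hmac
from collections import namedtuple

# One row of a hypothetical platform-side delivery log (constructed for this example).
Record = namedtuple("Record", "seq sender recipient tag")

# Constructed sample messages; the platform never sees these in an E2EE system.
MESSAGE = b"constructed sample message under investigation"
OTHER = b"constructed unrelated message"

# Constructed forwarding chain in delivery order: P -> Q -> R and S, then R -> M.
DELIVERIES = [
    ("P", "Q", MESSAGE),
    ("Q", "R", MESSAGE),
    ("Q", "S", MESSAGE),
    ("S", "T", OTHER),
    ("R", "M", MESSAGE),
]


def content_tag(sender, recipient, plaintext):
    """Scheme A: the identifier depends only on the message content."""
    return hashlib.sha256(plaintext).hexdigest()


def pair_key(sender, recipient):
    """Assumed stand-in for a per-chat key that lives only on the two devices."""
    return hashlib.sha256(f"constructed-key:{sender}:{recipient}".encode()).digest()


def keyed_tag(sender, recipient, plaintext):
    """Scheme B: the identifier depends on the content and the key between users."""
    return hmac.new(pair_key(sender, recipient), plaintext, hashlib.sha256).hexdigest()


def build_log(tag_fn):
    """What the platform would store: who sent to whom, plus the identifier."""
    return [Record(i, s, r, tag_fn(s, r, m)) for i, (s, r, m) in enumerate(DELIVERIES)]


def trace(log, tag):
    """Search the log for one identifier: earliest sender and every user it exposes."""
    matches = [rec for rec in log if rec.tag == tag]
    if not matches:
        return None, set()
    first = min(matches, key=lambda rec: rec.seq)
    exposed = set()
    for rec in matches:
        exposed.update((rec.sender, rec.recipient))
    return first.sender, exposed


def run_scenario(tag_fn):
    """User M reports the last delivery; the platform searches for its identifier."""
    log = build_log(tag_fn)
    return trace(log, log[-1].tag)


def guess_matches(log, guess):
    """Without any keys, count rows whose identifier equals the hash of a guessed text."""
    target = hashlib.sha256(guess).hexdigest()
    return sum(1 for rec in log if rec.tag == target)


if __name__ == "__main__":
    # Scheme A finds P, but also exposes every user holding the message.
    print("content-only:", run_scenario(content_tag))
    # Scheme B never gets past the single chat in which the report was made.
    print("content+key :", run_scenario(keyed_tag))
    # Scheme A also lets the platform confirm what a message says by guessing it.
    print("guess hits A:", guess_matches(build_log(content_tag), MESSAGE))
    print("guess hits B:", guess_matches(build_log(keyed_tag), MESSAGE))
```

With content-only identifiers the search returns P together with every user who sent or received the message, and a guessed plaintext can be confirmed against the log; with keyed identifiers the search stops at the single chat between R and M.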

Constitutional scrutiny

The proportionality test is a cumulative one, and for the sake of brevity I only highlight the most striking issues with Rule 4(2). First, the State bears the onus of demonstrating that the measure (tracing first originators) furthers its stated aims (preventing the incitement of offences against the integrity of India, sexually explicit material etc.). The law recognises that nearly any measure may potentially be useful or desirable for governments to achieve the cessation of crime and ideally, requires that the State demonstrate the measure in question is “necessary” to achieve its stated aims.

Why first originators?

It is unclear how tracing the first originator assists the State in achieving its aims. We cannot assume that the first originator created the content. This logic is defeated as Rule 4(2) cannot cover cross-posting; a Twitter user could create and upload a video that is subsequently downloaded and shared on WhatsApp – the first originator is not the creator. Rule 4(2) itself rejects the creation rationale by acknowledging that content may be created outside India but sent to India – creating a ‘first receiver’ of sorts. Now if we were to argue that this ‘first receiver’ is facilitating the spread of the illegal content in India, how do we justify overlooking other originators for domestically sourced content? Imagine I send “illegal” content to User X, who forwards it to a group with several thousand users – who is facilitating the spread of illegal content and whom should the law be more focussed on identifying, and how should liability be apportioned between User X and me?

Further, as Nandan Kamat noted, secondary liability for repeating and disseminating speech varies depending on the offence (public order, defamation, etc.). In some regimes, each re-publication (forward) constitutes a wholly new publication while in other cases liability for repeating content is minimal. The level of due diligence a speaker exercises before sharing content varies widely based on the content and the platform. Context is also crucial. Imagine illegal content is circulating on Platform A and Platform B. On Platform A, the content is being used to incite violence but on Platform B the content is being used to generate counter-speech against violence. As Rule 4(2) states that the contents of the messages cannot be disclosed, how do we differentiate between the originator on the two platforms? The first originator on Platform B may provide context by displaying the contents of her messages, but she should not have to, she should not even be implicated in a criminal proceeding for making constitutionally protected speech. All in all, Rule 4(2) is a blunt instrument most likely to limit the spread of both legal and illegal content by creating a massive chilling effect on users.

Are first originators the first?

Another major issue is that there is a distinction between proving that content first originated from a particular device or user profile and proving that the person who owns the device sent the content. The possibilities for manipulation are endless, ranging from virtual SIM cards linked to foreign numbers that are sold on all major app-stores for as little as ₹100 to picking up somebody’s phone or acquiring remote access privileges. This manipulability and arbitrariness are aggravated by the fact that Rule 4(2) is limited to a single SSMI’s platform (excluding cross platform posting) and the geographic restrictions.

Imagine a piece of “illegal” content is widely circulating on WhatsApp (or even better, a smaller messaging service falling below the threshold of an SSMI). User X using a virtual (foreign) sim cross posts it to Telegram by sending it to his mother, and then uses her phone to forward it back to User X’s Indian Telegram. User X now forwards it to a Telegram group with 5,000 users. User X’s mother is the first originator. Therefore, how far the identity of the ‘first originator’s’ user profile or device can aid in criminal prosecution or curbing misinformation is highly questionable.

Alternative measures

The State must also demonstrate that tracing the first originator is the least intrusive method of achieving its aim among effective alternatives. While there seems to exist some uncertainty within the Union Government as to how the identification of first originators will be operationalised, the present proposals are particularly intrusive and risk the privacy of other users. An order under the IT Decryption Rules does not require judicial authorisation, and no remedy is provided to users. Because the government itself is a substantial actor on messaging platforms, the necessary independence of identification orders has not been secured. While Rule 4(2) prohibits an identification order from being passed where less intrusive measures exist, there exists no legal structure to guarantee or even scrutinise an incompetent or mala fide claim by an investigative agency that this is actually the case. Further, if hashing were to be employed, basic safeguards such as data retention and expiry are not in place – how long can a hash identifier associated with content be active?

This leaves the Government with a high burden to demonstrate that Rule 4(2) achieves something other measures simply cannot. This is undermined by the fact that mobile platforms already provide the Government a host of ‘basic subscriber data’ allowing the Government to trace users. For example, under the Criminal Procedure Code the Government already requests platforms to provide users’ phone numbers, names, device info, app version, start and end times, last connection, IP and email addresses and web-client data. The Government also has other legal powers such as wiretapping, geo-location, and physical surveillance of suspects. Further, the Government can also use human intelligence to infiltrate and track users on messaging platforms, as reporters have done to investigate the organised spread of misinformation. In summary, the Government has a host of alternative investigative tools while citizens rely almost exclusively on encryption to protect their communications.

Conclusion

Encrypted communications are a thorny issue world over and law enforcement agencies are lobbying hard to access user messages. But given the importance of encrypted messaging to the autonomy and dignity of citizens, and its centrality to shaping public discourse in India, any restrictions must be strictly scrutinised from the lenses of the rule of law and due process to address the power imbalances that exist between citizens and the State. How Rule 4(2) will be operationalised will have a substantial bearing on its legality. However, as it stands today, the identification of first originators requires weakening the privacy of millions of Indian users to ineptly trace a few potentially bad actors; actors that we are unclear whether we should, or how we will, ultimately hold guilty.    

Mobile Phones and Criminal Investigations: The Karnataka HC Judgment in Virendra Khanna [Guest Post]

[This is a guest post by Abhinav Sekhri, cross-posted from the Proof of Guilt blog].


(This post connects to a primer available on SSRN which deals with these issues, which is available here).


Earlier this month, a Single Judge Bench of the Karnataka High Court delivered the judgment in Virendra Khanna v. State of Karnataka and Anr. [W.P. No. 11759/2020 (Decided on 12.03.2021)]. The decision is likely to prove the first in a series of cases in the near future, in which courts grapple with issues posed to criminal investigations by mobile phones and similar digital devices. These issues require courts to not only consider the scope of constitutional protections but also interpret existing provisions of the Criminal Procedure Code 1973 [“Cr.P.C.”] and Information Technology Act 2000 [“IT Act”]. 

In this post, I argue that the conclusions arrived at in Virendra Khanna — in respect of the applicability of the fundamental right against self-incrimination, of the Cr.P.C. search and seizure provisions, and of the fundamental right to privacy, all in context of accessing digital devices — are incorrect. The interpretation that is endorsed by the High Court is also deeply problematic, as in the face of advancing technology, it seeks to restrict rather than enhance the contours of our constitutional rights to equip individuals with the means to protect themselves against unlawful incursions into enjoyment of one’s personal liberty by state agencies. The post does not engage with the guidelines provided by the Court, or its reiteration of the law laid down in Selvi [(2010) 7 SCC 263] that compelled administration of a polygraph test is illegal.

The Facts and Issues Before the Court

The Petitioner was a person caught in the crosshairs of law enforcement agencies, and his mobile phone was allegedly important to advance the investigation into offences. In September 2020, the police went before the trial court asking for court orders to direct the Petitioner to unlock his mobile phone and grant access to email accounts, as the Petitioner had refused to cooperate. The court duly passed this direction and it appears the Petitioner complied. Then, the police moved another application before the trial court, this time asking for directions that the Petitioner be subjected to a polygraph test to confirm the mobile / email passwords, as it appeared that the Petitioner had been lying about the same during investigation. The court allowed this application as well and directed the polygraph tests be conducted — orders which, according to the Petitioner, were passed without ever giving him an opportunity to be heard and without considering if he had indeed consented to undergoing such tests. The Petitioner challenged this order and the consequent direction to undergo a polygraph test.

Following the judgment in Selvi, no court can direct any accused person to undergo polygraph tests unless such person consented to the same, and if seen from that perspective Virendra Khanna was an open-and-shut case requiring that the order be set aside. But the High Court was more indulgent with the legal issues placed before it and considered questions that lay beneath the surface as well. Out of these, I focus on the following three points taken up in the judgment:

  • What is the specific legal regime under which police can seek access to a digital device for pursuing its investigation?
  • What is the interplay between Article 20(3) and directions issued to an accused person for unlocking a digital device? 
  • What are the legal limits, if any, upon law enforcement agencies while they “explore” the contents of a digital device for investigation purposes?

Issue 1: The Relevant Legal Regime 

The High Court first considered whether there was any legal basis to root the actions of police officers in accessing a digital device for purposes of investigation. It observed that an officer could always ask an accused to open the device, but to direct compliance required some basis in law. This legal basis was found in the existing search and seizure regime of the Cr.P.C., concluding that the regime — which it admitted only applied to a “place” — was also applicable for accessing a digital device. Accordingly, the police would have to apply for search warrants to access a phone under Sections 93 / 94 of the Cr.P.C., and in emergent circumstances they could dispense with this requirement and act under Section 165 Cr.P.C. The obligations of the accused would be the same in both scenarios, i.e. assist in providing access to any locked space as provided by Section 100 Cr.P.C. 

Extending the existing search and seizure regimes from the realm of physical space to that of electronic / digital space is a path that many countries are taking. Erecting a need for judicial supervision by requiring search warrants to be sought before digital devices can be accessed helps redress the imbalance of power in such situations and also helps to keep law enforcement activity tailored to the needs of investigation and avoid roving inquiries into personal data. Viewed in the abstract, then, the choice of the Court does not seem problematic at all but a pragmatic solution. 

The problems only arise when we move beyond the realm of abstraction into practice. The Indian search and seizure regime does not mandatorily require search warrants; instead, police liberally use their powers under the “emergent circumstances” exception to conduct searches. The result is a situation where privacy is at the mercy of police. This is not to say that the search warrant regime itself, when invoked, supplies the necessary bulwark. The Cr.P.C. 1973 adopted wholesale the search regime that was present in the old British codes, the avowed purpose of which was to maximise scope of interference with personal liberty and not to safeguard it. Under this antiquated regime, general warrants allowing a roving search at a place are the rule, and a court may “if it thinks fit” restrict the scope of this search expedition.  

As noted above, this regime was designed to maximise state interests. Importing this regime in 1973 was a dubious decision. Applying it in 2021 to digital devices which are nothing short of portable vaults full of sensitive personal data, is a disastrous one. 

Issue 2: The Right against Self-Incrimination and Unlocking Mobile Phones

The High Court held that compelling a person to give up a password and / or biometrics to unlock a digital device did not attract the fundamental right against compelled self-incrimination as it was not the kind of evidence protected by the prohibition: providing a password did not disclose anything incriminating, and it was not the “testimonial compulsion” which Article 20(3) sought to protect. As a result, adverse inferences could be drawn if a person refused to comply with court orders. This analysis was coupled with portraying disaster if the view was taken to its logical consequence, which according to the court:

“… would result in a chaotic situation: no blood sample could be taken; no sample for DNA analysis could be taken; no handwriting samples can be taken; no other body sample for the purpose of DNA analysis could be taken; no search of a house or office could be undertaken; the data of a laptop or computer or server cannot be accessed by the investigating officer; offences like cyber crime could never be investigated; offences like pornography, child pornography which are more often than not, on the internet, could not be investigated.”

Both these conclusions of the High Court are, unfortunately, incorrect. The legal position is misstated, and the approach on the factual aspects is deeply misguided and troubling.

The High Court called upon the “testimonial compulsion” concept in its reasoning and concluded that the furnishing of a password / biometrics was not of this nature, but was akin to “physical evidence”. This binary logic was engrafted upon Article 20(3) by the Supreme Court in Kathi Kalu Oghad [AIR 1961 SC 1808], according to which there is a kind of material called “physical evidence” which falls outside the scope of the protection and persons can be compelled to furnish it. This includes blood samples, hair samples, or even asking an accused to wear specific clothing. Then, there is “testimonial compulsion” which is the material Article 20(3) covers, which traditionally makes one think of confessions. What is the basis behind this distinction? “Physical evidence” is only relevant for purposes of comparison and so by itself it is not incriminating — police take the sample to compare it with other material. “Testimonial compulsion” is incriminating by itself, and conveys to the police information that is the direct product of testimony. The key then is whether the testimonial act — be it speaking, or making gestures — conveys information that can help furnish a link in the chain of evidence, by its own merit.

Is giving the password / biometrics really not conveying any information? Is it of no value as testimony by itself? Surely, the answer is no. At its most basic formulation, the testimonial value in having an accused person unlock the phone lies in the many inferences that can be drawn from this act. Not only does it lend support to the inference that the accused owns the phone, but also to the inference that the accused was in control of its contents. And where the contents of this device are what are potentially incriminatory, surely this is as obvious a link in the chain of evidence as any. 

On a more specific point, while the Court relied upon Kathi Kalu Oghad, it seemingly ignored the decision in Shyamlal Mohanlal Choksi [AIR 1965 SC 1251]. Otherwise, the High Court could not have observed that giving a password is not testimonial compulsion because “it is only in the nature of a direction to produce a document.” After all, Shyamlal specifically held that a direction of this nature could not be issued to an accused person as it would run contrary to Article 20(3).    

Since the High Court was incorrect in comparing the giving of a password with giving of bodily samples and the like, it is already obvious that the “heavens will fall” approach to the consequences of concluding an Article 20(3) violation are an exaggeration unfounded in the law. But let’s ignore that for a minute, and take up the assertion on its face value. What it reveals is a troubling state of affairs where the High Court assumes that cooperation by an accused is necessary to secure any or all of these obviously legitimate investigative aims. This cannot be further from the truth and, in fact, the Court itself alludes to this when at a later point in the decision it recommends that police proceed to “hack” a device to gain access where the accused refuses to cooperate. What is troubling here is that this kind of piggybacking upon an accused to secure investigations is what a protection against self-incrimination, in its myriad forms, was designed to reduce. Technological advances have made it more possible for police to do their job independently and have helped to usher in a situation where investigations are not subject to the sweet will of an accused, and at the same time are free of any potential taints of accused persons being assaulted to secure information. It is unfortunate that the High Court endorsed a view which still sought to place the accused as the focal point of a police investigation, without appreciating the well-established perils of this approach.  

Issue 3: The Right to Privacy

The High Court in Virendra Khanna was keenly aware of the potential invasion of one’s privacy at stake considering how much data is found on our digital devices. It acknowledged that once police gain access to a device, even if for a specific reason, that often enables full-blown access to all aspects to a person’s life. After heading in this direction, the High Court simply noted that the use of any such data during the course of investigations would not amount to a violation of the right to privacy, as it was protected under the exceptions carved out. At the same time, the High Court observed that unlawful disclosures of this material with third parties could certainly amount to an actionable wrong.

With all due respect, the High Court’s analysis of the privacy issues barely scratched the surface and, in effect, simply placed the cart before the horse. Yes, a criminal investigation can certainly require invasions of the right to privacy that are otherwise prohibited, but to confer a blanket protection over all kinds of activities that may be done under the pretext of an investigation effectively extinguishes the fundamental right altogether. Let’s take an example. The police allege that an accused spoke to other conspirators over email and this correspondence is evidence to show the existence of an agreement to commit a crime. This is as genuine a law enforcement need as can be justifying going inside an email account and one’s private chats.

According to Virendra Khanna, when faced with this situation a court should support untrammelled access for police agencies to the email account. Such an approach is hardly the only way out and actually asks courts to forsake their responsibility of crafting a proportionate intrusion to best safeguard law enforcement interests without sacrificing one’s privacy altogether. Rather than confer a carte blanche upon the police, an approach which took privacy seriously — the respect a fundamental right deserves — would have a court consider if the police could demonstrate with reasonable particularity what they hoped to find or if it was just a hunch and, importantly, create a time-limit so that the individual is not forever beholden to police snooping through her inbox. 

The seemingly benign way in which the High Court viewed potential breaches of the right to privacy can be seen not only from how it viewed state interests as an unquestionable concept, but also in how it failed to address what remedies may lie in the event of a breach. As mentioned above, the High Court did note that disclosures to third parties were possible and could constitute a breach, but it neither offered nor suggested a remedy to the aggrieved accused in this regard. What’s worse, the High Court in its support for getting search warrants endorsed the regular position that the fruits of an illegal search could still be admissible as evidence. It failed to engage with the small but significant line of recent cases where another High Court took strong exception to searches being conducted without following procedures, noted that this amounted to a breach of the right to privacy, and excluded material gathered pursuant to search from being considered as evidence. 

Conclusion: Setting Back the Clock, by Some Measure

On its face, the petition in Virendra Khanna offered a straightforward issue — administering a polygraph test without consent. The High Court looked past this simplicity to address the underlying legal questions which are becoming critical in their relevance to law enforcement needs and ordinary life. That it chose to do so and contributed to the discourse by offering clear answers to some questions was a welcome move. The problem is that the answers themselves are severely wanting, either proceeding on an incorrect legal basis or drawing exaggerated hypothetical conclusions.

How this judgment is treated by the other benches in the Karnataka High Court, the state police, as well as other courts, will be interesting to see. 

Giving Freedom Some Breathing Space: The Allahabad High Court’s SMA Judgment

Yesterday, a single judge of the Allahabad High Court handed down an important judgment reading down Sections 4 & 5 of the Special Marriage Act, which require couples to notify Marriage Officers one month in advance of their marriage, and Marriage Officers to publicise such a notification. The SMA allows for any person to “object” to the marriage on the basis that it (allegedly) violates provisions of the Act (Section 7). The case – Safiya Sultana v State of UP – came to the Court as a habeas corpus case, but on resolving the issue of habeas corpus, the couple in question also asked for a finding on Sections 4 & 5 of the Special Marriage Act, especially in light of the ongoing cases under the Uttar Pradesh Prohibition of Unlawful Conversion of Religion Ordinance (separately under challenge before the Allahabad High Court). The reason for this was:

“… young couples are not in a position to raise these issues before solemnizing their marriages as any litigation further attracts unnecessary attention which invades into their privacy and also causes unnecessary social pressure upon them with regard to their choice of a life partner.”

Justice Vivek Chaudhary agreed with this argument, and proceeded to examine the Special Marriage Act on the touchstone of constitutionality. He began by noting that as the SMA had been passed in 1954, the task before the Court was to examine whether the social and legal landscape, in the meantime, had altered to a degree so as to warrant a different interpretation of the Act’s provisions. Justice Chaudhary observed that the 242nd Report of the Law Commission (2012) had specifically recommended deleting the notice requirement, observing that it would keep a check on “high handed or unwarranted interference”, which often took the form of social boycotts, harassment etc.

Justice Chaudhary then went on to observe that in a series of judgments – from 2006 onwards – the Supreme Court had repeatedly emphasised the role of individual autonomy in questions of marriage, and held it to be inherent in Articles 19 and 21 of the Constitution. Examining the Puttaswamy privacy judgment in some detail in order to glean the scope of the right to privacy, the Court followed up by noting – crucially – that in Navtej Johar, it had been clarified that, when examining a law for constitutionality, what was important was not its object or form, but its effect. Drawing precedent together, Justice Chaudhary concluded by observing that:

“The law as declared by the Supreme Court, since the case of Lata Singh till the decision in Navtej Singh Johar, has travelled a long distance defining fundamental rights of personal liberty and of privacy. “Once a person becomes a major he or she can marry whosoever he/she likes” (Lata Singh); “choice of woman in choosing her partner in life is a legitimate constitutional right. It is founded on individual choice that is recognized in the Constitution under Article 19” (Asha Ranjan); “the consent of the family or the community or the clan is not necessary once the two adult individuals agree to enter into a wedlock…..it is a manifestation of their choice which is recognized under Articles 19 and 21 of the Constitution” (Shakti Vahini); “Neither the state nor the law can dictate a choice of partners or limit the free ability of every person to decide on these matters….. social approval for intimate personal decisions is not the basis for recognising them.” (Shafin Jahan) and finally the nine-judges bench “Privacy is the ultimate expression of the sanctity of the individual. It is a constitutional value which straddles across the spectrum of fundamental rights and protects for the individual a zone of choice and selfdetermination…….privacy is one of the most important rights to be protected both against State and non-State actors and be recognized as a fundamental right” (Puttuswamy) is a long chain of decisions growing stronger with time and firmly establishing personal liberty and privacy to be fundamental rights including within their sphere right to choose partner without interference from State, family or society.” (para 40)

Thus, a combination of the propositions that (a) an individual’s autonomous choice in intimate matters was constitutionally protected, and (b) constitutionality had to be considered by the effect of a law, brought Justice Chaudhary to the conclusion that the SMA had to be interpreted in a way that its reporting requirements would have to be read as voluntary, not mandatory:

The interpretation of Sections 6 and 7 read with Section 46 containing the procedure of publication of notice and inviting objections to the intended marriage in Act of 1954 thus has to be such that would uphold the fundamental rights and not violate the same. In case the same on their simplistic reading are held mandatory, as per the law declared today, they would invade in the fundamental rights of liberty and privacy, including within its sphere freedom to choose for marriage without interference from state and non-state actors, of the persons concerned. (para 45)

Justice Chaudhary buttressed this conclusion by noting that there were no similar reporting requirements under the several personal laws, and that therefore, there was no reason to make the process under the SMA more onerous.

The judgment of the Allahabad High Court represents an important judicial pushback against what has been – of late – increasing State interference in questions of marriage, including by empowering social and vigilante groups. The SMA’s notice requirements, of course, are not new: as the Court observed, they were present at the very beginning, when the original SMA was introduced in 1872. However, arguably, it is these notice requirements that have formed the baseline of further intrusions (the UP ordinance also has a similar notice requirement). What is most important is what they signify: notice and reporting requirements convey a message to the world that decisions of the most intimate character are not for the individual to make, but must be ratified by the society (which, in practical terms, means the dominant members of society). In practice, they leave individuals and couples with a stark choice: face the possibility of social persecution and violence, or give up your freedoms. These are not choices that a constitutional democracy should be asking its citizens to make.

In recognising that, Justice Chaudhary’s judgment represents an authentic articulation of liberty under the Indian Constitution.

Notes From a Foreign Field: The Impact of Schrems-II [Guest Post]

[This is a guest post by Rohit Gupta.]


On July 16, 2020, the Court of Justice of the European Union (‘CJEU’) passed a landmark judgment in Data Protection Commission v. Facebook Ireland, Maximillian Schrems (‘Schrems II Decision’). The Schrems II Decision produced shockwaves for the practice of commercial transnational transfers of personal data originating from the European Union (‘EU’) and being transmitted to a non-EU country, such as India. Under the EU data protection regime, data transfers are conducted pursuant to the European Union General Data Protection Regulation (‘GDPR’), in conjunction with the Charter of Fundamental Rights of the European Union (‘Charter’) and several other directives and regulations. Chapter V of the GDPR allows for transfers of data outside the EU through three different modes, provided that the receiving countries are determined to provide adequate privacy protections for the same. First, an adequacy decision may be passed by the Data Protection Commission as to the existence of adequate privacy protection within the domestic legal framework of the receiving country. Second, an agreement may be made to provide adequate safeguards, accompanied with enforceable data subject rights and effective legal remedies for data subjects. Such agreements may take place between two public authorities, such as in the case of the EU-US Safe Harbour or Privacy Shield, or between the sending and receiving data processors, such as in the case of Standard Contract Clauses (‘SCCs’), or between affiliated companies within a single commercial enterprise, such as in the case of Binding Corporate Rules (‘BCRs’). Third, derogations, or exceptions, to the requirement of either one of the above may be availed in specific circumstances.

While the Schrems II Decision proceeds on the lines of evaluating the privacy protection of mechanisms used by companies incorporated in the United States of America (‘US’) to transmit data from the EU, this blog will translate the broader implications of the judgment, specifically in the context of India and its privacy regime, or a lack thereof.

The Schrems II Judgment

In 2012, Maximillian Schrems (‘Schrems’), an Austrian national, raised concerns regarding the transnational data transfer practices of Facebook under the Data Protection Directive 95/46/EC, the predecessor to the GDPR. However, the Irish Data Protection Commissioner (‘DPC’), the Irish supervisory authority for data protection, rejected the complaint on the basis of the European Commission’s Decision 2010/87, which upheld the validity of the EU-US Safe Harbour. Subsequently, the CJEU, in the Schrems I Decision, concluded that the standard of data protection afforded by the United States was not “essentially equivalent” to that afforded within the European Union. Hence, the Safe Harbour Decision was annulled.

A second complaint was formulated by Schrems on the claim that the use of SCCs by Facebook was invalid since the latter was obligated to allow the United States Government to access the foreign personal data collected through these agreements. The complaint also impugned the EU-US Privacy Shield. While the European Commission had affirmed the validity of both the aforementioned mechanisms in Decision 2000/520 and Decision 2016/1250 respectively, the complaint was referred to the CJEU by the Irish High Court for a final determination.

The CJEU, in the Schrems II Decision, reached three crucial findings regarding the transnational transfer of personal data from the European Union:

A. The CJEU Confirms Extra-Territorial Application of GDPR for EU-Citizens’ Data

First, it held that the GDPR would remain applicable to personal data that has been transferred out of the European Union by one economic operator, or body corporate, to another for any commercial purpose, regardless of whether such data may be processed by the governmental authorities of the latter for the purposes of public security, defence and State security.

B. SCCs to Hold Validity Only if Underlying Framework Provides GDPR-Esque Data Protection

Second, it affirmed the validity of SCCs, provided that the level of data protection must be of a standard which is “essentially equivalent” to that guaranteed under the GDPR, read with the Charter. To this effect, the CJEU mandated the use of “other clauses or additional safeguards” in circumstances where the SCC itself failed to secure adequate levels of protection. These may cover, for example, the issue of law enforcement and access of personal data by government agencies. Additionally, respective Data Protection Authorities were under the obligation to suspend or prohibit data transfer to any third country wherein the aforementioned privacy safeguards, and alternative methods to achieve the same, were absent.

C. EU-US Privacy Shield Invalidated for Lack of Safeguard Against Government-Sanctioned Surveillance

Third, it invalidated the EU-US Privacy Shield on the grounds that (1) the United States surveillance regime, based on Section 702 of the Foreign Intelligence Surveillance Act, 1978 and Executive Order 12333 (1981), assumes primacy of national interest and law enforcement over the fundamental right to privacy by allowing the sanctioning of surveillance with no apparent limitation, violating the principles of proportionality in so far as the same is not restricted by the requirement of necessity, (2) the United States does not provide foreign data subjects with an actionable right against the Government for privacy breaches, under the Presidential Privacy Directive 28 (2014) and Executive Order 12333 (1981), and (3) the United States legislative framework is inadequate in ensuring the independence of the judicial ombudsman, an authority established by the EU-US Privacy Shield and an undersecretary of state, and the requisite authority of the body to deliver binding judgments upon US intelligence services.

Implications for India: An Analysis in light of the Personal Data Protection Bill, 2019

According to Article 45 of the GDPR, the relevant inquiry into an adequacy decision involves an assessment of the rules and regulations applicable to data controllers and processors within a country. This also includes an analysis of the accompanying safeguards limiting governmental access to foreign personal data. Per the Schrems II Decision, a like analysis would now be required for the operation of other modes of data transfer, such as Privacy Shields, SCCs, or BCRs. The recognition of the fundamental right to privacy in K.S. Puttaswamy v. Union of India (‘Puttaswamy Decision’) inducted principles of proportionality from Article 8 of the European Convention of Human Rights. Yet, without an underlying statutory framework, these rights lack remedial mechanisms that may be triggered by their violation. However, while the Personal Data Protection Bill, 2019 (‘PDPB’) remains to be passed, India exists in a state of limbo. Without a current standard of foreign personal data protection for all commercial operations, India does not meet the criteria for an adequacy decision.

An analysis of the previous adequacy decisions illustrates that the privacy safeguards contained in the PDPB, such as data minimization, purpose limitation, transparency and accountability, may prima facie allow India to qualify for an adequacy decision as well.

Nonetheless, with regard to independent oversight and enforcement, the PDPB authorizes the Central Government to compose the supervisory authority, i.e. the Data Protection Authority of India, on the recommendations of the selection committee, which also comprises members of the Executive. To this effect, it may be noted that in the 2018 draft, this selection was based on judicial intervention. Additionally, governmental access to personal data collected for law enforcement purposes provided for under the Information Technology Act, 2000, and rules thereunder may also deter an adequacy decision. For example, on December 20, 2018, the Ministry of Home Affairs issued a notification, under Section 69 of the Information Technology Act & Rule 4 of the Information Technology (Procedure for Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, authorizing 10 central agencies to intercept, monitor and decrypt any computer information.

Moreover, the PDPB itself allows the Central Government to exempt its agencies from the application of the legislation if the same is necessary in the interest of friendly relations with foreign states, public order, or to prevent inciting the commission of any cognizable offense related to the same. The use of vague and overbroad terms such as “public order” also affords arbitrary powers to the Central Government. Thus, the current concerns regarding the independence and impartiality of the oversight body and the arbitrary and obtrusive governmental access to foreign personal data vitiate any efforts to obtain an adequacy decision.

Article VII of the World Trade Organization’s General Agreement on Trade in Services, on the other hand, mandates that the EU offer similar opportunities to countries to negotiate comparable arrangements as offered to other countries. This mandate is based on the principle of non-discrimination and anti-protectionism. Thus, India has a claim to initiate negotiations for a Privacy Shield which would bypass the costly and time-consuming alternatives, such as SCCs or BCRs. This would also nullify the need to comply with respective Data Protection Commissions’ requirements for obtaining individual adequacy decisions.

However, for establishing and maintaining a Privacy Shield, the inadequacies of the PDPB and other state legislations must still be rectified by incorporating provisions within the agreement which nullify the operation of the same. Whether this would be an overreach of the powers of the Executive under the separation of powers doctrine is the subject matter of another discussion. Similarly, the operation of SCCs may also be discontinued if these violations are not safeguarded against. Essentially, the effects of the Schrems II Decision, thus, extend to India just as they do to the United States.

A Bleak Picture of Alternatives

While the Indian Government may work towards obtaining an adequacy decision or establishing a Privacy Shield, Indian companies may avail the following alternatives, apart from the common practice of using SCCs. However, as has been highlighted herein, these alternatives are merely the next-best alternatives, and do not paint an optimistic picture in comparison to the traditional methods in use.

A. Binding Corporate Rules

BCRs represent codes of conduct which are used exclusively for intra-enterprise transfers, i.e., between enterprises engaged in a joint economic venture. The European Data Protection Board (‘EDPB’), however, has specified that companies reliant on BCRs would still be required to conduct a prior assessment to determine that the receiving nations’ privacy safeguards are essentially equivalent to those provided by the European Union. Nevertheless, a like assessment is mandatorily conducted by the relevant data supervisory authority, which is obligated to pre-approve the BCRs in question for operation. As indicated above, India’s current and proposed data protection framework illustrates a lack of requisite safeguards. Additionally, the GDPR prescribes a requirement of mandatory physical presence within the EU, a condition that may limit opportunities for several small-to-medium scale businesses. These are also unlikely to be adopted for common use due to the time-intensive case-to-case approval process involved. To remedy the same, a model BCRs template may be prepared by each data supervisory authority to expedite the process. This must, however, be preceded by legislative efforts to secure the protection of incoming foreign personal data.

B. Derogations

As hinted by the CJEU itself, derogations under Article 49 of the GDPR allow for the legitimization of data transfers even in circumstances where the receiving state lacks adequate privacy safeguards. These may be allowed in specific circumstances, including when the express informed consent of the data subject is obtained, when the transfer is necessary for the performance of a contract between the data subject and the data controller, or when the transfer is necessary for public interest. However, the applicability of these derogations is exceptional in nature so that regular data transfers cannot be justified.

C. Data Localization

Another alternative is to switch to data localization which entails the storage of all consumer data within the territory from which it is collected. Thus, companies can opt to set up data storage infrastructures within the European Union. While other jurisdictions generally demand only the storage of a copy of data transferred under data localization obligations, such as for law enforcement purposes, this specific obligation would completely restrict the outstation transfer of data in the absence of requisite privacy safeguards. However, this would exponentially increase processing costs and would also restrict the operation of several services which require a to-and-fro transfer of data.

Conclusion

Since member-states of the EU represent major players in the globalization and commercialization scene, nations across the world are likely to enact “essentially equivalent” data protection regimes to guard against the inability to trade and offer services within the EU. India would also be caught in such a wildfire lest it amend its domestic regime to suit the requirement expounded by the Schrems II Decision. Thus, the Schrems II Decision may catalyse the spread of European data protection principles as a global privacy standard. While the DPCs across the EU are releasing separate guidelines to assist foreign companies to chart measures needed to be adopted in order to comply with the Schrems II Decision, urgent initiative must be taken by the Indian Government to counteract the immediate effects of the possible destabilization of the India-EU data transfer network.

Notes From A Foreign Field: The Ninth Circuit Court of Appeals and Bulk Metadata Surveillance [Guest Post]

[This is a guest post by Rudraksh Lakra.]


On 3rd September 2020, the United States Court of Appeals for the Ninth Circuit (9th Circuit) delivered its decision in the landmark criminal appeal case of United States v. Moalin. The Court ruled that the National Security Agency’s (NSA) collection of telephony metadata under the now discontinued mass surveillance Telephony Metadata Collection Program (TMCP) constituted a search under the Fourth Amendment of the American Constitution and was potentially unconstitutional. Moreover, TMCP was deemed unlawful for being violative of the Foreign Intelligence Surveillance Act of 1978 (FISA). FISA is a federal law that establishes the procedure for authorizing and carrying out foreign intelligence surveillance. It is the first case where a federal court has held that bulk collection of metadata by intelligence agencies would constitute a search under the Fourth Amendment, and the second federal court decision to hold that the TMCP fell foul of FISA Subsection IV Section 1861.

The article examines the interpretation given by the 9th Circuit on the constitutionality of the warrantless bulk surveillance undertaken by intelligence agencies to understand the lessons Indian courts can imbibe in the post-Puttaswamy era. This becomes even more important  in light of the petitions pending in the Supreme Court challenging the constitutionality and lawfulness of Section 5(2) of the Telegraph Act and Section 69 of the Information Technology Act (IT Act), along with the rules therein.

Background

The facts and procedural history leading to the appeal are themselves quite remarkable. Moalin was charged with providing financial assistance to a terrorist organization in Somalia. The main evidence the District Court relied upon was a wiretap authorized under FISA Chapter I. Moalin had unsuccessfully sought to exclude the wiretap from evidence, contending that information filed to authorize the wiretap was collected through illegal surveillance which the government failed to include in evidence or provide Moalin notice of.

A month after this decision, Edward Snowden revealed the existence and working of NSA’s mass surveillance programs, including the TMCP. Under TMCP, the NSA maintains a central database of telephone metadata of all communication within and from the US. Telephone metadata, in this case, referred to the phone number of a caller, the location, recipient, and duration of the call, identity of the mobile subscribers, and the mobile device ID.

Subsequently, amidst public outcry, government officials justified TMCP by citing the case of Moalin’s prosecution as a success of TMCP. The then FBI deputy director admitted before the House Permanent Select Committee on Intelligence that the investigation into Moalin was reopened only after the NSA provided them information collected under the TMCP.

It was based on this information that Moalin was able to file a motion for a new trial at the District Court, and on that motion being denied, for an appeal to the 9th Circuit.

Moalin challenged the District Court’s decision on various grounds. The three grounds relevant for our discussion are that (1) the TMCP was violative of the Fourth Amendment; (2) the TMCP was violative of FISA subchapter IV; and (3) the government’s failure to provide notice of the metadata surveillance to him was violative of the Fourth Amendment and FISA. Therefore, he contended, evidence collected through TMCP, and fruits obtained therein, ought to be inadmissible, including the wiretap.

The Fourth Amendment Argument

Moalin asserted that the TMCP was violative of his Fourth Amendment right against “unreasonable searches and seizures” without probable cause. Fourth Amendment protections apply where the citizen has “an actual (subjective) expectation of privacy,” and “the expectation [is] one that society is prepared to recognize as ‘reasonable.’” (Katz v. United States). He contended that there is a reasonable expectation of privacy in telephone metadata.

The government and the district court in Moalin had relied upon Smith v. Maryland, in which the Supreme Court held that data voluntarily provided to third parties (third-party doctrine) was not protected by the Fourth Amendment. In Smith, the Supreme Court approved the collection by the government of call records spanning a few days, using a pen register. It observed that society would not have a reasonable expectation of privacy for a few days of call records, and for data that is voluntarily provided to communication service providers.

Smith was, to an extent, overruled by the US Supreme Court in 2018 in Carpenter v. United States, where it held that obtaining seven or more days’ worth of cell-site location information constituted a search under the Fourth Amendment. The court rejected the application of the third-party doctrine to certain novel technologies on the grounds that – due to technological advancements in digital technology – these technologies have become a necessary part of life, and the collection of data through them is different. However, the Court refused to extend their finding to surveillance carried for foreign affairs or national security.

In Moalin, the Court – similar to Carpenter – distinguishes Smith in terms of the quantity of data stored by telecommunication service providers today and how revealing it is, both vastly different from Smith, where a pen register was used to collect metadata for only a few days. Moreover, the Court concludes that similar protection is to be provided to bulk collection of metadata and content data.

The Court observes that massive shifts in technology have allowed for bulk surveillance for extended periods of time, with which, conventional expectations of privacy must also evolve. Therefore, the Court concludes that today, unlike Smith, bulk collection of telephone metadata falls within society’s recognized reasonable expectation of privacy, as demonstrated by the public outcry post-Snowden’s revelations. Consequently, the Court notes that the collection of metadata under TMCP constitutes a search under the Fourth Amendment, but stops short of declaring it unconstitutional. 

This was because the Court found that the evidence the government presented at the trial was not a fruit of the metadata collected earlier, and was, therefore, not tainted by it. It was also bound by the 9th Circuit precedent US v. Ankeny, which held that it was not appropriate to adjudicate on Fourth Amendment questions where the exclusion of evidence was not warranted.

What is central to both Carpenter and Moalin is the idea that constitutional protection should be transformative and reflective of the realities of today. Thus, the decades-old precedents and understanding of constitutional protection should not be controlling today, especially concerning technological matters.

Another idea central to both Carpenter and Moalin is that state surveillance should not only be based on executive authorization but should also require probable cause. In cases of communication surveillance, the executive cannot be granted absolute discretion. Therefore, there is a need to have an independent body to regulate state surveillance activities. This need is reflected in international law standards (for instance, see Roman Zakharov v. Russia, para 275, and United Nations High Commissioner 2018, Privacy Report, para 39-40) and comparative practices (for instance, Germany, Canada, UK, New Zealand, Australia, France, Belgium, Romania, and South Africa).

Authorisation and Oversight of Communications Surveillance in India

In India, surveillance under both the Telegraph Act and the IT Act is authorized by the executive, and the surveillance orders under the rules of both are to be reviewed by a review committee of executive members every two months.

The constitutionality of this practice is itself in question. Recent SC jurisprudence, similar to Moalin, has indicated the need for judicial authorization regarding the state’s surveillance activities. Justice Nariman, in Puttaswamy I, observed that “the ultimate analysis” of a measure’s proportionality “must be left to the training and expertise of the judicial mind.” (J Nariman Opinion, Para 86). This need was reiterated as a part of the Puttaswamy II case, wherein a provision of the Aadhaar Act, which allowed for the disclosure of user information, was struck down, with the absence of judicial oversight or the scrutiny of the “judicial mind” being a critical factor in the court’s determination (Para 449(4)(f)).

This need was reiterated by the BN Srikrishna Data Protection Committee Report, which concluded that the lack of independent oversight over surveillance activities makes the Indian surveillance framework potentially unconstitutional post Puttaswamy I.

When the SC adjudicates on the challenge to the contentious sections of the Telegraph and IT Acts, it will have to revisit PUCL v. UOI (1996), a more than two-decades-old precedent which, along with the Telegraph and IT Acts, currently governs the law on surveillance, and in which it upheld the constitutionality of section 5(2) of the Telegraph Act. It also refused to require judicial approval for surveillance and laid down limited procedural safeguards, such as the requirement of an executive review committee. Moalin shows how the law – especially with respect to technology – must reflect the realities of today. Therefore, PUCL’s approach must be overturned, as it was laid down before the surveillance capacity of the state had ballooned, information technology had become central to society, and bulk surveillance had become the norm.

TMCP and FISA, Subsection IV Section 1861

FISA Subsection IV Section 1861(a)(1) allows the state to carry out surveillance only after being authorized by the FISA Court to “protect against international terrorism or clandestine intelligence activities.” However, at the time of the case, for surveillance to be authorized, 50 U.S.C § 1861(b)(2)(A) required demonstration of a relevancy nexus between the target sought and “an authorized investigation.”

The appellants argued that the TMCP violates the relevancy requirement, as the government collected metadata in bulk without any nexus to an already authorized investigation. They argued that the term “relevant” was inserted by Congress as a limiting principle.

The Court sides with the appellants, basing its reasoning and building upon American Civil Liberties Union v. Clapper – a 2015 Second Circuit Appeals Decision – which had held that bulk metadata surveillance contravened the FISA. In Clapper, the government had argued that the relevancy requirement should be read widely, as the Congress did not intend it to be a limiting principle. The court rejected this interpretation as being “unprecedented and unwarranted” and reading the “‘authorized investigation’ language out of the statute.” The Court’s interpretation was correct, as the government’s interpretation would have defeated the object of the section – to place a check on the executive’s discretion – and would have destroyed the essence of the right at stake.

The government argued that the collected metadata indicates that Moalin was associated with foreign terrorists, and therefore, the surveillance was relevant to a counterterrorism investigation. However, as the Court correctly points out, 50 U.S.C § 1861(b)(2)(A) requires the government to demonstrate a nexus between the target sought and “an authorized investigation” before any surveillance is authorized by the FISA Court. Moreover, the relevance nexus requirement cannot be satisfied after authorization by analyzing the collected surveillance data.

Consequently, the Court in Moalin concludes: “that the telephony metadata collection program […] violated that section [1861] of FISA.” However, the Court refuses to exclude the evidence presented in the district court, because FISA subchapter IV did not allow for suppression of evidence even if unlawfully gathered. Additionally, the Court concludes that the collected metadata did not taint the other evidence including the wiretap.

The approach of both Clapper and Moalin was to interpret the section allowing for state surveillance in a way that at least narrowly restricts it. The approach of the SC in PUCL (1996) was similar, where it laid down procedural safeguards for surveillance under the Telegraph Act, limiting and narrowly tailoring the scope of authorization and the collection of data.

It is important to remember that the TMCP was based on a series of FISA Court orders. Therefore, even a separate supervisory body can become nothing more than a rubber stamp, if it does not have the institutional capacity to render objective rulings and exercise effective and continuous oversight over authorized surveillance activities (see Roman Zakharov v. Russia para 257-267).

Review Committees under the Telegraph and IT Acts

As observed above, executive review committees that have been established under the 2009 IT Rules and Rule 419 A – similar to the FISA Court – are nothing more than a rubber stamp. The BN Srikrishna Data Protection Committee Report highlighted that a review committee that meets once in over two months has the unrealistic task of extensively reviewing more than 18000 judgments. Clearly, the review committees cannot apply their judicial acumen well enough in every case and are merely meaningless stamps of approval.

This should amplify the concerns regarding executive authorization and review of communication surveillance. The SC, in the upcoming challenge to the Indian surveillance framework, must overturn PUCL (1996), and require an independent body with adequate institutional capacity to authorize and oversee surveillance activities.

Notice

The Fourth Amendment – in the case of a wiretap – requires notice to be provided once the surveillance operation is complete (Dalia v. United States), and FISA Section 1806(c) requires the government to provide a notice of the collected information to the defendant and to the District Court “when the prosecution intends to enter into evidence or otherwise use or disclose information” obtained pursuant to the government’s foreign intelligence authorities.

The Government argued and sought to justify the failure to provide notice by distinguishing Dalia, relying upon US v. Cavanagh, which held that FISA satisfies the Fourth Amendment requirements and stated that Fourth Amendment standards apply differently to intelligence gathered for national security.

The Court, while concurring with the government that different standards apply in the context of foreign intelligence, observes that the rule does still apply here nonetheless. Therefore, the requirement of providing notice has to be complied with, even if it is circumscribed. The Court concludes that, at a minimum, the Fourth Amendment requires notice for surveillance conducted under FISA to a criminal defendant and to the Court in the required circumstances under Section 1806(c).

However, the Court refuses to declare if the government’s failure to provide adequate notice was unlawful. This is because the lack of notice did not prejudice the appellant and the metadata did not taint other evidence.

While it is understandable why the Court sets a lower threshold of providing notice in the context of foreign intelligence, its standard is woefully inadequate. A more robust and stricter standard should be used in cases with a higher probability of abuse by the executive, which includes mass surveillance programs. Providing notice is essential to the right to an effective remedy (ubi jus ibi remedium) and the right to a fair trial. More fundamentally, it leads to greater transparency in the case of state surveillance programs, enabling stakeholders to meaningfully scrutinize their workings.

The Court’s standard limits the challenge to data collected by intelligence agencies only at the trial stage. It does not provide a remedy to those individuals whose data is stored by intelligence agencies even if it is completely extraneous to the investigation and was obtained unlawfully.

Notice: India

In the Indian context, there is no requirement of notice or of disclosure (even a limited one like Moalin) to the subject of surveillance. The only way a subject would potentially receive knowledge of the surveillance is at trial, where even illegally obtained evidence is admissible (State v. Navjot Sandhu). While the Bombay HC, last year, had refused to admit evidence in contravention of the right to privacy (read more here), there is also a contrary Delhi HC judgment on the point (read more here). The SC is yet to rule on this point of law (post Puttaswamy, the SC should side with the Bombay HC). This, in any event, will still not exclude all illegally obtained surveillance, but only that which can be demonstrated as unconstitutionally obtained.

Currently, lack of notice, coupled with the fact that illegally obtained evidence is admissible in court, means that an individual may not be able to seek effective remedy for the potential violation of their fundamental rights (such as quashing surveillance orders or excluding evidence). This raises constitutional concerns following the SC’s observation in AK Gopalan that the exclusion of an individual’s access to effective remedies under the Constitution’s Articles 32 and 226 is unconstitutional.

Again, when the SC adjudicates upon the challenge to the Indian surveillance framework, it must mandate the requirement of a notice to the subject. While the concerns Moalin raises ought to be taken into account, the limited model it proposes should only serve as a cautionary tale.

Conclusion

On a concluding note, we must remember that Moalin’s case was an exception. He could only challenge the clandestine surveillance because the government itself admitted it, which does not happen in most similar cases.

Information asymmetry between the state and accused is a hallmark in such cases. Evidence presented at trial is often only collected based on the information gained from clandestine surveillance, which – due to both the classified nature of the program and the lack of notice – the accused is oblivious to. Even if the accused were to challenge surveillance programs, it is tough to prove the case as direct evidence is rarely available, and the design of the program is classified or unknown.

The judgment by the 9th Circuit is to be rightly commended for many reasons. First, the Court did not have to explore the question of the legality of TMCP, given that the collected metadata, according to the Court, did not taint the evidence presented against Moalin at the District Court. Second, the Court could have abdicated its responsibility or exercised juridical deference, since it was faced with a complex technological problem, and a sensitive case linked to national security and counter-terrorism operations.

Yet, the Court does not abdicate its responsibility even under such circumstances. Instead, it directly engages, rather than sidestepping, important constitutional and rule of law issues, forcing the state to adequately justify its surveillance program against the touchstone of the Fourth Amendment and FISA.

Second, the Court invests time in understanding and engaging with the technological design of the surveillance program and its effectiveness, instead of believing the state prima facie or avoiding engagement with questions about the technology.

Finally, the Court builds upon the foundation of Clapper, applying it to the situation of communication surveillance for national security, an area into which the Court in Clapper had refused to delve. The judgments expected from a constitutional court are not only to be based on correct precedents but must build upon those to forward constitutional aspirations and protect civil liberties.

The Indian SC will potentially face its biggest challenge on privacy when it adjudicates upon the constitutionality of the legislative surveillance framework. It would have the opportunity to forward its transformative right to privacy jurisprudence and apply it to a concrete case to reform India’s surveillance landscape. Moalin offers the Indian SC valuable lessons on how this can be achieved. However, the SC’s contemporary approach to key constitutional issues (recently, on privacy, see the mandatory voice sample case, here and here) and gradual shift in its role to that of an executive court will require a re-orientation if this is to happen.

Guest Post: (Mis)Applying Puttaswamy – The Delhi High Court on Privacy and Evidence

[This is a guest post by Karthik Rai.]


It has been argued that the transformative character of the Puttaswamy judgement did not extend to governing claims to the fundamental right of privacy between private parties. To recapitulate, Puttaswamy adopted a narrow approach to privacy and did not examine horizontality (and rightly so, as this was not what the constitution bench was convened to answer). Thus, the court did not explicitly hold that an Art.21 protection in case of privacy violation would extend to violations by private parties or individuals.

However, this conclusion is not a unanimous or unambiguous one. Recently, in the case of Deepti Kapur v. Kunal Julka – a case where an argument based on the fundamental right to privacy was raised in a divorce-related proceeding between the plaintiff and the defendant – the Delhi High Court ruled that evidence cannot be inadmissible on grounds solely of breach of privacy under Article 21. The issue of horizontality serves merely as a prefatory remark to introducing this case; the more significant issue is the manner in which Puttaswamy was applied in this case, whether the horizontal application was valid or not. I argue in this piece that the interpretation of Puttaswamy in Kunal Julka was very restricted – and, at places, perhaps incorrect – and could precipitate an undesirable jurisprudence on the admissibility of evidence.

The Facts

The husband filed for divorce before the Family Court under S.13(1)(a) of the Hindu Marriage Act, stating that his wife had defamed him before her friend, causing him mental agony and cruelty. As proof, he submitted, in a CD, a video-recording of her conversation with her friend, collected by the CCTV camera in that room. The statute governing this issue was Section 14 of the Family Courts Act, 1984:

14. Application of Indian Evidence Act, 1872.—A Family Court may receive as evidence any report, statement, documents, information or matter that may, in its opinion, assist it to deal effectually with a dispute, whether or not the same would be otherwise relevant or admissible under the Indian Evidence Act, 1872 (1 of 1872). (emphasis mine)

The wife claimed that she had the right to the non-invasion of her ‘thoughts and behavioural patterns’ as part of her privacy rights, and that the secretly-recorded conversation occurred in her bedroom, where her conversations should have been confidential. This, she argued, violated her fundamental right to privacy per the Puttaswamy holding (para 6). Since the evidence produced was in breach of this fundamental right, the recording would be inadmissible. While Section 14 permitted evidence notwithstanding its inadmissibility under the Evidence Act, it did not permit evidence that was not admissible “as per the Constitution” (para 7).

Contrarily, the husband argued that the fundamental right to privacy was subject to restrictions – specifically, his right to fair trial under Article 21, lest he should be denied the opportunity of proving his claim. He also argued that Section 14 ensured admissibility regardless of its inadmissibility under the Evidence Act.

The High Court ruled in the husband’s favour. Its ruling on this point had two broad arguments, which are analysed below.

[A]. Relevance as the only test of Admissibility

The Court noted that the test for admissibility was ‘crisply’ detailed in Pooran Mal v. The Director of Inspection (Investigation), New Delhi, where it was held that since the Evidence Act referred to only relevance as the criterion of admissibility, the ‘spirit of our Constitution’ could not be invoked to exclude illegally-procured evidence. Then, the Court relied on State v. Navjot Sandhu which, while referencing RM Malkani v. State of Maharashtra, upheld the admissible-if-relevant test (paragraphs 17-20).

However, Justice Bhambani does not analyse the fact that Puttaswamy overrules each of these cases on these points, whether directly or indirectly. For instance, Pooran Mal relied on MP Sharma. As Vrinda Bhandari and Karan Lahiri argue, Puttaswamy, by upholding a fundamental right to privacy, overruled MP Sharma v. Satish Chandra which, while examining if procuring inculpatory documents violated Article 20(3) of the Constitution (which protected against self-incrimination), stated that, given the Constitution did not recognize a fundamental right to privacy, Article 20(3) could not be applied to such illegal procurement. Pooran Mal also relied on the siloed approach advocated by A. K. Gopalan v. State of Madras (para 23) which is now overruled. Therefore, Pooran Mal stands on very unstable grounds. The argument in Kunal Julka that post-Puttaswamy cases like Yashwant Sinha v. CBI too relied on Pooran Mal for the admissible-if-relevant test (para 25), is consequently questionable.

Malkani considered the issue only of violation of a statutory provision (the Indian Telegraph Act), and did not address the issue of violation of a constitutional provision. Chandrachud J. stated that Malkani followed Kharak Singh’s reasoning, which stated that there was no fundamental right to privacy, and which was therefore overruled by Puttaswamy (para 51). Moreover, Malkani, too, adopted the siloed approach to fundamental rights which has been disregarded since RC Cooper and Maneka Gandhi, and thus liberty and privacy claims under Article 21 were not examined (something that Selvi v. the State of Karnataka [para 192] examined and upheld, in the context of the constitutionality of confession-obtaining methods like narco-analysis). Subsequently, Navjot Sandhu too fails as authority on this point, for its holding was premised on Malkani and Pooran Mal (paras 154-155).

Kunal Julka’s decision ties into a significant issue. Gautam Bhatia has argued that, since Selvi, which read Articles 20(3), 21 and Sections 24-27 of the Evidence Act harmoniously to protect an accused’s mental privacy, a distinction has been created between illegally-procured and unconstitutionally-obtained evidence. Post Puttaswamy, this distinction was carried forth, as argued on this blog, by Vinit Kumar v. CBI and Ors. In Vinit Kumar, the Bombay High Court noted (in my opinion, rightly) that the interception orders passed under the Telegraph Act were violative of the tests of privacy established in Puttaswamy, and therefore, the Court would be ‘breeding contempt’ by eschewing procedure, if such illegally procured evidence were to still be admitted in a trial (para 38). In fact, it noted all the cases mentioned afore and cited in Kunal Julka, and held that any privacy infringement by the State will have to meet the privacy tests Puttaswamy established, with any case suggesting otherwise not a ‘binding’ precedent on that point (para 12).

This well-founded distinction was not touched upon, unfortunately, in Kunal Julka. It only examined the Evidence Act and the Family Courts Act, stating that the special law has to prevail over the general law (para 15). With the Constitution having a bearing on the admissibility of evidence, and not merely the Evidence Act, the question of the ‘generalia specialibus non derogant’ rule should have never arisen.

Kunal Julka also stated that if evidence adduced under Section 14 were to be excluded on privacy grounds, Section 14 would become ‘nugatory’ (para 35). However, that is a fallacious argument, and is not a legitimate justification for the admissibility of evidence under its scope. Besides, evidence collected illegally, but satisfying the Puttaswamy tests, could still be admitted under Section 14, and therefore, Section 14 would not necessarily be nugatory.

[B]. Privacy subject to Fair Trial

Ruling on the husband’s claim for a fair trial right under Article 21, the Court simply stated that, since the fundamental right to privacy is not absolute, privacy considerations ‘may have to yield’ to the fundamental right to fair trial under Article 21 (para 24). It stated that, after the evidence had been made admissible, the weight (if any) to be given to evidence must be decided based on (undefined) ‘considerations of justice and fair play’ (para 36).

It is surprising how the Court, in its enthusiasm to admit the evidence, does not follow its own statement that no fundamental right is absolute. Since the right to fair trial, therefore, is also not absolute, the Court should have applied the tests of privacy established under Puttaswamy to ascertain if the privacy-violation precipitated by the evidence met the tests of legality and proportionality, instead of making a nonchalant remark that it may yield to fair trial rights. Only then should the evidence have been even made admissible. In fact, the court cited the Sahara v. SEBI case to justify the importance of fair trial against other fundamental rights, but that case tried to balance the two rights based on pre-established tests, observing that (para 25):

“…even Articles 14 and 21 are subject to the test of reasonableness after the judgement of this Court in Maneka Gandhi…” (para 25)

Conclusion

The interpretation in Kunal Julka is, in my opinion, an archetypal adherence to the crime-control model as against the due-process model that Mrinal Satish and Aparna Chandra prove still pervades jurisprudence in cases of admissibility of evidence and criminal-law jurisprudence in general. In one part of the judgement, it even holds that, howsoever the evidence is collected, fair-trial and justice mandate its admissibility (para 35). Claims that a right to fair trial had to be preferred since denying it impacted the public, as against a personal impact if privacy was violated (para 23), further substantiate this point. If such substantive-truth seeking jurisprudence re-develops in future cases notwithstanding Puttaswamy, without even applying its tests, it may serve as the death knell for privacy and procedural truth, especially with modern technologies like Fitbits, etc., being used in trials as evidence. In any case, the argument this piece makes is that the reasoning in Kunal Julka is extremely tenuous, dealing a heavy blow to the transformative character of Puttaswamy. The judgement exemplifies the truism that whether a judgement is interpreted conservatively or expansively could determine the outcome of a range of cases not specifically anticipated by it.

Guest Post: The Democracy Branch – Reimagining the Role of the Data Protection Authority

[This is a guest post by Nikhil Pratap.]


In Justice K.S.Puttaswamy (Retd) v. Union of India (2017), the Supreme Court instructed the Justice Srikrishna Committee to formulate a comprehensive legislation for personal data protection. A law was deemed necessary in the context of the surveillance and privacy threats to individuals, primarily from the executive action. The main purpose of the law would be to incorporate data protection principles and also ensure accountability of government use of data.

The efforts on instructions of the Supreme Court eventually culminated in The Personal Data Protection Bill, 2019 (“PDP Bill”) which sets out data protection principles for collection and processing of personal data, both by government and private parties. It envisages a Data Protection Authority (“DPA”) having wide powers to carry out policy setting, monitoring enforcement, investigation, research, awareness and grievance redressal functions. The powers and the structure of the DPA in the PDP Bill are largely inspired from other sectoral regulatory bodies – such as SEBI or TRAI, which carry out core economic functions of the executive and are under its direct supervision and control.

It is the author’s argument that the proposed DPA in its current form greatly deviates from its originally envisaged primary function i.e. to ensure accountability of the executive (both Central Government and State Governments and its various arms) – while it collects and processes personal data of its citizens. Given the intent and context of the PDP Bill, setting up the DPA as a sectoral economic regulator under the control of the Central Government, amounts to defeating its mandate. To ensure that the Bill effectively meets its purpose, the DPA should be reimagined as a ‘Fourth Branch’ Institution or a ‘Democracy Branch’ Institution.

Fourth Branch Institutions

Constitutional theory traditionally divides the State into three branches – the Legislature, the Executive and the Judiciary. Under this traditional conception of State, institutional accountability of executive action lies with the other two branches of the government – namely, legislature and the judiciary. However, due to the design constraints of parliamentary democracy and collective responsibility, legislative accountability tends to get weakened as the executive usually commands the support of a parliamentary majority. (See recent decision of the Parliamentary Committee on review of PM Cares). This means that the judiciary is effectively the only institution responsible for protection of Constitutional checks and balances.

In such a context, the concept of a ‘Fourth Branch’ of the State gains immense significance and potential. There is growing literature which classifies institutions protecting the core ideals of democracy as the ‘Fourth Branch’ or the ‘Democracy Branch’. (See Professor Bruce Ackerman and Professor Tarunabh Khaitan). The core democratic ideals which the Fourth Branch ought to protect depend on the conception of democracy embraced by the Constitution. A ‘thinly’ defined democracy would limit these core ideals to fair processes such as free and transparent elections, oversight, impartiality and civil and political liberties, whereas a ‘thickly’ defined democracy would also require protection of other constitutional values such as socio-economic rights and distribution of financial resources. The protection offered by the fourth branch institutions would thus vary depending on the constitutional values. However, in either case, these institutions are independent from the other branches of the State and provide for an additional layer of institutional accountability, apart from the judiciary.

Good examples of fourth branch institutions are the ‘Chapter IX’ institutions in the South African Constitution, which are called ‘State Institutions Supporting Constitutional Democracy’. These include institutions such as the South African Human Rights Commission, Electoral Commission, the Auditor General and the Commission for Gender Equality. Similarly in India, institutions such as the Finance Commission, Election Commission, the CAG, Lokpal, Information Commission, National Human Rights Commission may be considered as examples of the fourth branch even though they are not explicitly enumerated as such. The distinctive characteristic of the ‘Fourth Branch’ institution is that they are independent from the direct influence and control of the Executive.

While some of these fourth branch institutions are constitutional bodies, they may be created through a statutory enactment as well. Gautam Bhatia argues that statutory bodies that provide a framework towards implementation of core fundamental rights or a democratic ideal are elevated to the status of ‘constitutional statutes’. He draws a functional equivalence between constitutional bodies (such as the Election Commission) and the institutions created by constitutional statutes (such as Information Commission, CBI, CVC), as both of them serve core democratic functions and ensure accountability, and concludes that both types of bodies are fourth branch institutions. As such they deserve equal protection of their independence from the executive, irrespective of their structure or manner of enactment. In this context, he argues that the recent Right to Information (Amendment) Act, 2019, which removed the fixed tenure and salary of the Information Commissioners, is unconstitutional because it dilutes their constitutionally protected independence.

To ensure independence, members of the fourth branch institutions are usually not appointees of the executive but are appointed by a committee often having bipartisan legislative representation and in some cases representatives from the judiciary. Examples of appointment through such selection committees include the Information Commissioners, Central Vigilance Commissioners or the members of the National Human Rights Commission. Many fourth branch institutions have fixed terms and salary for their members. For example, the Comptroller and Auditor General of India has a fixed term of 6 years and can only be removed from office in the same manner and on the same grounds as that of a judge of the Supreme Court and his/her salary can be altered only by a law by the Parliament. Similarly, members of the National Human Rights Commission can be removed on ground of proved misbehaviour or incapacity as prescribed in law.

DPA as a Fourth Branch Institution

The question which then arises for consideration is why the DPA must be considered a fourth branch institution instead of a mere sectoral regulator such as TRAI, SEBI or CERC. To answer this question, we must first understand that in a welfare state such as India, the executive branch continues to play a dominant role in individual lives, and it processes a wide range of personal data for functions such as healthcare, subsidies, census, surveillance and targeted governance. Intelligence and law enforcement agencies also collect and process swathes of personal data of individuals. Given the width and scale of executive action related to personal data, accountability of executive actions becomes necessary. This sentiment was captured in Puttaswamy, where Chandrachud J. observed:

180. (…) In a social welfare state, the government embarks upon programmes which provide benefits to impoverished and marginalised sections of society. There is a vital state interest in ensuring that scarce public resources are not dissipated by the diversion of resources to persons who do not qualify as recipients (…) Data mining with the object of ensuring that resources are properly deployed to legitimate beneficiaries is a valid ground for the state to insist on the collection of authentic data. But, the data which the state has collected has to be utilised for legitimate purposes of the state and ought not to be utilised unauthorizedly for extraneous purposes. This will ensure that the legitimate concerns of the state are duly safeguarded while, at the same time, protecting privacy concerns.

 

The potential dangers to privacy and of surveillance posed by the executive have already been made evident in the constitutional challenge to the AADHAR scheme, where the Petitioners exhaustively presented the privacy, surveillance and security dangers of unchecked data processing by the government.

Further, the right to privacy has already been recognized as a civil political right which requires heightened protection from executive abuse, for it is inextricably linked to a free exercise of other democratic rights such as a right to vote or the right to freedom of movement and association. Thus, protection of the right to privacy as a fundamental right is not merely an end in itself but also instrumental in protecting the minimum democratic core of our Constitution. It is for safeguarding this fundamental right of privacy that the Supreme Court instructed the Committee chaired by Justice B N Srikrishna to draft an appropriate legislation, knowing fully well that an unchecked collection and use of personal data can lead to executive aggrandizement and adversely affect democracy.

The mandate of the PDP Bill was to constitute an independent body which would facilitate democratic and institutional accountability of the executive but in stark contrast, the DPA has now been modelled as a sectoral regulator; and much like any other sectoral regulator, the central government has retained executive control and supervision over the DPA. For example, the Selection Committee which appoints the members of the DPA consists entirely of members from the executive i.e. secretaries from different departments of the Central Government. Their salaries and allowances are to be prescribed by the Central Government. The Central Government has also been empowered under the Act to remove any member of the DPA on the grounds enumerated in the PDP Bill. Emulating economic regulators, the PDP Bill has also vested its adjudicatory function in adjudicatory officers. The manner and term of appointment of these officers shall be decided by the Central Government.

Such pervasive executive control built into sectoral regulators is justified as they are bodies which set out, regulate and monitor economic policy. Since economic policy is a core function of the executive, it is only appropriate that the government has the functional autonomy and powers related to it. However, the same principle cannot apply to an accountability and democracy body such as the DPA. Given the key role of the DPA in protecting a core democratic ideal of the Constitution (and that too largely against the Executive itself), it neatly fits into the category of a fourth branch institution and not a sectoral regulator. It is therefore necessary that the DPA is reimagined as a robust and independent part of the ‘Fourth Branch’ lest the right to privacy becomes illusory over time.

Coronavirus and the Constitution – XXIV: Aarogya Setu and the Right to be Forgotten [Guest Post]

[This is a guest post by Karthik Rai.]


Introduction

While the Puttaswamy case recognized privacy as intrinsically embedded in Art. 21 of the Constitution of India, it was simultaneously conceded that health concerns would trump privacy considerations, if this were done through necessary and proportionate intrusions into individuals’ privacy [paragraph 180]. In light of the Covid-19 pandemic currently gripping the world, one such purported governmental intrusion into the citizens’ privacy was the introduction of the ‘Aarogya Setu’ app (‘the App’) to track users’ movements and ascertain if they are at the risk of contracting the virus.

Let me briefly describe the App. The App obtains details regarding the users’ name, sex and medical antecedents, to mention a few, and its usage is propelled by mobiles’ Bluetooth and GPS services. These details, under certain circumstances, get uploaded onto the server which is then accessed by the government to respond appropriately. There had been various concerns with the privacy policy (‘Policy’) of the App which compelled the government to release an updated Policy with various changes. However, criticisms have still persisted – on its static Digital Identity Number (‘DiD’), its requirement of GPS being excessive and not in line with global standards, and its lack of transparency – all of them seemingly infringing privacy disproportionately.

However, through this piece, I provide a hitherto-unexplored perspective to the App’s Policy. First, I will be proving that the Policy contains a substantial phrasal fallacy, intentional or not; next, I will show this affects the RTBF and its related concomitants, undermining user privacy. Finally, I shall conclude with suggestions on how to alleviate the problem.

The Phrasal Fallacy and its Consequences

Clause 1(d) of the Policy (it can be accessed here) states that the App collects locational information in fifteen-minute intervals – basically, the App stores data about the places users visited. It also states when said data will be uploaded to the server. Clause 3(b) addresses data retention apropos information collected under Clause 1(d), and posits three different time periods for data retention, based on the category the data falls in:

Category 1: If the data is not uploaded to the server, not having satisfied the conditions mentioned under Clause 1(d), it gets ‘purged’ within 30 days from the App.

Category 2: If the data is uploaded to the server, two further situations arise:

  • If the person tests negative for Covid-19, the data will be purged from the Server within 45 days of upload.
  • If the person tests positive, the data will be purged from the Server within 60 days of being cured.

While Category 1 entails data deletion from the App, Category 2 concerns deletion from the Server. So, if a person’s data under Clause 1(d) has been uploaded to the Server, there is no provision providing for the deletion of the same information from the App, implying it could remain on the App, indefinitely.

Clause 1(d) stipulates three situations under which the data gets uploaded to the Server: when the person tests positive for Covid-19, when ‘self-declared’ symptoms indicate a probability of being infected, and/or when the self-assessment test returns a ‘yellow’ or ‘orange’ result.

The assessment is conducted by algorithms whose criteria are unclear. Therefore, reports have stated that misidentifications are highly possible. A similar mechanism is present in China, and such predictive data-assessment has been inaccurate. Therefore, even mere suspicion could lead to a ‘yellow’ outcome, mandating a data transfer to the server. This would then mean that the user falls within Category 2, and his/her data would be deleted from the server but would linger in the App indefinitely, without violating the Policy.

Clause 2(e) states that the data collected under Clause 1(d), will not be used for purposes other than those mentioned in Clause 2. However, under Clause 2, the use mandated for Clause 1(d) data is only for the replicated data uploaded onto the Server. So, no use has been prescribed for the original data the App collects, which means Clause 2(e) does not exactly apply to it. Thus, it could be used for anything as long as it is not uploaded to the Server. Additionally, the data present on the App is not even encrypted into DiDs.

Clause 1(a) data, which contains personal attributes like name, gender, etc., remains as long as the account remains. Clause 1(a) data is first ‘collected’ in the App and subsequently ‘stored’ on the server. Thus, both Clause 1(a) and 1(d) data, in many users’ cases, can remain indefinitely on the App (and thus the mobile), and an accurate map of the places the user has visited can be charted, easily combinable with his/her personal attributes.

The government recently issued a slew of directions in order to increase usage of the App, including making the installation of the App mandatory for all employees in both the private and the public sector. Astonishingly, the Noida police has stated that not having the App on your smartphone would constitute a crime, possibly attracting imprisonment. In light of these developments, it becomes all the more important to understand how the problematic Policy could proliferate privacy violations, contravening fundamental principles of data protection.

Purpose Limitation and the Violation of RTBF

Purpose Limitation (‘PL’), an essential prerequisite for data protection, states that the collection of data must be for a specific purpose. The ‘data principal’ – used to refer to persons whose data is processed – must know the reason for which they provide data voluntarily. Therefore, the limit of data usage by the government must be constrained by the informed consent of the user.

The Supreme Court has held in the Aadhaar judgement that purpose limitation is integral for executive projects involving data collection – unless prior permission is provided, third parties cannot be provided access to personal data [paragraph 166]. This principle is embodied in S.5 of the yet-to-be-implemented Personal Data Protection Bill, 2019 (‘the Bill’). PL, as stated earlier on this blog, enhances transparency in data processing, and helps examine the proportionality of the mechanism used to collect data for a specific purpose. Moreover, as Siddharth Deb writes, it prevents the emergence of permanent data ‘architectures’ based on interlinking databases without consent. Stemming from this is an implicit expectation of RTBF. In order to understand and appreciate the relevance of RTBF, it becomes pertinent to establish the jurisprudence pertaining to the same in India.

The Right to be Forgotten: A Brief History

RTBF grabbed headlines after the popular Google Spain case, where a case was filed by a Spanish citizen against Google requesting the erasure of links that concerned forced sale of certain properties he owned due to debts, indicating financial hardships. The Court of Justice of the European Union ruled in the citizen’s favour by acknowledging that his right to be forgotten, and therefore his privacy, were being violated. Since the information had become “irrelevant” and “inadequate”, he had a legitimate claim to get such data removed under the EU Directive 95/46; thus he could be ‘forgotten’ from the internet [paragraphs 93-94].

However, the trajectory of the evolution of RTBF in India was slightly different, due to the absence of the right being grounded in statute. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which was India’s first legal framework recognizing the need to protect the privacy of personal data, had no mention of RTBF. Therefore, contrasting judgements on RTBF emerged.

To exemplify, the Gujarat High Court in Dharamraj Bhanushankar Dave v. State of Gujarat held that there was no law under which the petitioner could claim that he had a right to ensure the removal, from the internet, of a court judgement he was a party to; therefore, his arguments were insufficient to establish a successful case of violation of Art. 21 of the Constitution. However, a judgement reported four days later, {Name Redacted} vs The Registrar General, recognized RTBF explicitly, though in a limited sense. The petitioner’s request to remove his daughter’s name from a judgement involving claims of marriage and forgery was upheld by the Karnataka High Court. It held that recognizing RTBF would parallel initiatives by ‘western countries’ which uphold this right when ‘sensitive’ cases concerning the ‘modesty’ or ‘reputation’ of people, especially women, were involved [paragraph 5].

However, it was only in the Puttaswamy judgement that RTBF was unequivocally recognized by Justice Kaul as residing in Art.21, which guaranteed privacy. He noted that the recognition of RTBF would imply that, if an individual desired to remove his/her personal data from the virtual space, it ought to be respected, if said personal information served no ‘legitimate interest’, was ‘incorrect’, or was not ‘necessary’ or ‘relevant’ [paragraph 69]. However, he did concede that RTBF was subject to reasonable restrictions based on countervailing rights like free speech [paragraph 69]. Similarly, in Zulfiqar Ahman Khan vs M/S Quintillion Business Media, the Delhi High Court recognized RTBF as ‘inherent’ in the right to privacy [paragraph 9], thereby ordering the removal of internet articles that would sully the plaintiff’s reputation ‘forever’ [paragraphs 7 and 8].

Applying RTBF to the App’s Policy

In light of the judicial interpretation of RTBF in India, especially post Puttaswamy, it is clear that, once the purpose of the data submitted is completed, data principals have a right to have their data erased without unwarranted intrusions into their privacy. This is embodied in S.20(1)(a) of the Bill. RTBF is founded on the dignity of an individual, which could be tarnished if the information is not erased.

In the instant case, personal data is uploaded by users to the App for a limited, specific purpose – to ascertain their health’s status. Once the purpose of this data is completed, an automatic deletion of the data collected must have been effected, as Prof. Schönberger suggests. Moreover, the data collected by the App constitutes a ‘digital footprint’, as the data upload is by the principals themselves, and not by other parties. Thus, after the purpose is complete, neither public interest nor any violation of free speech will occur by deleting such information from the App. Thus, RTBF in this case should have been absolute.

However, if a user is denied this right by not deleting his/her personal information from the App, issues of identification of such persons arise. There have been instances of inter-app communication, wherein one app permeates another to extract information from the latter. This app then sends this data to an external server, which could be of another country as well. Then, the data could be used for any purpose. This could lead to microtargeting, finding out what medicines you use, etc., all of which violate privacy.

Besides, identification based on such data could precipitate widespread social media abuse. In South Korea, where similar surveillance methods were used recently, detailed timelines of people’s locations were uploaded on social media, with information like the place of residence giving reasonable indications of who the person was. A man was accused of infidelity after one of his locations on the app in Korea was near a brothel. Such online harassment impacts people’s psyche, and has also led to suicide.

The Right to Informational Self-Determination (‘RISD’)

RTBF is grounded in the fact that a citizen has control over his/her digital footprint, and thus no competing claim can use the information for anything else. Only the user has complete control over their data. The data principal must be equipped with the ability to retain personal control over personal information. In Puttaswamy, the judges emphasised the criticality of informed consent and informational autonomy, in line with European data privacy practices [paragraph 177], and any use of data contravening such consent would be ‘unauthorized’. Consent, therefore, is not a one-time permission, but must be obtained each time a new, specific use of the information is needed.

In the App, if the user tests ‘yellow’ or is Covid-positive, the information is uploaded to the Server from the App, voluntarily. However, 45 or 60 days after such information transfer, as the case may be, the purpose of sharing information is complete. The data principal had ascertained that only the government could control such information, and, that too, for a specific period, which has lapsed. Thus, RTBF automatically operates, and, respecting the users’ RISD, consent for further use of data should immediately terminate. However, since the App does not purge this information, users’ locational data could be illegitimately used for any purpose, by anyone. This violates their RISD.

Conclusion

The Supreme Court in Puttaswamy stated how the transgression of the right to privacy is subject to reasonable restrictions [paragraph 26, Sapre J.]. Therefore, the infringement must be backed by law, must be proportionate to the specific objective sought to be achieved, and must be the least intrusive measure.

There is no clarity on the legal underpinning behind the App; it can be surmised that it has been envisioned under either the vaguely-provisioned Epidemic Diseases Act, or the National Disaster Management Act, both of which provided extensive executive discretion. However, a chassis of clear regulations has not been designed to collect and reveal information about travel history, sex, etc. Thus, there is no specific law backing such executive action.

This is aggravated by the fact that the Bill has not been passed yet; thus, statutory grounds to regulate data collection and processing are still unavailable. Coupled with the fact that judges are deferential towards executive actions during such testing times, a challenge to the App based on Art.21 may not be sustained. Mere assurances by the government about protecting privacy will not suffice, as evidenced by Singapore, where, despite the government’s guarantees, user data was published in great detail, online.

It is not difficult, thus, to surmise that data protection is a desideratum for constitutional inspection. The Bill must soon be implemented and the App’s privacy policy recalibrated to pass the scrutiny of the Bill’s provisions, including RTBF, and purpose limitation. This would ensure a legitimate legal backing. Additionally, ensuring open access to the App’s source code is all-important. This would facilitate greater transparency and attenuate privacy flaws, thereby rendering the privacy intrusion by the App the least intrusive alternative.

Countries like China and South Korea, which have managed to reduce Covid-19 cases through measures mirroring the App, have substantially infringed their citizens’ privacy, with the citizens condoning the same as a necessary trade-off to achieve greater efficiency of the measures. However, this institutionalizes the ‘culture of tolerance’ of repeated and excessive privacy violations, giving the government greater confidence to effect more blatant privacy violations in the future. Thus, in light of the abnormal times we are countenancing, the government has to implement the Bill, recalibrate the Policy, and take other necessary measures to achieve an optimal trade-off between efficiency and privacy.

Coronavirus and the Constitution – XXI: The Mandatory Imposition of the Aarogya Setu App

The extension of the “nationwide lockdown” by another two weeks has brought with it a slew of further directions under the National Disaster Management Act. Many of these directions exacerbate the problems pointed out in previous posts. For example, unlike previous directions, this one actually does impose a physical curfew (between 7PM and 7AM), and directs local authorities to pass necessary orders implementing it. This particular direction lies at the intersection of rule by executive decree and the undermining of federalism, as discussed previously. In this post, however, I want to briefly consider Guideline 15 of Annexure 1, which mandates the use of the government’s contact tracing app – Aarogya Setu – for all private and public employees, and obligates employers to ensure 100% coverage.

To those who have followed the many twists and turns of the Aadhaar story, this metamorphosis from “voluntary” to “voluntary-mandatory” to “effectively mandatory” will have a familiar ring – the pandemic probably just accelerated the pace of transformation from a few years to a few weeks. The mandatory imposition of Aarogya Setu through executive decree, however, suffers from serious legal problems, discussed below.

The Absence of Anchoring Legislation

As pointed out repeatedly on this blog, the legal framework for the government’s pandemic management strategy has been the National Disaster Management Act, which has an umbrella clause permitting the issuance of guidelines and directions aimed at addressing disasters. Previously on this blog, we have discussed the separation of powers and other democratic problems that come with using vague enabling legislation to anchor a wide-reaching executive response. When it comes to the infringing of rights, however, the problem is even more acute: Part III of the Constitution requires that even before we get to the discussion of whether a rights violation is justified or not, there must exist a law that authorises it. Any such law has to be specific and explicit with respect to the rights that it seeks to infringe, the bases of infringement, the procedural safeguards that it establishes, and so on.

The NDMA cannot be such a law, because it says absolutely nothing about the circumstances, manner, and limitations under which the government is authorised to limit or infringe civil rights (in this case, the right to privacy). The enabling clauses do not help, because – as pointed out above – they are generic enough so as to permit just about any executive decree that (the executive believes) is required to tackle the disaster. If the NDMA was indeed accepted as the basis, then this would effectively subvert the legality requirement entirely and across the board: there could, hypothetically, be one single umbrella legislation that stipulates that “the government may do anything that it believes is reasonable to achieve the public interest”, and do away with any further need for lawmaking in toto. This, however, is the very definition of rule by executive, instead of the rule by and of law.

It should be noted that the proposition I am advancing here is a very basic one. Last week, for example, the High Court of Kerala refused to allow the government to cut salaries without specific legislation authorising it (the Court correctly observed that the existing provisions of the Epidemics Act and the Kerala Covid-19 Ordinance were far too generic to authorise such a step). We shall discuss the judgment of the Kerala High Court in a subsequent post, but for now, suffice it to say that this is not just a basic proposition under Indian law, but a basic proposition everywhere. The Israeli High Court – not exactly known for being a hotbed of bleeding-heart liberal jurisprudence – held a few days ago that the Shin Bet could not engage in surveillance without authorising legislation. A few months ago, the High Court of Kenya held that GPS Coordinates and DNA samples could not be collected under cover of a general law, but – at the very least – would require “anchoring legislation” to do so.

The requirement of specific legislation is not a mere procedural quibble, but a crucial constitutional point. One, of course, is the separation of powers issue, which we have discussed before: if the State is going to mandate an intrusive, data-collecting app upon its citizens, then the least that ought to be done is that it be authorised by the citizens’ elected representatives, in Parliament. Equally importantly, however, a hypothetical “Aarogya Setu law” will necessarily have to demonstrate constitutional compliance with respect to data protection principles. A good example of this – again – is the history of Aadhaar: once it became clear to the government that it actually had to pass an Aadhaar Act, the accompanying infrastructure – including limitations upon the use of Aadhaar – also had to be considered. Writing out these provisions in law also enabled an informed challenge in Court, where at least a part of the Act was struck down for being unconstitutional (I need not go over that again here). Blithely mandating Aarogya Setu in one sentence through an executive decree tears the constitutional architecture to shreds.

The Proportionality Test(s)

Given the government’s penchant for Ordinances (the Kerala government has, for example, issued an ordinance to get around the High Court’s salaries judgment), the requirement of legislation is unlikely to present an effective check upon executive abuse. That, however, makes it important to highlight that there exist serious substantive constitutional concerns with the mandatory use of the Aarogya Setu app.

As is well known, the proportionality standard for adjudicating whether a violation of the right to privacy is justified or not has four prongs: legality (requirement of a law, with a legitimate purpose), suitability (the government’s action must be suitable for addressing the problem, i.e., there must be a rational relationship between means and ends), necessity (i.e., it must be the least restrictive alternative), and proportionality stricto sensu (there must be a balance between the extent to which rights are infringed and the State’s legitimate purpose).

There is, by now, extensive literature on the question of the very effectiveness of contact-tracing apps to fight a pandemic such as Covid-19. As this Brookings Paper shows, (a) contact tracing is effective where there exists large-scale testing capacity and less spread (the first condition certainly does not exist in India today); (b) there is a high risk of false positives and false negatives, something that gets worse as the population size increases (recent examples in India bear testimony to this); (c) the absence of complete smartphone penetration can defeat the purpose (particularly true for India) (the authors also point out other risks, such as social stigmatisation). It is, therefore, an open question whether the second limb of the proportionality test – suitability/rationality – is satisfied.

The problem grows more severe when we come to the necessity prong (discussed previously on this blog as well). The data collection practices of the Aarogya Setu app – and how they fall short of constitutional standards – have already been discussed extensively (see here, here, here, and here). Now, it is not the purpose of this post to engage in a detailed technical discussion about whether the Aarogya Setu app complies with the third limb of the proportionality standard or not (much of that work may be accessed in the links above). However, there is a broader legal point that needs to be noted. This is the issue of burden: it is well-established under Indian constitutional jurisprudence – most recently in the Aadhaar judgment – that once a prima facie violation of privacy has been demonstrated, the burden of justification (under the proportionality standard) shifts to the State. In other words, it is for the State to show that the suitability and necessity prong of the proportionality standard are satisfied. A necessary corollary of this is that as far as the suitability prong goes, the State cannot mandate the use of a privacy infringing app before it is first demonstrably established that a means-ends relationship actually exists. Thus, if – as the Brookings analysis shows – there is a non-trivial likelihood that the app in question cannot achieve the very (legitimate) purpose that it is designed for, it cannot be made mandatory.

Secondly, as far as the necessity prong goes, it creates a constitutional obligation upon the State to be transparent about the basis for choosing this app, designed in this way. Were less intrusive alternatives considered (see the IFF working paper linked above)? If so, were they found non-suitable for the goal? If not, why were they rejected? And even if not, why is there not a mandatory sunset clause here? Once again, this is not a radical legal proposition: in the Aadhaar judgment, the mandatory linking of bank accounts with Aadhaar was struck down precisely on the basis that there existed less restrictive alternatives, and that the government had comprehensively failed to provide any reasons why they had not been considered. It is fair to say that if the government cannot even show why it has chosen a more intrusive data collecting app over a less intrusive alternative (that exists), then it is in no sense a constitutionally justified decision.

Conclusion

The government directive mandating Aarogya Setu for all public and private employees suffers from serious legal flaws. In the absence of a specific anchoring legislation, it fails the first limb of the proportionality test. And on more substantive grounds, the government bears the burden of showing that the design of the app satisfies both the suitability and the necessity prongs of the test – a burden that, thus far, remains undischarged (indeed, going by blithe ministerial statements about how the app might continue to be in use for two years, there seems to be very little appetite in the government to even attempt to discharge that burden). There would, therefore, appear to be excellent legal grounds for a challenge to the NDMA Direction; of course, the prospect of any such challenge succeeding at a time when the Court appears to have withdrawn itself from its task of rights adjudication, is another matter.

Guest Post: The UP Hoardings Case – in Defence of the State

[This is a guest post by Tanishk Goyal and Rishabh Narain Singh.]


This post is a response to Shubhangi Agarwal’s interesting piece on the U.P. Hoardings case, where it was argued that the swift justice delivered by the Allahabad High Court in the Hoardings Case was derailed by the Supreme Court of India, that its reliance on the UKSC judgement in the case of In the matter of an application by JR38 for Judicial Review (Northern Ireland) was misplaced, and that it failed to correctly apply the Puttaswamy judgement to the present case.

We begin by arguing that the executive orders passed for the recovery of damages from the protestors constituted “law” as required by the first determinative factor of the proportionality test. Next, we argue that the aim of the above orders was not to deter mischief by the protestors, but to warn the public at large not to purchase the property of such persons, which had been attached to claim the recovery amount. Next, we illustrate not only how there existed a rational nexus between the means employed and the object sought to be achieved by the State, but how such means were just, fair and reasonable as well. Having established the due compliance of the law with the proportionality test, we seek to apprise the reader that the Supreme Court, in fact, never placed its reliance on the UKSC judgement in the case of In the matter of an application by JR38 for Judicial Review (Northern Ireland), while referring the matter to a larger bench.

On Administrative Orders Qualifying as Law within the meaning of the Proportionality Test

The Allahabad High Court in the case of Mohammad Shujauddin v. State of Uttar Pradesh & Ors. had taken judicial notice of rioting, arson, and the damage to private and public property by an insurgent mob in 2009. Having taken such judicial notice, a single judge bench of Justice Sudhir Agarwal had issued certain directions that mandated the competent authorities to hold quasi judicial proceedings, assess the damages and pass necessary recovery orders. The directions also emphasised the realisation of the assessed damages from the protestors as arrears of land revenue and included a mandate to comply with the decision of the Supreme Court in the case of In Re:Destruction of Public and Private Properties Vs. State of Andhra Pradesh & Ors.

In pursuance of this judgement, an administrative order was issued by the Uttar Pradesh Government on January 8, 2011, whereby all District Magistrates and Additional District Magistrates of the State were empowered to hold quasi judicial proceedings, assess the damages and pass necessary recovery orders so as to ensure compliance with the directions. Since the decision of the Allahabad High Court has not been set aside till date, it remains good law. Furthermore, the decision of the Allahabad High Court itself created a right in the State to recover the damages as “arrears of land revenue” under the Uttar Pradesh Revenue Code and Revenue Rules 2016 (which involves attachment of property and a warning to the public at large not to deal in the attached property, explained in Part III) when the conditions given in Direction IV of the judgement are satisfied:

  • That there is a finding that the persons against whom the claim has been filed are responsible for the said loss;
  • Such amount has not been paid by the persons on their own;
  • Such amount has not been paid within the time directed by the competent authority.

Therefore, the Administrative Order which was relied upon to realise the assessed damages from the protestors was in pursuance of a High Court Judgement which provided for the Uttar Pradesh Revenue Code and Revenue Rules 2016 to step in to back the State Action of realising the damages as arrears of land revenue (involving the attachment of property and a warning to the public at large by the beat of drums not to deal in the attached property) if the foregoing conditions were not satisfied. This is to say that the power to put up banners flows from the non-payment of damages by the defaulters. As soon as the prescribed time period lapses, the Uttar Pradesh Revenue Code and Revenue Rules 2016 step in to back the State Action of putting up the posters.

Thus, the action satisfies the test of legality, which postulates the existence of law according to the first determinative factor of the proportionality test.

Understanding the Legitimate State Aim in the Current Case

In the post mentioned above, it has been averred that the authorities also failed on the second count of the proportionality test as “the aim to deter mischief and recover money from protesters for alleged damage to public property was not a legitimate aim, as they were not fugitives, and there was no need to publicize their personal details.”

It is acknowledged that the protestors were not fugitives. However, there was still an impending need to publicise their personal details. This is because in the case of fugitives, the publication of personal details is aimed at deterring such fugitives from evading the process of law in India by staying outside the jurisdiction of Indian Courts. However, in the case at hand the administrative orders were not intended to have a punitive impact. This is to say that the aim of the State was not to deter the protesters from committing such acts in the future. Instead, the aim of the administrative orders was to warn the public at large not to deal with such persons in property as the same has been attached for recovery proceedings. This is amply illustrated by the Administrative order passed by the State on January 8, 2011 which empowered the Executive magistrates to be the competent authorities as mentioned in the directions issued by the Allahabad High Court. A close reading of the directions mentioned above reveals that the State was under a positive obligation to fulfil the mandate of recovery of damages, failing which the State officials would have to face disciplinary action. The responsibility conferred on the State to fulfil such a mandate of recovery from the protestors is evident from the following lines of the order.

(iv) After giving an opportunity of hearing to the concerned persons, Competent Authority shall pass appropriate order within next 30 days. In case it is found that persons, against whom such claim is filed, were responsible for the said loss, the amount assessed and awarded by such Competent Authority shall be realized, if not paid on its own by the person responsible within such time as directed by such authority, as arrears of land revenue.

(vi) If the authorities responsible for taking steps, as directed above, failed to observe their duties within the specified time, it shall be treated to be a misconduct justifying disciplinary action. (emphasis supplied)

Furthermore, this is not the first time that the recovery from the defaulters has been supplemented by the publication of their names and addresses. Illustratively, the Bombay High Court in D.J Exim Bank Pvt. Ltd v. State Bank Of India, while allowing the banks to publish the names and photographs of the defaulters, observed that:

A perusal of the said Rule clearly indicates that the bank has the right to publish the name of the defaulters by giving their names and addresses and two-fold purpose is served as a result of the said publication of the names, firstly the fact that these persons are wilful defaulters is made known to the public at large and secondly it also tends to caution the prospective buyers who may be offered the property which is mortgaged by these defaulters with the bank. This being the primary objective for the publication of the notice, in our view, there would be no impediment in publication of photographs of wilful defaulters and particularly those defaulters who have committed various acts of misfeasance.

A Special Leave Petition was preferred against this order and was accordingly dismissed by a division bench of the Supreme Court. The bench upheld the Bombay High Court Order allowing the lender to publish names and photographs of directors and guarantors of defaulter firms in newspapers on the grounds that Rule 8 framed under the SARFAESI Act (which interestingly does not mention that the names and addresses of defaulters may be published) authorised such a move. The Supreme Court agreed with the view that there was no legal bar either in the said rule or under any provisions of the Act which expressly prevents the bank from publishing photographs, and that therefore, the action taken by the bank was not ultra vires.

Similarly, the Madhya Pradesh High Court in M/S Prakash Granite Industries vs. The Punjab National Bank, the Madras High Court in M/s. Mohan Breweries and Distilleries Limited v. The Authorized Officer, State Bank of Mysore, and the Delhi High Court in M/s. K.V. Wall Mount Pvt. Ltd. v. State Bank of India, have endorsed the reasoning of the Bombay High Court, allowing the banks to publish the photographs of the wilful defaulters.

Thus, the aim of the State in the present case was to affix a civil liability on the protestors and recover the damages from them, and not to deter them from committing such acts in the future. Furthermore, the photographs and addresses of the protestors were only published after the order for recovery by the Executive Magistrate had been passed, and had not been complied with by the defaulters.

It is for this reason that the argument claiming that “lakhs of accused persons in UP were also facing criminal trials but their personal details were never subjected to such publicity” is misconceived, as contrary to those facing criminal trials, the present case concerns itself with defaulters against whom the final order for recovery has already been passed.

Rational nexus between the means employed and the object sought to be achieved

As explained in the previous section, the object which was sought to be achieved by the State was the recovery of damages from the protestors against whom a final order had been passed by the Executive Magistrate.

This power of an Executive Magistrate to pass a final order, after conducting a quasi-judicial proceeding and after giving an opportunity of hearing to the defaulter, is in fact sourced from the judgement of the Allahabad High Court in the case of Mohammad Shujauddin v. State of Uttar Pradesh & Ors. According to the guidelines issued by the Court in the above case, the order for recovery cannot be passed by the competent authority if the defaulter has not been given an opportunity of hearing.

Once the order of recovery has been passed against the accused, and the order is not complied with, a right is created in the State to recover the amount as arrears of land revenue. The recovery of a certain amount as “arrears of land revenue”, under Section 279 of the U.P Zamindari Abolition and Land Reforms Act, 1950 & Rules 1952 inter-alia involves the creation of a security interest on the property of the defaulter, as well as notice to the public at large that the property has been attached, by the beating of drums. This is illustrated by Section 279 of the Act, the corresponding rule to which has been reproduced below:

273. Where any land is attached in pursuance of the provisions of Clause (d) or (f) of Section 279 or sub-section (1) of Section 284 or of Section 286 or is let out under sub-section (2) of Section 284, a proclamation in Z.A. Form 73, shall be affixed at a conspicuous place in the village in which the land is situate and it shall also be notified by beat of drum.

Interestingly, this Act was replaced by the Uttar Pradesh Revenue Code and Revenue Rules 2016. The new act mandates recovery of arrears by attachment of land of the defaulters, the corresponding rule to which states: […] “158 (2) A copy of R.C. Form-41 shall also be served on the defaulter and the factum of attachment shall also be announced by beat of drum on the spot.”[…]

Thus, it is clear that the objective sought to be achieved by the State was the recovery of damages from the protestors against whom a final order had been passed by the Executive Magistrate. The means to achieve the same objective were evidently laid down by the Allahabad High Court which empowered the competent authority to pass the final order of recovery. If the defaulter could not pay the damages, the same was mandated to be realised as “arrears of land revenue” under the erstwhile U.P Zamindari Abolition and Land Reforms Act, 1950 & Rules 1952 (replaced by the Uttar Pradesh Revenue Code and Revenue Rules 2016 with similar provisions). Whenever an amount has been realised as “arrears of land revenue” the legislative intent has concurrently been to inform the public at large about the attachment of such a property so that they are consequently precluded from dealing in the same.

In the present case, in light of the non-feasibility of the “beating of drums”, the mode of communication to the public was reasonably extended to and replaced by the publication of banners, whose only objective was to warn the public at large not to deal with such persons in property as the same has been attached for recovery proceedings. Moreover, the least restrictive measure which the State should employ is a matter of policy. By virtue of being a matter of policy, the State is given a limited amount of discretion. The limits to such discretion have been emphatically spelled out in the case of Reliance Airport Developers Pvt. Ltd vs Airport Authority of India, where a division bench of the Supreme Court ruled that discretion, when applied to State action, should be according to rules of reason, which is regular, and not arbitrary or fanciful. This requirement of employing a least restrictive measure which is guided by a sound and reasonable exercise of discretion was accordingly met in the present case as the publication of the banners was a reasonable extension to the mandate of the “beat of drums” under the Uttar Pradesh Revenue Code and Revenue Rules 2016. This is essentially because the requirement of the “beat of drums” in the Revenue Code (which is essentially meant to be employed in villages and small towns) would not suffice for the demographics of a city like Lucknow where the defaulters were alleged to have been residing. This line of argumentation was, in fact, endorsed and upheld by a division bench of the Supreme Court in the case of Rai Vimal Krishna v. State of Bihar, where Justice Ruma Pal held that,

27. […] Indeed it appears to us that the requirement to notify people by beat of drum is an anachronism which appears to inappropriate in the present day and age in a large city like Patna. Where equally efficacious, if not better modes of publication are available, it would be ridiculous to insist on an obsolete form of publication as if it were a ritual.

The above judgement in fact went on to distinguish between the requirement and the manner of publication, holding that while the requirement of publication per se was mandatory in nature, the manner in which such publication should be made is merely directory, and the Courts should look at whether there has been sufficient compliance in effecting the intention of the legislature to warn the public at large in the city.

Now, one counter to this line of argument would be that if the purpose is to publicise the fact that there is certain property under attachment and to prevent the property-holder from alienating such a property and circumventing the legal process, then why can’t the State publicise the description of the property itself, instead of the personal details of the property-holder? While such an alternative may have been able to achieve the objective sought, it would also have caused undue hardship to the persons who might have a stake or an undivided interest in the property. This is to say that the aim of the State is to recover the damages only from the share of the person in a property (which may have multiple undivided interests) against whom a final order of recovery has been passed. In light of this, the means employed in achieving the objective were rational, and reasonably least restrictive in nature.

The Reliance of the Supreme Court on the UKSC Judgement

Contrary to the opinion expressed in the above blogpost, the UKSC judgement in the case of In the matter of an application by JR38 for Judicial Review (Northern Ireland) was never relied upon by the Division bench of the Supreme Court while referring the matter to a larger bench. The Supreme Court merely noted the submission of the Learned Solicitor General. This is illustrated by the following lines.

Learned Solicitor General also relied upon the decision of the Supreme Court of United Kingdom in the matter of an application by JR38 for Judicial Review (Northern Ireland), (2015) UKSC 42 and particularly paragraphs 2, 3 and 73 of the decision. He also placed for our consideration text of Article 8 of the European Convention on Human Rights (ECHR), which was subject matter of discussion in said decision and submitted that the action taken by the State in the instant case was fully justified.

Thereafter, without relying on any ruling whatsoever cited by both the sides, the Court went ahead to refer the matter to a larger bench for reasons solely relating to the “nature of the matter and issue of significance involved therein.”

It is pertinent to note here that the Supreme Court had explicitly relied upon the UK Supreme Court's judgement in In the matter of an application by JR38 for Judicial Review (Northern Ireland) in the case of K.S Puttaswamy vs. Union of India (2017) SCC 1. Here, the plurality opinion of Justice D.Y Chandrachud, in Paragraph 168, quoted the separate concurring judgement of Lord Clarke, where he said that “[…] the criminal nature of what the appellant was doing was not an aspect of his private life that he was entitled to keep private. He could not have had an objectively reasonable expectation that such photographs taken for the limited purpose of identifying who he was would not be published.”

This amply illustrates the relevance of the UKSC judgement in the privacy jurisprudence of India which remains to be relied upon or interpreted by a larger bench of the Supreme Court.