India’s evolving data privacy jurisprudence – It’s 2019 and we’re missing the point!

Nitish ChandanCyber Security, Law

India's evolving data privacy jurisprudence - It's 2019 and we're missing the point!

Much has been said already about the recent order of the MHA under Section 69 of the IT Act notifying ten agencies to “intercept, monitor or decrypt” “information generated, transmitted, received or stored” in any computer resource. While it is controversial in the context of a feared police state of mass surveillance, the notification not only extends to intermediaries and service providers but to each and every citizen as well.
The notified agencies are now empowered to ask you or me to hand over our devices if it is in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.
Now, there is perhaps nothing wrong with the notification but something entirely wrong with Section 69 of the Act itself. Under this authority now, the office of Commissioner of Police, Delhi can seek any “computer resource” and not data when investigating offences, including an individual’s device, the server that perhaps routed his email and the device of someone who received the email. On more fronts than one, this would be a violation of an individual’s fundamental rights and a juxtaposition within the law enforcement ecosystem. And I’m not jumping into the debate about mass surveillance and the overarching prevalence of the big brother!
What intrigues me more is the floating of The Information Technology [Intermediaries Guidelines (Amendment) Rules], 2018 for public comments in this wave. After seeing the spite of the cyber criminals across the world and working with victims of sensitive crimes, I advocate for access to intermediary data by law enforcement (for investigation) and the courts (for delivery of justice) but in a way that does not impugn our privacy rights.
Undoubtedly, the level of access to both these institutions (or others) has to be different and with some level of accountability. A much-needed authority for law enforcement and “appropriate government” to investigate offences has been added along with a provision for removal of content under this amendment to the IT Rules. But here is what we are missing – when chalking out how the intermediary shall help a government agency, Rule 5 has been worded to provide such information or assistance as asked by the government agency. It is to be noted here that this has nothing to do with Section 69, conditions therein or the notification but requires situations as wide as investigation or detection or prosecution or prevention of offence(s) for the intermediary to assist. This is the exact opposite of the level of access mentioned earlier.
While the jurisprudence on data privacy evolves in India, we must take a step back and look at data itself; for data is something we haven’t defined in the context of privacy and disclosure. I’d like to point the readers to Section 2703 of the Stored Communications Act in the USA that creates a distinction between content and non-content data. While non-content data covers things such as subscriber information and other meta-data (size of a message, origination IP etc.) about anything (an email, text message etc.), content data covers the actual contents of the communication (text, video, attachments etc.).
Although the line between [content and non-content] occasionally blurs, in most cases the line is clear: it is the line between a message that a person wants to communicate and information about when and how he does so. Historically now, non-content data has been something that can be obtained by law enforcement or other agencies upon direct requests but for content data, a court would have to order (given the courts have been placed at the apex). While it does not solve the problem of snooping and privacy breaches, it does bring some structure and accountability. Companies have been complying to the directive and have set procedures such as subpoenas, court orders and search warrants which we come across while reading international literature. The process in the Indian law enforcement ecosystem is different and majorly, not defined.
If the data privacy jurisprudence in India is to evolve and privacy is to be established in some construct, first these definitional challenges need to be overcome and it should come as a wake up call to lawmakers that when we are creating regulation for assistance from intermediaries, something as wide as such information or assistance as asked for will only increase privacy concerns.