Corporate & Commercial

The need for a Statutory Code for State Surveillance.

In late 1780s, James Madison wrote the first constitutional articulation of the right to privacy in the modern world which read as, 

“The rights to be secured in their persons, their houses, their papers, and their other property, from all unreasonable searches and seizures, shall not be violated by warrants issued without probable cause, supported by oath or affirmation, or not particularly describing the places to be searched, or the persons or things to be seized.”

In 1791, a version of this articulation became the Fourth Amendment to the US Constitution. Since then, States the world over have struggled with the concept and its varied manifestations in daily administration, and the challenge is further vexed by technologies that encompass every aspect of individual life. We in India acknowledged privacy as an inherent feature of personal liberty under Article 21 of the Constitution through the Supreme Court’s ruling rendered in the Puttaswamy case in 2017. This decision sought to create a privacy regime which was protective of the State’s need for security, while ensuring that no unreasonable restrictions were placed upon personal liberty.

As such, privacy in India – as elsewhere – is not an absolute right and may be lawfully restricted for certain legitimate goals. What may constitute a “legitimate goal” for such restriction, is understood through the Supreme Court’s necessity and proportionality test. As such, privacy can only be limited when the State demonstrates a ‘critical need’ and even then, the restriction must be the least invasive of available options. While theoretically, this test accords with global best practices on the subject, any theoretical enunciation of privacy by itself is insufficient unless tested and implemented on the ground.

This can be achieved through a well-defined architecture for legal and common-sense State intervention that reduces uncertainty for both the State and citizens. Currently, State interventions for public order and national security (in the information technology domain) are implemented through three provisions of the Information Technology Act, 2000 (IT Act) – Sections 69, 69A, and 69B. These allow the State to break encryption (where technologically possible), conduct digital surveillance, and censor certain communications. However, little to no standards are provided under the IT Act for when these actions are legal – a clearly apparent omission. Thus, every order issued under these provisions ought to be individually reviewed. Countless orders therefore are rendered beyond review due to the impossibility of challenging each of them individually – an anathema for a fundamental right.

Even from the State’s perspective, such an ad-hoc statutory regime does little to empower justifiable protections for national security. Cybersecurity experts have long lamented the lacunae in the country’s cyber defence system. Currently, CERT-In acts as an emergency response team against cyber threats but the agency has a grossly inadequate mandate and resources. Further, there is little specialized capacity with other agencies like the NIA or CBI to cover for its limitations. Major democracies around the world are fast building such capacity. Britain recently unveiled a cyber force within its intelligence architecture at the GCHQ to disrupt cybersecurity threats. 

The need of the hour is for India to develop a self-contained code providing adequate authority to the State for securing justifiable security interests, while implementing all constitutionally envisaged checks and balances. Such a legislation would further enhance India’s expertise in responding to cyber security threats. India’s failure to achieve this despite a vibrant IT industry is baffling.

Speculatively, both the State and civil society may be at blame for the inordinate legal infrastructure in this domain since they are both unwilling to confront the challenge for fear of making the tough choices this entails. Clearly, this approach is counterproductive because a democratic conversation on these issues fosters more mature institutions. Consider the public debate in the US following Edward Snowden’s revelations of government surveillance. It prompted courts to declare parts of the NSA’s surveillance program unconstitutional, precluded renewal of offensive provisions of the PATRIOT Act; and spawned countless changes that have delivered sophisticated encryption technologies to common users as well. Resultantly, privacy rights for individuals have been strengthened. Even, the US government now acts with greater deliberation – the NSA for instance, voluntarily abandoned some of its surveillance programs. Despite that, in the 7+ years since the Snowden revelations, no terrorist attack has been attributed to these changes. Infact, US intelligence agencies have demonstrated a particularly stellar record of maintaining internal security, suggesting liberty and security are not necessarily contrarian ends.

A public discussion on the scope of the State’s authority has allowed the US to find an equilibrium. We concede that this is a dynamic equilibrium, and that changes in technology will require reconsideration of this conclusion. However, India currently inhabits the worst of both worlds – our security agencies operate in an ad-hoc institutional structure with vaguely defined authority, while the citizenry relies on abstract enunciations of fundamental rights with little practical relevance. This is an entirely avoidable situation. The time has come to recognize the complexity of our Information Technology ecosystem and devise sensible solutions for national security and protection of our fundamental liberties.

Corporate & Commercial

India’s final amended tax residency rules for Citizens and Indian origin individuals based overseas

This note is in continuation to our earlier note of February 2020 which discussed the proposals of the Finance Bill, 2020 (‘the Bill’) to amend the tax residency conditions for non-resident Indians and persons of Indian origin1 with effect from 1 April 2020 (i.e. Financial Year 2020-21 onwards2).

In substance, the proposals aimed to reduce the flexibility of stay currently given to such individuals in the determination of their tax residency status and bring within the tax net Indian citizens that are not tax resident in any country. If such a person was to become an ordinary resident under the proposed amendments, not only would such person be liable to tax in India on global income but also be required to report all foreign assets in the tax return. The nature of the proposals brought into the focus the potential importance of the ‘tie-break’ rule under a tax treaty of India with the country of such person’s residence. The note is attached once again for your easy reference.

Subsequent to the introduction of the Bill, concerns were raised by various stakeholders that the language of the proposed amendments could negatively impact cases of such persons genuinely employed / working / living outside India. To address this, the Government of India issued a press release stating that income earned outside India by such Indian citizens who are bona-fide based outside India shall not be taxed in India unless it is derived from an Indian business or profession.

Given this background, suitable modifications were expected to be made to the proposed amendments at the time of passing of the Bill. As expected, at the time of enacting the Finance Act, 2020 (‘the Act’), the following modifications have been made:

Nature of person Original proposal as per the Bill Enacted provision of the Act
An Indian citizen or a Person of Indian origin (PIO) based outside India and visiting India Would be considered as an Indian resident if:

  • stay in India was for 120 days or more in that financial year; and
  • aggregate stay in India in the preceding 4 years was 365 days or more.
Would be considered as an Indian resident if:

  • stay in India was for 120 days or more in that financial year;
  • total income (excluding income from foreign source3) exceeds INR 1.5mn in the given financial year; and
  • aggregate stay in India in the preceding 4 years was 365 days or more.
    Accordingly, only persons exceeding the above mentioned income threshold would now be subject to the lower threshold of stay of 120 days. For others, the existing threshold of stay of 182 days continues to apply.
An Indian citizen who is not liable to tax in any other country or territory Deemed to be a resident in India, irrespective of his period of stay in India in the said financial year. Deemed to be a resident only if the total income of such citizen (excluding income from foreign source3) exceeds INR 1.5mn.
Nature of person Original proposal as per the Bill Enacted provision of the Act
by reason of his domicile or residence or any other criteria of similar nature (i.e. Stateless Indian Citizen)    
Individual treated as “not ordinarily resident” (NOR) Will be treated as NOR if such individual is non-resident in India in 7 out of the 10 preceding financial years.
In other words, an individual will be treated as ordinary resident only if considered resident in 4 out of 10 preceding years.
The proposed amendment has been dropped. Accordingly, the existing conditions of NOR will continue i.e. for being a NOR such person should be:

  • non-resident in 9 out of 10 preceding years or
  • stay in India should be of 729 days or less during the preceding 7 years.

However, the definition of NOR has now been expanded to include:

  • Individual considered as Indian resident due to the amended new threshold of 120 days, provided stay in India is less than 182 days;
  • A stateless Indian citizen considered as Indian resident due to the above amended new provisions.

The amendments enacted by the Act seeks to address the concerns raised by stakeholders. However, while the threshold of INR 1.5mn for non foreign source income should reduce the applicability of the amendments to many such persons (herein after referred to as “NRIs”4 for sake of brevity), NRIs with high net-worth (HN) may need to further analyse the applicability of these provisions as they are likely to have Indian sourced income exceeding INR 1.5mn annually.

HN NRIs falling in the category of stateless Indian Citizens may consider arguing that while their countries of residence do not actually levy tax, they continue to remain liable to tax in those countries as and when the need arises. This argument should be backed by a tax residency certificate (TRC) issued by the authorities of such NRI’s country of residence. Other HN NRIs who may get covered by the lower threshold of 120 days of stay in India need to carefully monitor the days of stay in India. The use of ‘tie break’ test under an applicable Indian tax treaty should also enable both sets of NRIs to argue that they ultimately are non-residents in India. To access the tax treaty, TRC would be a must. The features of the tie-break rule were already discussed in our earlier note.

Having said the above, one of the key takeaways from the amendments made by the Act are that even if such NRIs are treated or deemed ‘resident’ in India, they will be categorised as NOR only. The following table explains the difference arising from the categorisation of residency of such NRIs:

Resident NOR Non-resident
Liable to tax in India on global income Liable to tax in India only on India-sourced income and income which arises from a business or profession controlled or setup in India Liable to tax in India only on India-sourced income
Required to disclose all foreign assets in Indian tax return Not required to disclose all foreign assets in Indian tax return Not required to disclose all foreign assets in Indian tax return

From the table, it can be observed that NOR NRIs will not be liable to tax on their global income in India. Further, they will not be required to disclose foreign assets in their Indian tax returns.

In essence, the only difference between a NOR and a non-resident NRI will be that in addition to India-sourced income, a NOR will be liable to also pay tax in India on income which arises from a business or profession controlled or setup in India. Practically, such income would most likely already be covered in the definition of India-sourced income and hence, no material impact may arise.

Nevertheless, the term “income derived from a business controlled in or a profession set up in India” is now of two-fold significance i.e.

  • for determine scope of total taxable income; and
  • determining the threshold of INR 1.5mn for the new stricter residency rules.

Accordingly, it is hoped that tax authorities provide suitable clarifications on the meaning of this term to enable concerned NRIs to understand the exact scope and nature of income to be considered while computing the threshold of INR 1.5mn. This should provide greater certainty to NRIs and significantly reduce the possibility of litigation with tax authorities.

On a parting note, it may be mentioned that if the case of any such NRI does get selected for scrutiny by the Indian tax authorities (which is routine in India), an intense and invasive scrutiny of such NRI’s personal matters cannot be ruled out. For instance, the tax authorities may:

  • undertake verification of the passport to determine number of days of stay in India,
  • understand and verify the nature of activities in India and overseas,
  • ask for details of total wealth, businesses, income etc. and their bifurcation between India and overseas5,
  • ask for composition of family, their location, businesses, etc.

Further, if the NRI is relying on a tie-break rule, possibility of litigation with Indian tax authorities on account of any contrary interpretation also cannot be ruled out.

In conclusion, HN NRIs need to carefully assess their residential status in India from 1 April 2020 onwards and analyse the impact on their liability towards Indian taxes arising from the amendments enacted by the Act.

For any further information, please feel free to reach out to Sakate Khaitan, Senior Partner at or Abbas Jaorawala, Consultant at


1. A person who is of Indian origin but citizen of another country.
2. Financial Year in India is for the period April to March.
3. Income from foreign sources has been explained to mean income which accrues or arises outside India but does not include income derived from a business controlled in or a profession set up in India.
4. NRI is a popular term loosely used for non-resident Indian citizens or persons of Indian origin.
5. The tax authorities may seek this information to expand the scope of taxable income in India. However, it may be possible to argue that as an RNOR, the NRI is not required to provide details of foreign assets and income to Indian tax authorities.

Corporate & Commercial

Evolution of the data protection regime in India

India currently does not have any express legislation governing data privacy and protection. While the transition to a digital economy is underway, the processing of personal data has already become omnipresent. The reality is that almost every single activity undertaken by an individual involves some sort of data transaction or the other. The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 at present govern protection of personal and sensitive personal information of individuals however, it does not address the growing concern on data security and the technological revolution that India is facing.

The Indian jurisprudence on privacy and data protection changed in August 2017 and marked a watershed moment when the Supreme Court in Justice K.S. Puttaswamy v. Union of India held that the Indian Constitution under Article 21 included a fundamental right to privacy. The ruling is the outcome of a petition challenging the constitutional validity of the Indian biometric identity scheme Aadhaar and the validity of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. This conception of privacy also aligned with already existing regulatory frameworks in data protection in other jurisdictions.

The European Union (EU) in 2013 proposed to harmonize and consolidate its preexisting data protection framework through a new regulation: the General Data Protection Regulation (GDPR). After GDPR went through extensive rounds of consultations, it finally came into force in 2018. This effort to create a comprehensive data protection regulation in the EU influenced the debate in India.

In December 2019, the government introduced the Personal Data Protection Bill, 2019, which would create the first cross-sectoral legal framework for data protection in India. The bill is largely modelled on the GDPR and aims to protect the informational privacy of individuals by creating a preventive framework that regulates how businesses collect and use personal data.

The bill creates a set of rights and responsibilities for the processing of personal data and broadly proposes to:

  • create a DPA for making regulations and enforcing the legal framework;
  • make consent a centerpiece of all processing of personal data;
  • create a separate category of “sensitive personal data” and states that such data can be processed only with explicit consent;
  • make data fiduciaries accountable for all compliances under the bill;
  • exempt certain kinds of data collection and processing from specific requirements;
  • require data localization;
  • follow a consultative process including various regulatory bodies in India;
  • implement monetary and criminal penalties including imprisonment for non-compliance.

The bill was until recently was open to comments from various stakeholders. We are yet to see what amendments were incorporated.