In late 1780s, James Madison wrote the first constitutional articulation of the right to privacy in the modern world which read as,
“The rights to be secured in their persons, their houses, their papers, and their other property, from all unreasonable searches and seizures, shall not be violated by warrants issued without probable cause, supported by oath or affirmation, or not particularly describing the places to be searched, or the persons or things to be seized.”
In 1791, a version of this articulation became the Fourth Amendment to the US Constitution. Since then, States the world over have struggled with the concept and its varied manifestations in daily administration, and the challenge is further vexed by technologies that encompass every aspect of individual life. We in India acknowledged privacy as an inherent feature of personal liberty under Article 21 of the Constitution through the Supreme Court’s ruling rendered in the Puttaswamy case in 2017. This decision sought to create a privacy regime which was protective of the State’s need for security, while ensuring that no unreasonable restrictions were placed upon personal liberty.
As such, privacy in India – as elsewhere – is not an absolute right and may be lawfully restricted for certain legitimate goals. What may constitute a “legitimate goal” for such restriction, is understood through the Supreme Court’s necessity and proportionality test. As such, privacy can only be limited when the State demonstrates a ‘critical need’ and even then, the restriction must be the least invasive of available options. While theoretically, this test accords with global best practices on the subject, any theoretical enunciation of privacy by itself is insufficient unless tested and implemented on the ground.
This can be achieved through a well-defined architecture for legal and common-sense State intervention that reduces uncertainty for both the State and citizens. Currently, State interventions for public order and national security (in the information technology domain) are implemented through three provisions of the Information Technology Act, 2000 (IT Act) – Sections 69, 69A, and 69B. These allow the State to break encryption (where technologically possible), conduct digital surveillance, and censor certain communications. However, little to no standards are provided under the IT Act for when these actions are legal – a clearly apparent omission. Thus, every order issued under these provisions ought to be individually reviewed. Countless orders therefore are rendered beyond review due to the impossibility of challenging each of them individually – an anathema for a fundamental right.
Even from the State’s perspective, such an ad-hoc statutory regime does little to empower justifiable protections for national security. Cybersecurity experts have long lamented the lacunae in the country’s cyber defence system. Currently, CERT-In acts as an emergency response team against cyber threats but the agency has a grossly inadequate mandate and resources. Further, there is little specialized capacity with other agencies like the NIA or CBI to cover for its limitations. Major democracies around the world are fast building such capacity. Britain recently unveiled a cyber force within its intelligence architecture at the GCHQ to disrupt cybersecurity threats.
The need of the hour is for India to develop a self-contained code providing adequate authority to the State for securing justifiable security interests, while implementing all constitutionally envisaged checks and balances. Such a legislation would further enhance India’s expertise in responding to cyber security threats. India’s failure to achieve this despite a vibrant IT industry is baffling.
Speculatively, both the State and civil society may be at blame for the inordinate legal infrastructure in this domain since they are both unwilling to confront the challenge for fear of making the tough choices this entails. Clearly, this approach is counterproductive because a democratic conversation on these issues fosters more mature institutions. Consider the public debate in the US following Edward Snowden’s revelations of government surveillance. It prompted courts to declare parts of the NSA’s surveillance program unconstitutional, precluded renewal of offensive provisions of the PATRIOT Act; and spawned countless changes that have delivered sophisticated encryption technologies to common users as well. Resultantly, privacy rights for individuals have been strengthened. Even, the US government now acts with greater deliberation – the NSA for instance, voluntarily abandoned some of its surveillance programs. Despite that, in the 7+ years since the Snowden revelations, no terrorist attack has been attributed to these changes. Infact, US intelligence agencies have demonstrated a particularly stellar record of maintaining internal security, suggesting liberty and security are not necessarily contrarian ends.
A public discussion on the scope of the State’s authority has allowed the US to find an equilibrium. We concede that this is a dynamic equilibrium, and that changes in technology will require reconsideration of this conclusion. However, India currently inhabits the worst of both worlds – our security agencies operate in an ad-hoc institutional structure with vaguely defined authority, while the citizenry relies on abstract enunciations of fundamental rights with little practical relevance. This is an entirely avoidable situation. The time has come to recognize the complexity of our Information Technology ecosystem and devise sensible solutions for national security and protection of our fundamental liberties.