CYBER LAW

CYBER SURVEILLANCE & DATA PRIVACY LAW : THE RECONCILIATION

SUBMITTED TO:
Dr. Amandeep Singh
(ASSISTANT PROFESSOR OF LAW)

PROJECT SUBMITTED BY:

Shurbhi Yadav
Semester VII, Section B
ENROLL. NO. 160101147

DR. RAM MANOHAR LOHIYA NATIONAL LAW UNIVERSITY.

LUCKNOW, UTTAR PRADESH

1
Acknowledgement

I would like to take this opportunity to thank faculty of Cyber law, without whose valuable support
and guidance, this project would have been impossible. His excellent teaching guidance and
steadfast support have been invaluable and ensured the completion of this project.

Of course, I never would have been able to conduct this study or write this final draft of my project
without the assistance provided by the library staff and would also like to thank the library staff for
having put up with my persistent queries and having helped me out with the voluminous materials
needed for this project.

Furthermore, I would also like to thank and show my deepest appreciation towards my seniors for
having guided me and culminate this acknowledgement by thanking my friends for having kept the
flame of competition burning, which spurred me on through the days and I am also indebted to my
various batch-mates, all of whom took on extra responsibilities to allow me the time needed to
document my findings and share them here, to whom I owe some special thanks

2
Table of Contents

INTRODUCTION:.....................................................................................................................4

INSTRUMENTS OF PRIVACY CONCERN IN CYBERSPACE...........................................................5

EFFECT OF IT AMENDMENT ACT, 2009 :...................................................................................6

EFECT OF IT (PROCEDURE & SAFEGUARDS FOR INTERCEPTION, MONITORING & DECRYPTION OF

INFORMATION) RULES, 2009 :.................................................................................................6

POLITICAL ASPECT:..................................................................................................................8

STATUS OF RIGHT TO PRIVACY IN INDIA..................................................................................9

PREVENTION OF MISUSE OF CYBER SURVEILLANCE PROVISION:...........................................11

PREFERENTIAL TREATMENT TO CYBER SURVEILLANCE:.........................................................12

RECOMMENDATIONS TO RECONCILE THE PRIVACY CONFLICT:..............................................13

BIBLIOGRAPHY......................................................................................................................15

Primary Sources....................................................................................................................15

Secondary Sources................................................................................................................15

3
INTRODUCTION:

Over the past two decades, the evolution of cyberspace has impacted almost every aspect of
human life. The increase in the speed, volume, and range of communications that cyberspace
offers has undeniably affected the way societies interact. 1 Although the Charter of
Fundamental Rights of the European Union distinguishes the right to privacy and the right to
data protection as two different fundamental rights, this is more in the nature of a formal
distinction.2 Scholars in the field opine that the right to data protection has been characterized
by strong links to the right to privacy.3 Today, privacy is more widely discussed among
academics, policy analysts, and journalists4 than it was when Uneasy Access was published in
1988. At that time, privacy was still an emerging concern. To be sure, federal and state
lawmakers had been steadily expanding privacy protections for data and communications
since the mid-19705 in response to threats posed by computer and surveillance technologies. 5
The concept of privacy is a multi-dimensional one, yet scholars across time and space have
attempted to confine it to a single definition. Warren and Brandeis in their seminal essay
enunciated that the right to privacy was based on a principle of “inviolate personality”,
thus laying the foundation for a concept of privacy, which we understand as control over
one’s own information.1

INSTRUMENTS OF PRIVACY CONCERN IN CYBERSPACE

The privacy principle was already a part of common law and the protection of one’s home as
one’s castle, but new technology made it important to explicitly and separately recognize this
protection under the name of privacy.2 The issue of data protection, especially unauthorised
data access, though traditionally prioritized, has recently gained much traction due to the
increasing number of news reports regarding various instances of unauthorised data access as
a threat to individual privacy. In the case of unauthorised data access, more than the
frequency of the instances, it is their sheer magnitude that has shocked civil society and

1
SHRADDHA KULHARI, BUILDING-BLOCKS OF A DATA PROTECTION REVOLUTION: THE
UNEASY CASE FOR BLOCKCHAIN TECHNOLOGY TO SECURE PRIVACY AND IDENTITY, 23,
(2018). JSTOR

2
Samuel Warren and Louis Brandeis, The Right to Privacy, 4, HARVARD L.J. (1890) [as cited in Judith
DeCew, Privacy, The Stanford Encyclopedia of Philosophy, Spring 2015
<https: plato.stanford.edu/archives spring2015 entries privacy > accessed on 11 July 2019

4
especially civil rights groups. The whole idea to frame cyber surveillance provision i.e. sec 69
of IT Act is derived from section 5(2) of the Indian Telegraphs Act 1885 legislated by British
government. Section 5(2) of the Telegraphs Act states the grounds of Public emergency and
the Interest of public safety, on the occurrence of which transmissions can be intercepted and
detained for the interests of the sovereignty and integrity of India, the security of the State,
friendly relations with foreign states or public order or for preventing incitement to the
commission of an offence. when section 69(1) of IT Act was drafted, it had absolute
acquaintance with the said provision. But after the enforcement IT Act amendment act 2009,
its scope was enlarged by adding one more ground i.e 'investigation of any offence' to
intercept, monitor or decrypt any computer resource. Further on 20 December 2018, the
Ministry of Home Affairs issued an order granting authority to 10 Central agencies, to
intercept and monitor individual computers and their receipts and transmissions under powers
conferred on it by sub-section 1 of Section 69 of the IT Act, 2000, read with Rule 4 of the IT
(Procedure and Safeguards for Interception, Monitoring and Decryption of Information)
Rules, 2009”.3

EFFECT OF IT AMENDMENT ACT, 2009 :

The amendment of this provision lies in the inclusion of the term “for investigation of any
offence”. By including the term, scope of the law increases many more times because
eventualities covered under the five conditions of Indian Telegraph Act are far less than the
eventualities covered under the additional sixth condition of IT Act, simply because there are
lakhs of cases under investigation.This issue widely emerged among the citizens that made a
law student to file a PIL in the Allahabad High Court to challenge the constitutional validity
of sec 69.4

3
http://egazette.nic.in/WriteReadData/2018/194066.pdf

4
Ram Narain, Sec 69 of the IT Act: Fears of violation of privacy may not be unfounded, HINDUSTAN TIMES,
(July 11, 2019, 01:51 PM), https://m.hindustantimes.com/editorials/sec-69-of-the-it-act-fears-of-violation-
of-privacy- may-not-be-unfounded/story-CLqIDix78GTVpHSqaaMJaO_amp.html

5
EFECT OF IT (PROCEDURE & SAFEGUARDS FOR INTERCEPTION,
MONITORING & DECRYPTION OF INFORMATION) RULES, 2009 :

The important aspect regarding the rules is that an individual may not even know if her
electronic communications are being intercepted or monitored. If such surveillance comes
within her knowledge, due to the obligation to maintain confidentiality and provisions in the
Official Secrets Act 19235, he would not be able to know the reasons for such surveillance.6

Also, the time period within which such intercepted data can be retained with the government
agency, is up to 60 days which may extend to 180 days as per Rule 11, IT (Procedure and
Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. 13 The
said rule certainly legitimizes “Continuous Surveillance” in every respect.

POLITICAL ASPECT:

In a democratic country such as India, there can be a possibility that provisions enforcing
cyber surveillance might be invoked for political gains of bureaucrats to intercept and monitor
the data of the 'individuals interested in opposition party'. The political history of India is
evident of the fact that powers conferred by constitution are covertly misused for self-interest.
The national emergency of 1975 is sufficient to indicate such malicious intention. It is a
matter of hypocrisy that on one hand the government has drafted the Personal Data Protection
Bill, 201814 to ensure safety of individual privacy from third party interception, and on the
other hand the Ministry of Home Affairs intends to mass cyber surveillance by issuing
notification to grant powers to 10 enforcement agencies in the same year. Also, there is no
provision in the said bill that authorizes government agency to process data ‘for investigation
of any offence’ unlike section 69 of IT Act. This contradiction indicates towards the
prospective threat to law enforcement of the country.

STATUS OF RIGHT TO PRIVACY IN INDIA

India is a signatory to the Universal Declaration on Human Rights and the International Convention

5
Section 5(2) of the Official Secrets Act, 1923 - If any person voluntarily receives any secret official code or pass word
or any sketch, plan, model, article, note, document or information knowing or having reasonable ground to believe, at
the time when he receives it, that the code, pass word, sketch, plan, model, article, note, document or information is
communicated in contravention of this Act, he shall be guilty of an offence under this section.
6
Anita Gurumurthy, Are India’s laws on surveillance a threat to privacy?, THE HINDU, (July 12, 2019, 02:10 PM),
https://www.thehindu.com/opinion/op-ed/are-indias-laws-on- surveillance-a-threat-to-privacy/article25858338.ece/amp/

6
on Civil and Political Rights. Article 12 of the former and Article 178 of the latter recognize privacy
7

as a fundamental right. Though a member and signatory of these conventions, India does not have
laws which provide a right to privacy to citizens. For the purpose of filling this lacuna in the law,
the Courts in India have tried to enforce a right to privacy to its citizens through two manners,
Firstly, recognition of a constitutional right to privacy which has been read as part of the rights to
life and personal liberty embedded in Art. 21 of the constitution. 9Secondly, a common law right to
privacy which is available under tort law and has been borrowed primarily from American
jurisprudence. It must be mentioned at the outset that the privacy is not a very strongly enforced
right in India and there are a number of exceptions to the right to privacy which have been carved
out by the Courts over a period of time.10 The overly broad contours of the proposed amendment
to the Intermediary

Rules confer unchecked powers on the executive, reminiscent of the arbitrariness that led to
the famous Shreya Singhal case. In the absence of judicial or legislative oversight, such
powers result not only in a disproportionate restriction on individual fundamental right
to privacy, but also have far-reaching consequences for other freedoms - a chilling effect on
the freedom of speech and association and democratic participation. cyber- security experts
caution that it’s not possible to create a “back door” decryption to target one individual, and
that tampering with encryption can compromise security for all.

7
Art. 12 of UDHR - No one shall be subjected to arbitrary interference with his privacy, family, home or
correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law
against such interference or attacks
8
Art. 17 of ICCPR - No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or
correspondence, nor to unlawful attacks on his honour and reputation.
9
K. S. Puttaswamy v. Union of India, Writ Petition (Civil) No. 494 of 2012 (Sup. Ct. India Aug. 24, 2017)
10
https://cis-india.org/internet-governance/blog/state-of-cyber-security-and-surveillance-in- india.pdf/view

7
RISING NECESSITY OF CYBER SURVEILLANCE BY THE STATE

Even though unintended encroachment to data privacy, the primary object of cyber
surveillance has been the protection from cyber-security threats. The cyber security discourse
is predominantly shaped by the notion of national security 11. Cases such as the cyber-attacks
on the online banking system in Estonia, the defaced government websites in Georgia, and the
use of the Stuxnet worm to harm Iran‘s nuclear program demonstrate the importance and the
increasingly crucial role of cyberspace for national security. As a result, states have defined
cyber-security in their military and security doctrines as a new domain of conflict.12 Cyber
security concern is now indeed indispensable because of the increased pervasiveness of
technology in our society.

state. In the era of cyber warfare, the security and sovereignty of a state in the cyber space
plays a significant role in protecting its citizen from external cyber security threats. It is the
duty of a responsible sovereign state to apply all the possible measures to ensure the safety of
its masses. Sometimes for the purpose of preventive measures or for investigation of any
offence that challenges the integrity and sovereignty of state, it becomes necessary for the
state to take into account the data of citizens. Since criminal activities also have become
digitized, law enforcement must visibly patrol the Internet. In addition, the police may need to
operate covertly. To investigate serious crime and predict crime or terror attacks, predictive
analysis, access to social media accounts and big data analytics could provide significant aid
for law enforcement.13 For this purpose, section 69 of IT act regulates the actions of cyber
surveillance by government agencies to the data of citizens.

PREVENTION OF MISUSE OF CYBER SURVEILLANCE PROVISION:

With the advent of state interference in individual privacy, the data protection concerns take
place with sufficient cause. It is indeed necessary to prevent the misuse of cyber surveillance
law because these laws contain sufficient instruments to infringe the data privacy laws.
11
Dominik Eisenhut, Sovereignty, National Security and International Treaty Law, 48, ARCHIV DES
VÖLKERRECHTS, 431, 431, (2010). JSTOR

12
Allen, Anita L. Gender and Privacy in Cyberspace, 52, STANFORD L.R., 1175, 1195 (2000). JSTOR

13
Stephanie K. Pell and Christopher Soghoian, Your Secret Stingray's No Secret Anymore: The Vanishing
Government Monopoly over Cell Phone Surveillance and Its Impact on National Security and Consumer
Privacy, 28, HARVARD J. LAW & TECH, 1-35 (2014). JSTOR

8
Keeping in view the prospective misuse of section 69, the central government made the rules
under Information Technology (Procedure and Safeguards for Interception, Monitoring and
Decryption of Information) Rules, 2009.

Rule 3 of this regulates the scope of power conferred to government agencies so as to avoid
the arbitrariness and provides the prerequision of an order by the competent authority to
intercept and monitor individual data. For this purpose “competent authority” contains (i) the
Secretary in the Ministry of Home Affairs, in case of the Central Government; or (ii) the
Secretary in charge of the Home Department, in case of a State Government or Union
territory, as the case may be. The role of the Review committee under Rule 22 is quite
significant: The committee shall sit at least one in two months in order to check any
arbitrariness in the exercise of these powers and setting aside the directions which
contravenes the provisions of these rules. Also, Rule 24, prohibits unauthorised persons to
intercept or monitor individual data, failing which may punish them under relevant provisions
of IT Act. As per Rule 25, Even if such data is processed with authorisation it can’t be
disclosed by intermediary to any person other than the designated officer.

It is indispensable to note that these rules indicates the intention of the state to exercise cyber
surveillance in such a manner that violation of individual privacy in minimum.

9
PREFERENTIAL TREATMENT TO CYBER SURVEILLANCE:

A Government which abdicates its responsibility has no right to be in the Government. A

Citizen who wants the Government to abdicate its duty is himself failing in his duty as a
citizen. The Constitution of India guarantees every citizen the right to life and personal liberty
under Article 21. The Supreme Court, in Justice K.S. Puttaswamy v. Union of India ruled that
privacy is a fundamental right. But this right is not unbridled or absolute. The Central
government, under Section 69 of the Information Technology Act, 2000, has the power to
impose reasonable restrictions on this right and intercept, decrypt or monitor Internet traffic
or electronic data.

If, in a case, a law confers the preferential treatment to right to privacy over cyber
surveillance by state, the aftermaths are not favourable to the security of the state as a whole.
In that condition there has to be sufficient amendment in other laws including IPC or POTA
to enforce such law and this would make India a haven for Criminals, Naxalites and
Terrorists. It will prevent Police from undertaking any search or preventive arrests, impose
restrictions on public for prevention of offences etc., since all such provisions will be
restrictive of the Right to Privacy in one sense. 14 Those who swear by the constitution has to
swear by the “Primacy” of “We the People” and cannot ignore the security of people even
before worrying about providing guarantee of the Right to Privacy.15

14
https://www.naavi.org/wp/allahabad-high-court-admits-pil-against-section-69-notice-2/
15
Ibid

10
RECOMMENDATIONS TO RECONCILE THE PRIVACY CONFLICT:

The intricate challenge is that in-between the surveillance and the privacy lays the personal
data—the new gold from a commercial perspective, a resource in the fight against terrorism
from a security perspective, and a future threat of human rights from an individual
perspective. There is no simple solution to the paradox.16

Laws enforcing Cyber surveillance and individual’s data privacy are two sides of a coin. In
every case, one would overshadow another. hence the conflict is inevitable. It can be deduced
that legal flexibility of conflicting points shall be the possible reconciliation, that’s presented
as below:

As per Rule 7 of Information Technology (Procedure and Safeguards for Interception,

Monitoring and Decryption of Information) Rules, 2009, every direction issued by competent
authority to intercept or monitor individual’s data shall contain the ‘reasons’ for such
direction. It is recommended that such ‘reasons’ should be communicated to the person whose
data is to be intercepted or monitored, through reasonable means of communication. Provided
that, the government may ascertain a specific category of “persons with excessive degree of
suspicion” regarding whom the government agencies need not bound by the aforementioned
rule. For instance- habitual offenders or proclaimed offenders. This may probably act as
sufficient justification for breach of data privacy.

It is recommended that government agencies shall have access to any category of data except
that of “Genetic data” as defined in section 3(20) of the Personal Data Protection Bill, 2018.17
Provided that, the government may ascertain a specific category of “persons with excessive
degree of suspicion” regarding whom the government agencies shall not bound by the
aforementioned rule. For instance- habitual offenders or proclaimed offenders. The sole
rationale for the presented recommendation is that, the uniqueness of genetic information, it is
contended, entitles it of greater privacy protection than other types of information.31 The
dilemma for privacy advocates is not simply the almost inexhaustible opportunities for access
to data but also the intimate nature of those data and the potential for harm to persons whose
privacy is violated. Against this backdrop of increasing use of genetic information, scholars,
16
Hagen, Janne, and Olav Lysne. Protecting the Digitized Society—the Challenge of Balancing Surveillance
and Privacy, 1, THE CYBER DEFENSE REVIEW, 75, 87, Spring (2016). JSTOR

17
“Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person
which give unique information about the behavioural characteristics, physiology or the health of that natural person and
which result, in particular, from an analysis of a biological sample from the natural person in question

11
legislators, judges, and the public have asserted that genetic information is entitled to
additional levels of privacy protections because it is virtually unique among health-related
data.18

18
Ronald M. Green 8: A Matthew Thomas, DNA' F W: Distinguishing Features for Policy Analysts: ll
HARVARD J. LAW & TECH, 57 (1998). JSTOR

12
BIBLIOGRAPHY

Primary Sources

1. Ahmed Farooq, Cyber Law in India, (Delhi: New Era PubUcation, 2005).
2. Ahuja V.K., Law Relating to Intellectual Property Rights,
3. Carter Ruck P.P. and James E.P. Skone, Copyright: Modern Law and Practice, (London:
Faber And Faber, 1965). Chaubey, Cyber Crime and Cyber Law,
4. Commer Douglas E., Internet Book, 3rd ed. (Delhi: Pearson Education, 2003). Copyright
Act, 1957 xiv of 1957 with Rules and Appendices, 4th ed.

Secondary Sources

1. Hagen, Janne, and Olav Lysne. Protecting the Digitized Society—the Challenge of
Balancing Surveillance and Privacy, 1, THE CYBER DEFENSE REVIEW, 75, 87,
Spring (2016). JSTOR
2. https://www.naavi.org/wp/allahabad-high-court-admits-pil-against-section-69-notice-
2/
3. Stephanie K. Pell and Christopher Soghoian, Your Secret Stingray's No Secret
Anymore: The Vanishing Government Monopoly over Cell Phone Surveillance and Its
Impact on National Security and Consumer Privacy, 28, HARVARD J. LAW &
TECH, 1-35 (2014). JSTOR
4. K. S. Puttaswamy v. Union of India, Writ Petition (Civil) No. 494 of 2012 (Sup. Ct.
India Aug. 24, 2017).

5. Art. 12 of UDHR - No one shall be subjected to arbitrary interference with his

privacy, family, home or correspondence, nor to attacks upon his honour and
reputation. Everyone has the right to the protection of the law against such
interference or attacks.

6. 16 Art. 17 of ICCPR - No one shall be subjected to arbitrary or unlawful interference with

his privacy, family, home or correspondence, nor to unlawful attacks on his honour and
reputation.

13
7. Shreya Singhal v. Union Of India [AIR 2015 SC 1523]- The Supreme Court struck
down Section 66A of the IT Act, 2000, as unconstitutional on grounds of violating
Article 19(1)(a) of the Constitution of India.
8. Section 5(2) of the Official Secrets Act, 1923 - If any person voluntarily receives any
secret official code or pass word or any sketch, plan, model, article, note, document or
information knowing or having reasonable ground to believe, at the time when he
receives it, that the code, pass word, sketch, plan, model, article, note, document or
information is communicated in contravention of this Act, he shall be guilty of an
offence under this section.
9. Anita Gurumurthy, Are India’s laws on surveillance a threat to privacy?, THE
HINDU, (July 12, 2019, 02:10 PM), https://www.thehindu.com/opinion/op-ed/are-
indias-laws-on- surveillance-a-threat-to-privacy/article25858338.ece/amp/
10. Period within which direction shall remain in force.— The direction for interception
or monitoring or decryption shall remain in force, unless revoked earlier, for a period
not exceeding sixty days from the date of its issue and may be renewed from time to
time for such period not exceeding the total period of one hundred and eighty days.

14