Date and Time: 09 April 2020 18:24:00 IST

Job Number: 114266416

Document (1)

1. THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,

ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1
Client/Matter: -None-

| About LexisNexis | Privacy Policy | Terms & Conditions | Copyright © 2020 LexisNexis
 THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S
SURVEILLANCE ORDER, ADDRESSING CHALLENGES TO INDIVIDUAL’S
RIGHT TO PRIVACY 2020 2 MLJ 1
Madras Law Journal - Civil (Journal Article)

Madras Law Journal - Civil (Journal Article) > 2020 > Volume 2

THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER, ADDRESSING
CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY

[By: Shobhit Garg, Vth Year, National University of Study and Research in Law, Ranchi and Yash Mittal, IVth Year,
Institute of Law, Nirma University, Ahmedabad]

Abstract

Immense concerns are prevailing with respect to the protection of personal data in the essence of individual’s right
to privacy, as with the gigantic advancement in technology and its contribution in creating a surveillance society
have started a debate whether information gathered by both state and non-state actors are legitimate or it leads to
unauthorized surveillance? Therefore, the purpose of this study is to achieve a comprehensive doctrinal
understanding of the constitutional right to privacy as evolved and understood by the judiciary and to examine the
multifarious issues associated with an individual’s breach of privacy. Hence, through this paper, the authors attempt
to analyze the legal and constitutional validity of the Ministry of Home Affairs (HMA) notification, which granted 10
central agencies whooping power to snoop into the computer resources of any individual living within the territorial
frontiers of India.

The author has divided the entire study into four parts i.e., Firstly, the underlying fallacies of surveillance
mechanism in India and its impact on the right to privacy in the light of the judicial pronouncement. Secondly, to test
the constitutional validity of the State’s power to surveillance. Thirdly, the impending need for legislative protection
from the breach of personal data and lastly, the requirement of a data policy framework to discourage cross-border
transferring of personal data.

Key Words: Privacy, Surveillance, Personal Data, Data Localization, Data Protection

Introduction

“There will come a time when it isn’t ‘They’re spying on me through my phone’ anymore. Eventually, it will be ‘My phone is
spying on me’.”
 Page 2 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

- Philip K. Dick

In today’s modern globalized world “Right to Privacy” is generally accepted as a fundamental human right. Most
nations’ today guarantees the right to privacy to its citizens. The privilege granted to individuals to secure their
actions, choices and private opinions shared in the personal sphere from being misused, exposed or scrutinized by
the world at large. As a result, it becomes a normative standard in most countries to provide constitutional
safeguards to its citizens to deter breach of privacy.1 The fundamental rationale behind the law of privacy is a
recognition of the individual’s right to be let alone and to have personal space inviolate. The need for privacy and its
recognition as a right arises because the focus has been shifted from society as a whole to the increasingly
individualistic society.2

The right to privacy in common term relates to the specific right of an individual to monitor the collection, use, and
disclosure of personal information. Personal information could be recognized in the form of personal interests,
habits and activities, family records, educational records, communication records, medical records, financial
records, etc. Additionally, the convergence of technologies and the spread of the internet have spawned different
sets of the issue concerning privacy rights in the digital space.3

According to Article 124 of the Universal Declaration of Human Rights, 1948 (UDHR), the privacy of an individual is
also treated as the basic human rights enshrined under UDHR list which reads as:

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon
his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Being a signatory to the UDHR, it becomes the obligation of India to implement the effective data protection law for
the protection of individual’s privacy. Most interestingly, the increased propensity with which alleged breach of this
sacrosanct ‘personal sphere’ is being committed in modern times requires a deeper introspection in protecting
personal data.

The unresolved dispute between Surveillance by State and right to privacy have been at the forefront of the
international debates ever since the explosive revelations of Snowden in May 2013 about the American and British
intelligence agencies extensive surveillance system which used to spy both on their own citizens and
 Page 3 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

communications elsewhere in the world. Similarly in India, under the authorization of the Central Monitoring System
(CMS), provides for the telephony metadata by tapping into the telecommunications, and Netra, a dragnet
surveillance system is used to detect and record electronic communication.5 Furthermore, with the advancement of
technology, new methods of surveillance have been unveiled by employing sophisticated technology to exercise
mass surveillance by both state and non-state players, the foundation and working of these systems have a
dubious statutory backing, which impinges upon the fundamental right to privacy of an individual.

Evolution of Right to Privacy in India

Originally privacy is not mentioned in the Constitution of India and was never a part of constitutional assembly
debates but the judicial narrative on privacy has incessantly contributed towards the evolution of privacy rights in
India. The absence of a legislative framework on the general right to privacy has resorted the Indian Courts to
judicial activism in recognizing privacy rights of its subjects and has filled in where the legislature left a void. The
court has resorted to the innovative interpretation of Article 21 by liberally interpreting ‘right to life’ and ‘personal
liberty’, the consequence of which is implanting right to privacy under the umbrella of Article 21 to give it the status
of a fundamental right.

Kharag Singh v. State of Uttar Pradesh6 was the initial judicial trajectory that touched upon the privacy rights which
involved police surveillance and domiciliary visits. In this case, the petitioner contended that certain police
regulations which gave policemen unfettered powers of surveillance of persons with criminal records violated his
fundamental right to privacy and personal liberty under Article 21. The majority judges didn’t accept the right to
privacy as a fundamental right; it was, however, the dissenting opinion of Justice Subba Rao that sowed the seeds
of constitutional recognition of the right to privacy.7 Twelve years later in Govind v. State of Madhya Pradesh8, the
Court softened its stand on recognizing privacy as a fundamental right and observed that though the right to privacy
is not absolute the state must provide a ‘compelling public interest’ as a precursor to the exercise of powers
conferred by police regulations. Same contentions were raised in Malak Singh v. State of Punjab and Haryana9,
where court ruled that persons who did not have any past criminal records and did not pose security threat could
not be made subject to surveillance under the regulations.

The above set of cases majorly discusses the personal choices of prisoners in the context of journalistic practices
but the major breakthrough in the realization of the right to privacy came with the Auto Shankar case10, which was
the important subject matter in the light of which privacy revolved around freedom of speech and expression.
According to the facts, a Tamil magazine (petitioner) wanted to publish the autobiography of a prisoner on the death
row. Portions of the manuscript contained details about the nexus between police officers and criminals. The
respondents contended that publication in question was likely to be defamatory and invaded right to privacy of the
prisoner. The court, in this case, ruled out that:11

1. The petitioner has the right to publish what it claimed to be the autobiography, in so far as it reflected the
public records. If they went beyond and published his personal life details, it would result in an invasion of
his privacy.

2. The respondents had no right to impose a pre-publication ban merely because the matter was perceived
by them to be defamatory. Their cause of action would arise after the publication.
 Page 4 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

3. The right to privacy has been considered within the precincts of the right to life under Article 21, which
ultimately brought two aspects w.r.t. right to privacy i.e., firstly, the common law remedy and secondly, the
constitutional right under Article 21.

Finally, in Justice (Retd.) K.S. Puttaswamy v. Union of India12 popularly known as Aadhaar case, where the
consideration of right to privacy as a fundamental right reached its tipping point. Here, the government’s decision to
call for mandatory enrolment under the Aadhaar card scheme in order to avail the benefit of state welfare schemes
violated the right to privacy of citizens. Govt. reliance on notion established in Kharag Singh’s case is rejected by
the Supreme Court and recognized the right to privacy as a fundamental right.

Indian Surveillance Laws and Right to Privacy

Primarily, the special laws enacted by the Parliament relating to electronic surveillance are governed under:

(a) The Telegraph Act, 188513:

“By virtue of Section 5(2), substituted vide Telegraph (Amendment) Act, 1972, the Central and State Governments have
been conferred with lawful authority to intercept or detain messages transmitted through the ‘Telegraph’. Section 3(1AA)
defines ‘telegraph’ as any “appliance, instrument, material or apparatus used or capable of use for transmission or
reception of signs, signals, writing, images and sounds or intelligence of any nature by wire, visual or other electronic-
magnetic emissions, radio waves or Hertzian waves, galvanic, electric or magnetic means.”

Section 5(2)14 reads as follows:

“On the occurrence of any public emergency, or in the interest of the public safety, the Central Government or a State
Government or any officer specially authorised in this behalf by the Central Government or a State Government may, if
satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the
State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence, for
reasons to be recorded in writing, by order, direct that any message or class of messages to or from any person or class of
persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall
not be transmitted, or shall be intercepted or detained, or shall be disclosed to the Government making the order or an
officer thereof mentioned in the order.”
 Page 5 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

(b) The Information Technology Act, 200015:

“Section 69(1), impugned herein, authorizes the Central and State Governments to monitor, intercept, or decrypt
information contained in any ‘computer resource’. A ‘computer resource’, defined under Section 2(1)(k), refers to a
“computer, computer system, computer network, data, computer database or software.” The provision, as originally stood
from the year 2000 till 05.02.2009, vested the powers to intercept any information on the ‘Controller of Certifying
Authorities’. By virtue of Information Technology (Amendment) Act, 2008 [‘2008 IT Amendment’], the Parliament extended
the powers under Section 69 to “monitor” and “decrypt” electronic communications. Moreover, the 2008 Amendment
introduced two additional grounds (viz., ‘defense of India’ and ‘investigation of any offense’) to cause electronic
surveillance.”

Mass surveillance in India always remains a legally gray area of concerns and often cited as the state’s prerogative
to watch the activities of an individual in the name of national interests and public emergency. Undoubtedly, in the
modern societies surveillance is emerging as the most effective instrument of state authorities, corporations and
individuals. The Snowden revelations of mass surveillance programmes into the light of the day are depicting the
far-reaching capabilities of digital surveillance technologies. The lack of political will to show serious reactions
against such activities appears to be an unbroken trend which requires great care on the part of the government.16

The expanding horizon of communications technology in India is gaining its momentum since the 1980s when the
digital revolution in India has transformed our way of communications. Now we could communicate a lot more, and
to many more people than we could before. Phones, computers, and internet are not only used for communication
purposes but have become an integral part of our daily lives. Hence, any sort of intrusion into the person’s phone or
computer would be an infringement to their right to privacy.

Is Surveillance state a reality now?

The significance of this question draws its sustenance from a December 20, 2018 order17 from the Union Home
Ministry, declaring that “any information generated, transmitted, received or stored in any computer resource” is of
interest to the state, unmindful of the order which is clearly inconsistent with the Supreme Court’s verdict in privacy
judgment declaring it to be an intrinsic part of the right to life and personal liberty under article 21.

The center’s decision to authorize 10 central agencies to intercept, monitor and decrypt any information generated,
transmitted, received or stored in any computer in the country is a retrograde step which is full of manifest
 Page 6 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

arbitrariness as it gives government a unbridled power to snoop into conversations and browsing the activities of
millions of its citizens.18 The very mention of these 10 agencies in one order suggested that they had been
handicapped by the problem of accessing information stored in “any computer resources” to perform their duties
effectively. Furthermore, another intriguing factor is the definition of “computer resource” which before 2008
amendment in IT Act, meant computer, computer system, computer network, data, computer database or software,
but the new definition under section 2(k) of the IT Act, provides it a wider ambit to also include mobile phones.

The snooping orders attribute that the existing surveillance framework is complex and confusing. In India, majorly
the Telegraph Act 1885 governs the telephonic surveillance, whereas the Information Technology Act 2000 governs
electronic surveillance. In both the cases the surveillance request has to be signed off by an official who is at least
at the level of the joint secretary.

The existing surveillance mechanism is flawed in three ways:

1. The whole decision-making process is bureaucratized i.e., the power to order surveillance is vested with
the executive, with no parliamentary or judicial supervision.

2. The surveillance regime is vague and ambiguous because the grounds of surveillance as specified u/s 69
of the IT Act are carved out from Article 19(2) of the constitution which includes phrases such as “friendly
relations with foreign states” or “sovereignty and integrity of India”.

3. There exists a lacuna on the process i.e., how surveillance decisions are taken, and how legal standards
are applied. The reasonability of this question persists because it is evident from the RTI query filed in
2014, which answered that on average 250 surveillance requests are approved every day. In this condition,
the approval resembles a rubber stamp rather than an independent application of mind.

Under the constitution right to privacy is not an absolute right, sometimes to ensure national security and pre-
emptive terror threats, the surveillance is required which must be placed outside the public eye. The arguments
w.r.t. to surveillance must be closely analyzed, where the primary notion should be to clear the misconception about
state surveillance hence, leading the debate to not about ‘whether surveillance at all’, but about ‘how, when, and
what kind of surveillance’.19

Is the surveillance order u/s 69 of the IT Act 2000 Constitutionally valid?

While analyzing the surveillance order on three counts firstly, its bureaucratic character, secondly its vagueness
and thirdly its opacity, the current surveillance framework lacks constitutional validity. It is significant to mention that
the very act of surveillance is against an individual’s right to privacy, and poses a chilling effect on the individual
right to personal liberty under Article 21 of the constitution. The decision to vest unbridled power within itself i.e.,
whether to put someone under surveillance or not, the executive order is arbitrary and unjustified in various terms:
 Page 7 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

1. Firstly, the act of surveillance violates the fundamental rights under Article 19(1) (a) and 21, as it prevents
people from thinking about, reading and exchanging unorthodox, controversial or provocative ideas. The
perceived danger of being snooped by the government agencies into the activities performed by the
individual always raises the reasonable suspicion in the minds of the people, which impacts the citizen’s
ability to express, receive and discuss such ideas.

2. In the absence of parliamentary or judicial oversight the very existence of such disproportionate power
vesting with one wing of government would violate not only Part III of the constitution, which impacts
federal relationship between the citizen and the state; but would also undermine the principle of separation
of poweramong the executive, the legislature and the judiciary.

3. The MHA order fails upon the proportionality principle applied by Apex Court in Puttaswamy20 (Privacy)
judgment which is endorsed globally too, by constitutional courts in jurisdictions such as the EU, Canada,
and South Africa – to gauge the constitutionality of restrictions on privacy, i.e., to ascertain the (a) legality,
(b) legitimate goal, (c) proportionality and (d) procedural guarantees/safeguards of the impugned
provisions that have violated the right to privacy.

The Constitution Bench of Hon’ble Supreme Court in Puttaswamy (Aadhaar)21 held that the following four sub-
components of proportionality need to be satisfied before the validity of a law can be upheld (at Pr. 267 & 433):

- A measure restricting a right must have a legitimate goal (legitimate goal stage) and it is designated for a
proper purpose.

- It must be a suitable means of furthering this goal (suitability or rationale connection stage), i.e. measures
are undertaken to effectuate the limitation are rationally connected to the fulfillment of the purpose.

- There must not be any less restrictive, but equally effective alternatives (necessity stage), i.e. there are no
alternative less invasive measures.

- The measure must not have a disproportionate impact on the right holder (balancing stage), i.e. there is a
proper relationship between the importance of achieving the aim and importance of limiting the right.

Hence it is pertinent to mention that neither the IT Act nor the 2009 IT Rules have codified the basic principles of
necessity and proportionality, as required under the Puttaswamy (Privacy) judgment. Furthermore Justice
Srikrishna Committee also accepted the principle of neccesity, which clarified that the processing of personal data
by the State on non-consensual grounds (as in the case of surveillance) must be “strictly confined by necessity” and
the “State should not collect personal data more than what is necessary for a legitimate purpose”. The Committee
thus opined that “any systematic collection of data is to be preceded by an assessment of the extent to which data
collection would be proportionate having regard to the legitimate purpose at hand.”

Hence, Section 69 of the IT Act is the result of manifest arbitrariness and is liable to be struck down in following
terms such as:
 Page 8 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

1. Section 69 all together delimits the minimum modicum of safeguards present in the Telegraph Act i.e., the
Act permits appropriate government to “intercept, monitor or decrypt” any information generated,
transmitted, received or stored in any computer resource without the prerequisite requirement of “public
emergency” or “public safety” that is still present in Telegraph Act.

2. Section 69 incorporated two new grounds, namely in the interest of the “defense of India” and the
“investigation of any offense”; which are in fact not mentioned in Article 19(2) of the Constitution.

3. Section 69(3) imposes an additional obligation on intermediaries, subscribers and persons-in-charge of the
computer resources to “extend all facilities and technical assistance” to the intercepting agency.

The underlying lacuna of Section 69 of the IT Act is the non-inclusion of public emergency or an issue of public
safety for the provision to be triggered which are even grounds under the Telegraph Act. The importance of public
emergency or public safety as the ground for surveillance is well explained in PUCL v. Union of India22, popularly
known as wiretapping judgment, the court observed that

“Unless a public emergency has occurred or the interest of public safety demands, the authorities have no jurisdiction to
exercise the powers under the said section. A public emergency would mean the prevailing of a sudden condition or state
of affairs affecting the people at large calling for immediate action, whereas the expression “public safety” means the state
or condition of freedom from danger or risk for the people at large. When either of these two conditions is not in existence,
the Central Government or a State Government or the authorized officer cannot resort to telephone-tapping even though
there is the satisfaction that it is necessary or expedient so to do in the interests of sovereignty and integrity of India etc.”

Hence, in the absence of a public emergency as well as public safety, Section 69 of the IT Act provides the
government agencies an unbridled power to snoop into the personal affairs of an individual or a group. Thus it is
significant to mention that Section 69 of the IT Act and IT Rules of 2009, in general, lack any requirement for
transparency and accountability in as much as the person intercepted will likely to remain unknown it being put
under surveillance. Furthermore, in any event, the public emergency / public safety requirement may justify the
narrow view taken regarding judicial oversight in the Wiretapping judgment23 (supra), but the complete absence of
such a requirement under Section 69 of the IT Act renders judicial oversight virtually indispensable.

Need for National Data Protection Regulatory Framework

Taking the consideration of lack of any concrete and specific law on data protection, MHA order can be considered
as critical in the light of the upcoming election. There is a deep distrust among Indian citizens over various policies
of the government. From Request for Proposal (RPF) to set up social media communication hub to this surveillance
orders, it appears that the incumbent government would like to project itself in a good light for the upcoming election
and identify dissenting voices speaking against it by using intelligence apparatus to secure its interests in the
 Page 9 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

election.

In the light of privacy judgment and to strengthen Indian Data Protection regime, Ministry of Electronics and
Information Technology (“MeitY”) in August 2017 constituted a committee with intent “to study various issues
relating to data protection in India and to make specific suggestions for consideration of the Central Government on
principles to be considered for data protection in India and suggest a draft Data Protection Bill”24. In order to
achieve this goal a committee came into existence headed by Justice B.N. SRIKRISHNA, former judge of the Apex
Court of the Country. After due analysis and research the committee presented its report on Jul. 27th, 2018. The
key recommendation made by the committee was:

1. A special authority for Data prevention and Protection will be created under the new data protection law
with that will act as an independent and regulatory authority with the aim to perform various functions such
as

a. Observing and reinforcing;

b. Legal affairs, policy, and standard setting;

c. Explore and understanding;

d. Investigation, addressing any violation of data privacy, and adjudicate the culprits25.

2. The new data protection law shall not act retrospectively26 but at the same time it will be applicable to all
the data collected, handled and transferred within the physical boundaries of India27.

3. The new definition of sensitive personal data shall be comprising of passwords, data pertaining to finance,
data relating to sexual life of an individual and at last but not least the biometric and genetic data and every
information pertaining to individual’s political and social belief28. These heads that have been added in the
definition is not exhaustive and definition can be extended by the DPA as per the criteria set by the law29.

4. The new data protection law shall be applicable to both public as well as a private entity30.

5. Consent should be the major factor in the processing of data pertaining to individual and consent so
obtained should be of free, fair and clear nature and in the case of information being of sensitive nature
than for consent so obtained should be of explicit nature31.

6. The individual has the right to be forgotten in the new data protection law but such right shall not be of
absolute nature and there can certain restriction that could be imposed in ‘right to be forgotten’.

7. Personal data determined as critical will only be processed within the boundaries of India and no cross
border transfer shall be permitted for such personal data.32 Only the health data of the individual on the
prompt need of medical grounds and emergency factor can be transferred through the borders but only
with the prior approval of central government.

8. Only the data termed as non-critical shall be transferred through cross border but with the essential
requirement of keeping at least one secondary record of such data safe within the boundaries of India33
 Page 10 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

9. National security and interest of the country can be the exception to the rule of consent and the state is
allowed to keep a copy of such sensitive data without the consent of such individual34.

10. There is the need to maintain a balanced relationship between Article 19 and informational privacy,
‘journalistic activities’35 are termed as an exception to data protection law but such exception is not of
absolute nature moreover the data can be used for the personal, domestic purposes36 and research
purposes.37

Data localization, a step towards restricting cross border transfer of data

Collection and storage of personal data are one of the major challenges faced by the authorities in the wake of
surveillance order. Whatever data processed surveilled or intercepted needs to be stored in due protective care to
prevent any misuse of collected data. Hence, with the objective of protecting and storing of personal data the
committee presents the strict policy that need to be adopted while dealing with the personal data and recommends
that since the data in the present case is of Indians and hence it is direly needed to store it locally and any attempt
to transfer such data without the permission of such individual should attract a liability on the person who is
engaged in doing so and while dealing such data breach Indian law should be applied.

The term ‘Data Localization’ generally refers to storing of the data within the physical boundaries of a country or a
Nation but with the advancement of time data localization is also referred to preventing and restricting any outflow
of data from the physical boundaries of the country provided that such transfer is not authorized by the individual
who is the owner of such data38. It is a combination of measure to encumber the transfer of data across national
borders. There is a variable measure that comes under the ambit of data such as preventing the personal data of its
citizen being smuggled out of the country; obtaining consent before transferring such data or imposing duty and
taxes before such data transfer.

It has been further classified into two categories namely ‘strict and conditional’. Strict restriction requires a total
censorship on any outflow of data from the physical boundaries of the country whereas, the conditional restrictions
refers to the transfer of individual data outside the physical boundaries of the nation subjected to certain terms and
condition that needs to be fulfilled before making any transfer39. The Central Government has the power u/s 40 and
41 of the draft legislation to decide whether the cross border transfer of data is required or not. The highlight
sections 4040 and 4141 are:

• The Union Government shall through an appropriate channel shall determine the classification of data that
shall be comprising of sensitive personal data and also classify what type of sensitive personal data shall
be of critical nature and lay the procedure that such type of critical data shall be dealt and processed within
the boundaries of India only.

• Any sort of non-sensitive or non-critical data can be allowed to flow outside the physical boundaries of the
nation subjected to a condition that atleast one copy of such data shall be kept in the country itself.

• Any form of data transfer that is non critical Cross border transfers of personal data, other than critical
personal data will be through model contract clauses with the data transferor being directly liable to the
data principal.
 Page 11 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

Steps taken forward to limit the storing of data in outside India

1. RBI’s order on mandatory local storage of payment data: Even before the recommendations of Srikrishna
Committee on data, the RBI had touched upon the data, where it through an order cast a mandate on all
electronic payment service providers to essentially keep all the data pertaining to any payment made
through their channels within the boundaries of India by any person and such data shall be stored in
system situated in India. Under the said notification, for the absolute protection of data related to any
payment, the RBI has mandated the payment service providers to store locally all the details that consists
of details, payment instructions and any other information directly or indirectly related to the payment.
Moreover in order to check the proper implementation of this order the RBI has asked the payment
services provider to maintain the records of data and audit it annually and all this process has to be
reported annually to RBI itself.

2. The National E-Commerce Policy: This policy is the latest development while concerning the ‘Digital
Economy’ with the objective to govern and regulate the recent rising of online shopping sector of India. The
prime aim of this policy is to support and aid the growth of India’s online economy and in order to do
achieve this aim, the data pertaining to individual arising or generating through the use of social media
websites, online shopping platforms or arising out of any other reasons etc. has to be entirely stored within
the physical boundaries of India and all the power in respect of regulation and control of such data should
be provided in the hand of any other of India only.

Existing laws ‘trying’ to ‘prevent smuggling’ of data

It is not the first time that the need for impending legislation to regulate cross border transfer of data has aroused. In
fact, in the year 201142 and 201443 also draft legislation has been released with the motive to regulate cross border
transfer of data, however, neither of the drafts were tabled in the parliament. As already stated that India has no
dedicated legislation to protect the transfer of data to foreign lands and Indian legislations do not comprehensively
address this issue but indeed there is some law in fragment’s that try to limit the transfer of persons private data.
These laws regulate the transfer of data by corporate bodies, data pertaining to national interest or security, and
certain categories of specific financial data. In the year 2014, the National Security Council of India through the
proposal considered the need for all data related to communication between two users in India to remain within the
country44. Few of the context-specific laws are:

1. Data protection by Department of Telecommunication (DoT): Department of telecommunications has

formed 2 sets of regulations namely Unified Access Services Licence (“UASL”) and Unified License (“UL”)
in which Clause 39.23(viii)45 of the UL states that:

“The Licensee shall not transfer the following to any person/place outside India:-
 Page 12 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

A. any accounting information relating to the subscriber (except for international roaming/billing) (Note: it
does not restrict a statutorily required disclosure of financial nature);

B. User information”46.

While the clause 41.20.viii of the UASL lays down the following

“The Licensee shall not transfer the following to any person/place outside India:-

A. Any accounting information relating to the subscriber (except for international roaming/billing) (Note: it
does not restrict a statutorily required disclosure of financial nature); and

B. User information”47.

2. Data protections under IT act: Transfer of personal data is governed by SPD rules (Sensitive and Personal
Data or Information) Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information Rules, 2011 issued by virtue of powers conferred to it under Section 43 A of the Information
Technology Act48. The SPD not only defines the personal data49 or mandate the requirement of
implementation of policy handling such data but also at the same time it lays various other factors into
account such as lawful purpose50, consent requirement51 and effects on withdrawal of consent52 etc. but
the compliance of the SPD rules remained questionable as soon after the release of SPD rules the
government of India issued a clarification that these rules shall be applicable only to those within the
territory of India53.
3. Public records: Section 4 of the Public Records Act 199354 clearly lays down that:

“No person shall take or cause to be taken out of India any public records without the prior approval of
the Central Government; Provided that no such prior approval shall be required if any public records are
taken or sent out of India for any official purpose”
 Page 13 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

4. Official Data: With the objective to localize the non-sensitive data within the territory of India The National
Data Sharing and Access Policy (NDSAP) was notified by the Ministry of Science and Technology in
201255 . Moreover, with the intent to promote the use of Cloud sharing among government offices and
officials, full-fledged cloud-based services were introduced named “MeghRaj”. Out of many mandates for
recordation of cloud services providers under the “MeghRaj” requires that “The data center facilities and
the physical and virtual hardware should be located within India”56.

As far as data is concerned the existing policies and laws have made sure that every fragment of the government
data shall remain within the boundaries of India but only a few attempts have been made in order to protect the
personal data of the common citizens of India. Though the SPD rules provide measures to protect the ‘sensitive’
and ‘personal’ data of the common citizens but with the advancement in the technology the threat of misuse of data
in the digital economy has escalated concerns among various stakeholders, and hence proved to be less effective
from the perspective of present setup of data protection framework, the primary reason being that the definition of
Sensitive Personal Data57 provided under the SPD rules is somewhat narrower as it only includes Password,
Financial information, Sexual orientation, and Biometric records but with the changing dimensions of development
in the technological spheres, the definition should be modified to be included with Genetic information, Racial &
ethnic origin, Caste information etc. also and hence at this current juncture it is the need of the hour to incorporate
such rules or introduce the new data protection bill.

Conclusion

The study concludes that the MHA Surveillance order lacks a legal and constitutional validity, and has posed a
challenge to ensuring oversight and accountability of actions taken by intelligence agencies issuing requests under
Section 69(1) of the IT Act. The order has created a debate around key issues concerning privacy, surveillance and
state overreach. Furthermore, the order fails upon the test of necessity, legality, and proportionality which was laid
down in Puttaswamy (privacy) judgment, according to which any law that encroaches upon the fundamental rights
of an individual will have to be justified in relation to Article 21 of the constitution.

One of the crucial issues the study expostulated is with respect to data protection and data localization, as the
incumbent order was passed by the MHA when India doesn’t possess any Data Protection Regulatory Framework
(DPRF), which includes protection of personal data and restriction of cross-border transfer of personal data. Hence,
it is pertinent to mention that the surveillance order is brought with nasty intention when the elections are around the
corner, and the government trying to manipulate the elections by collecting the personal data of the citizens to gain
momentum in the upcoming polls.

1 Agnitipdo Tarafdar, Surveillance, Privacy and Technology: A Comparative Critique of the Laws of USA and India, 57
JILI, (2015).

2 Madhavi Divan, The Right to Privacy in the Age of Information and Technology, 4 SCC, (2002).
 Page 14 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

3 Aashit Shah and Nilesh Zacharias, Right to Privacy and Data Protection, Nishit Desai and Associates (Feb. 25, 2019,
09:58 AM), http://www.nishithdesai.com/fileadmin/user_upload/pdfs/Right_to_Privacy_-_data_protection.pdf.

4 Universal Declaration of Human Rights. Art.12.

5 Tarafdar, supra, 1.

6 1964 SCR (1) 332.

7 Gautam Bhatia, State Surveillance and Right to Privacy in India: A Constitutional Biography, 26 NLSI Rev., (2014).

8 1975 SCR (3) 946.

9 1981 SCR (2) 311.

10 R. Rajagopal v. State of Tamil Nadu (1994) 6 SCC 632 (India).

11 Bhatia, supra, 7.

12 K.S. Puttaswamy v. Union of India, W.P. (CIVIL) NO 494 OF 2012 (India).

13 Indian Telegraph Act, Sec. 5 (2), 1885.

14 Indian Telegraph Act, Sec. 5 (2), 1885.

15 The Information Technology Act, Sec. 69, 2000.

16 Bhatia, supra, 11.

17 Krishna Das Rajgopal, Centre’s Surveillance Order Challenges Supreme Court Verdict on Privacy: experts, The Hindu
(Feb. 26, 09:30 AM), https://www.thehindu.com/news/national/centres-surveillance-order-challenges-supreme-court-
verdict-on-privacy-experts/article25801251.ece.

18 Surveillance State, The Hindu Business Line (Feb. 26, 11:05 AM), https://www.thehindubusinessline.com/opinion/-
editorial/giving-intelligence-agencies-sweeping-powers-without-a-system-of-oversight-is-a-bad-
idea/article25821525.ece.

19 Gautam Bhatia, The case against surveillance, The Hindu (Feb. 28, 2019, 02:35 PM), https://www.thehindu.com/-
opinion/lead/the-case-against-surveillance/article25822069.ece.

20 Puttaswamy, supra, 12.

 Page 15 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

21 Justice K.S.Puttaswamy (Retd.) vs Union of India, W.P. (CIVIL) NO. 494 OF 2012.

22 AIR 1997 SC 568.

23 Id.

24 Justice B.N. Srikrishna, “A Free and Fair Digital Economy” <https://meity.gov.in/writereaddata/-

files/MeitY_constitution_Expert_Committee_31.07.2017.pdf> accessed. March 01, 2019

25 Justice B.N. Srikrishna, “A Free and Fair Digital Economy” <https://meity.gov.in/writereaddata/-

files/Data_Protection_Committee_Report.pdf.> accessed March 01, 2019

26 97 Personal Data Protection Bill 2018.

27 2 Personal Data Protection Bill 2018

28 3(35) Personal Data Protection Bill 2018

29 22 Personal Data Protection Bill 2018

30 3(13) and 3(15) Personal Data Protection Bill 2018

31 12 & 18 Personal Data Protection Bill 2018

32 40(2) Personal Data Protection Bill 2018

33 40(1) Personal Data Protection Bill 2018

34 42 Personal Data Protection Bill 2018

35 47 Personal Data Protection Bill 2018

36 46 Personal Data Protection Bill 2018

37 45 Personal Data Protection Bill 2018

38 Rishab Bailey and Smriti Parsheera, “Data localization in India: Questioning the means and ends” NIPFP Working
Paper, <https://www.nipfp.org.in/media/medialibrary/2018/10/WP_2018_242.pdf> accessed on March 3, 2019
 Page 16 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

39 Martina Ferracane, “Restrictions on Cross-Border Data Flows: A Taxonomy” European Centre for International Political
Economy <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3089956> accessed on March 4, 2019

40 Personal Data Protection Bill 2018, Section 40

41 Personal Data Protection Bill 2018, Section 41.

42 Ministry of Communications & IT Department of Telecommunications “Licence agreement for provision of unified
access services” <http://dot.gov.in/sites/default/files/UAS%20license-agreement-19-12-2007.pdf.> accessed on March
05, 2019

43 The Personal Data Protection Bill, 2014 <http://164.100.47.4/BillsTexts/RSBillTexts/asintroduced/data%20-E.pdf>

accessed on March 05, 2019

44 ‘National Security Council proposes 3 pronged plan to protect Internet users’ The Hindu Businessline,
<https://www.thehindubusinessline.com/info-tech/National-Security-Council-proposes-3-pronged-plan-to-protect-
Internet-users/article20727012.ece.> accessed on March 05, 2019

45 Supra, 44

46 Id

47 Id

48 Ministry of Law, Justice and Company Affairs (Legislative Department), “The Information Technology Act 2008” <
http://nagapol.gov.in/PDF/IT%20Act%20 (Amendments) 2008.pdf.> accessed on March 05, 2019

49 Sensative Personal Data Rules, Rule 3, 2011

50 SPD Rules 2011, Rule 5(2)

51 SPD Rules 2011, Rule 5(1)

52 SPD Rules 2011, Rule 5(7)

53 SS Rana & Co., “India: Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011” (Lexology, March 06)
<https://www.lexology.com/library/detail.aspx?g=35f56a2a-c77c-49e7-9b10-1ce085d981dd> accessed on 23 Feb,
2019

54 The Public Records Act, 1993

55 Department of Science & Technology Ministry of science & Technology, “National Data Sharing and Accessibility
Policy-2012” <https://nsdiindia.gov.in/nsdi/nsdiportal/meetings/NDSAP-30Jan2012.pdf> accessed on Feb 28, 2019
 Page 17 of 17
THE INDIAN SURVEILLANCE FRAMEWORK AND THE CENTER’S SURVEILLANCE ORDER,
ADDRESSING CHALLENGES TO INDIVIDUAL’S RIGHT TO PRIVACY 2020 2 MLJ 1

56 Ministry of Electronics & Information Technology, “Audit Criteria for Cloud Service Providers”
<https://meity.gov.in/writereaddata/files/CSP-01-03%20-%20Audit%20Criteria%20for%20CSPs.pdf.> accessed on
March 06, 2019

57 SPD Rules 2011, Section 3

End of Document