On 20 December 2018, the Ministry of Home Affairs (MHA), Cyber and Information Security Division, issued an order authorizing ten security and intelligence agencies to intercept, monitor and decrypt any information generated, transmitted, received or stored in any computer resource under the Information and Technology Act, 2000 (IT Act).
The order created a furore with several stakeholders claiming that this granted unprecedented draconian powers to investigating agencies to access all personal data of individuals. However, an analysis of the wording and effect of the order seems to suggest a different story.
The fact that the central and state governments have had the power to undertake surveillance is evident from the analogous provisions contained in section 5(2) of the Indian Telegraph Act, 1885 (Telegraph Act), read with rule 419-A of the Indian Telegraph Rules, 1951 (Telegraph Rules), and section 69 of the IT Act read with the IT Rules.
The Supreme Court upheld the constitutional validity of interceptions and monitoring of information under section 5(2) of the Telegraph Act in the case of People’s Union for Civil Liberties v Union of India. The Supreme Court observed that while the right to hold a telephone conversation in the privacy of one’s home or office can be claimed as right to privacy, telephone tapping would infringe the fundamental right to life and right to freedom of speech and expression, unless it is permitted under the procedure established by law. The court laid down certain guidelines to put in place institutional safeguards.
Subsequently, in an effort to expand the government’s surveillance regime for tackling crime and terrorism, section 69 of the IT Act was amended and introduced in its current form. It empowers the government to authorize agencies to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource. A process broadly similar to that contained in rule 419-A of the Telegraph Rules, has been built into section 69 of the IT Act read with the IT Rules. All authorization orders issued by the government under section 69(1) must be reasoned and written, and must be subject to the procedure laid down in the IT Rules. Further, all orders are subject to the scrutiny of a high-powered review committee constituted under rule 419-A of the Telegraph Rules.
It appears that the recent order only lists agencies that are empowered to undertake surveillance, and was done to curb unauthorized access and abuse of powers by third parties, including other state agencies. The substantive powers of the agencies identified in the order and the processes to be followed have not been modified.
Therefore, the agencies specified in the order would have to obtain statutory authorization from the competent authority for each instance of interception, monitoring or decryption of information. Further, all decisions will be subject to scrutiny of the review committee as provided in the IT Rules.
Accordingly, it would be inaccurate to state that any of the notified agencies per se have been given a general authorization to intercept, monitor or decrypt information. Therefore, the outrage over the order in the belief that it is a novel attempt of the current government to conduct extensive surveillance of its people, appears to be baseless and to a great extent misguided.
The bigger concern, which neither the preceding nor present government has addressed, is the lack of procedural safeguards on government surveillance under the IT Act and Telegraph Act. The orders for undertaking surveillance are issued by government secretaries, who also form the review committee. Unlike in other countries such as the US, where investigators must generally obtain court warrants for surveillance, there are no similar checks and balances in India.
In fact, there is no framework for judicial oversight, and Indian laws at most offer only post-facto protection wherein a person may prosecute the government if they are wrongly put under surveillance. While the present order does not appear to broaden the scope or authority for undertaking government surveillance as it exists under Indian laws today, the debate must move beyond politics and into more meritorious matters such as bolstering procedural safeguards in relation to government surveillance activities. In this regard, it will be interesting to see whether the proposed data privacy law will introduce any surveillance reforms and how it will define the role of the central agencies notified in the order to enable them to continue carrying on the task of surveillance.
Cyril Amarchand Mangaldas is India’s largest full-service law firm. Bharat Vasani is a partner and Vidhi Sharma is a senior associate at the firm.
Cyril Amarchand Mangaldas
Peninsula Corporate Park
Lower Parel, Mumbai – 400 013 India
New Delhi | Bengaluru | Hyderabad | Chennai | Ahmedabad
Tel: +91 22 2496 4455
Fax: +91 22 2496 3666