Monday, August 06, 2018

Placing surveillance reforms in the data protection debate

by Rishab Bailey, Vrinda Bhandari, Smriti Parsheera and Faiza Rahman.

Introduction

On July 27, 2018, the Committee of Experts constituted by the Government under the chairpersonship of (Retd.) Justice B.N. Srikrishna (Srikrishna Committee) released its report and the Personal Data Protection Bill, 2018. The Committee's recommendations make some headway in proposing legal reforms governing the use of personal data by intelligence and law enforcement agencies (LEAs), but fall short of offering a comprehensive solution (Bhandari, 2018).

Against this backdrop, our working paper on "Use of personal data by intelligence and law enforcement agencies" provides an overview of the existing framework on surveillance in India followed by an inquiry into how these laws and practices fare against the tests that were endorsed by the judges in Puttaswamy, the Supreme Court's right to privacy verdict. As we have previously noted on this blog, India currently does not have a comprehensive law regulating intelligence agencies/ LEAs, including on aspects such as the creation, composition, powers, functions and accountability of such bodies. What we have instead are separate provisions contained in the Telegraph Act, the Information Technology Act (IT Act), and the Criminal Procedure Code that enable government agencies to initiate lawful search and interception activities, based on the fulfilment of certain parameters. While assessing these laws and practices against the tests of legality, legitimate aim, proportionality and procedural safeguards identified in the Puttaswamy decision, we find the existing framework to be lacking in many respects.

The inadequacies of our current system become all the more evident when examined against the laws and practices of other jurisdictions that have worked harder to strike a balance between the civil liberties of individuals and the State's requirement to pursue legitimate surveillance activities. The general practice across jurisdictions is that privacy and data protection laws are also applicable to state intelligence and security agencies, albeit subject to certain exceptions (ICDPPC Census, 2017). It is important to keep in mind however, that exceptions are not all-encompassing or generic, and are usually to be applied in a proportionate manner.

In this post we highlight what can be regarded as legitimate and fair surveillance practices that are appropriate for the functioning of a democratic system. Based on a review of the current framework against the Puttaswamy tests and identified fair practices, we offer some recommendations on the next steps towards implementing holistic surveillance reforms in India. We also map these recommendations against the recommendations in the Srikrishna Committee report and the provisions of the draft law, and delineate how the draft law needs to be strengthened.

Principles of fair surveillance: International experience

International frameworks on surveillance have seen considerable development over the last decade. This has been due to changing technology and law enforcement needs, as well as instances such as the Snowden revelations that have led to greater global awareness about the need to adapt surveillance laws and practices to the modern communication era. Attempts have been made, at both the global and national level, to enhance the respect for privacy rights, through changes to statutes as well as through advocacy instruments such as the Necessary and Proportionate principles. Nevertheless, as observed by the UN Special Rapporteur on the right to privacy, no single surveillance related legislation perfectly complies with, and respects privacy rights (Joseph Cannataci, 2018).

The most commonly seen mechanisms used to ensure that LEAs/intelligence agencies act within their remit and with due respect to privacy rights include:

  1. Judicial oversight: As a general rule, countries such as the United States (US), the United Kingdom (UK), New Zealand, Australia, Germany and Canada require prior judicial authorisation for initiating surveillance activities. Often greater protections are put in place for the protection of rights of citizens as compared to foreign subjects, although both cases may require a certain level of judicial scrutiny. For instance, in the US designated courts under the Foreign Intelligence Surveillance Act have been created to authorise foreign surveillance activities. While this ensures a certain degree of oversight it should be kept in mind that these proceedings have been criticised for the lack of transparency and accountability.
  2. Oversight by legislature and independant bodies: Institutions such as Parliaments and Congress generally have extremely wide powers of supervision over the activities of LEAs/intelligence agencies, often through specific committees of panels charged with oversight. For instance, the US Congress has general powers of review over intelligence agencies. In Germany, the Parliament has a panel known as the Kontrollgremiumgesetz, while the UK has established an Intelligence and Security Committee. Both these countries have also established independant regulators to oversee the activities of LEAs/ intelligence agencies - the Office of the Investigatory Powers Commissioner and the G-10 Commission, respectively. Importantly, in addition to having access to the activities of agencies (which can extend to ex-ante reporting requirements), these bodies also publish regular public reports in pursuance of their oversight role. Further, the LEAs/ intelligence agencies themselves may also be subject to reporting requirements. In addition, transparency reports are often put out by intermediaries who receive information requests from these agencies.
  3. Implementation of redress mechanisms: While some countries such as Canada, Germany, Belgium and Austria, provide notice of surveillance to the subject in certain cases (thereby allowing processes to be challenged by the concerned individual), others create mechanisms to enable challenges to illegal surveillance through other means. For instance, the US, empowers electronic communications service providers to file petitions before the FISA Court to set aside directives issued by intelligence agencies under the FISA Act. In Europe however citizens may approach redress forums without concrete evidence of having been the subject of surveillance measures. (Klass v Germany, (1979-80) 2 EHRR 214).
  4. Implementation of organisational safeguards: The US, Germany and the UK have also implemented various administrative and technical safeguards to ensure adherence to privacy norms - ranging from embedding privacy/ethics officers within agencies, to implementing masking and other technical measures to ensure intrusions into privacy are minimised.

Key design principles for India

On mapping the legal framework and practices on surveillance in India against the Puttaswamy tests and globally recognised surveillance principles, we find our current framework to be lacking in many respects. The present set up is not well suited to meet the requirements of a system that guarantees the constitutional right to privacy or, for that matter, one that has limited state capacity in carrying out effective surveillance activities. We therefore need a system that is designed in a manner where the resources of the surveillance machinery can be optimally utilised without undue infringements into the right to privacy. Addressing these issues requires both a reassessment of the current legal framework as well as a re-evaluation of the philosophy that drives surveillance related activities by intelligence agencies and LEAs in India.

A risk-based approach to surveillance

The broad path towards safeguarding civil liberties in a system with limited state capacity lies in adopting a risk-based approach to surveillance. Countries such as the US and the UK have already moved in this direction by embedding certain risk management techniques within their surveillance architecture (Omand, 2010). This approach recognises that any country's resources are limited and therefore the surveillance architecture should focus on credible risks, whether they be reputational or operational. Apart from calibrating responses to the risk posed by different threats, this sort of an approach also takes into account broader risks such as the risks to privacy and other civil liberties, reduction of international trust in domestic firms and the impact of intelligence operations on relationships with other countries (Clarke et al., 2013).

We recommend that the Indian surveillance framework should also adopt systematic risk management as a key design principle to balance national security and privacy on one hand and limited state capacity issues on the other. The report of the Srikrishna Committee also endorses this recommendation, although the draft Bill, notably, is silent on this aspect.

Changes to the legal framework

India needs to build a robust legal framework governing the functioning of intelligence agencies. This requires the creation of a statutory framework governing intelligence agencies and LEAs, including their constitution, composition, powers and the accountability measures expected to be followed by them. The Srikrishna Committee's report recommends that the "Central Government carefully scrutinise the question of oversight of intelligence gathering and expeditiously bring in a law to this effect". It then goes on to state that although these recommendations are not directly made a part of the data protection law proposed by the Committee, they are important for the effective implementation of data protection principles and must be urgently considered.

While a data protection law may not be an appropriate site for pursuing a comprehensive reform of intelligence agencies and LEAs, there are several critical changes that can be adopted through the data protection law as well as amendments to existing laws that impact surveillance. We set out below specific recommendations that will help to ensure that any intrusion into an individual's right to privacy by state surveillance is in consonance with the principles in the Puttaswamy case.

  1. Prior judicial review: Present Indian laws confer wide powers on the executive in terms of deciding the scope and manner of surveillance. Intelligence agencies and LEAs initiate requests for surveillance, which are then authorised by another executive agency - the Home Secretary in the Central and State Governments). Oversight of authorisation is also done by an executive agency - the Review Committee established under the Telegraph Rules. The decision in Puttaswamy held that any intrusion by the state in an individual's privacy rights is permissible only if it is supported by a "fair, just and reasonable procedure established by law". A process that is driven solely by one arm of the state mitigates from the system of checks and balances that is necessary to satisfy this criteria. We therefore recommend that the current processes need to be amended to incorporate an element of prior judicial review (or post-facto judicial scrutiny in emergency cases). This review may be conducted through specialised courts designated for this purpose or by judicial members of an independent body, such as a Data Protection Authority. The role of this body would be to apply the principles of legality, lnecessity and proportionality in each and every case to ensure that the nature of surveillance, its duration and scope is in line with the purpose that is sought to be achieved. Further, a mechanism for filing an appeal against the decision of the judicial body must be provided. The adoption of the proposed structure would require corresponding amendments to the Telegraph Act, IT Act and the rules thereunder.
  2. Reporting and transparency by LEAs: Current laws need to be amended to ensure appropriate reporting and transparency requirements are implemented pertaining to all surveillance activities. These requirements may differ depending on the nature of information and the entity to which it is being provided (for instance, to the Parliament or the public). Reporting must be on both ex-ante and post facto basis, as may be relevant to the circumstances. Further, oversight bodies must also be required to publish periodic reports of their activities and that of LEAs/ intelligence agencies under their supervision, while service providers must be permitted to publish aggregated statistics detailing volume and nature of surveillance requests.
  3. Implementation of data retention norms, principles of fair processing: Principles of fair processing must be applicable even to data processed by intelligence bodies/LEAs. They must also ensure that as far as possible, personal data is up to date and accurate, while data retention norms need to be appropriately designed to ensure only relevant data is stored by the authorised agencies.
  4. Notice to the data subject: In order to achieve a balance between the objectives of surveillance and the rights of the data subject, the law should provide for an obligation to ensure that the affected data subjects are notified after completion of the surveillance. However, the agency may seek the approval of the judicial body to delay or avoid the requirement of notice under certain exceptional circumstances, for instance if it can be established that such a disclosure would defeat the purpose of surveillance.
  5. Right to seek redress: The requirement of notice to the data subject must be accompanied by a right to challenge and seek appropriate redress against surveillance activities. This right should extend to a person who is, or has reasonable apprehension of being, the subject of surveillance. In addition, intermediaries that are required by law to facilitate access to information by LEAs should also have the legal right to question the scope and purpose of the orders received by them.
  6. Privacy officers in LEAs: Independent officials must be appointed to the intelligence agencies and LEAs to scrutinise requests for surveillance (before they are placed before the sanctioning judicial body). Such scrutiny must be recorded in writing and available to relevant oversight bodies (if not the public).
  7. Technical measures to enhance privacy: Technical measures and privacy by design principles must be used to inform surveillance procedures and ensure proportionality and due process. This may imply for instance, the use of masking techniques to protect identities of citizens caught up in bulk surveillance of foreign intelligence, ensuring collected data is encrypted, acess controls, etc.
  8. Evidentiary value of information collected in breach of data protection law: Illegality in conducting search and surveillance activities does not lead to a bar on the admissibility of that evidence in subsequent proceedings under Indian law. Consequently, the incentives of LEAs are not fully aligned with the objective of ensuring that the legal processes governing surveillance are strictly followed. This will continue to pose a challenge even if privacy safeguards are introduced in the law. We therefore recommend that relevant laws should be amended to bar the admissibility of any information that is obtained by the agencies in breach of the proposed data protection law and other surveillance related laws.
  9. Revisiting telecom licenses: Telecom licenses contain specific provisions relating to the obligations of telecom service providers (TSPs) to facilitate lawful interception activities. We recommend that to the extent that any of the provisions contained in telecom licenses create additional restrictions on the privacy rights of individuals, these provisions need to adopted through legislative instruments. Further, we recommend that the terms of telecom licences also need to be revisited in so far as they contain restrictions on the encryption standards that can be adopted by TSPs, which in turn limits the privacy rights of their users. The Telecom Regulatory Authority of India's (TRAI) recent recommendations on data protection indicate a positive move in this direction. The regulator recommended that the Department of Telecommunication needs to reexamine the encryption standards laid down in the telecom license conditions. It noted the need for personal data of telecom consumers to be encrypted, both during storage and in motion. Further, TRAI recommended that decryption by authorised entities should be permitted on a needs basis, either with the consent of the consumer or in accordance with legal requirements.
  10. Transparency regarding standard operating procedures (SOPs): We recommend that any SOPs formulated by the Government to give effect to the provisions governing surveillance must be made publicly available and stakeholders should also be given an opportunity to contribute to their framing. To the extent that the SOPs might create any independent obligations on individuals or intermediaries, we recommend that the same should be supported by a legislative instrument.
  11. Amendments to other laws: Provisions of the Whistleblowers Protection Act, 2011 need to be revisited to ensure adequate protection is given to whistleblowers who expose mala fides or illegalities in surveillance procedures. In particular, the general exemptions granted under the statute (to matters impinging on sovereignty or strategic interests of the state, disclosures under the Official Secrets Act, 1923, etc) may need to be revisited. Similarly, revisions may be required to the generic exemptions granted under the Right to Information Act, 2005, to various LEAs.

Reviewing the Srikrishna Committee's proposals

The Srikrishna Committee's draft law proposes protections relating to the collection, processing and use of personal data of individuals (referred to as data principals) and offers remedies from related harms. The draft law defines "harms" to include (i) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; and (ii) any observation or surveillance that is not reasonably expected by the data principal.

Sections 42 and 43 of the draft law deal with the processing of personal data in the (i) interests of the security of the state; and (ii) for prevention, detection, investigation and prosecution of any offence or any other contravention of law, respectively. In both these cases the identified activities are exempted from the requirements under the draft law if they satisfy the requirements of legality, necessity and proportionality. The exemption, however, does not include the requirement to ensure that any personal data is processed in a fair and reasonable manner (Section 4) and in accordance with reasonable security standards, including methods such as de-identification and encryption of the data and prevention of misuse and unauthorised access (Section 31).

In drafting these provision, the Committee has reiterated the position laid down by the judges in Puttaswamy, but without addressing the related structural and procedural elements required to make these principles work. For instance, the requirement of legality is incomplete without a description on what constitutes legality in case of access by intelligence agencies/ LEAs. Should it include only legality of the means of access or also require the need for a legislative basis for the agencies to whom such access is provided? Similarly, what factors should be taken into account to judge whether a proposed intervention is "necessary and proportionate" in the facts of the case? Who should be making this determination?

In the context of discussing the exemption of measures taken to ensure "security of the state", the Committee proposes that the law should provide for ex-ante access controls by designating a district judge to hear requests for processing of personal information by intelligence agencies in closed door proceedings. It also proposes that such approvals should be time-bound and require periodic renewal, subject to the judge being satisfied that the purpose for processing remains relevant. Further, the report talks about ensuring accountability through ex-post periodic reporting and review by a parliamentary committee.

The recommendations of the Committee point in the right direction, but their effectiveness is marred by the suggestion that such measures be adopted if and when the Government decides to pursue a comprehensive law governing intelligence agencies. Given that surveillance activities are already taking place, the immediate requirement would be to make amendments to the laws that enable such access to personal information by intelligence agencies and LEAs, namely the Telegraph and IT Act and the rules thereunder. The draft law proposed by the Committee already suggests some amendments to provisions contained in the IT Act and the Right to Information Act, 2005. The logical step would have been to at least incorporate similar suggestions on amendments to existing surveillance related laws to build in the safeguards suggested in its report regarding ex-ante analysis and ex-post accountability for surveillance related activities.

In terms of our other suggestions, the draft law includes an obligation of fair and reasonable processing and ensuring security of data even when such processing takes place under the given exemptions. It, however, fails to recognise other important requirements like having data protection officers inside intelligence agencies and LEAs; (deferred) notice to the concerned individual, and the right to seek appropriate redress. Further, the draft law also fails to address the issue of the evidentiary value of information collected in breach of the proposed data protection law.

Conclusion

The draft law proposed by the Srikrishna Committee has tremendous scope for improvement, both in terms of strengthening the protections available to individuals who are subjected to surveillance activities as well as the structural and procedural safeguards governing such access. Having said that, we also believe that the recommendations contained in the report, particularly on ex-ante and ex-post safeguards against surveillance, are an important starting point for this discussion. To take these suggestions to their logical conclusion, it is important that corresponding amendments should be made to the draft before it shapes into a bill that can be placed before the Parliament.

References

Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, 2018.

Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, Personal Data Protection Bill, 2018.

David Omand, Securing the State: A Question of Balance, Chatham House, 8 June, 2010.

International Conference of Data Protection Privacy Commissioners (ICDPPC), Counting on Commissioners: High level results of the ICDPPC Census 2017, September, 2017.

Joseph Cannataci, Working Draft Legal Instrument on Government-led Surveillance and Privacy, 2018.

Richard A. Clarke, Michael J. Morell, Geoffrey R. Stone, Cass R. Sunstein and Peter Swire, Report and Recommendations of The President's Review Group on Intelligence and Communications Technologies, Obama White House, 12 December, 2013.

TRAI, Recommendations on Privacy, Security and Ownership of the Data in the Telecom Sector, 16 July, 2018.

Vrinda Bhandari, Data Protection Bill: Missed Opportunity for Surveillance Reform, The Quint, 28 July, 2018.

 

Vrinda Bhandari is a practicing advocate in Delhi. Rishab Bailey, Smriti Parsheera and Faiza Rahman are researchers in the technology policy team at the National Institute of Public Finance & Policy.

No comments:

Post a comment

Please note: Comments are moderated. Only civilised conversation is permitted on this blog. Criticism is perfectly okay; uncivilised language is not. We delete any comment which is spam, has personal attacks against anyone, or uses foul language. We delete any comment which does not contribute to the intellectual discussion about the blog article in question.

LaTeX mathematics works. This means that if you want to say $10 you have to say \$10.