The latest Home Ministry order authorising 10 central agencies to access ‘any’ data stored on ‘any’ computer is not just bad in principle but also bad in law, as the carte-blanche order of the government poses serious questions on privacy and data protection

New Delhi: The latest Home Ministry order authorising 10 central agencies to access ‘any’ data stored on ‘any’ computer has generated a heated debate around state surveillance and individual privacy.

The order is not just bad in principle but also bad in law. The present carte-blanche order of the government poses serious questions on privacy and data protection, and is arguably an excessive delegation of powers to these 10 agencies.

The discretionary power that rested with the Home Secretary has now been delegated to these agencies without ensuring proportionality of action. It’s debatable whether the parent IT Act, 2000 and the subsequent rules permit this delegation of discretion.

It has been argued that the IT Act, 2000 and the relevant rules of 2009 have always existed and were framed under the UPA era. However, prior to the latest order of the NDA government, each central agency had to seek permission on a case-to-case basis from the Home Secretary and the detailed reasons had to be recorded in writing.

The Home Secretary may permit or deny the request based on merits of each case to any agency. This ensured minimal and proportionate state interference on individual privacy. Even the actions of the Home Secretary had to be forwarded to a ‘Review Committee’, comprising the Cabinet Secretary, Law Secretary and Secretary of the Department of Telecommunications. The review committee maintained an oversight over the decisions of surveillance so that state interference remains in permissible limits.

It’s important to note the language employed under the Information Technology (Rules for procedure & safeguard for Interception, monitoring and Decryption of Information), 2009. The language of Rule 4 says that the Home Secretary “may authorise” the agency to intercept information.

At all points, under the 2009 rules, the authority lies solely with the Home Secretary who is called the ‘competent authority’. The Home Secretary does not have broad scope to give an omnibus permission and notify all agencies which have unfettered discretion to intercept information.

The move to grant an unfettered discretion is also against the spirit of the 2009 rules, which say that interception should be last resort to extract information.

The order is issued under Section 69 of the Information Technology Act, 2000 which invokes the “national interests” requirement under which data from any computer may be intercepted. Further, the Information Technology (Rules for procedure & safeguard for Interception, monitoring and Decryption of Information), 2009 lay down the process as to which agency may intercept information through what process.

These IT rules of 2009 authorise the ‘competent authority’ which means the Home Secretary at the Centre or state level to authorise monitoring and surveillance of individuals by central agencies upon request.

The present order of the NDA government raises question about what happens to the due process. Do all these agencies have a carte-blanche power to decide which individuals need to be under surveillance? Is the nod of Home Ministry on a case-by-case basis still needed? How will the Review Committee maintain the oversight?

These are the grey areas which remain unanswered under the present order of the Home Ministry. This lacuna or rather the arbitrariness of the language of the order cannot be overlooked, especially when the Supreme Court has laid down privacy as a fundamental right. These are valid legal grounds for such executive orders to be struck down.

It must be stated in unequivocal terms that we live in an era where the Supreme Court bench of nine judges has laid down that privacy is fundamental right all pervasive under part 3 of the Constitution. This means that privacy flows as an amorphous concept in all fundamental rights especially Right to life (Article 21) and Right to Equality (Article 14).

The state can restrict privacy or infringe upon the privacy of an individual in a reasonable and proportionate manner. There cannot be sweeping infringement of privacy without due reason and caution which the present order of the government seems to be doing.

The world’s largest democracy doesn’t have data protection regime to safeguard our information and data floating online. In the absence of any statute, it’s only the Supreme Court judgemen that would be the final law. The privacy judgement of the Supreme Court will have to be considered by any government when they frame laws, statutes or issue executive orders not just for data protection but whenever government decisions are made which touch upon the citizens’ rights and privacy.

Every law, especially the interpretation of the existing laws like the IT Act, 2000 and the relevant rules have to be in resonance with the Supreme Court ruling

The interpretation in the form of present order of the MHA is even under basic legal principles of reasonableness and proportion is bad in law. To argue that the 2009 rules were framed by the UPA might be a political argument but has no legal soundness. The top court’s judgements on Aadhaar and the case of Shreya Singhal (2015) (when the Supreme Court struck down the Section 66A of the IT Act) are the key precedents in this matter.

The Supreme Court judgement sets out three-fold requirements when the state infringes upon privacy of an individual, not limited to informational privacy. Justice Chandrachud lays down that the state must be acting under an existing law and action of the state must be proportionate and reasonable. The present order of the Ministry of Home Affairs is very broad interpretation which gives unfettered powers to agencies to access ‘any’ information on ‘any’ computer to these 10 agencies. It’s only to check abuse that the discretion to allow interception has rested with high government functionaries, so that accountability of the state action can be sought.

The tussle between national security and privacy has always been a difficult one. ‘National security’ has been regarded as a key concern by the Supreme Court when one deals with the issue of individual privacy. But the court has repeatedly underlined the need for proportionality.

The action of the government has to be proportional to the means sought. Even when the Modi government was defending the Aadhaar scheme in the Supreme Court, the government had assured the court that data of individuals cannot be accessed by government or private corporations without the order of District Judge or authorised by a senior government functionary.

At the very least, the latest order of the Home Ministry is silent on the extent and scope to which these agencies can decide on interception and how abuse is curtailed. This silence breeds arbitrariness and misuse of law which the apex court has very clearly indicated cannot be permitted in today’s day and age. For the sake of national security, state can invade privacy in reasonable and proportionate manner. No unfettered powers can be exercised through delegation of power via an executive order.