Author: Prashant Reddy T.

What We Should Really Be Asking About Twitter and its Legal Immunity Status in India

Will a court of law agree with the government’s interpretation of Section 79 and the Intermediary Guidelines that have been drafted under that provision?

India’s mainstream media recently reported that Twitter apparently lost its intermediary status because of its alleged failure to ‘comply’ with the new Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Guidelines”).

Ravi Shankar Prasad, the minister for IT, has also tweeted that Twitter has failed to comply with the new Intermediary Guidelines, thereby opening itself up to joint criminal liability for the material published by third parties. As if to make a point, the Uttar Pradesh government has filed a case against Twitter over the circulation of a video on its platform, alleging that it was meant to provoke communal tensions between different communities.

The reality of the matter is a bit more complicated. 

Whether or not Twitter will continue to enjoy immunity is a question of law for the courts to decide. The government has no powers to decide which company enjoys immunity under the present rules.

The actual question that we should be asking, therefore, is this – what is the the likelihood of a court of law agreeing with the government’s interpretation of Section 79 and the Intermediary Guidelines that have been drafted under that provision? As I have written earlier on The Wire, Section 79 has a complicated history which makes it possible to argue that only the judiciary can determine the requirements of “due diligence” under Section 79 and that the Centre has over-stepped its brief by defining “due diligence” through the Intermediary Guidelines. That is reason enough to set aside the rules. If the rules are set aside on the aforementioned grounds, Twitter and other platforms can try convincing a court of law that they exercised the requisite degree of due diligence and can hence enjoy the immunity offered by Section 79 from liability for third party content.   

Even presuming the Intermediary Guidelines are upheld as legal and presuming that Twitter has lost its shield from prosecution, the Indian state will find it quite difficult to actually hold Twitter liable under Indian criminal law. 

To begin with Twitter Inc. does not have an office or staff in India. Twitter’s subsidiary, which is Twitter Communications India Pvt. Ltd. which does have an office in India is a separate legal entity from its parent company. This legal fiction makes it legally impermissible to hold the staff of Twitter Communications India Pvt. Ltd. responsible for any decision by Twitter Inc. unless a court is willing to pierce the corporate veil. That almost never happens in Indian courts. In other words, even if a FIR is registered in India, the Indian state cannot really exercise any coercive power against Twitter Inc. without which it will be difficult, if not impossible, to punish Twitter’s management which currently sits in the United States. This is one of the reasons that the government is insisting on the appointment of a grievance redressal officer who is on the payroll of the global headquarters of Twitter as one of the conditions for Twitter to continue enjoying immunity under Section 79. 

Also read: The Power Politics Behind Twitter versus Government of India

Even presuming that Twitter does eventually create a physical presence in India, it will still be difficult for the Indian state to successfully prosecute Twitter, under current laws, for any content published on its platform by its users. To enable a successful prosecution under most Indian criminal laws that apply to dissemination of information, it is necessary to prove some kind of mens rea or active criminal intent on part of the Twitter management in disseminating obscene material or communally divisive material. Meeting this evidentiary threshold will be almost impossible in case of user-generated content where users post content without prior approval of Twitter. Hence criminal prosecutions are unlikely to succeed under most penal provisions in India. This could change if the law is amended to attach a presumption of criminal liability to the management of all these platforms for all content generated by the users of these platforms. For example, under The Press and Registration of Books Act, 1867 the ‘editor’ of a publication is presumed to have selected all the material published in the publication. If a similar law is enacted making management of social media platform automatically liable for user-generated content, it may easier to prosecute these companies in criminal court. 

It may be easier to proceed against Twitter under civil law. For example, in the case of defamatory content, it may be possible to hold Twitter liable for defamatory content published by its users, provided there is prior knowledge but the remedy under civil law is limited to injunctions and monetary damages not prison time. There are however no substantive remedies under civil law to stop the publication of obscene or communally divisive content. Again, this could change under a new law that gives the government the power to impose substantive monetary fines on social media platforms for their failure to police certain content that is in violation of Indian laws. Other countries like Germany have enacted special laws to police speech on the internet, especially social media platforms.

The government’s policy on intermediary liability is at a crucial juncture at the moment. Its bureaucrats are about to learn that they may have used the wrong policy lever to bring Silicon Valley to heel. Once Indian policymakers come to terms with the fact that they lack the legal ammunition to punish Twitter they may speed up the enactment and enforcement of a new data protection law because data localisation theoretically increases the sovereignty of the Indian state over companies like Twitter. Except, what will the Indian state do if Twitter fails to comply with even data localisation rules? There are simply no good answers to this question because all of them will involve some kind of new regulation that will increase governmental control over the Internet.  In the battle between national sovereignty and multinational corporations, history has shown that as citizens we must back the state which at the very least is accountable to its citizens. And demand, as the price for that consent, that this accountability be real and effective, and not just on paper.

Prashant Reddy is a lawyer. 

A Vintage SC Order on Political Advertising May Open a Pandora’s Box for Silicon Valley

Google’s decision to pre-certify political advertisements on its platform in India is just the tip of the iceberg.

As the Lok Sabha elections draw closer, all eyes are on the Silicon Valley and the role that its companies will play in influencing the Indian electorate.

However, it may also be time to flip that question and ask whether the upcoming general elections will influence the manner in which American tech giants operate in India.

The reason this question even comes up for discussion is a 2004 Supreme Court order that laid down a rigid, pre-censorship regime for political advertising through electronic resources.

The origins of the case lie in a decision of the Election Commission of India (ECI) in 1999 to prohibit all political advertisements on electronic media prior to elections. That decision was challenged before the Andhra Pradesh high court on the grounds that the ECI lacked the powers to ban political advertisements and that the ban violated the fundamental right to free speech under Article 19(1)(a) of the Constitution.

Chief Justice M.S. Liberhan in his judgment struck down the ban as unconstitutional. When the matter was appealed before the Supreme Court, the Ministry of Information and Broadcasting brought in an entirely new argument, citing a particular rule in the Cable Television Network Rules, 1994 that prohibited political advertisements from being broadcast on cable television.

The specific rule reads as follows:

(3) No advertisement shall be permitted, the objects whereof, are wholly or mainly of a religious or political nature; advertisements must not be directed towards any religious or political end.

It should be remembered that this rule was framed in 1994, in the early days of broadcast television in a country still smouldering from the flames of communal violence. Regardless, the constitutionality of this rule was highly suspect, given the blanket ban it imposed on political speech, which most commentators would classify as the most important type of speech.

The Supreme Court appears to have been aware of the constitutionality issue but rather than strike down the rule, a bench comprising of Chief Justice V.N. Khare and Justices S.B. Sinha, Justice S.H. Kapadia passed an order concocting a draconian pre-censorship regime for all political advertising through electronic media.

Also Read: In Run-Up to Lok Sabha Polls, Google To Reveal Details of Election Ads and Spends

As per this order, all political advertising would have to be submitted to the Election Commission (or any bureaucrat designated by the EC) for approval before it could be broadcast on electronic media. According to the court, any appeals against the decision of the bureaucracy would lie before only it.

This may have been the first time that judges of a democratic country vested the powers to censor political speech with unelected bureaucrats. To make it adequately clear that it was using brute power and not legal reasoning to justify its order, the court declared that its ruling was made under Article 142 of the Constitution – which allows the Supreme Court to pass any orders it thinks necessary to serve justice.

There was no attempt by the Supreme Court to engage with the constitutionality of the prohibition contained in the impugned rule. The court also declined to engage with the prickly constitutional issues in relation to pre-censorship on speech despite having divergent views on the issue in its earlier precedents.  

That ruling of the SC has held the field since 2004 and the ECI declared in 2013 that the ruling would apply to even social media and that all advertisements on social media will be subject to pre-censorship.

In its 2013 guidelines, , the ECI stated the following:

Since social media websites are also electronic media by definition, therefore, these instructions of the Commission contained in its order No.509/75/2004/JS-1/4572 dated 15.04.2004 shall also apply mutatis mutandis to websites including social media websites and shall fall under the purview of pre-certification. You are, therefore, requested to ensure that no political advertisements are released to any internet-based media/websites, including social media websites, by political parties/candidates without pre-certification from competent authorities in the same format and following the same procedures as referred in the aforesaid orders.

In its recently announced political advertising policy for India, Google has made it mandatory to submit a pre-censorship certificate from the ECI in order to run political advertisements on its platform. In doing so, Google has become the first Silicon Valley company to comply with the ECI’s instructions.

The question for Google now is whether it plans on complying with similar pre-censorship laws under the Cinematograph Act and vet all video advertisements on YouTube? This is a relevant question because with respect to advertisements, Google and YouTube are publishers, not intermediaries for third party content.

Silicon Valley has generally managed to evade tough regulation directed at the broadcast industry by arguing that the internet is a completely different medium from traditional media. By accepting the pre-censorship regime meant for electronic media in the case of political advertising Google has provided its critics with a useful precedent to hold against it even when Google claims it is a platform and not a publisher.  

By accepting the pre-censorship regime meant for electronic media in the case of political advertising Google has provided its critics with a useful precedent. Credit: Reuters/Adnan Abidi

Paid ads versus political content

What is also currently not clear is whether the pre-censorship regime is limited to paid advertisements and not content posted by political parties on their social media accounts. Is the ECI going to certify every social media post, be it video or content, on these platforms? There does not appear to be any rational basis for this distinction. If political parties cannot be trusted with mass communications, why trust them to broadcast content on their own pages or channels that are hosted by social media platforms?

The ECI needs to provide an answer to this question. If it cannot, it should take actions to ensure parity of treatment between political advertising on social media and traditional media.

The other big issue is the manner in which the ECI plans to regulate political advertising on the University of WhatsApp. As I have argued earlier in these pages, WhatsApp is no longer a personal messaging service, it is a mass communication service. A party worker can communicate a political message to five groups, which each group containing 256 persons, in a matter of seconds.

As per a recent Time story, Indian political parties are using WhatsApp for mass messaging, often with hate filled messages. How should the law classify these messages sent to 1,280 persons without any cost? Can it even be called an advertisement? Most likely not. In that case, it would be legal for political parties to simply send out messages on WhatsApp without any requirements for pre-censorship certificates. What then is the point of the ECI regulating political advertisements on other platforms.

Also Read: How Political Parties Could Use State Data Hubs To Sway Voters

Even presuming the ECI wants to have some kind of regulation targeted at WhatsApp, how does it plan to regulate an end-to-end encrypted platform? What happens when bad actors in the political ecosystem start spreading fake news in the 48 hours prior to elections when campaigning is supposed to stop? These are not hypothetical questions and the ECI has been grappling with similar issues in the past. Let us not forget that rumours on WhatsApp led to the Muzaffarnagar riots in 2013. Those riots are suspected to have polarised western Uttar Pradesh and partly contributed to the BJP’s sweep of Lok Sabha seats in that region. How is the ECI going to crack the whip in these cases?

Some of these questions may be answered by the Bombay high court since a PIL has been filed before it seeking regulation of political advertisements on social media. Going by the remarks from the bench, it would appear that the Silicon Valley and the ECI are in for some tough questions.

It doesn’t help their case that the lawyer for the petitioners is Abhinav Chandrachud, the author of Republic of Rhetoric – a book that traces the history of free speech in India. Given the general suspicion that Indian judges reserve for political parties in India, it is very likely that this case will end badly for the Silicon Valley. If that happens, a precedent for regulating Silicon Valley platforms in other scenarios will be set. 

Prashant Reddy is a senior resident fellow at the Vidhi Centre for Legal Policy, New Delhi

Liability, Not Encryption, Is What India’s New Intermediary Regulations Are Trying to Fix

It’s time to rethink the legal immunity we hand out to massive internet companies.

After several months of speculation over possible amendments to India’s intermediary laws, the Ministry of Electronics and Information Technology has published draft amendments called the Information Technology Intermediaries Guidelines (Amendment) Rules, 2018.

These have been drafted under Section 79 of the Information Technology Act, which provision deals with intermediary liability.  

The government’s proposal – especially the requirement to proactively identify and disable content – has come under heavy criticism on the grounds that it creates a pre-censorship regime like the one found in China. The issue is a lot more complicated than is being made out by the government’s critics.

The duty to block content has always been imposed on traditional publishers like newspapers or broadcasters such as news channels. A failure to do so leads to legal liability under the law. In the early days of the internet, the Silicon Valley giants, who were then startups, argued that it was impossible to proactively monitor content because of the sheer volume of information on the internet.

Proactive monitoring of all that information would mean hiring a large number of moderators, which was financially unviable for startups. Instead, these startups asked for a subsidy in the form of legal immunity, which created the legal fiction that intermediaries would be deemed to have no knowledge of illegal content (despite it being on publicly viewable platforms) until they were informed by users or the government.

The US Congress responded by creating a ‘safe harbour’ for these intermediaries which was then adapted to differing degrees by the rest of the world. These safe harbour provisions saved technology companies the cost of monitoring their own platforms and led to the world’s greatest experiment with mass communication that was not moderated by editors. The results have not been good. The troll armies, the toxic hate targeted against women have shown us the consequences of handing over the internet to the mob.

Also read: If WhatsApp Doesn’t Regulate Itself, Parliament May Have to Step In

Even Silicon Valley was smart enough to know that despite the immunity bestowed upon it by the US Congress and other legislatures, they would still have to conduct proactive filtering for the most outrageous content such as child pornography so as to maintain their goodwill. Google is also known to have developed software programs like Content ID to carry out proactive monitoring of copyright infringing content. The EU recently enacted a new law requiring large internet platforms like YouTube, Facebook and Twitter to proactively monitor the content they host for copyright infringement and take down infringing content without waiting for legal notices from the copyright owner. Similar pressure is being exerted by European countries on the issue of hate speech and child pornography.

The response of Silicon Valley has been to invest in more artificial intelligence programmes. Two years ago, Reuters reported on a far-reaching censorship programme launched by Silicon Valley to target extremist propaganda through AI programmes.  

Viewed in this backdrop, the Indian government’s proposal for proactive filtering is not as absurd as is being made out by its critics. Along with the requirement for large social media companies with more than five million users to establish offices and subsidiaries in India, this new policy will hopefully lead to a scenario where Silicon Valley begins to invest in better policing fake news, hate speech and hopefully, make the internet a better place.

That said, the government needs to consider retaining certain immunities for startups who are too small or who lack the mountains of data required to create AI programmes to proactively monitor the internet. If the government does not retain higher level of immunities for startups it will only end up cementing the position of Silicon Valley monopolies.

The contours of ‘unlawful content’

There has been a fair degree of criticism in the press about the requirement to proactively identify ‘unlawful information or content’. Concerns have been voiced that the phrase is vague and may lead to excessive censorship. This criticism may be misplaced because different provisions of the IPC and other laws are quite clear on the speech that qualifies as unlawful.

Again, it should be remembered that these draft rules do not create new offences but only provide conditions for immunities from offences that are defined in other laws such as the IPC.   

Encryption and the fake news epidemic

The second proposal in the draft rules that have caused outrage, is the requirement for all intermediaries to ensure traceability of the originator of content shared on their platform.

In India, the spate of lynching related to fake news spread on WhatsApp led to multiple meetings between the government and executives from WhatsApp on the issue of tracing the sources of these messages. The proposal contained in the rules is therefore not very surprising. It should be noted that the requirement to make content traceable is different from making encryption or mandating companies to decrypt information. Section 69 of the law allows the government to force decryption but there is no public evidence to show that it has taken steps to actually act and use this provision.

Multiple commentators have claimed that the proposals in the draft rules require messaging services like WhatsApp to break its end-to-end encryption thereby compromising on privacy. I am not sure that is the correct interpretation.

Also read: WhatsApp told India That Tracing Fake News Would Break Encryption. Is This True?

These draft rules require intermediaries to introduce a traceability requirement only if they want to be granted legal immunity offered under Section 79 of the IT Act. I had mooted a similar proposal earlier in these pages. It is necessary to remember that the immunity under Section 79 is a ‘subsidy’ and as a society, we are not bound to extend it to all internet companies.

If WhatsApp wants to retain its immunities offered by Section 79, it will have to give up its end-to-end encryption system in order to facilitate traceability. The lack of immunity under Section 79 will mean that WhatsApp’s management will be as liable as anybody else who facilitates the publication, transmission or broadcast of any hate speech mass. Consequences could include civil lawsuits for damages and criminal prosecutions.

If the draft rule is notified into law, the choice of retaining encryption lies with WhatsApp. The law does not make encryption illegal or force WhatsApp to introduce a traceability requirement.

If WhatsApp feels that the risk of prosecution and civil liability is too high, it will seek intermediary immunity under Section 79 and will have to introduce a traceability requirement which may involve breaking end to end encryption. Introducing a traceability requirement will mean that WhatsApp will also have to recruit a rather large staff to process requests because the messenger service is going to be inundated with traceability requests for investigating agencies.  

Prashant Reddy T. is a Senior Resident Fellow at the Vidhi Centre for Legal Policy, New Delhi.

Did SC Re-Affirm that Aadhaar Database Could Be Used for Criminal Investigations?

There will likely be more pressure on the UIDAI to co-operate with investigative agencies.  

The opposition against Aadhaar for the last few years has been primarily based on concerns of surveillance, with the concerns regarding exclusion getting little media space. The surveillance potential of Aadhaar was first flagged by Usha Ramanathan around eight years ago in an article published by the Economic & Political Weekly when few others were giving the UID project a hard look.

In that article, which was the first warning shot fired against Aadhaar, Ramanathan warned that the creation of a unique identifier like Aadhaar would eventually lead to the convergence of different databases that were otherwise maintained in separate silos, thereby giving the Indian state an unprecedented capacity to monitor the lives of its citizens and their activities.

The proponents of Aadhaar, have rejected this portrayal of Aadhaar and have pointed out that Aadhaar’s architecture allows it to collect only very limited information. For example, if an Aadhaar authentication is carried out by a bank to open an account or by a telecom service provider, the Aadhaar centralised database will only collect information regarding the entity which has requested the authentication but will not know the purpose of the authentication, i.e. the details of the transaction at the bank or the telecom service provider.

Also read: Aadhaar Verdict: Does the Mere Collection of Biometrics Violate Bodily Integrity and Privacy?

If an investigation agency wants to collect evidence related to the transactions conducted by the account holder, it will still have to seek a court order under The Bankers’ Books Evidence Act, 1891. The concerns about convergence may thus be overblown because each silo of information is usually governed by an in-built privacy regime.

The second concern with relation to Aadhaar’s surveillance potential was the possibility of its database of a billion biometrics being used for the purposes of criminal investigation. Since Aadhaar is designed in a manner to carry out de-duplication of each set of biometrics, the system can match the fingerprints of one individual against all 1 billion biometrics to check if the person has already been allotted an Aadhaar number. Its ability to carry out de-duplication goes to the heart of the UIDAI’s claim that Aadhaar is unique.

Theoretically, this means that if the police find fingerprints at a crime scene they could run those through the Aadhaar database, matching them against the entire database of citizens in the hope of identifying the culprit.

In fact, there is an actual instance of the Bombay high court directing the UIDAI to match fingerprints, collected by the CBI in a rape case, against its own database. The SC stayed the Bombay high court’s order in 2014 after it was approached by the UIDAI on the grounds that its database was not meant to be used for criminal investigations. Since that stay order of the SC, high-ranking officials such as the chief of the National Crime Records Bureau (NCRB) have made public comments about using the Aadhaar database for the purpose of criminal investigation. The UIDAI has repeatedly rejected such demands. The fear is that such power in the hands of the police is susceptible to misuse.   

Section 33 of the Aadhaar Act, 2016

The main provision of the Aadhaar Act, 2016 meant to curb the state’s potential to conduct surveillance is Section 33 which regulates the manner in which the identity information or the authentication information contained in the Aadhaar database can be shared by the UIDAI. This provision, whose constitutionality was challenged before the Supreme Court, has two parts.

The first part of the provision, S. 33(1), allows the sharing of identity information and authentication information pursuant to the orders made by a district judge. At no point, can a district judge order the sharing of core biometric information i.e. fingerprints or iris scans. The provision isn’t quite clear whether a district judge can order the UIDAI to run fingerprints, provided by an investigating agency, through its database to locate a possible suspect. Technically the UIDAI can conduct the exercise and share the identity information without sharing the biometric information. An additional issue with the wording of this provision is that it gives no guidance to a district judge as to the scenarios in which a request for accessing identity or authentication information may be accepted or denied.  

The second part of the provision, S. 33(2), allows for the sharing of identity information, core biometric information and authentication information, for the purposes of national security pursuant to the orders of a joint secretary to the government of India, whose orders will subject to post-facto review by an oversight committee consisting of the Cabinet Secretary and two other secretaries.

The constitutional challenge against Section 33

The challenge against Section 33 was three-fold.

The first ground of challenge was that the provision violated Article 20(3) which is the fundamental right against self-incrimination i.e. no person can be made to stand witness against oneself when accused of a crime. This was a weak argument because an earlier decision of the Supreme Court in 1962 has ruled that the collection of fingerprints and handwriting samples is only the collection of evidence and that it does not amount to giving testimony against one self and is thus not self-incrimination.

The second ground of challenge, was that ‘national security’ was a vague phrase and that the oversight committee was not independent enough. ‘National security’ is generally seen as a policy issue which is within the realm of the executive and courts rarely interfere with such clauses.

The third ground of challenge was that the oversight committee was not independent enough. There is really no constitutional principle requiring the oversight committee to be independent. As for the composition of the Oversight Committee it should be remembered that it adopts a formula laid down by the Supreme Court in the mid-nineties, in PUCL v. Union of India, where the court ordered the government to setup a review mechanism to monitor phone tapping.

The majority opinion

The majority opinion by Justice Sikri is quite disappointing because of its weak analysis. His honour makes no attempt to engage with the arguments in relation to self-incrimination, instead preferring to dispose the issue by stating that the district judge may consider the issue of Article 20(3) at the time of deciding applications for allowing access to the identity information or authentication information. The only concession made by the judgment is that the person whose information is being sought is required to be given a hearing along with the UIDAI prior to a decision being made by the district judge. But how exactly does this work when an investigating agency wants to run the fingerprints of an unknown person against the Aadhaar database in the hope of tracing an accused or perhaps trace the identity of a John Doe? The judgment is silent on the issue.   

Also read: One Data Protection Legislation and One Regulator for 1.3 Billion People?

On the issue of Section 33(2) and ‘national security’, Justice Sikri refers to relevant precedent to declare that ‘national security’ is a not a question of law but a matter of policy and held that the state could access information held by the UIDAI in the interests of national security. However, with the regard to the person who can order access to be provided in the interest of national security, Justice Sikri declares, at page 424, that joint secretary is too junior a rank and that the power should be granted to a higher ranking official. On this basis he strikes down Section 33(2) of the Aadhaar Act. His honour does not even attempt to explain the legal basis of such a conclusion.

By the time Justice Sikri arrives at the conclusion of his judgment at page 559, where he summarises his holdings, he states that a judicial officer should be associated with process of passing an order to access information.

He states in relevant part:

“However, for determination of such an eventuality, an officer higher than the rank of a Joint Secretary should be given such a power. Further, in order to avoid any possible misuse, a Judicial Officer (preferably a sitting High Court Judge) should also be associated with. We may point out that such provisions of application of judicial mind for arriving at the conclusion that disclosure of information is in the interest of national security, are prevalent in some jurisdictions.”

Like much of this judgment, there is simply no legal reasoning to back this conclusion or engage with the court’s own precedents. The Supreme Court in the PUCL case had rejected a request for phone tapping to be authorised only on the basis of warrants issued by judges rather than bureaucrats.

If Justice Sikri is diverging from this viewpoint, as appears to be the case, it is only reasonable to expect reasons for this conclusion. More puzzling is the formulation that he suggests. What exactly does his honour mean when he states that a judicial mind should be associated with the process of passing such an order? Does it mean that a judge should be sitting with a bureaucrat to pass an order? This would be an extraordinary setup because there is simply no precedent for such an arrangement.   

The concurring opinion

The concurring opinion by Justice Bhushan upholds Section 33 without making any recommendations on the lines made by Justice Sikri. Unlike the majority opinion, Justice Bhushan’s conclusions are backed by cogent reasoning and precedent.  

On the issue of whether Aadhaar violates the right against self-incrimination under Article 20(3), he refers to the precedent of the Supreme Court from 1962, in the case of State of Bombay v. Kathi Kalu Oghad, where the Court drew a distinction between collection of evidence and standing witness against oneself, noting that collection of biometrics fell within the former, which is not the same as self-incrimination.

Also read: Aadhaar and the ‘Least Intrusive Option’: What Did the SC Say About Smart Cards?

On the issue of ‘national security’, Justice Bhushan found in favour of the government because of the precedent that has declared national security to be a policy issue that can be determined by the government and not the judiciary.

In addition, Justice Bhushan also referred to a number of Indian and international judgments where it was held that national security was a valid ground to access personal information.

The dissent

The dissent by Justice Chandrachud does not really analyse the arguments regarding Section 33, and understandably so, because he concludes that the entire Aadhaar project violates the fundamental right to privacy when tested on the proportionality touchstone.

Once he concludes that the Aadhaar project itself is unconstitutional, there is little to be gained by analysing Section 33.

More pressure

As things stand now, Section 33(1) is constitutional, and it is constitutional to use the Aadhaar database for criminal investigation. Neither the majority nor the concurring opinion prohibits such usage.

In fact, the concurring opinion is quite lucid on this point when it concludes as follows:

“Section 33 cannot be said to be unconstitutional as it provides for the use of Aadhaar data base for police investigation nor it can be said to violate protection granted under Article 20(3).”

The implications of this conclusion are significant because there will now be more pressure on the UIDAI to co-operate with investigative agencies.  

While Section 33(2) has been struck down as unconstitutional, the formulation specified by Justice Sikri is so bizarre that it is not possible to implement. It is now up to the government to recommend a new formulation of Section 33(2).

Prashant Reddy T. is an assistant professor at NALSAR University of Law, Hyderabad.

Aadhaar and the ‘Least Intrusive Option’: What Did the SC Say About Smart Cards?

The challenge for the court, was to test whether there was a less intrusive or restrictive mechanism for the state to achieve the same aim while reducing the potential privacy violation of citizens.

At the heart of the legal challenge against the Aadhaar Act was an argument that the Supreme Court must use the test of proportionality to strike down the legislation because the Aadhaar-style centralised authentication mechanism was not the ‘least intrusive’ option to identify individuals.

Instead of a centralised authentication mechanism, the petitioners argued for a system of smart cards that would store biometrics on individual cards, thereby enabling decentralised authentication.

Also Read: On Aadhaar Authentication and Linking, the Supreme Court Barely Scratched the Surface

Before proceeding to the court’s application of this test in the Aadhaar case, it may help to briefly recount the evolution of the proportionality standard of review and how it differs from existing standards of review.

The proportionality test evolved in Europe and while there are a few different variations of this test, the basic elements are as follows:

(a) Whether a legislative measure restricting a right has a legitimate goal;

(b) whether the legislation is a suitable means of furthering the legislative goal;

(c) Whether there is a less restrictive but equally effective means to achieve the same goal and

(d) Whether the restriction has a disproportionate impact on the rights of any particular stakeholder and whether the legislation achieves a balance between the rights of the different stakeholders.  

The proportionality test has a certain appeal, especially in progressive circles, because it allows the judiciary to hold the state to higher standards of accountability and induces a certain degree of transparency in the decision-making process. This test however, also vests in the judiciary a significant power to second guess both the legislature and the government, especially at the stage of determining whether there is a less restrictive or intrusive route to achieve the stated legislative goal.

Historically, Indian courts have followed more conservative tests while judging constitutionality of legislation. For example, if reservations for certain sections of society are challenged as violating Article 14, the SC would examine if the criteria to identify the class of beneficiaries is well defined and having a rational nexus to the policy of the state, which policy is also required to be legitimate. When the court is judging the restrictions on free speech, it will examine whether the restrictions fall within the parameters laid down in Article 19(2). In neither case, is the court required to examine a less restrictive option.

Historically, Indian courts have followed more conservative tests while judging constitutionality of legislation. Credit: Wikipedia

The proportionality test in the Indian context

In the context of administrative law (i.e. review of decisions by unelected bureaucrats), the Supreme Court imported the proportionality analysis into Indian jurisprudence more than a decade ago.  However as pointed out by Abhinav Chandrachud in an empirical study, it does not seem like Indian courts are applying this test in the European sense.

One of the important questions raised in the litigation against Aadhaar is whether the proportionality test could be applied to examine the constitutionality of parliamentary legislation. This was an important question because the Indian Supreme Court has been a relatively conservative institution which defers to the parliament in most cases of judicial review. But even this relatively conservative behavior of the court has provoked ferocious reactions from parliament, the worst being Schedule IX of the constitution which shields more than 250 state and central legislation (dealing with land reform and reservations mostly) from judicial review meaning that the court cannot examine whether these legislation are constitutional. This immunity was partially diluted by the Supreme Court in 2007 but Schedule IX is a constant reminder of the potential for a showdown between the parliament and the Supreme Court.

Also Read: Supreme Court’s Aadhaar Verdict Refutes the Modi Government’s Arrogance

Given this historic tension between the Supreme Court and parliament, it was certainly interesting to see the former declare in the judgment last year by nine judges that proportionality could be grounds of judicial review of legislative action. Prior to the Puttaswamy decision, there had been only a few decisions like the case of Anuj Garg v Union of India where a smaller bench of the court adopted higher standards of judicial review while reviewing parliamentary legislation. The constitutional challenge against the Aadhaar Act was thus going to be the first major test case of the Supreme Court’s willingness and ability to use the proportionality doctrine as the basis of reviewing a parliamentary legislation.

Proportionality in the context of Aadhaar

The first two steps of the test were relatively easy for the government to argue because the judgment by the nine judges last year had already concluded that it was a legitimate aim of the state to collect and analyse information for the purpose of disbursing benefits and subsidies.

The challenge for the court, was the third prong of the test i.e. whether there was a less intrusive or restrictive mechanism for the state to achieve the same aim. Simply put, was it possible for the state to use a technological medium that would reduce the potential privacy violation of citizens.

For example, were smart cards a less intrusive mechanism to achieve the same aim as Aadhaar since it would prevent a centralised database of information – be it biometric information or authentication records? Without a centralised database, it was less possible for the state to profile citizens or so the argument went. Given the court’s history, this was setting the bar quite high.

Even the relatively conservative behavior of the court has provoked ferocious reactions from parliament, the worst being Schedule IX of the constitution which shields more than 250 state and central legislation. Credit: Wikimedia

The majority judgment

Of the three judgments, the majority opinion penned by Justice Sikri concluded in page 351 that there was no alternative to the Aadhaar system of authentication and that despite repeated queries, the petitioners themselves were not able to suggest any such method.

This appears to be a factually incorrect conclusion because Justice Sikri had recorded earlier, in page 321, that the state of Gujarat had argued that the petitioners who had suggested smart cards as an alternative had failed to establish that “smartcards are less intrusive than the Aadhaar card authentication process”.

It is quite stunning for the majority to claim that the petitioners did not even suggest an alternative to Aadhaar.

The concurring judgment

Justice Bhushan in his concurring judgment upholding the Aadhaar does mention that the petitioners argued that smart cards were less intrusive than the Aadhaar style of authentication. He however rejects this argument on the grounds that it is not within the realm of the court’s jurisdiction to second guess parliament on the best technological mode to conduct authentication. His conclusion in page 1,213 of the judgement is as follows:

At this juncture, we may also notice one submission raised by the petitioners that Aadhaar Act could have devised a less intrusive measure/means. It was suggested that for identity purpose, the Government could have devised issuance of a smart card, which may have contained a biometric information and retain it in the card itself, which would not have begged the question of sharing or transfer of the data.

We have to examine the Aadhaar Act as it exists. It is not the Court’s arena to enter into the issue as to debate on any alternative mechanism, which according to the petitioners would have been better. Framing a legislative policy and providing a mechanism for implementing the legislative policy is the legislative domain in which Court seldom trench.     

While this conclusion may have been in line with the court’s traditional standard of review, it does not quite tie into Justice Bhushan’s analysis in page 1,174 that the the proportionality test requires the court to examine the “least intrusive means”.

It is quite stunning for the majority to claim that the petitioners did not even suggest an alternative to Aadhaar.

The dissent

In his dissent, Justice Chandrachud is categorical in his rejection of the government’s argument that the court lacked the institutional expertise to examine the least intrusive alternative to Aadhaar from a technological perspective.

He states:

In applying the proportionality test, the Court cannot mechanically defer to the States assertions. Especially given the intrusive nature of the Aadhaar scheme, such deference to the legislature is inappropriate. The State must discharge its burden by demonstrating that rights-infringing measures were necessary and proportionate to the goal sought to be achieved. (page 838)

So far so good. But his judgment falters at the very next prong on how exactly the court should assess the “least intrusive measure” when compared to the state’s offer of a centralised database such as Aadhaar. He does point to several possible problems with the Aadhaar system but appears to have not dealt with the smart card option as an alternative despite recording the fact that the State of Gujarat had countered the petitioner’s suggestion for smart cards (p. 622).

Also Read: ‘Aadhaar Act is Unconstitutional’: The Fiery Dissent of Justice D.Y. Chandrachud

As a result, his conclusion that the Aadhaar Act fails the proportionality test does not really hold up. 

Together, the three judgments reveal an alarmingly discordant Supreme Court. Hopefully these judgments serve as a note of caution on the challenges of importing the proportionality analysis into an already confused Indian jurisprudence on the standards of judicial review of parliamentary legislation. There is also the question of whether we want the Supreme Court to enjoy such immense powers over an elected body like the parliament.

Will the court’s second guessing of parliament provoke something worse than Schedule IX? Is it not better to hit the streets and hold the parliament accountable? 

Prashant Reddy T. is an assistant professor at NALSAR University of Law, Hyderabad.

Aadhaar Verdict: Does the Mere Collection of Biometrics Violate Bodily Integrity and Privacy?

While the argument made out by petitioners was a bit outlandish, it is quite surprising that four of the judges felt that there is no reasonable expectation of privacy with regard to fingerprints and iris scans.

One of the many issues raised by the petitioners challenging the constitutionality of the Aadhaar Act 2016, was the legality of the very act of collecting fingerprints and iris scans.

As Shyam Divan, senior advocate for one of the petitioners phrased it in court during the arguments last year in the Binoy Viswam case (challenging the PAN-Aadhaar linking):

My fingerprints and iris are mine and my own. As far as I am concerned, the State cannot take away my body. This imperils my life. As long as my body is concerned, the State cannot expropriate it without consent, and for a limited purpose.

Those were widely reported lines that captured the imagination of many people. The Binoy Viswam judgment records Divan’s legal argument in the following words:

“The right to life extends to allowing a person to preserve and protect his or her finger prints and iris scan. The strongest and most secure manner of a person protecting this facet of his or her bodily integrity and identity is to retain and not part with finger prints/iris scan.”

These arguments were meant to establish that the very act of collecting biometrics was in violation of bodily integrity of the citizens and that biometrics were personal information protected under the informational privacy doctrine.

An added bonus for the petitioners was that Divan’s widely reported lines provoked the-then attorney general Mukul Rohatgi to proclaim in court that “Citizens don’t have absolute right over their bodies”. That utterance sounded ominous in the following day’s press.

Ultimately, the Binoy Viswam case did not examine the issue on the grounds that the nine judges had yet to decide the issue of whether privacy was a fundamental right.

The nine judges last year agreed that privacy was a fundamental right and that bodily integrity and informational privacy were components of the fundamental right to privacy. Since the judges only laid down principles without deciding the constitutionality of the Aadhaar programme, the issue of whether collection of biometrics violated bodily integrity was raised once again before the 5 judges who delivered, on September 26, 2018 the three judgments running into 1,448 pages.

Are biometrics any different from photographs?

One of the problems with the petitioner’s characterisation of biometric collection as “expropriation of the human body” (as I pointed out earlier in these pages) is that biometrics are simply high quality photographs and as we all know when a camera is used to take a photographs of our faces it does not expropriate any part of our face. If the court was to declare a scan of a fingerprint as an expropriation of a body, it would necessarily have to conclude that even the photograph of the face is expropriation of the body.

Also read: SC Judgment on Aadhaar is an Exercise in Divorcing UID From the Concerns That Were Raised

Consequential reasoning aside, it is difficult to understand, even from a conceptual standpoint as to how scanning fingerprints or iris scans violates the bodily integrity. Issues like laws disallowing abortions or contraceptives for women, forced stress positions, where agents of the state curb the ability of a person to control their own bodies definitely results in violation of bodily integrity because harm is caused to the body by an agent of the state.

The mere scanning of either fingerprints or iris scans does not result in citizens losing control over their body. At best, the petitioners had an arguable case to classify biometrics as personal information that is protected under the theory of informational privacy. This is an issue that even the Unique Identification Authority of India (UIDAI) agrees to.

The majority opinion

The majority judgment by Justice Sikri states that an “Iris scan is nothing but a photograph of the eye, taken in the same manner as a face photograph.” They also state that “Finger print and iris scan have been considered to be the most accurate and non-invasive mode of identifying an individual.” (page 320) This conclusion is logical and the court should have concluded that the mere collection of biometrics does not violate bodily integrity.

Except the majority then proceed to make the following worrying conclusion:  

“There is no reasonable expectation of privacy with respect to fingerprint and iris scan as they are not dealing with the intimate or private sphere of the individual but are used solely for authentication”.

In the same breadth, the majority also concludes that biometrics are unique identifiers. If some information is unique to a person, and forms a part of the identity, it is only logical that it be classified as personal information that requires to be protected under the informational privacy doctrine.

It is not clear why the majority concluded that there is no reasonable expectation of privacy with regard to biometrics because even the Aadhaar Act, 2016 concedes this point when it grants core biometrics the highest level of data protection under the legislation.

The concurring opinion

Justice Bhushan borrows similar reasoning from the majority to conclude that fingerprints and iris scans are “non-invasive” (page 1109), while also agreeing that an “Iris scan is nothing but a photograph of the eyes taken from a camera.” (page 1108) Again, this analysis was enough to deal with the bodily integrity argument but the reasoning that follows is as worrying as that of the majority.

Justice Bhushan specifically states that “From fingerprints and iris scans nothing is revealed with regard to a person” and “there is no reasonable expectation of privacy” with regards to biometric information.

And like the majority, he also concludes that: “The fingerprint and iris scan have been considered to be most accurate and non-invasive mode of identifying an individual.” (Page 1108-09)

But if the biometric information serves as a unique identifier for each individual does it then not deserve to be classified as personal information which the state is obligated to protect under the fundamental right to informational privacy?

The dissent

The dissenting judgment by Justice Chandrachud leans the other way. He is silent on the majority’s classification of the technology as nothing but photographs. On whether collection of biometrics is a violation of bodily integrity he is silent. Rather he classifies it as a violation of the personal space, stating:

“The collection of most forms of biometric data requires some infringement of the data subject’s personal space. Iris and fingerprint scanners require close proximity of biometric sensors to body parts such as eyes, hands and fingertips.”  (page 754)

His judgment however does not push the analysis far enough to conclude that it is a violation of bodily integrity. Rather, he states that:

“The use of biometric technology is only likely to grow dramatically both in the private and public sector. On our part, we can only ensure that the strides made in technology are accompanied by stringent legal and technical safeguards so that biometrics do not become a threat to privacy.” (Page 784).

This is an implicit recognition that biometrics are better protected under the head of informational privacy which means that the state can collect information but subject to restrictions and safeguards.

Also read: ‘Aadhaar Act is Unconstitutional’: The Fiery Dissent of Justice D.Y. Chandrachud

To, collect such biometrics, Justice Chandrachud reasons that the government must demonstrate “…a compelling legitimate interest in using biometric technology” and that governments must follow the “no harm principles” which according to him means “that biometrics and digital identity should not be used by the issuing authority…….to serve purposes that could harm the individuals holding the identification”. (Page 786)

The rest of Justice Chandrachud’s dissent analyses whether the Aadhaar Act provides a “compelling legitimate interest” for the collection of biometric information, which will be the subject of a separate article.

Some dissonance

To conclude, none of the five judges agreed with the petitioners that collection of fingerprints and iris scans violate bodily integrity.

This was a predictable result because of the outlandish nature of the argument in the first place but what is quite surprising is the conclusion by four judges that there is no reasonable expectation of privacy with regard to fingerprints and iris scans.

That conclusion is baffling since these same judges also conclude that fingerprints and iris scans are the most accurate unique identifiers. Why did these judges arrive at such a conclusion when even the UIDAI concedes that fingerprints and iris scans are personal information that are accorded the highest level of protection?

Prashant Reddy T. is a an Asst. Professor at NALSAR University of Law, Hyderabad. 

One Data Protection Legislation and One Regulator for 1.3 Billion People?

Such centralisation of power does not bode well for a country like India, particularly one which is likely to ignite regulatory turf wars and hand the government another instrument of coercive power.

After all the allegations by privacy activists against the committee of experts on data protection, that its composition was lopsided and that it was not transparent, the report and draft bill turned out to be quite the anti-climax.

The committee’s recommendations are broadly in line with the demands made by the privacy activists save for some minor quibbles. The committee has thus leaned heavily in favour of an European Union-style heavy regulatory framework which, as I’ve argued earlier in these pages, may not be in the best interests of the Indian democracy and economy. The main problem with the committee’s approach is that it seeks to tackle a humungous issue affecting 1.3 billion Indians and their $2.5 trillion economy through one legislation and one regulator.

Such centralisation of power does not bode well for a country like India.

Does the constitution permit a single data protection law?

First, the recommendation of the committee for only one legislation likely runs against the federal nature of the Indian constitution. As per Article 246 of the constitution, only parliament can legislate on those entries contained in List I of Schedule VII to the constitution, while only state legislatures can enact laws on entries contained in List II. Both parliament and state legislatures can enact legislation on entries in List III.

For example, only parliament has been given the power to enact laws regarding tax income (excluding agricultural income) while only state legislatures have the power to tax agricultural income. Of course, this delineation of power is not always that clear cut. Quite often there is litigation on whether parliament or state legislatures have crossed the boundaries of their powers. In these cases, India’s constitutional courts try to ascertain the ‘pith and substance’ of the disputed legislation to determine whether the essence of the legislation falls under List I, II or III. As I explained earlier, the issue of government records and the data contained within them has been a contentious issue. When parliament was debating the Public Records Act, 1993, some MPs made a demand that parliament extend the law even to state governments and not confine it to only records of the Central government.

In the decade that followed, several state legislatures enacted Right to Information-style laws on the assumption that only the state legislature could regulate the manner in which state government records could be accessed. In 2005, the UPA government decided that since none of the entries in Schedule VII mentioned the right to information specifically, it could be presumed that the RTI Act fell within Entry 97 of List I – this entry contains the residuary powers i.e. if a particular subject matter is not listed in any of the three lists it is presumed to fall under Entry 97 thereby bestowing in Parliament the power to legislature on the topic.

This logic put forth by the UPA at the time to push through the RTI Act is highly doubtful because the “pith and substance” of the RTI Act lies in regulating access to public records. The maintenance and manner of accessing these public records goes to the heart of an efficient administration. For example, the administration of land falls under List II and the maintenance of land records goes to the heart of administration of land. To argue that state legislatures are saddled with the burden of administering land while parliament can decide how these land records can be accessed under the RTI Act is absurd.

I give these specific examples related to public records because a potential data protection legislation, like the RTI Act, basically deals with the manner in which government records have to be maintained and accessed. It is only logical and desirable that state legislatures should have the power to set data protection standards for all areas of administration found in List II. This still leaves a considerable swathe of power with parliament because the bulk of this data protection legislation has to do with internet-based communication, which anyway falls under List I.

Credit: Pawel Kopczynski/Reuters

The logical conclusion of this argument is that parliament does not have the power to extend either the RTI Act or a potential data protection legislation to those areas that follow within the sole purview of state legislature.

I’m aware that federalism is hardly an issue of interest these days but let us not forget that the more centralised administration becomes in India, the further away we travel from the ultimate aim of decentralisation of power. If we were to look at Europe, countries like Germany have different data protection legislation for the federal government and state governments. There is no reason for India to not follow such an approach. Given that state governments are investing significant sums in creating vast digital databases called State Resident Data Hubs (SRDH) they need to consider whether they want to be able to regulate these data hubs under their own laws or submit to the centre’s diktat.

The possibility of regulatory turf wars

The second significant objection to the committee’s report is its recommendation to create a single data protection legislation and data protection authority (DPA) to regulate data protection across multiple sectors of India’s $2.5 trillion dollars economy. Once created, the DPA, like any other regulator, will have the power to make binding rules, non-binding codes of practice for different sectors like telecom, banking etc. The DPA will also have the power to enforce these rules.

The obvious problem with this arrangement is the centralisation of immense regulatory power. If data is going to be the new oil of the fourth industrial revolution, do we really want to vest the power to regulate data across crucial sectors like banking, telecom, medical service providers with one regulator?

Apart from the political issues associated with centralisation of such regulatory power, there is also the question of efficiency and turf battles. Given the centrality of data to the digital economy, sectoral regulators like TRAI, RBI & CCI will inevitably end up taking decisions related to data in order to ensure competitiveness and consumer welfare. This will most likely lead to regulatory turf wars with the proposed DPA and in India such turf wars lead to prolonged litigation.

Would it then not make sense to structure the law in such a way that sectoral regulators are vested with the power to regulate the data protection aspects of their respective sectors? Thus, the RBI would set and enforce data protection standards for the banking and payments sector, while TRAI would set the standards for the telecom industry. This approach may require separate sectoral data protection legislation rather than one omnibus standard. 

Does the Indian state need yet another regulator with coercive powers?   

The third significant objection is the creation of a single DPA whose tentacles spread across every sector of the economy and with the power to investigate, search and punish. The average Indian business and citizen is already subject to the tyranny and arbitrariness of multiple government agencies and regulators and this can impact crucial sectors like journalism. Let us not forget that when Atal Bihari Vajyapee was upset with Outlook for its reporting, the finance ministry unleashed the IT department on the Raheja family that owned the magazine. Do we really want to create one more authority i.e. the DPA and give the government another instrument of coercive power? Would it not be a better idea to vest existing sectoral regulators with the power to regulate even data protection rather than create a new expensive behemoth?

Taking on too many lobbies at the same time?

Last, but not the least, is the issue of whether the legislation drafted by the expert committee steps on too many feet, thereby risking an early death. In its present form, the draft legislation is going to upset three powerful lobbies: the intelligence community which has tripped earlier attempts to enact a privacy law will oppose this draft because it curbs their ability to conduct surveillance until authorised by law; the Silicon Valley lobby will oppose the new draft bill because of the data localisation requirements and finally, the bureaucracy, which will now have to rework their record keeping practices failing which department heads will be liable for offences.

The issue with upsetting three heavily entrenched lobbies is that the draft bill will face so much opposition that it will never move beyond the drafting stage. Would it not be better to have different sectoral data protection laws? In case one lobby blocks one particular sectoral legislation the remaining sectoral legislation can still move ahead. 

Prashant Reddy T. is an assistant professor at the National Academy of Legal Studies and Research (NALSAR), Hyderabad where he teaches intellectual property law and administrative law. He is co-author of Create, Copy, Disrupt: India’s Intellectual Property Dilemmas (OUP).

Is the Srikrishna Committee Giving Us a Way to Balance the Rights to Information and Privacy?

The committee has reportedly recommended amending the RTI Act in a manner that tilts the law in favour of privacy and against disclosure of information.

After several weeks of speculation regarding the recommendations of the committee of experts on data protection, headed by Justice B.N. Srikrishna, it appears that a copy of the committee’s proposed legislation has finally leaked to the Caravan. One of the issues covered by the Caravan, in its report on the draft Bill, is the recommendation of the expert committee to amend the Right to Information Act, 2005. As per the Caravan’s reporting, the committee has recommended amending the existing Section 8(1)(j) of the RTI Act in a manner that supposedly tilts the law in favour of privacy and against disclosure of information.

In its present form, Section 8(1)(j) of the RTI Act reads as follows:

“(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: Provided that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.”

The above provision hasn’t been very popular with RTI activists because it is vague and there was some concern that the Supreme Court judgment in Puttaswamy would further muddy the waters.

The proposed amendments to Section 8(1)(j), as reported in the Caravan, will allow for the disclosure of personal information, only if the following principles are fulfilled:

“(a) the personal data relates to a function, action or any other activity of the public authority in which transparency is required to be maintained having regard to larger public interest in the accountability of the working of the public authority;

(b) if such disclosure is necessary to achieve the object of transparency referred to in clause (a); and

(c) any harm likely to be caused to data principal by the disclosure is outweighed by the interest of the citizen in obtaining such personal data having regard to the object of transparency referred to in clause (a).”

Presuming that the language of the proposed amendment reported by the Caravan is accurate, it would mean that the committee of experts has proposed deleting the word ‘privacy’ entirely from Section 8(1)(j) of the RTI Act, 2005 (the only provision in the law which contained the phrase privacy). That is not an insignificant amendment. Post the Puttaswamy judgment of the Supreme Court recognising the fundamental right to privacy, some RTI activists did express concern that the judgment would make it easier for public information officers to invoke Section 8(1)(j) to deny RTI applications because the court failed to lay down the contours of the right to privacy. Former information commissioner Shailesh Gandhi has been writing extensively on the conflict between the RTI Act and privacy, calling for the law to declare a proper definition of privacy.

The concerns expressed by Gandhi and others are valid because the Puttaswamy judgment grounds the fundamental right to privacy in the concepts of ‘autonomy and dignity’, both of which are vague. For example, it is quite easy to argue that educational records of a person are intrinsic to their dignity and sense of worth. In many countries, educational records are considered private and are not shared without the permission of the person concerned. In India, examination results are often published for public viewing. Such publication is to ensure transparency and accountability. But does it affect the dignity of students and violate their right to privacy? That’s a difficult question.

Ideally, the Supreme Court should have identified the balance between the right to information and right to privacy, but even when it discussed possible exceptions to privacy, it limited its analysis to cases of national security or the requirement of social welfare programmes. The reason for its silence on the effect of privacy on transparency was the fact that nobody argued the issue before the court.

The court’s silence on the appropriate balance between privacy and transparency under the RTI Act was disconcerting because the wide contours of the right to privacy as outlined by the court gave public information officers (PIO), or for that matter information commissioners, the option of deciding the scope of dignity and autonomy while invoking the privacy exception to deny information requests.

If the phrase ‘privacy’ is proposed to be deleted from the RTI Act, it saves the legislation from some of the complexities that would have followed from the Puttaswamy judgment, but that does not mean that the right to privacy no longer applies in the context of the RTI Act. The amendments still protect personal information from disclosure by requiring that PIOs follow a three-step test that appears to be based on the European proportionality test that was endorsed by the Supreme Court in the Puttaswamy case.

The proportionality test requires a structured analysis while evaluating any measure that curbs a legal right. The first prong requires an assessment of whether a measure aimed at curbing a right has a legitimate policy objective. The second prong requires as assessment of whether the measure curbing the right is in fact suitable to achieve that aim. The third prong of the test requires that the measure limiting the right is the least onerous way of achieving the legitimate aim and that competing interests have been assessed.

The proportionality test can be applied across the law in various situations and is a means of ensuring a more transparent decision-making process. While English and European courts are required by their governing legislation to follow this test, the Indian parliament is yet to incorporate this test into Indian legislation. The Indian Supreme Court of course isn’t that shy and has incorporated this test into Indian jurisprudence, although it is questionable whether past Indian judges have actually understood the proportionality test as conceptualised in Europe.

The test proposed by the Committee of Experts requires a three-fold test: first whether personal data in question has implications for transparency and accountability of a public authority, second whether disclosure of the personal information is required to achieve transparency and third whether disclosure of the personal information outweighs the harm that would be caused to the citizen while keeping in mind the competing objective of transparency.

There is little doubt that this test proposed by the Committee of Experts requires PIOs and information commissioners to conduct a more structured analysis while dealing with requests for personal information. The existing test in Section 8(1)(j) requires balancing the information request with ‘public interest’, which is a phrase that is regrettably vague and which ends up vesting too much discretion in the hands of the PIO. Will the end results of the proposed test differ significantly from the existing test in Section 8(1)(j)? I don’t think so, but the advantage of the test proposed by the Committee of Experts is that it will force more transparency in the decision-making process. If a PIO fails to reason decision in terms of this particular test, the final order can be set aside on appeal.

Prashant Reddy T. is an assistant professor at the National Academy of Legal Studies and Research (NALSAR), Hyderabad where he teaches intellectual property law and administrative law. He is co-author of Create, Copy, Disrupt: India’s Intellectual Property Dilemmas (OUP).

If WhatsApp Doesn’t Regulate Itself, Parliament May Have to Step In

WhatsApp needs to go beyond cosmetic fixes. One option is to exclude it from the immunities under Section 79 and fasten strict liability for content transmitted on its services.

In the words of a wordsmith on Twitter, the argument of those defending WhatsApp for the fake news-inspired lynchings sounds eerily similar to the Americans defending their right to bear arms.

Simply put, “WhatsApp doesn’t kill people, people do”. The only logical conclusion to this argument is that WhatsApp is not to blame for the misuse of its services by those responsible for the lynching of at least 25 people. The solution according to them is that the government should focus on improving law enforcement. The concern of those defending WhatsApp is that any attempt to regulate the platform will lead to an erosion of privacy that the service currently offers.

While these people do have a point, it is also necessary to understand that lynchings are only the most visible aspect of the fake news epidemic on WhatsApp. As more Indians use WhatsApp, the problem of fake news is going to become much more complex. The effects of such an epidemic are not completely understood since the world has never experienced the spread of fake news on an encrypted service that governments cannot crack.

WhatsApp encryption service

At the core of the debate is WhatsApp’s seemingly impenetrable end-to-end encryption which ensures that even WhatsApp cannot monitor communications on its services. For privacy activists, encrypted communications services have tremendous social value in a country like India where the law does not afford Indian citizens strong privacy rights in the face of mounting mass surveillance.

The flip side of encryption is that it is a convenient device for companies, like WhatsApp, to evade any accountability while at the same time allowing them to reap profits. Encryption allows service providers to legitimately claim that they have no actual or constructive knowledge about the content being transmitted on their services thereby insulating them from legal liability. That argument does have legal merit but the question that Indian policymakers must debate is whether such a position in law is the most appropriate public policy for a country like India where millions are getting on to the internet for the first time and when it is amply clear that reform of police forces is a long-term project expected to take decades?

Legal liability and immunity

Traditionally under tort law, a person offering a new product or service is liable for flaws in the product or the manner in which it is used provided that the person selling such a product or service has either real or constructive knowledge of the flaws or possibility of misuse of the product. For example, if a manufacturer makes a new car and the car has an accident because of a design flaw, the manufacturer can be held liable for damages and perhaps criminal negligence.  

As a matter of public policy, the law can carve out certain immunities from legal liability. A recent example of such immunity is the Civil Nuclear Liability Act, 2010 where parliament capped the liability of nuclear service providers to 300 million SDR, even if the damage caused by a faulty reactor is much higher. Similarly, service providers like airlines have their liability capped for lost luggage or accidents that cause death. The logic of liability caps is to reduce financial risk of certain businesses in order to make them more viable in a manner that benefits society. Lower risk means lower insurance premiums which means lower fares for consumers.  

Liability of communication services

In the context of communication products and services, the equation is slightly more complicated.

Postal services and telephone service providers are not expected to conduct surveillance on their customers but then again these are personal communications between individuals and ones that can be easily surveilled by the government. Internet platforms like Facebook, YouTube and Twitter are on a different footing because the information posted by users on these platforms is publicly visible and are not private in any sense. This means the administrators have knowledge of the information that they are hosting and that triggers legal liability for illegal content. However, these platforms have limited legal immunity in the form of Section 79 of the Information Technology Act. As enacted, Section 79 offered these platforms legal immunity if they took down content within a period of 36 hours of being informed.

As I’ve explained earlier in these pages, the Supreme Court has given these platforms more immunity than allowed by parliament and it is time for the parliament to step in and restore the balance.

WhatsApp is very different from these existing platforms. It started off as a personal messaging service between individuals before graduating to “group chats” consisting of 256 people. To that extent, WhatsApp is now a mass communication service and not just a personal messaging service. The law has never treated personal communication services on par with mass communication services, be it newspapers, cable TV, direct-to-home broadcasting or the internet. In the case of mass communication services, the law has always had some form of regulation either ex-ante or ex-post or usually a combination of both because mass communication services have real potential to cause public disorder. An example of such regulation is the broadcast licences required by television and radio stations within India. Any act that may be in violation of the law could result either in private lawsuits before the courts or executive sanctions for violating the terms of the licence.

While services offered over the internet have not been subject to ex-ante regulation, Section 79 and judicial blocking orders are a form of ex-post regulation. Therefore, regulating mass communication services is not without precedent.

Since WhatsApp has literally chosen to look away from its content by encrypting it and not saving messages, the only option open to parliament is to exclude it from the immunities under Section 79 and fasten strict liability to WhatsApp for content transmitted on its services regardless of whether the service had any knowledge of the content it was carrying. This would not be an exceptional move since the doctrine of strict liability is not new to Indian law. Such liability standards are affixed to those handling hazardous material or in cases of criminal law, to those found in possession of prohibited substances under the NDPS Act. The strict liability doctrine was created precisely for these situations where proving knowledge or intent is close to impossible.

Hoisting such liability on WhatsApp will have consequences in that the service will be forced to either redesign its system in a manner that requires it to track messages, while protecting privacy or alternatively, cease to offer its services for Indian users. The latter is unlikely to happen given that the company is planning the rollout of a payment service that will earn it potentially billions in future revenue.

The challenge thus is to balance privacy as a legal right with other competing interests, such as the rights of the victims. Even the Supreme Court in its recent privacy judgment has been categorical that the right to privacy is not absolute and the state may curb privacy to maintain public order. This is a matter for parliament and it would be odd if India let WhatsApp get away with laughable tweaks such as a ‘forwarding tag’ or promises to educate Indians on fake news.

If the private sector refuses to regulate itself, parliament will have to step in and regulate it.  

Prashant Reddy T. is an assistant professor at the National Academy for Legal Studies and Research (NALSAR), Hyderabad and is co-author of Create, Copy, Disrupt: India’s Intellectual Property Dilemmas (OUP)