Privacy and Surveillance Reform
AN ANALYSIS OF INDIA'S NEW DATA EMPOWERMENT ARCHITECTURE
In Emerging Trends in Data Governance published by the Centre for Communication Governance, National Law University Delhi, January, 2023
The paper traces the evolution of India's new Data Empowerment and Protection Architecture (DEPA), a technology-enabled architecture that relies on user consent to facilitate personal data sharing through verifiable records. The idea of DEPA rests on two foundational pillars of ‘data empowerment’ and ‘consent’. Accordingly, the paper begins by examining the data empowerment narrative in India and globally and tries to locate DEPA’s place in that narrative. This is followed by an explanation of DEPA’s institutional structure and current adoption path. Given DEPA’s focus on consent as the basis for user empowerment, the paper also studies the consent conundrum -- how consent in the information age is recognised to be broken for several reasons but still remains an indispensable part of informational privacy frameworks. This discussion is vital to the paper's subsequent analysis of DEPA’s effectiveness as a solution to the consent problem and an exploration of its positive and negative aspects, both in terms of its design features and broader questions of process and governance.
CROSS BORDER DATA ACCESS FOR LAW ENFORCEMENT: WHAT ARE INDIA'S STRATEGIC OPTIONS?
Smriti Parsheera and Prateek Jha
Carnegie India Working Paper, 23 November, 2020
The paper evaluates India’s present mechanisms for data access by law enforcement authorities and existing arrangements for cross-border data access. It also analyzes the emerging global movement toward direct data access arrangements. Such arrangements authorize agencies in one jurisdiction to make direct data requests to service providers based in another jurisdiction. The paper argues that reforms in India's surveillance framework are necessary, both to ensure adherence to the fundamental right to privacy, and to signal its suitability as a potential partner for any international arrangements on cross-border access. It accordingly makes recommendations on a multi-pronged strategy to deal with the issue of law enforcement access within the contours of a rights-respecting framework.
DISCLOSURES IN PRIVACY POLICIES: DOES NOTICE AND CONSENT WORK?
Rishab Bailey, Smriti Parsheera, Faiza Rahman, Renuka Sane
Loyola Consumer Law Review, Volume 33, Issue 1, 2021
USE OF PERSONAL DATA BY LAW ENFORCEMENT AGENCIES
Rishab Bailey, Vrinda Bhandari, Smriti Parsheera, Faiza Rahman
We review the legal framework around surveillance in India, assessing it against the tests of legality, legitimate aim, proportionality and procedural safeguards laid down in the Puttaswamy case. This is followed by a discussion of the principles and best practices from other jurisdictions, with a focus on countries that have attempted to strike a balance between the civil liberties of individuals and the state's requirement to pursue certain surveillance activities. Drawing from these discussions, we offer some recommendations on the way forward for India in terms of building appropriate protections relating to access and use of personal data by intelligence and law enforcement agencies.
An earlier version of this paper dated 27 June, 2018 was relied upon by the Justice Srikrishna Committee while making their recommendations in the report accompanying the Personal Data Protection Bill, 2018. The paper has been updated following the release of the Committee’s report to analyse how the report and draft law fare in terms of implementing a sound legal framework on surveillance, based on the normative framework elucidated in the paper.
REGULATORY GOVERNANCE UNDER THE PDP BILL: A POWERFUL SHIP WITH AN UNCHECKED CAPTAIN?
Medianama, 4 January, 2019
The piece critiques the Personal Data Protection Bill, 2019 from a regulatory governance perspective, pointing to the issues with the composition of the proposed Data Protection Authority (DPA) and its selection committee and highlighting the importance of the DPA's independence from the Government. It illustrates the importance of these issues using examples of a data breach involving a public sector entity, regulation-making powers of the DPA and the DPA's control over the innovation sandbox. It concludes that the lack of procedural safeguards in the draft Bill coupled with weak state capacity could create a dangerous situation.
INPUTS ON THE PERSONAL DATA PROTECTION BILL
Comments on the Personal Data Protection Bill, 2019 (Part 1 and Part 2), Rishab Bailey, Vrinda Bhandari, Smriti Parsheera, Faiza Rahman, LEAP Blog, April 2020.
Response to the Draft Personal Data Protection Bill, 2018, Rishab Bailey, Vrinda Bhandari, Smriti Parsheera, Faiza Rahman, LEAP Blog, 22 February, 2018. Full text of the comments is available here.
Comments on the Justice Srikrishna Committee's White Paper -- Towards a data protection framework for India, Vrinda Bhandari, Amba Kak, Smriti Parsheera, Faiza Rahman and Renuka Sane, LEAP Blog, 20 October, 2018. Full text of the comments is available here.
INDIA'S COMMUNICATION SURVEILLANCE THROUGH THE PUTTASWAMY LENS
Vrinda Bhandari, Smriti Parsheera and Faiza Rahman
The LEAP Blog, May, 2018
In this piece we discuss the extent to which India's current communication surveillance practices are likely to withstand scrutiny under the tests identified by the judges in the Puttaswamy case. For the purposes of this analysis we focus on the lawful interception provisions under the Telegraph Act, the Centralised Monitoring System operationalised through telecom licenses, and provisions on encryption and decryption on demand.
DATA PROTECTION BILL: LUKEWARM EFFORT TOWARDS STRONG DPA
The Quint, 4 September, 2018
The piece reviews the draft Personal Data Protection Bill formulated by the Justice Srikrishna Committee from the perspective of independence and accountability of the proposed Data Protection Authority (DPA). It points out that the draft bill takes only tepid steps towards building the DPA on strong foundations of sound agency design. Having an authority with tremendous powers, but minimal structural safeguards, would only lead to sub-optimum outcomes for all stakeholders. It is therefore imperative that we recognise these gaps and collectively work towards addressing them in subsequent versions of the bill.
ANALYSIS OF PUTTASWAMY: THE SUPREME COURT'S PRIVACY VERDICT
Vrinda Bhandari, Amba Kak, Smriti Parsheera, Faiza Rahman
The LEAP Blog, 20 September 2017
In August, 2017 the Supreme Court of India delivered a landmark verdict in the Puttaswamy case, affirming the fundamental right to privacy in India. In this piece we analyse the nine-judge bench decision of the Supreme Court, highlighting the context in which this case arose, the tests laid down by the different judges and the implication of this decision for future cases.
EMERGING THEMES AROUND PRIVACY AND DATA PROTECTION
Vrinda Bhandari, Amba Kak, Smriti Parsheera and Renuka Sane
The LEAP Blog, 12 April 2017
In this post, we identify certain key themes that need to guide the thinking on privacy and data protection in India. This includes an evaluation of the meaning and value of privacy, understanding privacy harms and recognizing the need for safeguards against state surveillance. We propose the need for a comprehensive, principles-based, horizontal privacy law in India.
How to resolve individual data privacy complaints, Indian Express, 9 July, 2020
The right to efficient redress is a critical piece of the proposed data protection framework. Based on a critical assessment of the institutional and implementation structures for grievance redress under the PDP Bill, the piece makes the case for creating a stand-alone Data Protection Ombudsman.
India's moment in global privacy crisis, Business Standard, 22 May, 2018
The piece draws parallels between the global financial crisis and the ongoing global privacy crisis and argues that India needs to borrow from the momentum of the global privacy crisis towards the adoption of a robust data protection law.
A phenomenal verdict and its effects, Economic Times, 25 August, 2017
Analysis of the nine-judge bench decision of the Supreme Court in the Puttaswamy case. The piece highlights three immediate implications -- a much-needed course correction on Section 377 of the Indian Penal Code; implications for the Aadhaar challenge; and the path towards a data protection law.
Privacy as a fundamental right: Minding our business, Economic Times, 21 August, 2017
Written in the days prior to the pronouncement of the Supreme Court's right to privacy decision, this piece argues in favour of the need for such a declaration, using examples of political and physical privacy and their link with what it means to live a dignified life in a liberal democracy.