Research

Privacy and Surveillance Reform

AN ANALYSIS OF INDIA'S NEW DATA EMPOWERMENT ARCHITECTURE

In Emerging Trends in Data Governance published by the Centre for Communication Governance, National Law University Delhi , January, 2023

The paper traces the evolution of India's new Data Empowerment and Protection Architecture (DEPA), a technology-enabled architecture that relies on user consent to facilitate personal data sharing through verifiable records. The idea of DEPA rests on two foundational pillars of ‘data empowerment’ and ‘consent’. Accordingly, the paper begins by examining the data empowerment narrative in India and globally and tries to locate DEPA’s place in that narrative. This is followed by an explanation of DEPA’s institutional structure and current adoption path. Given DEPA’s focus on consent as the basis for user empowerment, the paper also studies the consent conundrum -- how consent in the information age is recognised to be broken for several reasons but still remains an indispensable part of informational privacy frameworks. This discussion is vital to the paper's subsequent analysis of DEPA’s effectiveness as a solution to the consent problem and an exploration of its positive and negative aspects, both in terms of its design features and broader questions of process and governance.

CROSS BORDER DATA ACCESS FOR LAW ENFORCEMENT: WHAT ARE INDIA'S STRATEGIC OPTIONS?

Smriti Parsheera and Prateek Jha

Carnegie India Working Paper, 23 November, 2020

The paper evaluates India’s present mechanisms for data access by law enforcement authorities and existing arrangements for cross-border data access. It also analyzes the emerging global movement toward direct data access arrangements. Such arrangements authorize agencies in one jurisdiction to make direct data requests to service providers based in another jurisdiction. The paper argues that reforms in India's surveillance framework are necessary, both to ensure adherence to the fundamental right to privacy, and to signal its suitability as a potential partner for any international arrangements on cross-border access. It accordingly makes recommendations on a multi-pronged strategy to deal with the issue of law enforcement access within the contours of a rights-respecting framework.

Download paper | Op-ed | Video

DISCLOSURES IN PRIVACY POLICIES: DOES NOTICE AND CONSENT WORK?

Rishab Bailey, Smriti Parsheera, Faiza Rahman, Renuka Sane

Loyola Consumer Law Review, Volume 33, Issue 1, 2021

This survey based paper, one of the first of its kind from India, evaluates the quality of privacy policies of five popular online services in India from the perspective of access and readability -- do the policies have specific, unambiguous and clear provisions that lend themselves to easy comprehension? Our survey evaluates how much do users typically understand of what they are signing up for. We find that the policies studied are poorly drafted, and often seem to serve as check-the-box compliance of expected privacy disclosures. Survey respondents do not score very highly on the privacy policy quiz. The respondents fared the worst on policies that had the most unspecified terms, and on policies that were long. Respondents were also unable to understand terms such as "third-party", "affiliate" and "business-partner". The results suggest that for consent to work, the information offered to individuals has to be better drafted and designed.

Download paper | Blog post | Op-ed

USE OF PERSONAL DATA BY LAW ENFORCEMENT AGENCIES

Rishab Bailey, Vrinda Bhandari, Smriti Parsheera, Faiza Rahman

August, 2018

We review the legal framework around surveillance in India, assessing it against the tests of legality, legitimate aim, proportionality and procedural safeguards laid down in the Puttaswamy case. This is followed by a discussion of the principles and best practices from other jurisdictions, with a focus on countries that have attempted to strike a balance between the civil liberties of individuals and the state's requirement to pursue certain surveillance activities. Drawing from these discussions, we offer some recommendations on the way forward for India in terms of building appropriate protections relating to access and use of personal data by intelligence and law enforcement agencies.

An earlier version of this paper dated 27 June, 2018 was relied upon by the Justice Srikrishna Committee while making their recommendations in the report accompanying the Personal Data Protection Bill, 2018. The paper has been updated following the release of the Committee’s report to analyse how the report and draft law fare in terms of implementing a sound legal framework on surveillance, based on the normative framework elucidated in the paper.

Download paper | Blog post

REGULATORY GOVERNANCE UNDER THE PDP BILL: A POWERFUL SHIP WITH AN UNCHECKED CAPTAIN?

Medianama, 4 January, 2019

The piece critiques the Personal Data Protection Bill, 2019 from a regulatory governance perspective, pointing to the issues with the composition of the proposed Data Protection Authority (DPA) and its selection committee and highlighting the importance of the DPA's independence from the Government. It illustrates the importance of these issues using examples of a data breach involving a public sector entity, regulation-making powers of the DPA and the DPA's control over the innovation sandbox. It concludes that the lack of procedural safeguards in the draft Bill coupled with weak state capacity could create a dangerous situation .

INPUTS ON THE PERSONAL DATA PROTECTION BILL

Comments on the Personal Data Protection Bill, 2019 (Part 1 and Part 2), Rishab Bailey, Vrinda Bhandari, Smriti Parsheera, Faiza Rahman, LEAP Blog, April 2020.
Response to the Draft Personal Data Protection Bill, 2018, Rishab Bailey, Vrinda Bhandari, Smriti Parsheera, Faiza Rahman, LEAP Blog, 22 February, 2018. Full text of the comments is available here.
Comments on the Justice Srikrishna Committee's White Paper -- Towards a data protection framework for India, Vrinda Bhandari, Amba Kak, Smriti Parsheera, Faiza Rahman and Renuka Sane, LEAP Blog, 20 October, 2018. Full text of the comments is available here.

INDIA'S COMMUNICATION SURVEILLANCE THROUGH THE PUTTASWAMY LENS

Vrinda Bhandari, Smriti Parsheera and Faiza Rahman

The LEAP Blog, May, 2018

In this piece we discuss the extent to which India's current communication surveillance practices are likely to withstand scrutiny under the tests identified by the judges in the Puttaswamy case. For the purposes of this analysis we focus on the lawful interception provisions under the Telegraph Act, the Centralised Monitoring System operationalised through telecom licenses, and provisions on encryption and decryption on demand.

DATA PROTECTION BILL: LUKEWARM EFFORT TOWARDS STRONG DPA

The Quint, 4 September, 2018

The piece reviews the draft Personal Data Protection Bill formulated by the Justice Srikrishna Committee from the perspective of independence and accountability of the proposed Data Protection Authority (DPA). It points out that the draft bill takes only tepid steps towards building the DPA on strong foundations of sound agency design. Having an authority with tremendous powers, but minimal structural safeguards, would only lead to sub-optimum outcomes for all stakeholders. It is therefore imperative that we recognise these gaps and collectively work towards addressing them in subsequent versions of the bill.

ANALYSIS OF PUTTASWAMY : THE SUPREME COURT'S PRIVACY VERDICT

Vrinda Bhandari, Amba Kak, Smriti Parsheera, Faiza Rahman

The LEAP Blog, 20 September 2017

In August, 2017 the Supreme Court of India delivered a landmark verdict in the Puttaswamy case, affirming the fundamental right to privacy in India. In this piece we analyse the nine-judge bench decision of the Supreme Court, highlighting the context in which this case arose, the tests laid down by the different judges and the implication of this decision for future cases.

EMERGING THEMES AROUND PRIVACY AND DATA PROTECTION

Vrinda Bhandari, Amba Kak, Smriti Parsheera and Renuka Sane

The LEAP Blog, 12 April 2017

In this post, we identify certain key themes that need to guide the thinking on privacy and data protection in India. This includes an evaluation of the meaning and value of privacy, understanding privacy harms and recognizing the need for safeguards against state surveillance. We propose the need for a comprehensive, principles-based, horizontal privacy law in India.

NEWSPAPER ARTICLES

How to resolve individual data privacy complaints, Indian Express, 9 July, 2020

The right to efficient redress is a critical piece of the proposed data protection framework. Based on a critical assessment of the institutional and implementation structures for grievance redress under the PDP Bill, the piece makes the case for creating a stand-alone Data Protection Ombudsman.

India's moment in global privacy crisis, Business Standard, 22 May, 2018

The piece draws parallels between the global financial crisis and the ongoing global privacy crisis and argues that India needs to borrow from the momentum of the global privacy crisis towards the adoption of a robust data protection law.

A phenomenal verdict and its effects, Economic Times, 25 August, 2017

Analysis of the nine judge bench decision of the Supreme Court in the Puttaswamy case. The piece highlights three immediate implications -- a much-needed course correction on Section 377 of the Indian Penal Code; implications for the Aadhaar challenge; and the path towards a data protection law.

Privacy as a fundamental right: Minding our business, Economic Times, 21 August, 2017

Written in the days prior to the pronouncement of the Supreme Court's right to privacy decision, this piece argues in favour of the need for such a declaration, using examples of political and physical privacy and their link with what it means to live a dignified life in a liberal democracy.