Written by Tejas Chandna. The author is a Law Student, pursuing BA.LLB(Hons) from Symbiosis Law School, Pune.
Introduction
Remarking a need to indicate scope of discretion on secret surveillance and manner of such discretion, Zakharov v. Russia sets the test for telecommunications and surveillance laws in the European Union. The case sets a test on an EU legislation, for such discretion, to be of “quality of law” against data privacy, telecom phishing and phone tapping. A specific ‘margin of appreciation’ for surveillance by EU governments, was said to be of no harm by the court in this case. Quoting this case in K.S Puttaswamy vs Union of India comes as a harbinger for two assumptions. Firstly, India lacks cross border data privacy law especially in the middle of telecom war between companies like Jio and Vodafone Idea. Secondly, the right to privacy can never be stepped to constitutional violation by state action and for the same it laid down a three fold test of: 'legality', 'need', and 'proportionality' for the State.
This article analyzes Section 17 of India’s Draft Digital Personal Data Protection Bill, 2022 , which allows access of data by the Government of India to ‘specific countries and geographies’. Hereby, this regulation, its scope, manner and grounds become important as India becomes world’s second-largest telecommunications market with a subscriber base of 1,170.38 million in December 2022 . Reasonably, telecommunications faces concerns of contractual integrity of consumer privacy, protection and proportionality as the draft might be applied to every subscriber in India.
From Austin’s theory of sovereignty, an independent and political society was criticized as not just a limitation to power of the sovereign, but also on its compromised scope, characteristics and consequences when such power becomes unrestricted. However in the 21st century, data wars have been regulated in policy especially by Iceland, where ‘unambiguous’ and ‘informed consent’ have become subjects to data transfer under Data Protection Act. Regulating Austin’s unrestricted power of the sovereign, adding ‘unambiguous’ and ‘informed consent’ may intend to protect fundamental rights like Right to privacy under Article 21 of Constitution of India if applied to India. The author makes a case of what might and might not shape Section 17 and future laws on cross border transfer of data amid concerns of data localization and ‘consent’. The article recommends on the basis of tests, sources and directions of K.S Puttaswamy vs Union of India.
The Telecommunication data phishing, crimes and government surveillance
A big problem that surveillance policy and TRAI faces in the 21st century is the unregulated market, causing havoc during telecom attacks, phone tapping and data phishing. Also many companies sell data, especially phone information, numbers and SIM card information for revenue, which the many governments including India has not regulated till now. Critical vulnerability that cross border transfers to governments and hacking of data of these governments is to Indian firms, government agencies and an individual’s private life. Indian firms too as per December 2022 report by virtual private network (VPN) provider NordVPN see 12% of all user data found in cybercrime marketplaces. Hence, when there is government surveillance in the new bill under Section 17, question arises whether these ‘territories and geographies’ will be able to provide subsequent future guarantee in contractual terms of privacy (already in contention) and against data tendering to outside markets.
What might shape India’s cross border policy?
The Gopalakrishnan Committee in 2019 was set up for recommendations on non-personal data, but limited international character of data merely to MNCs and their dominance. The Srikrishna Committee set up on Data Protection Bill, 2021 saw cross border data flows as essence for the economy, however pointed out that such rampant flow cannot be an “unadulterated good”, giving exemptions to select government agencies to regulate such data transactions. However, what criteria and to what extent such data transactions would be regulated has been missing. Though data localization was recommended by the committee, data storage came as a discursive course in National Telecom M2M Roadmap but devising its regulation and outflow criteria have still been non-existent.
What are the impacts of such statutory silence in the draft?
Though the draft of 2022 bill is silent on how such cross border outflow will be done by the government, the only criteria visible is on how these ‘territories and geographies’ will be notified. This notification can be inferred under Section 17 to be based on ‘suitable data security landscape’. Consequently, there are two vulnerable impacts from government agencies. Partly, it is fundamental rights and constitutional liberties impact and other part being economic and government duties impact.
Fundamental Rights and Constitutional Impact
The impact on fundamental rights is not just limited to privacy but also the value that is brought to contractual clauses, when a consumer buys a subscription to a certain telecommunications company for data storage, whether implied or express. After censorship of YouTube channels under new Intermediaries Guidelines Rules, 2021 and proposal to bring OTT services under Draft Telecom Bill, 2022, have an effect on a consumer’s ‘consent’ and their ability to make an ‘informed decision’. After the promise of contractual duty to consumers on privacy, allowance of cross border data flow without any clause of ‘consent’ might compromise a consumer’s consent and his informed decision to transfer this data to the government.
Telecom data has been suggested by the National Security Council to be operated in India. However, what might shape the definition of data localization and what type of data would take its shade, depends upon the vulnerability foreign surveillance has in India. Such data is likely to be RBI’s KYC, bank data, government documents, Aadhar and pan linked cards and in the telecom world, messages of OTP and Bank transfers.
A counterargument to this impact is national security, government surveillance and right to security of a citizen, however such is unmentionable as criteria in the Bill presented. If this is parallel to questions arising in Digital Rights Ireland Ltd v Minister, where a test of proportionality was set, then government agencies have to formulate such policy in the Indian context, where the unregulated market needs to be considered for privacy and security rights. Arguably, neither strictest data surveillance nor strictest telecommunication attack sees how much the market is unregulated. It affects privacy and fundamental security in regulated and unregulated telecommunication markets.
Government Duties and Informed Policy Making Impact
A careful analysis for cross border policy recommendation and data localization can be done on RBI’s “unfettered supervisory access”. Drawing parallelism to payment localization drive to telecom data localization, such unfettered supervisory access can be insured by a government agency, given independent criteria and tested policy access. Now, to decide this test, one may look upon the Puttaswamy test, where the court highlighted the public trust doctrine that the government holds in the Consolidated Fund of India, before even measuring such accessibility of data to itself.
This test of proportionality requires the government agencies and institutions to have its actions appropriate only to the objectives of the legislation under which it is devised and cannot go beyond that. In contest with Article 7 and Article 8 of Charter of Fundamental Rights of the European Union, the court in Puttaswamy quoted Digital Rights Ireland Ltd v Minister in modern techniques to not be violative of basic rights of life, privacy and social environments.
Here, policy or Government directive could be seen as relatable to economic life as the value of data and privacy being proportional to economic affairs of the telecommunications industry. This tests the quality of life an individual can make or is affected to be made from data localization. To prove the existence of such a test, the Data Retention Directive of France is a good example, where a set limit of 6 months and 24 months was brought as a minimum limit for data storage by the government. Especially to specific geographies in cross border, such effect and defect of data transfer must be to a limit and its results should be evaluated therein on the basis of right to private life and right to security analysis. A balance between the two can result in a test for data regulation criteria.
Conclusion
Comparing the aim of the data protection bill, 2022, two phrases are contentious in the same preamble. Aim of ‘right of individuals to protect their personal data’ against ‘need to process personal data for lawful purposes’ requires more specific lists of criteria of evaluation to balance the same. Penalties for unlawful purposes and data phishing in cross border transfers have not been defined. For the same, reliance is still there on IPC, CrPC and the IT Act. A more serious question arises when responsible governments indirectly transfer data unintentionally to other governments, which are not competent to store large data and amend such requirements. An expertise approach was seen by the Supreme Court in Avishek Goenka v Union of India where verification of prepaid and postpaid subscription was relied on by an expert committee in absence of any legislation, expert opinion or any data availability on consequences of the same. Expertise on such limited analysis on ‘trusted geographies’ can be done by a committee. Before cross border transfers to other geographies, the criteria for the same, scope, surveillance, a broader picture, contractual safety, surveillance response, agency intervention and right to private and social life of an Indian citizen must be factored and informed in the Bill.
Comments