Transparency at the cost of anonymity seems to be a common underlying theme among India, the European Union, and the United States.
In April this year, India’s Cyber Emergency Response Team (‘CERT-In’) issued certain directions for the prevention and reporting of certain incidents. These directions require data centres, Virtual Private Service (‘VPS’) providers, cloud service providers and Virtual Private Network (‘VPN’) service providers to register and maintain certain subscriber/customer information for a period of five years. They also require companies to mandatorily enable logs of all their information and communications technology systems, maintain them securely within the Indian jurisdiction for a period of 180 days, and provide access to this data to the CERT-In upon demand.
India is neither first nor unusual in its move to regulate the cyber-world, in a manner that prioritises State security and sovereignty. In June, the European Parliament and Council reached a provisional agreement to compel crypto providers to provide identifying information on all digital asset transactions, under its Transfer of Funds Regulations. These regulations are intended to strengthen anti-money laundering requirements to ensure that crypto transfers can always be traced and suspicious transactions can be blocked. But these regulations have received significant public backlash. Transparency at the cost of anonymity seems to be a common underlying theme between India and the European Union (‘EU’).
This leads one to question what mechanisms are available to check the State’s infringement of an individual’s right to privacy.
For India, the answer lies in the Supreme Court’s affirmation of the right to privacy as a fundamental right, as upheld in the matter of Justice K.S. Puttaswamy (Retd.) versus Union of India (2017). However, fundamental rights are not absolute. The Constitution allows “reasonable restrictions” on the right to free speech to protect the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence. This gives the State enough leeway to legally ask for personal data, when it determines that its sovereignty is threatened.
The onus of holding the State accountable to standards of “reasonability” will invariably fall to the judiciary, either by suo motu action or at the instance of civil society organizations. This means that it is important to nurture a resilient and robust civil society within India. Some organizations, such as the Internet Freedom Foundation and Centre for Internet and Society, are already treading this path. In addition, a robust legal framework for data privacy protection against infringement by both State and non-State actors is the need of the hour.