Transparency at the cost of anonymity seems to be a common underlying theme among India, the European Union, and the United States.
———–
IN April this year, India’s Cyber Emergency Response Team (‘CERT-In’) issued certain directions for the prevention and reporting of certain incidents. These directions require data centres, Virtual Private Service (‘VPS’) providers, cloud service providers and Virtual Private Network (‘VPN’) service providers, to register and maintain certain subscriber/customer information for a period of five years. It also requires companies to mandatorily enable logs of all their information and communications technology systems, maintain them securely within the Indian jurisdiction for a period of 180 days, and provide access to this data to the CERT-In upon demand.
Last week, the CERT-In extended the timeline for compliance, granting three more months to implement these directions. These directions are intended to “protect the sovereignty of India” and control the commission of cyber crimes. But one of several criticisms of the CERT-In directions is that it raises data privacy concerns for users of such VPN/VPS services, and these privacy concerns become acute in the absence of a legal framework for data privacy in India. In the last few years, India has stepped up regulatory controls on internet media, raising concerns about an individual’s right to privacy, more specifically, anonymity on the internet.
In the last few years, India has stepped up regulatory controls on internet media, raising concerns about an individual’s right to privacy, more specifically, anonymity on the internet.
Also read: The Personal Data Protection Bill 2019: Do you have the Right to be Forgotten from the Internet?
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 were introduced to ensure an “Open, Safe & Trusted and Accountable Internet for all Indian Internet Users”. The Rules regulate digital media news publishers and one of its provisions allows government access to the user account details maintained with the publishers of news and current affairs. This provision similarly drew industry apprehension as an overreach of the State’s authority since it requires the intermediaries to identify the first originator of the information, thus shattering the veil of anonymity in certain circumstances.
Similarity with trends in Europe
India is neither first nor unusual in its move to regulate the cyber-world, in a manner that prioritises State security and sovereignty. In June, the European Parliament and Council reached a provisional agreement to compel crypto providers to provide identifying information on all digital asset transactions, under its Transfer of Funds Regulations. These regulations are intended to strengthen anti-money laundering requirements to ensure that crypto transfers can always be traced and suspicious transactions can be blocked. But these regulations have received significant public backlash. Transparency at the cost of anonymity seems to be a common underlying theme between India and the European Union (‘EU’).
The onus of holding the State accountable to standards of “reasonability” will invariably fall to the judiciary, either by suo motu action or at the instance of civil society organizations.
The “Brussels Effect” is a term coined to denote the global replication of standards and laws enacted by the EU. Considering India’s draft Data Privacy Bill was heavily influenced by the EU’s Global Data Privacy Regulations, it is likely that India’s crypto regulations would also follow the EU’s pattern.
Earlier this year, the Digital Markets Act was passed in the EU, effectively meaning that in the EU, companies like Google can no longer collect data from different services to offer targeted ads without users’ consent, and that Apple must allow alternatives to its App Store on its products. The Digital Markets Act was followed by another law called the Digital Services Act, intending to curb social media’s societal harms by requiring companies to more aggressively police their platforms for illicit content or risk billions of dollars in fines. Though these laws are a welcome counter-balance to Big Tech’s growing power over individuals and their data, it is likely that where Big Tech’s over-reach is curbed by the State, the State’s over-reach may begin.
Also read: Need to rein in Big Tech before it gallops beyond control
Though the United States’ laws don’t regulate big tech as stringently as in the EU, the State’s access to an individual’s data is not uncommon. For instance, for nearly twenty years from 2001-2019, following the events of September 11, 2001, the U.S. ran a program called the “Call Records Details” program, which compelled telecom companies to disclose telephone call records details, upon request by the National Security Agency. The program was shut down in 2019 amid views that the program was expensive but offered low utility of the call records collected.
How to check the State’s abrogation of privacy
This leads one to question what mechanisms are available to check the State’s infringement of an individual’s right to privacy.
For India, the answer lies in the Supreme Court’s affirmation of the right to privacy as a fundamental right, as upheld in the matter of Justice K.S. Puttaswamy (Retd.) versus Union of India (2017). However, fundamental rights are not absolute. The Constitution allows “reasonable restrictions” on the right to free speech to protect the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence. This gives the State enough leeway to legally ask for personal data, when it determines that its sovereignty is threatened.
The onus of holding the State accountable to standards of “reasonability” will invariably fall to the judiciary, either by suo motu action or at the instance of civil society organizations. This means that it is important to nurture a resilient and robust civil society within India. Some organizations, such as the Internet Freedom Foundation and Centre for Internet and Society, are already treading on this path. In addition, a robust legal framework for data privacy protection against infringement by both State and non-State actors is the need of the hour.
