Editor's Note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
India is undergoing a digital revolution, with an ever-growing reliance on technology and the internet permeating daily life. With nearly 1.3 billion people, it is the world's second-largest internet market, experiencing a rapid influx of data and an expanding digital infrastructure.
While the Digital Personal Data Protection Act of 2023 has emerged as a cornerstone of the country's data governance framework, it simultaneously casts a long shadow over individual privacy rights. The government's increased access to personal data, under the guise of national security, raises urgent questions about the balance between state control and civil liberties.
India's advanced surveillance programs, bolstered by tools like the Central Monitoring System and Network Traffic Analysis, position it as a formidable digital power. However, the increasing centralization of surveillance threatens the right to privacy, as recognized in the landmark 2017 Justice K.S. Puttaswamy v. Union of India case before the Supreme Court of India.
The expanding surveillance ecosystem
India's surveillance infrastructure has evolved into a comprehensive network of interconnected systems. While these technologies can promise enhanced national security, they also risk enabling mass surveillance, often without adequate checks and balances.
Central Monitoring System. The CMS empowers the government to directly monitor communications across mobile, landline and internet platforms. Deployed without requiring service provider authorization, this tool facilitates unprecedented access to personal data, raising concerns about unchecked state overreach.
Network Traffic Analysis. Developed by the Defence Research and Development Organisation, NETRA monitors internet traffic to flag suspicious keywords. By analyzing emails, social media posts, and Voice over Internet Protocol calls, it creates opportunities for pre-empting threats. However, its scope for mass data collection undermines individual privacy.
National Intelligence Grid. Born after the 2008 Mumbai attacks, NATGRID aggregates data from financial, immigration and telecommunications records to pre-empt security threats. While effective in theory, the vast data consolidation lacks adequate oversight, leaving room for abuse.
Facial recognition technology. India's ambitious deployment of FRT is set to establish the world's largest biometric database. Though aimed at aiding law enforcement, its lack of regulatory oversight opens avenues for misuse, from targeting minorities to suppressing dissent.
Pegasus spyware scandal. The 2021 Pegasus revelations shocked the nation, exposing the use of sophisticated spyware to surveil journalists, activists and political opponents. The incident underscored the vulnerability of India's surveillance framework to misuse and lack of accountability.
Legislative gaps in oversight. India's surveillance programs operate under outdated laws like the Indian Telegraph Act, the Information Technology Act and the Code of Criminal Procedure. These statutes, designed for simpler times, fail to address the complexities of modern surveillance technologies. The absence of clear judicial or legislative oversight compounds this problem, leaving surveillance systems prone to abuse.
Implications for privacy and civil liberties
India's surveillance ecosystem is underpinned by tools and technologies that inherently encroach on fundamental rights. Surveillance disproportionately impacts marginalized communities and stifles democratic freedoms, including the right to dissent and freedom of expression.
The lack of transparency and accountability in these programs compounds public distrust. The Puttaswamy verdict, which enshrined the right to privacy as a constitutional guarantee, mandates stringent adherence to principles of legality, necessity and proportionality. Yet, the DPDPA, with its vague definitions and expansive exemptions for government agencies, undermines these principles.
Programs like CMS and NETRA facilitate mass surveillance, treating all individuals as potential suspects. This sweeping approach not only undermines the presumption of innocence but also fosters a chilling effect on free speech and association.
High-profile breaches, like the 2019 Aadhaar leak, demonstrate the risks associated with centralized databases. Without robust safeguards, such systems jeopardize not only personal privacy but also national security.
The pervasive nature of surveillance discourages free expression, with individuals self-censoring their views for fear of state retribution. This "chilling effect" weakens democratic engagement, silencing dissenting voices and curbing civil society's role.
In addition, the broad exemptions granted to the government under Section 17 of the DPDPA allow for personal data processing without consent in cases of national security and public order. However, the absence of oversight mechanisms makes it difficult to hold state agencies accountable for misuse.
Balancing surveillance and privacy: Lessons from Puttaswamy
The Supreme Court's decision in K.S. Puttaswamy v. Union of India was a landmark one in Indian jurisprudence, affirming the right to privacy as fundamental. The judgment introduced the proportionality test, requiring that any infringement of privacy must meet the criteria of legality, necessity and proportionality.
The decision stated anyrestriction on fundamental rights must be based on clear, accessible laws. India's surveillance programs, authorized through executive orders rather than specific statutes, fail to meet this standard.
To meet the necessity criteria, the court said surveillance measures must address a pressing social need. Broad mandates under CMS and NETRA presume a constant state of emergency, undermining this criterion.
On proportionality, the court determined that even if justified, measures must be proportionate to the objectives they seek to achieve. Mass data collection without clear limitations often exceeds this threshold.
The Puttaswamy judgment highlighted the need for judicial oversight and independent monitoring of surveillance activities. However, India's current framework remains inadequate, with limited transparency and insufficient checks on government power.
The DPDPA's limited scope
The DPDPA introduces several measures aimed at enhancing data protection. However, Section 17, which permits the government to process personal data without consent for broad reasons such as "public order" or "national security," has become a focal point of criticism. The act fails to establish independent oversight mechanisms or judicial review, leaving surveillance activities largely unchecked.
While inspired by the EU General Data Protection Regulation, the DPDPA lacks the rigorous accountability frameworks that underpin the European model. This oversight gap exacerbates the risks of abuse, with little recourse for individuals whose rights are infringed.
Toward a balanced approach
For India to navigate its digital transformation responsibly, it must prioritize the protection of individual rights alongside national security. A balanced approach requires independent oversight, legislative amendments, adoption of privacy enhancing technologies and public engagement.
Surveillance activities must be subject to judicial review or oversight by independent regulatory bodies to ensure accountability and transparency.
The DPDPA should be revised to narrow exemptions, define ambiguous terms, and establish stricter procedural safeguards for surveillance.
Encryption, anonymization and other privacy-focused tools should be integrated into surveillance systems to mitigate the risks of misuse.
Finally, involving civil society and privacy advocates in policymaking can ensure diverse perspectives are considered, fostering trust in state mechanisms.
Conclusion
The DPDPA has brought India into the fold of nations with comprehensive data protection laws.
However, its provisions on state surveillance highlight a growing imbalance between the government's security interests and individual privacy rights.
By strengthening safeguards and ensuring accountability, India can lead the way in creating a surveillance ecosystem that aligns with democratic values.
As India strides into the digital future, its commitment to safeguarding constitutional rights will define the resilience and inclusivity of its democracy. Striking the right balance between surveillance and privacy is not just a legislative challenge but a moral imperative.
