There has been no data put out regularly, for instance, on how many tapping requests were turned down, or some analysis of what was really achieved from the tapping or cyber-snooping, much less by an independent body.
In the bad old days, before a nine-judge bench of the Supreme Court ruled that privacy was a fundamental right, citizens had little recourse when, for instance, either the government tapped their phones or some intelligence agencies got access to, say, their email records. Sure, if such information is made available to citizens on a 24×7 basis, it will defeat the purpose of an investigation, but what if this was just a fishing expedition, an attempt to get data to embarrass the individual, or a blackmail effort by a rogue officer? Sure, there are procedures/protocols that have been put in place to guard against this, but these are in-house ones. There has been no data put out regularly, for instance, on how many tapping requests were turned down, or some analysis of what was really achieved from the tapping or cyber-snooping, much less by an independent body. Not surprising, then, that the Justice Srikrishna panel said the design of the current framework for tapping/hacking “lacks sufficient legal and procedural safeguards to protect individual civil liberties”. As for the oversight mechanism, the Srikrishna panel cited an RTI reply to say the “review committee has an unrealistic task of reviewing 15,000-18,000 interception orders in every meeting, while meeting once in two months”. Indeed, even the SC’s Puttaswamy judgment of 2012 talked of all such interceptions needing to meet the tests of “necessity, proportionality and due process”. That is why, Srikrishna suggested that India needed a law on interception that builds in checks like having a non-partisan committee examining the intercepts, why they were ordered, and what they revealed.
So, it comes as quite a surprise that, after all this, the government’s data protection Bill continues to try to arm the government with overarching powers to snoop, and to commandeer information from any ‘data fiduciary’—the technical term for a company that collects data. While the Bill, for the most part, is in keeping with what the Srikrishna panel suggested, there are notable deviations. Some of them are easily explained. While the Srikrishna panel wanted a copy of all data collected to be kept within the country, the government has relaxed this considerably. While what is called ‘critical’ personal data has to be kept only within the country, ‘sensitive’ data can be sent overseas with the consent of the user, and there are no restrictions on the rest of the data; only a small part of all data collected falls in either the ‘critical’ or ‘sensitive’ categories. This is clearly bowing to the interests of countries like the US, but to the extent that India has business with the US, this may be a sensible compromise.
The biggest, and most problematic, deviation from the Srikrishna panel is the one that allows the government—in the name of national security and ‘sovereignty and integrity of India’, ‘public order’, etc—to “direct that all or any of the provisions of this Act shall not apply to any agency of the Government” subject to certain safeguards and an oversight mechanism that are to be specified later. In other words, the government can give full powers to snoop, whenever it wants, to any of its investigative agencies, irrespective of whether this is an invasion of privacy. It is theoretically possible that the safeguards will be good enough, but if the Bill is passed in its current form, it is giving the government too many powers without the discipline of an independent oversight mechanism.