
International Journal of Socio-Legal Research 108

Volume 5| Issue 3|August 2019 |ISSN-2393-8250

CYBER SURVEILLANCE & DATA PRIVACY LAW: THE RECONCILIATION
Pankaj Kumar Sharma*
INTRODUCTION :
Over the past two decades, the evolution of cyberspace has impacted almost
every aspect of human life. The increase in the speed, volume, and range of
communications that cyberspace offers has undeniably affected the way
societies interact.1 Although the Charter of Fundamental Rights of the
European Union distinguishes the right to privacy and the right to data
protection as two different fundamental rights, this is more in the nature of a
formal distinction.2 Scholars in the field opine that the right to data protection
has been characterized by strong links to the right to privacy.3 Today, privacy
is more widely discussed among academics, policy analysts, and journalists4
than it was when Uneasy Access was published in 1988. At that time, privacy
was still an emerging concern. To be sure, federal and state lawmakers had
been steadily expanding privacy protections for data and communications
since the mid-1970s in response to threats posed by computer and
surveillance technologies.5 The concept of privacy is a multi-dimensional
one, yet scholars across time and space have attempted to confine it to a single
definition. Warren and Brandeis in their seminal essay enunciated that the
right to privacy was based on a principle of “inviolate personality”, thus

*Law Scholar, the ICFAI University, Dehradun


1
Liaropoulos, A. A Human-Centric Approach to Cybersecurity: Securing the Human in the
Era of Cyberphobia, 14, JOURNAL OF INFORMATION WARFARE, 15, 15 (2015).
JSTOR
2
Raphael Gellert and Serge Gutwirth, The Legal Construction of Privacy and Data
Protection, 29(5), COMPUTER LAW AND SECURITY REVIEW 522, 524, (2013). JSTOR
3
GLORIA GONZALES FUSTER, THE EMERGENCE OF PERSONAL DATA
PROTECTION AS A FUNDAMENTAL RIGHT OF THE EU, Chapter 5 (2014)
4
See, e.g., AMITAI ETZIONI, THE LIMITS OF PRIVACY 1-2 (1999) (noting the current
agitation about protecting privacy).
5
See MARC ROTENBERG, THE PRIVACY LAW SOURCEBOOK 1999, at 1-173 (1999)
(identifying ten federal privacy statutes enacted between 1970 and 1988 and four additional
privacy statutes enacted through 1999).

laying the foundation for a concept of privacy, which we understand as
control over one’s own information.6
INSTRUMENTS OF PRIVACY CONCERN IN CYBERSPACE
The privacy principle was already a part of common law and the protection
of one’s home as one’s castle, but new technology made it important to
explicitly and separately recognise this protection under the name of privacy.7
The issue of data protection, especially unauthorised data access, though
traditionally unprioritised, has recently gained much traction due to the
increasing number of news reports regarding various instances of
unauthorised data access as a threat to individual privacy. In the case of
unauthorised data access, more than the frequency of the instances, it is their
sheer magnitude that has shocked civil society and especially civil rights
groups. The whole idea of framing the cyber surveillance provision, i.e. Section 69 of the IT
Act, is derived from Section 5(2) of the Indian Telegraph Act, 1885, legislated
by the British government. Section 5(2) of the Telegraph Act states the grounds
of public emergency and the interest of public safety, on the occurrence of
which transmissions can be intercepted and detained in the interests of the
sovereignty and integrity of India, the security of the State, friendly relations
with foreign states or public order, or for preventing incitement to the
commission of an offence. When Section 69(1) of the IT Act was drafted, it was
fully in line with the said provision. But after the enforcement of the IT
Act Amendment Act, 2009, its scope was enlarged by adding one more ground,
i.e. 'investigation of any offence', to intercept, monitor or decrypt any
computer resource.

6
SHRADDHA KULHARI, BUILDING-BLOCKS OF A DATA PROTECTION
REVOLUTION: THE UNEASY CASE FOR BLOCKCHAIN TECHNOLOGY TO
SECURE PRIVACY AND IDENTITY, 23, (2018). JSTOR
7
Samuel Warren and Louis Brandeis, The Right to Privacy, 4, HARVARD L.J. (1890) [as
cited in Judith DeCew, Privacy, The Stanford Encyclopedia of Philosophy, Spring 2015
<https://plato.stanford.edu/archives/spring2015/entries/privacy/> accessed on 11 July 2019]

Further, on 20 December 2018, the Ministry of Home Affairs issued an order
granting authority to 10 Central agencies to intercept and monitor individual
computers and their receipts and transmissions under powers conferred on it
by sub-section 1 of Section 69 of the IT Act, 2000, read with Rule 4 of the IT
(Procedure and Safeguards for Interception, Monitoring and Decryption of
Information) Rules, 2009.8
EFFECT OF IT AMENDMENT ACT, 2009 :
The effect of the amendment of this provision lies in the inclusion of the term “for
investigation of any offence”. By including the term, the scope of the law
increases many times over, because the eventualities covered under the five
conditions of the Indian Telegraph Act are far fewer than the eventualities covered
under the additional sixth condition of the IT Act, simply because there are lakhs
of cases under investigation.9 This issue gained wide attention among citizens
and led a law student to file a PIL in the Allahabad High Court challenging
the constitutional validity of Section 69.10
EFFECT OF IT (PROCEDURE & SAFEGUARDS FOR
INTERCEPTION, MONITORING & DECRYPTION OF
INFORMATION) RULES, 2009 :
The important aspect regarding the rules is that an individual may not even
know if her electronic communications are being intercepted or monitored. If
such surveillance comes within her knowledge, due to the obligation to

8
http://egazette.nic.in/WriteReadData/2018/194066.pdf
9
Ram Narain, Sec 69 of the IT Act: Fears of violation of privacy may not be unfounded,
HINDUSTAN TIMES, (July 11, 2019, 01:51 PM),
https://m.hindustantimes.com/editorials/sec-69-of-the-it-act-fears-of-violation-of-privacy-
may-not-be-unfounded/story-CLqIDix78GTVpHSqaaMJaO_amp.html
10
https://barandbench.com/wp-content/uploads/2019/01/Saurabh-Pandey-v-UOI-PIL.pdf

maintain confidentiality and provisions in the Official Secrets Act, 1923,11 she
would not be able to know the reasons for such surveillance.12
Also, the time period within which such intercepted data can be retained with
the government agency, is up to 60 days which may extend to 180 days as per
Rule 11, IT (Procedure and Safeguards for Interception, Monitoring and
Decryption of Information) Rules, 2009.13 The said rule certainly legitimizes
“Continuous Surveillance” in every respect.
POLITICAL ASPECT:
In a democratic country such as India, there is a possibility that
provisions enforcing cyber surveillance might be invoked for the political gains
of bureaucrats to intercept and monitor the data of the 'individuals interested
in opposition party'. The political history of India is evidence of the fact that
powers conferred by the constitution are covertly misused for self-interest. The
national emergency of 1975 is sufficient to indicate such malicious intention.
It is a matter of hypocrisy that on one hand the government has drafted the
Personal Data Protection Bill, 2018,14 to ensure safety of individual privacy
from third party interception, and on the other hand the Ministry of Home
Affairs intends mass cyber surveillance by issuing a notification granting
powers to 10 enforcement agencies in the same year. Also, there is no
provision in the said bill that authorises a government agency to process data
‘for investigation of any offence’, unlike Section 69 of the IT Act. This

11
Section 5(2) of the Official Secrets Act, 1923 - If any person voluntarily receives any secret
official code or pass word or any sketch, plan, model, article, note, document or information
knowing or having reasonable ground to believe, at the time when he receives it, that the
code, pass word, sketch, plan, model, article, note, document or information is communicated
in contravention of this Act, he shall be guilty of an offence under this section.
12
Anita Gurumurthy, Are India’s laws on surveillance a threat to privacy?, THE HINDU,
(July 12, 2019, 02:10 PM), https://www.thehindu.com/opinion/op-ed/are-indias-laws-on-
surveillance-a-threat-to-privacy/article25858338.ece/amp/
13
Period within which direction shall remain in force.— The direction for interception or
monitoring or decryption shall remain in force, unless revoked earlier, for a period not
exceeding sixty days from the date of its issue and may be renewed from time to time for
such period not exceeding the total period of one hundred and eighty days.
14
https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf

contradiction points towards the prospective threat to law enforcement of
the country.
STATUS OF RIGHT TO PRIVACY IN INDIA
India is a signatory to the Universal Declaration on Human Rights and the
International Convention on Civil and Political Rights. Article 12 of the
former15 and Article 17 of the latter16 recognize privacy as a fundamental right.
Though a member and signatory of these conventions, India does not have
laws which provide a right to privacy to citizens. To fill
this lacuna in the law, the Courts in India have tried to enforce a right to
privacy for citizens in two ways. Firstly, recognition of a
constitutional right to privacy, which has been read as part of the rights to life
and personal liberty embedded in Art. 21 of the constitution.17 Secondly, a
common law right to privacy, which is available under tort law and has been
borrowed primarily from American jurisprudence. It must be mentioned at
the outset that privacy is not a very strongly enforced right in India and
there are a number of exceptions to the right to privacy which have been
carved out by the Courts over a period of time.18
The overly broad contours of the proposed amendment to the Intermediary
Rules confer unchecked powers on the executive, reminiscent of the
arbitrariness that led to the famous Shreya Singhal case.19 In the absence of
judicial or legislative oversight, such powers result not only in a

15
Art. 12 of UDHR - No one shall be subjected to arbitrary interference with his privacy,
family, home or correspondence, nor to attacks upon his honour and reputation. Everyone
has the right to the protection of the law against such interference or attacks.
16
Art. 17 of ICCPR - No one shall be subjected to arbitrary or unlawful interference with his
privacy, family, home or correspondence, nor to unlawful attacks on his honour and
reputation.
17
K. S. Puttaswamy v. Union of India, Writ Petition (Civil) No. 494 of 2012 (Sup. Ct. India
Aug. 24, 2017).
18
https://cis-india.org/internet-governance/blog/state-of-cyber-security-and-surveillance-in-
india.pdf/view
19
Shreya Singhal v. Union Of India [AIR 2015 SC 1523]- The Supreme Court struck down
Section 66A of the IT Act, 2000, as unconstitutional on grounds of violating Article 19(1)(a)
of the Constitution of India.

disproportionate restriction on the individual fundamental right to privacy, but
also have far-reaching consequences for other freedoms - a chilling effect on
the freedom of speech and association and democratic participation. Cyber-security
experts caution that it’s not possible to create a “back door”
decryption to target one individual, and that tampering with encryption can
compromise security for all.20 The anonymity of the internet allows all of us to
live duplicitous lives, more easily and potentially more successfully than in the
past.21
Although the idea of unlimited state sovereignty today is no longer
undisputed, the pivotal obligation of a state to protect its citizens’ security
makes the right to do so one of the bedrock features of this concept.22
RISING NECESSITY OF CYBER SURVEILLANCE BY THE STATE
Despite unintended encroachment on data privacy, the primary object of
cyber surveillance has been the protection from cyber-security threats. The
cyber security discourse is predominantly shaped by the notion of national
security. Cases such as the cyber-attacks on the online banking system in
Estonia, the defaced government websites in Georgia, and the use of the
Stuxnet worm to harm Iran’s nuclear program demonstrate the importance
and the increasingly crucial role of cyberspace for national security. As a
result, states have defined cyber-security in their military and security
doctrines as a new domain of conflict.23 Cyber security concern is now indeed
indispensable because of the increased pervasiveness of technology in our
society.
Apart from conventional military based external force, cyberspace has
become an equivalent modern platform which questions the security of a

20
Supra note 19
21
Allen, Anita L. Gender and Privacy in Cyberspace, 52, STANFORD L.R., 1175, 1195
(2000). JSTOR
22
Dominik Eisenhut, Sovereignty, National Security and International Treaty Law, 48,
ARCHIV DES VÖLKERRECHTS, 431, 431, (2010). JSTOR
23
Supra note 2

state. In the era of cyber warfare, the security and sovereignty of a state in
cyberspace play a significant role in protecting its citizens from external
cyber security threats. It is the duty of a responsible sovereign state to apply
all the possible measures to ensure the safety of its masses. Sometimes for the
purpose of preventive measures or for investigation of any offence that
challenges the integrity and sovereignty of state, it becomes necessary for the
state to take into account the data of citizens. Since criminal activities also
have become digitized, law enforcement must visibly patrol the Internet. In
addition, the police may need to operate covertly. To investigate serious crime
and predict crime or terror attacks, predictive analysis, access to social media
accounts and big data analytics could provide significant aid for law
enforcement.24 For this purpose, Section 69 of the IT Act regulates
cyber surveillance of citizens’ data by government agencies.
PREVENTION OF MISUSE OF CYBER SURVEILLANCE
PROVISION:
With the advent of state interference in individual privacy, data protection
concerns arise with sufficient cause. It is indeed necessary to prevent the
misuse of cyber surveillance law because these laws contain sufficient
instruments to infringe the data privacy laws. Keeping in view the prospective
misuse of Section 69, the central government made the
Information Technology (Procedure and Safeguards for Interception,
Monitoring and Decryption of Information) Rules, 2009.
Rule 3 of these Rules regulates the scope of power conferred on government agencies
so as to avoid arbitrariness and provides for the prerequisite of an order by
the competent authority to intercept and monitor individual data. For this
purpose “competent authority” means (i) the Secretary in the Ministry of
24
Stephanie K. Pell and Christopher Soghoian, Your Secret Stingray's No Secret Anymore:
The Vanishing Government Monopoly over Cell Phone Surveillance and Its Impact on
National Security and Consumer Privacy, 28, HARVARD J. LAW & TECH, 1-35 (2014).
JSTOR

Home Affairs, in case of the Central Government; or (ii) the Secretary in
charge of the Home Department, in case of a State Government or Union
territory, as the case may be. The role of the Review Committee under Rule
22 is quite significant: the committee shall sit at least once in two months in
order to check any arbitrariness in the exercise of these powers and set
aside directions which contravene the provisions of these rules. Also,
Rule 24 prohibits unauthorised persons from intercepting or monitoring individual
data, failing which they may be punished under the relevant provisions of the IT Act. As
per Rule 25, even if such data is processed with authorisation, it cannot be
disclosed by an intermediary to any person other than the designated officer.
It is indispensable to note that these rules indicate the intention of the state
to exercise cyber surveillance in such a manner that violation of individual
privacy is minimal.
PREFERENTIAL TREATMENT TO CYBER SURVEILLANCE :
A Government which abdicates its responsibility has no right to be in the
Government. A Citizen who wants the Government to abdicate its duty is
himself failing in his duty as a citizen. The Constitution of India guarantees
every citizen the right to life and personal liberty under Article 21. The
Supreme Court, in Justice K.S. Puttaswamy v. Union of India25 ruled that
privacy is a fundamental right. But this right is not unbridled or absolute. The
Central government, under Section 69 of the Information Technology Act,
2000, has the power to impose reasonable restrictions on this right and
intercept, decrypt or monitor Internet traffic or electronic data.26
If a law confers preferential treatment on the right to privacy over
cyber surveillance by the state, the consequences are not favourable to the security
of the state as a whole. In that condition there has to be sufficient amendment
in other laws including IPC or POTA to enforce such law and this would
25
Writ Petition (Civil) No. 494 of 2012 (Sup. Ct. India Aug. 24, 2017).
26
Supra note 19

make India a haven for Criminals, Naxalites and Terrorists. It will prevent
Police from undertaking any search or preventive arrests, impose restrictions
on public for prevention of offences etc., since all such provisions will be
restrictive of the Right to Privacy in one sense.27 Those who swear by the
constitution have to swear by the “Primacy” of “We the People” and cannot
ignore the security of people even before worrying about providing guarantee
of the Right to Privacy.28
RECOMMENDATIONS TO RECONCILE THE PRIVACY
CONFLICT :
The intricate challenge is that in between surveillance and privacy
lies the personal data—the new gold from a commercial perspective, a
resource in the fight against terrorism from a security perspective, and a future
threat to human rights from an individual perspective. There is no simple
solution to the paradox.29
Laws enforcing cyber surveillance and an individual’s data privacy are two
sides of a coin. In every case, one would overshadow the other; hence the
conflict is inevitable. It can be deduced that legal flexibility on the conflicting
points is the possible reconciliation, as presented below:
1. As per Rule 7 of the Information Technology (Procedure and Safeguards
for Interception, Monitoring and Decryption of Information) Rules,
2009, every direction issued by competent authority to intercept or
monitor individual’s data shall contain the ‘reasons’ for such
direction. It is recommended that such ‘reasons’ should be
communicated to the person whose data is to be intercepted or
monitored, through reasonable means of communication. Provided

27
https://www.naavi.org/wp/allahabad-high-court-admits-pil-against-section-69-notice-2/
28
Ibid
29
Hagen, Janne, and Olav Lysne. Protecting the Digitized Society—the Challenge of
Balancing Surveillance and Privacy, 1, THE CYBER DEFENSE REVIEW, 75, 87, Spring
(2016). JSTOR

that, the government may ascertain a specific category of “persons
with excessive degree of suspicion” regarding whom the government
agencies need not be bound by the aforementioned rule, for instance,
habitual offenders or proclaimed offenders. This may probably act as
sufficient justification for breach of data privacy.
2. It is recommended that government agencies shall have access to any
category of data except that of “Genetic data” as defined in section
3(20) of the Personal Data Protection Bill, 2018.30
Provided that, the government may ascertain a specific category of
“persons with excessive degree of suspicion” regarding whom the
government agencies shall not be bound by the aforementioned rule, for
instance, habitual offenders or proclaimed offenders.
The sole rationale for the presented recommendation is that the uniqueness
of genetic information, it is contended, entitles it to greater privacy protection
than other types of information.31 The dilemma for privacy advocates is not
simply the almost inexhaustible opportunities for access to data but also the
intimate nature of those data and the potential for harm to persons whose
privacy is violated. Against this backdrop of increasing use of genetic
information, scholars, legislators, judges, and the public have asserted that
genetic information is entitled to additional levels of privacy protections
because it is virtually unique among health-related data.32

30
“Genetic data” means personal data relating to the inherited or acquired genetic
characteristics of a natural person which give unique information about the behavioural
characteristics, physiology or the health of that natural person and which result, in particular,
from an analysis of a biological sample from the natural person in question.
31
Gostin, Lawrence O., and James G. Hodge. Genetic Privacy And The Law: An End To
Genetics Exceptionalism, 40, JURIMETRICS, 21, 23, (1999). JSTOR
32
Ronald M. Green & A. Matthew Thomas, DNA: Five Distinguishing Features for Policy
Analysis, 11 HARVARD J. LAW & TECH, 57 (1998). JSTOR
