Former Supreme Court Judge and the main architect of India’s privacy bill, Justice B N Srikrishna on Friday said that if the government uses spyware like Pegasus to snoop on its citizens without legal backing, then it is unconstitutional and such moves can be legally challenged.
Srikrishna headed a committee to prepare Personal Data Protection Bill (PDP) which has been approved by the Cabinet and is slated to be tabled in the ongoing winter session of the Parliament. He said that assuming the draft bill comes out as it is, there are sections which begin by saying that "no data would be collected by the government agencies but except under the authority of the parliament legislation."
It was recently revealed that Israeli spyware Pegasus was used for hacking into Facebook-owned WhatsApp instant messenger for snooping on activists, lawyers and journalists across the world including India. There also have been allegations that the Indian government was using Pegasus to spy on citizens.
“The moment you say this (and) if they (government) collect the data tomorrow without an Act permitting it, is an illegal thing and they are answerable under various laws including this (data protection) law. Once the Parliament passes (the Bill), it cannot give them a blanket cheque...under the name of data security. If they did it, it would be unconstitutional,” said Justice Srikrishna, during a panel discussion at Carnegie India’s Global Technology Summit here. He was responding to a question related to the role of PDP for dealing with hacking incidents like Pegasus spyware being used on citizens and making a distinction between national security and political surveillance. The co-panellists included Bhairav Acharya, public policy manager at Facebook and Rahul Matthan, partner at law firm Trilegal.
“There must be a clear definite objective about what purpose you want to do it; the authority who can authorise it, (and) the procedure, which must also be fair and equitable. If all these tests are answered in positive, then it is constitutional else it is unconstitutional,” said Srikrishna.
The proposed Personal Data Protection Bill is said to have provisions that can trigger far-reaching implications for big tech firms such as Google and Facebook that operate out of India, requiring them to re-tune their businesses. These global technology companies have been arguing that the proposals will shoot up their operating costs and in some cases, prohibit delivering some internet services. Several global corporations and corporate entities who are operating in India have also raised concerns about data localisation requirements.
“Data privacy does not give you the right to keep the data where you want. Data privacy gives you the right not to share it with anybody without your (users') consent. Now if there is another law which says whoever you give it to, must keep it in India under a valid law, surely you are also (bound) by that law,” said Srikrishna. He was replying to a question, whether one’s right to informational privacy includes the ability to choose to keep the data overseas and not in India. “For example, it is your right to bank your money. But if you choose it to keep in the a bank in England, you, of course, have to deal with foreign exchange in India and take permission from Reserve Bank of India.”
To another question about why social media giant Facebook does not have a data centre in India, despite having many of those in countries such as Singapore and the US, Srikrishna said that earlier there was no control mechanism (in India). “They thought, it was not worthwhile; you can sit in America, Singapore and carry on with it. Now the writing on the wall is very specific. They also know, there is this difficulty where the data centre has to be located. Now they are thinking about it and (as per the law) they will have it in India too.”
Srikrishna said the idea behind the Bill was that the critical data would remain only in the country and the sensitive personal data could be kept anywhere else abroad but with a live mirror copy here. The reasoning was that, the usual process like mutual legal assistance treaty (MLAT) would take 18-24 months. MLAT is an agreement between two or more countries for the purpose of gathering and exchanging information, in an effort to enforce public or criminal laws.
“Sometimes you need it (information) at the drop of a hat. So that was one of the biggest worries,” said Srikrishna. “When you keep your servers in foreign countries, it is subject to their jurisdiction. There are countries, where the law makes it obligatory for the data to be revealed to an investigative agency there. (The data of the) citizen of this country is lying somewhere else in the foreign country, open to authorised access by the investigative agencies there, but my own investigative agency has no access to it,” said Srikrishna.
During the discussion, Bhairav Acharya of Facebook said there a need for some form of global interoperability of privacy data regimes as there is a danger that the competition between the regimes might become adversarial. “It is not good for the users and for the industry. A harmonious regime is a way forward,” said Acharya. He said that it would be good if the Indian regime interacts peacefully with the European and American regimes and "I am glad to say that the (draft) bill does that. It does put in place a regime that harmoniously interoperates with other countries and also recognises the interests of Indian users. I do hope this structure is not tampered with,” said Acharya.