MHA notification: Debate on digital surveillance must move beyond privacy and data protection laws

On December 20, 2018, the Union Ministry of Home Affairs issued an order authorizing ten central agencies to intercept, monitor and decrypt any information generated from any computer, drawing legitimacy from the Information Technology Act (2000) and associated rules. It is not clear if the order intends to be an executive fiat for blanket surveillance, or whether each specific instance of surveillance that is undertaken will still have to go through the process of obtaining permission from the Union home ministry.

Even if the order intends to only facilitate targeted surveillance based on case-by-case clearance, the danger lies in the safeguard of ‘judicial application of mind’ in processing each request for interception being reduced to a farcical, exercise ofmindless approval of letters.

Going by the long history of telephonic surveillance, which is backed by the same procedural safeguard for prior permission, this anxiety is well-justified. Consider this: a 2014 RTI application by the Software Freedom Law Centre found that the Union Home Ministry approves close to 7500-9000 requests for phone interception every month, which at the least, amounts to 250 authorisations per day! The sheer numbers make it practically impossible to exercise reasoned and deliberated judgment on every application.

The popular debate triggered by this controversial order has identified the ‘solution’ to both mass surveillance and ineffectual procedural safeguards in a robust privacy and personal data protection framework for the country. There are calls for subjecting the order (and Section 69 (1) of the Information Technology Act (2000) from which it draws its legitimacy) to the ‘necessity and proportionality’ test mandated by the Supreme Court decision in Justice K.S. Puttaswamy vs Union ofIndia, popularly known as the ‘privacy judgment’ of 2017. The debate on amending the personal data protection bill, to strengthen citizens’ right to be left alone through new provisions for parliamentary and/or judicial oversight of digital surveillance practices, has been rekindled.

But this is where it will be very useful to pause, take a deep breath, and re-consider. Just by putting in place a strong privacy and personal data protection legislation, will we be able to protect the citizenry from proclivities of the state to flex its surveillance muscles?

Belling the surveillance cat

Take the case of the European Union. It has a sound legislative framework in the GDPR and Directive 2016/680 on processing of personal data for detection and investigation of criminal offenses. The provisions seek to balance the competing considerations of individual privacy and public interest imperatives for the effective discharge of law enforcement functions in the digital age. Additionally, the European Parliament and the European Court of Justice (ECJ) have constantly been striving to curb the excesses of member states with respect to their dataveillance practices, even prior to the adoption of the GDPR.

The most famous instance of this is the European Parliament resolutionsuspending participation in the United States’ panspectronic Terrorist Finance Tracking Program, after the Snowden revelations. The ECJ has come out with equally revolutionary rulings in 2014 and 2016, striking down a bulk data retention directive for "exceed(ing) the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society."

But to the dismay of civil society activists, despite this formidable legal-judicial framework, member states continue their cavalier surveillance practices. In June 2018, 62 organisations, community networks, and academics submitted an Open Letter to the European Commission highlighting how at least 17 member-states are implementing national measures mandating general and non-targeted bulk data retention, in flagrant violation of the ECJ’s rulings.

Worst of all, there are indications that within the EU’s legal system “mass surveillance” is being accepted as the “new normal”, in an about-turn from the ECJ’s stance of zero tolerance, the case of Big Brother Watch being a worrisome illustration of this. In this case, 16 NGOs and individuals, led by Big Brother Watch, filed an application against the United Kingdom before the European Court of Human Rights (ECHR) challenging the UK GCHQ’s mass surveillance practices for being violative of the right to privacy.

The ECHR ruled in the petitioners’ favour, but there was a catch. While the court found an issue with the lack of procedural safeguards, it explicitly confirmed that bulk surveillance with tighter safeguards was permissible, in a marked departure from the ECJ’s earlier rulings on the very idea being anathema to democracy. Some have interpreted this as a sign of the political pressures being navigated by the ECHR.

This is but the latest manifestation of a problem that is well-known to political theorists – privacy and data protection laws are not an effective fix to the surveillance tendencies of modern states, originating in the social control and disciplining that drives the ruling elite. As the legal scholar David Flaherty (1989, pp 22/69) observed in the 1980s, authorities usually end up as ‘legitimators’ of new technology, shaping marginal changes in the operating rules rather than foundationally questioning the culture of surveillance.

Look for the solution in organised politics

But this does not mean there is no hope. It just means that the ‘legal-juridical’ realm may not be where the solution lies, especially when we recognise that the culture of surveillance is but one of the many ways through which ruling classes deploy the state for legitimating their domination. As Engels and Lenin have highlighted, it is only organised politics that can mount an effective challenge to the unbridled power of the state. This will transform “the state from a special force for the suppression of a particular class to (one focused on the) suppression of the oppressor”.

We need to take some lessons from the Dalit panthers in Tamil Nadu and the women’s movements that took to the streets in the 1980s to rattle the status quo and the elite consensus, or more recently, the Indian farmers, who marched in thousands to express their agony and anger at the state failing them. Freedom from surveillance needs to become part of the political agenda, and hence needs to be raised as a political demand in a cogent, organised fashion. It is the street where the digital surveillance and bio-surveillance projects (DNA profiling Bill) of the Indian state have to be challenged, along with draconian legislation such as the Unlawful Activities (Prevention) Act and the Armed Forces (Special Powers) Act.

There is also a lesson here for the digital rights community. Until now, their resistance against mass dataveillance has been ambiguous and fragmented, marked by a failure to link digital rights conversations to broader political agendas of social justice movements. Within a wider data environment that is creating deep distrust and polarisation in society as well as exclusion and exploitation in the economy, the right to be left alone – among the most cherished individual rights – can only be won if the idea of the right to data is understood for its public value. The answer to the never-ending streams of surveillance news lie in alternative ideas of data governance; not just the protection of personal data, but ideals and norms that address datafication of society, economy and polity.

This article was first published in Firstpost.

Focus Areas
Resource Type