The Indian government proposes new data retention rules: Will privacy be compromised?

By Asheeta Regidi The Indian government is reported to have started the process of drafting rules for Section 67C of the Information Technology Act, 2000, India’s data retention law. Under these rules, intermediaries, or internet service providers, or websites and apps like Facebook, Whatsapp and Gmail, may be required to collect and store data. Data retention in a limited manner is normal and in fact, necessary for the security of the country.  Problems arise, however, when anti-terrorism measures are used as a justification for a mass invasion of people’s private lives. Data retention laws, without the necessary safeguards, can quickly become a ‘legal’ means of violating people’s fundamental right to privacy. Public outcry prevents legalization of mass retention of metadata Data retention can take many forms. One is mass retention of metadata. Many countries have been attempting to introduce laws legalizing the mass retention of metadata. Metadata includes data of internet usage and telephone, such as time and duration of telephone calls, IP addresses, IDs of senders and receivers of emails, log-in and log-off times for e-mail use, etc. Such data excludes the actual content of the e-mails or the messages. While governments argue that metadata does not reveal personal details of the individual, this is not true. An individual’s entire internet history can be traced out using just the metadata. The European Union introduced the Data Protection Directive in 2006, which mandates the retention of metadata of internet and telephone usage. Under the EU Directive, there was no requirement for a threat or emergency for the data retention. It was continuous, for all individuals and without justification. As a result, the directive was challenged by human rights activists before the European Court of Justice. In 2014, the ECJ struck down the Directive on the grounds of infringement of privacy. Similarly, in the Czech Republic and Argentina, the data retention laws were partly struck down for being unconstitutional in cases filed against them by privacy activists. In Brazil, a data retention bill was proposed, but could not be passed due to the public outcry following it. Mandatory metadata retention laws in Australia  Australia is one of the few countries to have mandatory data retention laws. Under Australia’s  Telecommunications (Interception and Access) Amendment (Data Retention) Act, 2015,  ISPs are mandated to store metadata of the internet usage of all Australians. The Australian law has made some exceptions to the data collected—web-browsing histories are exempted, and social media providers like Facebook, Whatsapp and Instagram are also exempt. All records must be maintained for 2 years. Interestingly, Australians are reported to feel that the need for security justifies the invasion of their privacy, and prefer the data retention. This is perhaps why the Australian law on data retention is valid even today. Mass data retention: Most violative of privacy Another type of data retention is mass data retention, which forms a part of mass surveillance programs carried out by the NSA in the US and the CMS in India.  Mass data retention will involve collection and retention of every piece of information regarding everyone’s internet usage. The government can order the collection of your e-mail content, your messages, your phone calls, your pictures and videos sent, the websites you visit, and for no reason at all. Interestingly, this mass surveillance is not authorized by law, whether in India or the US. In India, Section 69 of the IT Act allows the interception, monitoring and decryption of information for a limited period of 2 months. Even in the US, there is no mandatory data retention law. Under the Electronics Communications Transactional Records Act, the ISPs in the US are required to retain data for a maximum period of 90 days, and only upon the request of a government entity. As a result, there are no safeguards whatsoever for mass surveillance; there is no time limit on the period for which the surveillance can continue, no restriction on the type of data that can be collected and who it can be collected from. This is the most violative form of data retention. Limited data retention The last type of data retention is that permitted by Indian surveillance law—data retention for a specific purpose and for a specific period of time. This is the least violative form of data retention. For example, the Government may direct an internet service provider (ISP) to retain and monitor the communications of a particular region on receiving a terrorist threat. Or the Government can order an entity like WhatsApp to decrypt and monitor the messages of a suspect. The Supreme Court of India has always ensured privacy It is to be seen which type of data retention will be chosen by the Indian government in their current endeavor to frame rules under Section 67C. There is scope for regulations that violate people’s privacy. It is very likely, however, that a public outcry against any such laws violating privacy will have the Supreme Court’s support. For example, telephone interception is permitted by Section 5(2) of the Indian Telegraph Act, 1885. The Supreme Court upheld the validity of telephone interception, but subjected it to a number of safeguards that were absent in the Act. This includes limiting the time and purpose of the interception. Even when the validity of blocking of websites under Section 69A of the IT Act was challenged, the Supreme Court upheld it only on account of the number of procedural safeguards contained in the rules. The reactions of the Supreme Court to surveillance without adequate safeguards in the past are therefore very encouraging. The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.