Listen to this article:
Mumbai: On October 31, 2022, the Delhi police raided the New Delhi and Mumbai homes of The Wire’s founding editors Siddharth Varadarajan, M.K. Venu, Sidharth Bhatia, deputy editor Jahnavi Sen and business head Mithun Kidambi, taking away phones, computers and iPads.
The raids were in connection with a case of alleged defamation, forgery and cheating registered against the editors based on a complaint by the Bharatiya Janata Party’s Amit Malviya for a series of reports that were retracted by The Wire upon finding them inaccurate.
Hard disks from two computers used by the company’s accounts staff were also seized. The raiding teams reportedly sought, and took, passwords to official and personal email accounts belonging to one or more staffers, and asked some of those raided to disable passcodes from their devices.
According to a statement issued by The Wire, no hash value (a unique numerical value issued to maintain integrity of digital data) or cloned copy was given at the time of seizure.
Article 14 has reported earlier that rules in India regarding search, seizure and admissibility of electronic evidence fail to address the distinct and vulnerable nature of digital evidence. India lacks a clear legal framework on minimum evidence-gathering standards to render such digital evidence admissible.
In 2021, a group of academicians filed a writ petition in the Supreme Court seeking guidelines on how academic work held within digital devices must be treated after a police raid and seizure.
In its response to the petition, the Union Ministry of Home Affairs said an “accused cannot claim the right to privacy” when computers, tablets, laptops, mobile phones, etc are used for committing crime or may have vital information related to a crime under investigation.
In August 2022, the Supreme Court asked the government to file a detailed affidavit, with reference to international practices, on search, seizure and preservation of digital and electronic data. On November 2, a Delhi court ruled that it was unconstitutional for an investigating agency to demand the password of an electronic device.
In its July 2018 report, the committee of experts on a data protection framework for India stressed on “informed consent” for processing of personal data and recommended, besides a high-powered statutory authority for enforcement, deterrent penalties for wrongful processing of data.
While the draft Bill submitted by the committee was amended, introduced in Parliament and later withdrawn by the government, chairman of the committee, Supreme Court Justice (retired) B.N. Srikrishna, told Article 14 that the absence of a law on protecting data privacy opens the gates for police to interpret existing rules on search and seizure. Indeed, police should be required to follow a separate search and seizure procedure for collecting any digital evidence from devices, he said.
“Police must be able to demonstrate the need to gather the data without consent,” said Srikrishna, 81. “Simply saying the purpose is a criminal investigation is not adequate, in my opinion.”
Without such a legal framework that has passed the test of constitutionality, any coercion in collecting personal data as evidence in an investigation would be an invasion of privacy and an infringement of a Constitutionally guaranteed fundamental right to privacy of personal data, he said.
Excerpts from the interview.
What are the codified rules and laws governing the privacy of the data on our devices today?
Currently, there is no law at all today for personal data privacy. The only law today is under the IT Rules which are patchy, inadequate and not comprehensive. The law on personal data protection was recommended by the Committee of Experts for recommending a Data Protection Framework for India (which I chaired). The committee recommended it in 2018 along with the draft Bill. That Bill went through several revisions at the hands of bureaucrats and ministers before it became the Personal Data Protection Bill, 2019. This Bill was sent by the Parliament to a joint parliamentary committee, which made extensive changes to our draft, added some 85 amendments before it was withdrawn due to criticism from all quarters.
Today, other than the IT rules, there is nothing in India that deals with personal data protection. The provisions in the Indian Penal Code, 1860 cannot be directly applied to data.
They are provisions that can be applied with regard to physical objects when investigating a crime. How to seize data is not something of a grey area in the absence of a comprehensive law.
In the absence of a data privacy law, what are the dangers that citizens face?
The danger in the absence of a clear-cut law is that the police will interpret the law in any manner that is convenient to them. The data is on your computer; that data the police cannot touch without your consent. Even under the IT Rules, there is a consent provision. There should be a separate warrant to seize the device and a separate procedure to search and seize data electronically.
Personal data privacy has been declared to be a fundamental right. This fundamental right arises from Article 21 of the Indian constitution, which guarantees your right to life and liberty. The police cannot say they can shoot you and kill you. Nor can they say, I’ll come and take you away, because there is a law which deals with the manner of and limits subject to which the fundamental right under Article 21 can be abridged, like the Criminal Procedure Code (CrPC) 1973.
Under the CrPC, the police need to obtain a warrant to enter your house or arrest you. The same principle should apply if they’re dealing with data, because data privacy is also a fundamental right under Article 21. It is as sacrosanct as one’s right to life and liberty, both of which are protected under Article 21.
Therefore, data privacy cannot be taken away, unless there is a valid law passed by the appropriate legislatures. First, such a law must be passed by the legislature, no executive action can abridge this fundamental right. Secondly, the law must declare why it wants to infringe the fundamental right under Article 21.
Finally, they will have to demonstrate that it was required to be done and could not be done by a different method. You want to kill a mosquito, you would use a swatter, not a howitzer. This is known as the doctrine of proportionality, which has to be maintained.
It is only when these three principles are scrupulously observed can the law pass the test of constitutionality. It can then be said that the state has the authority to take your data without consent, for a legitimate purpose, and in a manner that is proportionate and for the objective to be achieved.
Do Indian citizens have the right to protect themselves against incriminating themselves?
That is under the constitution itself. Under Article 20(3), no person accused of any offence shall be compelled to be a witness against himself.
The right against self-incrimination must be read along with the CrPC, which also has similar provisions.
For the understanding of citizens who may face a police raid, in the absence of a data protection law, what are the rights that the constitution accords? Am I allowed to tell the police that I will not give up my passwords?
Now the courts have held that the accused in a criminal case cannot be forced to give the password of his electronic device, even if the investigating agency takes it away.
They may do what they like, even break it, but the accused is not obliged to give investigators the password.
Only recently there has been a court ruling on this reported by newspapers. The accused cannot be forced to give police their passwords.
The police probably don’t even know this, nor the public. Just like procedures such as a narco analysis would require consent, it is similar with data protection. Narco analysis is not permitted without the accused’s consent, because it is an infringement of his fundamental rights. It would be the same with passwords. Both situations are covered by Article 20(3) of the constitution.
Is such invasion of privacy an infringement of citizens’ rights?
Yes, very much, it is an invasion of and infringement of a fundamental right. Everyone has a constitutional right of protection of personal data, and seizing the data must be warranted under a constitutionally valid law. That is what we recommended in the report. That is precisely what the Supreme Court has said too. Fundamental rights like the right to privacy cannot be taken away except by a valid legislative mandate. And that legislation must declare why it is taking the right away.
If you remember the 2019 Bill, it simply said the government could without consent access private data on vague grounds, like for protection of sovereignty and so on. That was utterly illegal, according to me. Fortunately, the 2019 Bill was withdrawn.
Police must be able to demonstrate the need to gather the data without consent. Simply saying the purpose is a criminal investigation is not adequate, in my opinion.
When a policeman comes and knocks on your door, what do you tell him? Why are you coming here? If he wants to take you to the police station, you would say show me the arrest warrant. There are multiple Supreme Court judgments that lay down how police officers are to behave during an investigation, how the police are to deal with the accused and more. Unfortunately, those are not being followed.
Whether it was the Bhima Koregaon investigation or The Wire case, investigating officers and raiding teams have failed to provide a hash value or cloned copy of digital evidence. How serious is this breach of procedure?
If they raid an office and take documents, they are obliged to give a copy, a signed copy, of whatever document or objects that are seized and taken away. There is no reason why this principle should not apply to seizure of data or devices containing data. If an article is taken that contains data, a clone or a hash value must be provided.
Even in a fresh legislative exercise, the basic approach of those drafting the new law must be to make sure that the requirements of constitutionality are fulfilled. Those are the three principles I gave you.
One of the reasons for seeking private data may be in furtherance of investigation. But when officers come to take this data, why is it that they do not follow the requirements of the CrPC? In a criminal case, investigators will seize a weapon, other objects, like a vial of poison, etc, and do a panchnama (a record of witness testimony). If the material seized is data, why should this not be done? What is the difference? The fundamental right to privacy of data arises from the same Article of the constitution.
The law that was withdrawn would have slid us into an Orwellian state where personal data is seized ostensibly for an investigation in violation of constitutional principles and the right to personal data privacy, leaving free Big Brother to constantly snoop on the citizens. I’ve said that before. There was an order during the pandemic that made the Arogya Setu app mandatory for some things, and I spoke up to say this was utterly illegal. The authorities promptly modified the order to say that Arogya Setu was not mandatory, but optional.
What should civil society do?
Educate people, move the courts. The constitutional courts are established to act as bulwarks against unconstitutional and illegal action by state authorities. You can knock at the door of the court. If the court is not sensitive, educate people, and protest democratically without crossing the borderline of law. That is the only other resort available to the people.
This interview published with permission from Article 14, a website focussed on research and reportage on issues related to the rule of law.