Recent news reports provide a sneak peek into the blueprint for the National Cyber Coordination Centre in India. According to a 2012 Report of the Institute for Defence Studies and Analysis, India’s intelligence agencies and their policy development wings are extremely fragmented. Thus, the decision to prefer a central authority that would coordinate between different intelligence departments is good, and should be heralded. However, surveillance strategies typically raise concerns over the right to privacy. Surveillance agencies are empowered to monitor, record, and intercept communications that may even be private, and access stored private information. While intelligence collection is required for ensuring security, procedural safeguards are required to ensure that the right to privacy is not violated. In this article I discuss privacy concerns in the context of their accountability to the electorate and hope to provide a solution that treads the fine balance between right to safe and secure environment and the right to privacy.
The devil lies in the details
Not all intelligence and information collection agencies in India are established under a statute. For instance, National Intelligence Grid (NATGRID), Unique Identity Authority of India (UIDAI now proposed to be replaced by the National Identity Authority of India), Intelligence Bureau (IB), do not have statutory backing. Other agencies, such as the Computer Emergency Response Team-India (CERT-In) and National Infrastructure Information Protection Centre (NIIPC), have been envisioned under the Information Technology Act, but its structure and procedures have not been dealt with. Right to private communications was held to be a fundamental right by the Supreme Court of India under Article 19 and 21. However, communications can be intercepted in case of “public emergency” or “in the interest of public safety”.
Checks against agencies that conduct surveillance and collect information are often not borne out of the enactments under which they are constituted. For instance, the Telegraph Act did not require surveillance agencies to adhere to procedures that protected the right to privacy. It was only after the Supreme Court delivered its decision in PUCL vs. UOI (1997), Rules were notified to provide safeguards to privacy in case of interception of telephone calls. The Rules require permission to intercept from the Home Secretary, which are reviewed by a Review Committee. Similarly, the Information Technology Act, 2000 does not provide guidelines to Computer Emergency Response Team-India or the National Infrastructure Information Protection Centre on how they may use surveillance powers. Under various provisions of the enactment (Sections 69: interception or monitoring or decryption of any information; and Section 69B: monitor and collect traffic data or information) the government is empowered to monitor online communications. The enactment however delegates the power to specify procedural safeguards to surveillance. Admittedly, the safeguards provided under the Telegraph Act have been notified under the IT Act as well. But the question remains, should the manner in which a fundamental right can be impinged, even on the ground of public interest, be left to the discretion of the executive?
While delegated legislation has developed to provide procedural safeguards to surveillance activities, there is merit in statutory provisions to this effect. Delegated legislation, such as Rules and Regulations, do not require prior approval of the democratically elected representatives. They are neither proposed by a member, or subject to in-depth scrutiny by a parliamentary committee that has expertise on the subject. Rules are deemed to be passed by the parliament once they have been tabled for a period of time, unless they are specifically objected to by a member. Past experience is telling in this respect. The Information Technology Rules, 2011 relating to the rights of citizens to express themselves on the internet are in force despite an assurance to review the Rules by the Minister for Information Technology. On the other hand, statutes undergo rigorous scrutiny by the parliament and allow for citizen engagement at various stages of development. A number of information collecting, sharing and monitoring agencies have been set up without concomitant legislations. The UIDAI, which is established under the Planning Commission, is not a statutory body.
Similarly, the Crime and Criminal Tracking Network and System, launched by the Home Ministry, is not sanctioned by Parliament. The NATGRID, which links various databases between intelligence and investigative agencies on the one hand and service providers, such as telecom companies, banks, etc, to enhance our counter terrorism capabilities is also not established through an enactment. Functions performed by these entities and the powers they wield are likely to impinge the rights of citizens to privacy. These bodies are not guided by statutory principles for protecting the fundamental right to privacy. Therefore, the need for accountability in relation to these agencies is higher.
Parliamentary scrutiny of surveillance agencies
Indian law enforcement, surveillance and security agencies have preferred to stay in shadows, protected from demands of accountability. While these agencies are responsible to the parliament through the Ministers, their accountability has been limited as: (a) there is no requirement for ministries to provide detailed reports about the functioning of these agencies to parliament; (b) annual reports that discuss their working are very skeletal (see here at page 24 – MHA’s annual report that discusses NATGRID). These agencies are also exempt from scrutiny of citizens under the Right to Information Act. The RTI provides a blanket exemption to intelligence agencies such as IB and RAW and to other agencies when the information dealt with is sensitive in nature.
While such protections are warranted, given the nature of the information that they deal with, adequate mechanisms for accountability need to be developed to ensure that these agencies function within the fold of the policies envisioned by the legislature and the rights it seeks to protect. The parliament, as the representative of the people, has the onus to ensure that agencies established by the government function according to the demands of national interest. This may be done through means of direct accountability of officers from these agencies to the parliament, frequent detailed reports of their working, and institution of a parliamentary committee that oversees intelligence agencies across ministries. In developed democracies, intelligence agencies are responsible to the legislature and have to frequently justify their actions to the elected representatives.
For instance, the Government Communications Headquarters (GCHQ) that conducts surveillance in the UK, is responsible to the Intelligence and Security Committee, which comprises parliamentarians though it is not a parliamentary committee. Government officials are statutorily required to share information with the Committee. The Committee is answerable to the PM and through him to the parliament. The Committee Reports are debated in parliament. In response to the recent allegations arising from the Snowden leak, that the GCHQ relied upon the US surveillance systems to monitor British citizens, the agency is due to submit its report to the Committee. On the basis of the Report, the Committee will decide its future action. Such scrutiny ensures that agencies maintain the balance between national security and individual liberties. It also helps the legislature innovate solutions in real-time to circumstances such as those in the UK today.
Need for Safeguards against “Big Brother”
The fractured politics of today have made the Opposition voices stronger. The decision to roll-out National Counter Terrorism Centre was shelved when it was rejected by various regional party led governments. Any move to increase surveillance, needs to be balanced with safeguards of parliamentary oversight and statutory protection of the right to privacy. In the absence of these rudimentary good governance checks and an overarching law on privacy, the surveillance program would fail to secure the people’s buy-in and only increase the trust deficit between the elected and the electorate.
The Report of the Group of Experts on Privacy too had noted the importance of accountability to ensuring privacy. It stated that “accountability provides directions for enterprise wide implementation of privacy. For the commitment to accountability, organisations are expected to undertake a trust building exercise in respect of its responsibility towards privacy.” How the government will undertake trust building exercise remains to be seen.