The Pegasus snooping row continues to haunt BJP and India’s national security again after two years. It was in November 2019 when reports of a breach of data of few Indians via Whatsapp by Pegasus broke out in public. A lawsuit was filed by Whatsapp on 31st October 2019 in a Court in California, USA alleging that the Israeli NSO Group had targeted some 1,400 WhatsApp users globally with this spyware and had violated US and California laws as well WhatsApp’s terms-of-service.

Whatsapp alleged the NSO group by saying that the spyware Pegasus was sold to multiple government and private agencies due to which hundreds of Indians might also have been affected. On 20th May 2019, this vulnerability was communicated by Whatsapp to CERT-In (the Indian Computer Emergency Response Team), which is a government-mandated information technology (IT) security organization. The purpose of CERT-In is to respond to computer security incidents, report on vulnerabilities, and promote effective IT security practices throughout the country.

According to WhatsApp, during April-May 2019, NSO used WhatsApp servers, located in the United States and elsewhere, to send malware to approximately 1,400 mobile phone users globally. After this, the debate on this issue took place in Rajya Sabha in November 2019 and further saw no attention for the next two years until now. It was the Justice BN Srikrishna Committee report that suggested a data protection bill which is still pending before a Joint Parliamentary Committee. Even though the Right to Privacy has been termed as the fundamental right under Article 21, the government under the Telegraph Act of 1885 and the Information Technology Act, 2000, can intercept the communication ‘legally’ for specific reasons. Thus, it will be a laborious task to get justice for all those who have found their names recently in the Pegasus list.

What does the Law Say About Snooping and Surveillance? Do these laws protect the Right to Privacy?

The request for interception of communication can occur only through a senior police official, moving towards the Home Secretary and then final approval from a committee headed by the Chief Secretary of the State or the Cabinet Secretary at the Center. The reason behind the surveillance should only be ‘in the interest of the sovereignty and integrity of India’.

Only a detailed investigation of this issue can reveal whether the snooping was done by the government, or by any government officials who might have misused his/her power, or some private party hacked it which becomes a cause of concern for our nation! According to a report published by Software Law and Freedom Centre (SFLC), more than 1,00,000 telephones are intercepted by the government every year. 

If we look at the U.S, Electronic surveillance is considered a search under the Fourth Amendment which protects the citizens from arbitrary search and seizure. The U.S law prescribes for the route under which first a warrant has to be obtained from the court in each case and the search to be conducted has to be justified. Apart from this, a specific time period has to be mentioned during which the surveillance will be conducted and the portion of the conversation to be intercepted has to be mentioned too! 

Can Any Government Buy the Pegasus Software? 

The snooping row has taken a whole new turn. The owner of the software made a public statement saying that the ‘potential’ list being circulated is in no way associated with the NSO group. The BDS Movement or Qatar could be behind this whole controversy, said the CEO. He also assured that an internal inquiry will be conducted in his company and if it is found that some client used their system to track journalists or human rights workers, they will be cut off immediately. 

There are four rules on the basis of which the NSO group runs. These are : 

  • Sell the software to only governments, and not companies/individuals. 
  • Don’t sell the software to every government. Not every government in the world should have these tools. 
  • Don’t activate the system, just install it, instruct the user how to use it, and leave.
  • Work under the Defence Ministry’s regulatory oversight.  

Need for a Privacy Law in India: Privacy Delayed is Privacy Denied

It’s been more than two years since the people of India have got the Right to Privacy as the fundamental right but still, the government has failed to provide a law to exercise this effectively. The PDP Bill has still not become an Act. Since the private bodies do not constitute ‘state’ within the meaning of Article 12 and the Indian Constitution does not allow writ remedies against the purely private bodies, Indians have very limited recourse available under Section 43A of IT Act, 2000 read with Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Privacy Rules). 

Indian individuals can claim compensation from the corporations only if there are issues with the data related to ‘sensitive personal data which only includes defined categories of information like instance, passwords, health data, financial data, or biometrics. The list of ‘sensitive personal data can also include phone numbers, home addresses, political opinions, religious beliefs, or any other personal information, but these are not covered under the Privacy Rules. Quite a few people have been able to claim compensation under Section 46 of the IT Act.

It will also be difficult to file a writ petition against the state if a private party breaches citizens’ privacy and can easily escape from it saying that the government failed to prevent the breach. Also, a major reason why the Right to Privacy is always neglected is that neither the government nor the businesses get any incentive to respect our privacy. The Indian Courts can still intervene and impose such responsibility on the state. 

Analyzing the Surveillance Law In India

The whole debate of sharing the data and surveillance would stop if everything is carried out under a judicial warrant. The absence of privacy law or any independent body like the Privacy Commission deprives Indians of necessary safeguards.  It was in 2012 when the Planning Commission published a report by Justice AP Shah on Privacy Issues. According to the report, the national privacy principles of India should be the following : 

Principle of Notice

• Principle of Choice and Consent

• Principle of Collection Limitation

• Principle of Purpose Limitation

• Principle of Access and Correction

• Principle of Disclosure of Information

• Principle of Security

• Principle of Openness

• Principle of Accountability 

With the help of Privacy Commissioners and Self-regulating organizations (SROs) and co-regulation, it would be easy to implement and enforce the policies in a wide range of industries. Just like the IT rules 2021, an Alternate Dispute resolution Mechanism should be developed that includes provisions for offenses, penalties, and remedies in the Privacy Act. 

Under the Indian Telegraph Act, 1885, draft rule 419B should be adopted with immediate effect. It will require the disclosure of Call Data Records (CDR) or Call Detail Records, to the law enforcement agencies. The court must be provided with documentary evidence before the disclosure of such records which will prove that such disclosure is necessary to protect an individual from a possible threat. The draft rule should be amended according to the Justice AP Shah Committee report.

With respect to Section 67C of the IT Act, the data retention period must be specified. Not mentioning the time period to retain the data can easily create chances for potential abuse and deprive a citizen of their “right to be forgotten”. Different types of data should have different retention periods. After the retention period is over, the data should be destroyed and if the authorities want to store the data further, then conditions must be specified for that too! Similarly, section 80 of the IT Act that allows police officials to conduct searches and seizures in public places without a warrant, should be amended by listing down the conditions under which the search can take place. Everything should be done with the help of a judicial warrant. 

While the government can take any action under the law, stating it to be of national interest. Phone tapping of ministers, journalists, and social activists can be easily justified by the government and in the end, citizens won’t have the time, money, and mechanism to seek any help. It is high time that the Parliament passes the PDP Bill and the government further works to draft a privacy act too! Implementing the Right to Privacy on the ground will be a gift from the government to the citizens of the largest democratic country. 

References : 

  1. Legal Options for those who have their names in Pegasus Snooping List
  2. Justice AP Shah Committee Report


DISCLAIMER: The author is solely responsible for the views expressed in this article. The author carries the responsibility for citing and/or licensing of images utilized within the text.