Privacy Laws vs. Criminal Investigations in India: Balancing Technology with Public Safety

Digital technology has revolutionised communication, data storage, and information access. However, it poses challenges in balancing individual privacy with public safety. In India, this unpredictable balance is threatened by rapid technological advancement coupled with an evolving legal landscape. The digital age has brought forth significant challenges in balancing privacy rights for demands of criminal investigations. This rapid increase in the use of technology has created an imbalance between the privacy of an individual and the safety of the public.  The relatively slow pace at which legislative and judicial responses are laid down is also creating a path ahead filled with intricacies related to the issues between privacy protection and public safety. This article covers these issues by analysing the shaping of the legal landscape in India concerning privacy, communications security, and the issue of access by law enforcement to encrypted communication, besides the evolving legal boundaries of surveillance.

Evolution Of Privacy Laws In India

The legal regime relating to privacy in India has undergone significant alteration, especially after the landmark judgement of the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India (2018). In this case, it was held that the right to privacy was indeed a fundamental right under Article 21 of the Indian Constitution. This judgement set the ground for a more robust regime of protection against violations of the privacy of an individual by laying down the necessary ground for framing of legislation and subsequent judicial decisions. However, such a right to privacy is not absolute; there are certain exceptions. These exceptions are primarily related to national security, public order, and criminal investigation.

The Information Technology Act, 2000 was thus one of the first attempts to address the issues related to digital interactions. It also includes data protection and cybercrimes. It has had its fair share of criticism because many point out that it is outdated in light of rapid technological advancement. To that effect, and to make amends for the aforementioned omissions, the recent Digital Personal Data Protection Act, 2023 aims at establishing a recent data protection system, similar to global standards such as the General Data Protection Regulation. The DPDP Act aims to regulate the processing, collection, and storage of personal data in a manner that would allow individuals to exert more control over their information.

Encrypted Communications: Boon To Privacy, Challenge To Law Enforcement

Encrypted communication is considered one of the major challenges for achieving a balance between privacy and criminal investigation. Encryption is a vital technology that safeguards digital communications' confidentiality by making sure that the digital message can only be readable by the receiver of the communication. This necessarily creates something very difficult for law enforcement agencies because they might need to intercept these messages during an investigation.

WhatsApp and Signal are similar encrypted messaging apps that have come into prominence, and it looks like a problem for law enforcement in India. These services have used end-to-end encryption so that even the service providers themselves will not be able to access the content of messages. This fully ensures privacy for users but, at the same time, is viewed as a formidable barrier in investigations, especially those involving terrorism, organised crime, and other serious offences.

Others have even suggested making "backdoors" or special mechanisms that would allow law enforcement to decrypt communications when necessary. However such proposals have met with strong opposition from privacy advocates and technology companies. These opponents argue that weakening encryption could compromise the security of all users. This will further expose them to potential cyber threats.

Law Enforcement Power To Access Data 

The question of how law enforcement accesses data in India is another important issue in the context of balancing privacy with public safety. Essentially, digital data stored on servers, smartphones, or other devices tends to be an important part of any criminal investigation that law enforcement agencies need to conduct. On the other hand, there are rigid legal boundaries to avoid misuse and protect individual privacy when it comes to access to this data.

Application of the IT Act and its series of amendments represents the legal procedure for data access in India. The law allows law enforcement agencies to request data from service providers or individuals, provided due process is followed by the issuance of a warrant or court order. Notwithstanding these rules, there is still an apprehension of overreach by law enforcement agencies in cases of mass surveillance or mass data collection sans due oversight.

More recently, the problem of cross-border data access has remained an additional issue of complexity. It is a big problem to have access to information housed on servers located outside India. The US Clarifying Lawful Overseas Use of Data Act- for example -provides a way to meet that challenge by creating a framework for accessing cross-border data. However such legislation may give rise to questions related to jurisdiction and conflict with privacy laws of other countries.

Legal Boundaries Of Surveillance

Surveillance practices in India have given rise to debates over the balance between the protection of life and liberty, and the right to privacy of individuals. It includes tools assisting police and other law enforcement to keep surveillance and track crimes, such as CCTV cameras, face recognition, and phone tracking. At the same time, they raise concerns about privacy and mass surveillance.

Legal constraints on the surveillance of data depend on the contents of statutory law, court judgments, and constitutional safeguards of that country. The legal framework necessary for the supervision or interception of communications is provided by the Indian Telegraph Act, 1885, and the IT Act. These statutes are more often considered outdated and quite frail in terms of guaranteeing protection to privacy.

Digital Personal Data Protection Act, 2023

The DPDP Act balances the scales for an individual's right to privacy with the requirement for processing data for lawful purposes, including investigation of crimes. While the Act institutes detailed principles for the protection of data, it allows for very strong exceptions in the case of law enforcement agencies.

Exemption in respect of the Act:

• Criminal investigations: The provision of the Act, particularly Chapters II and III, dealing with obligations of data fiduciaries and rights of data principals, respectively, shall not apply if the processing of personal data is necessary for the "prevention, detection, investigation, or prosecution of any offence" or contravention of Indian law. This exemption provides a wide mandate to law enforcement agencies in the processing of data regarding criminal investigations without being subject to the usual data protection requirements.

• National security and public order: The Act exempts certain state instrumentalities from some of the most important data protection obligations, such as data erasure and rights to correction or erasure, for processing in the interest of national security, public order, or prevention of incitement to cognizable offences. In particular, this grant enables the government to overlook certain data protection principles on grounds of national security and public order concerns.

• Law enforcement: The data fiduciary shall share personal data with law enforcement agencies based on a written request by such agency for the prevention, detection, or investigation of an offence or a cyber incident. This therefore overrides all other mandates on sharing data with any third party and, therefore, underscores the privileged access that law enforcement enjoys over data.

The Act recognises that the police and other law enforcement agencies must have access to and process personal information relating to the investigation of crimes and other matters affecting national security. However, the Act does not go on to provide the nature of specific safeguards or oversight mechanisms relating to processing by law enforcement.

The Information Technology Act, 2000

The main focus of the Act is to give legal recognition and regulate the cybersecurity of all forms of electronic transactions. Here is how the Act approaches the balance between the use of technology and public safety:

• Issue of directions for interception, monitoring or decryption: Under Section 69, the Central Government and the State Governments have, altogether, overriding powers of interception, monitoring, or decryption of any information transmitted, received, or stored in any computer resource. This condition prima facie gets exercised if necessary for such reasons as:

  • Sovereignty and integrity of India

  • Defence of India

  • Security of the State

  • Friendly relations with foreign states

  • Public order

  • Preventing incitement to cognizable offences

  • Investigation of any offence

While the Act requires recording of reasons for such action in writing, it does put the national and public interests above the privacy concern of the individual related to the digital information.

• Power to block public access to information: Section 69A empowers the Central Government to block information to prevent activities that threaten national security, sovereignty, public order, or preventing crimes, which becomes imperative. This reflects that the Act has put much emphasis on public order and national security concerns, even when access to information needs to be restricted.

• Assistance to law enforcement: Section 69(3) provides that a person and intermediary shall extend access to information or technical assistance, as may be specified by the law enforcement agencies, failing which there is imprisonment, or/and fine, thus indicating the gravity of the law..

• Protected systems and critical information infrastructure: Under the Act, the government can declare a particular critical information infrastructure as a "protected system" and permit access to it only to authorised personnel. Unauthorised access shall be punished, thus securing vital infrastructure.

• Penalty for data breach and privacy violation: While the Act is itself a protection against misuse of technology, it has laid penal provisions about hacking, data breaches, and violation of privacy under Sections 43 and 66E:

  • Section 43: This section contains provisions about unlawful access to the computer system, data breaches, spreading viruses, and damaging the network. Penalty in the form of compensation to the affected persons.

  • Section 66E: Capturing, publishing or transmitting the image of a private area of any person without consent along with imprisonment attracts fines.

• Limited recognition of privacy in confidentiality and non-disclosure: Sections 72 and 72A, respectively, provide for penalties for disclosure of information without authorization and for misuse of personal data obtained under lawful contracts. This goes to show that limited protection is extended in privacy.

The key observations from the Act are as follows:

• DPDP Act, 2023- A Change in Direction: In this regard, it must be noted that the IT Act, 2000, preceded India's more full-fledged data protection regime provided under the DPDP Act, 2023. The latter statute laid down a much more fair and stringent regime of data protection principles and rights for the data principals. However, as we said, even the 2023 Act keeps several of these exemptions in place for law enforcement agencies during criminal investigations, showing how the scales of balance between privacy and security continue.

• Explicit safeguards against police action not provided: While the IT Act points in the direction of a proper balance between concerns for privacy and security, it does not go into specific details regarding safeguards or oversight mechanisms in regard to access and processing of data by police agencies. This becomes a very important safeguard against misuse of broad discretionary powers given to police agencies and violation of individual rights.

The Indian Telegraph Act, 1885

This Act regulates telegraphs but is silent on modern privacy laws or data protection. It was, in fact, enacted to address telegraph infrastructure and its operations and hence pre-digital era.

Key provisions:

• Government interception: Section 5(2) permits interception by the government in emergent conditions due to national safety or public security. Thus, this is a security-friendly provision with some regard for privacy, provided such interception should be duly justified in writing.

• Press messages: Although interceptions are allowed, the Act grants protection for press messages from accredited correspondents if that has not been prohibited under Sec 5(2).

• Confidentiality offences: The Act has made any unauthorised act affecting message secrecy, whether by tampering with or unauthorised disclosure, an offence.

Considerations

• Outdated application: The Act designed in the 19th century does not account for the forms of communications today

• No protection of modern data: Unlike the DPDP Act, 2023, the Telegraph Act deals with no modern data protection or rights of data subjects.

The Supreme Court of India has iterated that “judicial oversight and safeguards must be undertaken so that the surveillance powers are not misused.” Cases such as People’s Union of Civil Liberties vs. Union of India (2003) have pointed out the deficiency in framing clear guidelines and ensuring accountability on issues related to surveillance. These judicial pronouncements and the regulatory framework for modern technologies, like facial recognition and geolocation tracking, are still in their initial stages. It directly raises concerns about the privacy and civil liberties of people.

Ethical And Social Implications

The issue of balancing between the privacy of an individual and public security has certain ethical as well as social implications. These are as follows:

1. Ethical issues to consider:

• Utilitarian view: The loss in terms of privacy would be gained regarding safety and the prevention of serious harm. There might be times when one has to sacrifice privacy for a greater degree of security.

• Deontological view: In this case, one should not disclose or violate basic privacy rights even if benefits are potentially resulting from such situations. Again, it focuses on individual control and self-respect.

2. Principle of proportionality: Accordingly, it requires the level of threat to be balanced with the level of surveillance. Undue or non-discriminating surveillance can be considered unethical, or it can even be a violation of privacy.

3. Slippery slope: Any compromise in privacy will, over time, lead to more and more intrusive measures, normalising widespread surveillance and erosion of democratic values.

Effects on individuals

1. Freedom and choice:

• Chilling effect: The knowledge of being watched by "Big Brother" can decrease creativity and self-expression.

• Psychological effects: The knowledge that you are constantly under surveillance will increase anxiety and stress levels.

2. Trust in institutions:

• Erosion of trust: Excessive or untransparent surveillance erodes public confidence in an institution and questions the institutional commitment to the protection of individual rights.

• Legitimacy: Transparency and accountability are key elements in sustaining public trust.

3. Social inequality and discrimination:

• Targeting and bias: This would include practices that may affect marginal groups, leading to discrimination.

• Data security: Data breach incidents or other forms of data abuse may lead to severe consequences for individuals, such as identity theft, and financial loss.

That is, a balance between privacy and public safety has to be shaped in relation to ethical principles and taking into consideration such broad impacts on the protection of individual freedoms and societal trust.

Balancing Technology And Privacy

It is complicated to find a balance between technology and privacy. The laws must be updated according to the pace of current technology. The DPDP Act is a giant leap forward, but it requires further fine-tuning and more adjustments to handle new technological developments.

Both needs of privacy and law enforcement can be met with advanced technologies. For example, privacy-enhancing technologies anonymize and encrypt data with controlled access to protect privacy while allowing investigations. Homomorphic encryption (mathematical operations to be performed on encrypted data without compromising the encryption) and secure multiparty computation are innovative techniques that enable encrypted data processing without breaking its security.

This would mean a consolidation of control rules to ensure that the powers of surveillance and access to data are performed within legal and ethical boundaries. It would further enable transparency regarding the application of such powers and would be able to generate public confidence through the safeguard of the rights of the individual. Other measures could include independent review bodies, greater transparency of the utilisation of surveillance technologies, and stronger sentencing of those convicted of misusing data.

Conclusion

The challenge facing India today is to strike an appropriate balance between the laws on privacy and the needs of criminal investigation in our modern digital world. Laws must be updated, new technologies deployed, and careful oversight exercised to achieve protection for both privacy and public safety. Efforts toward this must be weighed carefully against the risks and benefits involved, with justice, transparency, and accountability as guiding principles.

This balance cannot effectively be achieved without the cooperation of governments, technology companies, and the general public. In that respect, policymakers, technology experts, and civil society need to come together and establish laws that protect human rights while at the same time advancing the course of law enforcement agencies. The legal and regulatory frameworks of India during this process will be important in determining what exactly would be the extent of privacy and public safety in the times to come.