Privacy in Digital Age: Judicial Approach in South Asia

Abstract

With the advent of Information and Communication Technology (ICT), every aspect of human life has become heavily dependent on information systems, electronic tools, and networks. The use of information technology has eased daily life and business. Information technology is advancing day by day. New technologies like Artificial Intelligence, Machine Learning, the Internet of Things and other similar technologies intervene more seriously in human life than ever. These technologies are facilitating real-time communications and information sharing and thereby enhancing the enjoyment of democratic practices and developments. At the same time, new threats and vulnerabilities have also emerged in the use of these technologies. One major issue that has emerged through the intervention of information technology is the privacy of the individual. Information technology is contributing to the development and collection of more digital data about individuals than ever. Data automation, collection of data from various public services like e-commerce and e-governance, extraction of individual data through surveillance, and interception of private communications are major issues that are threatening privacy in the digital age. To address these threats and vulnerabilities in privacy, it is important to develop better cyber policy.

POLICY ISSUE

With the advent of Information and Communication Technology (ICT), every aspect of human life has become heavily dependent on information systems, electronic tools, and networks. The use of information technology has eased daily life and business. Information technology is advancing day by day. New technologies like Artificial Intelligence, Machine Learning, the Internet of Things and other similar technologies intervene more seriously in human life than ever. These technologies are facilitating real-time communications and information sharing and thereby enhancing the enjoyment of democratic practices and developments. At the same time, new threats and vulnerabilities have also emerged in the use of these technologies. One major issue that has emerged through the intervention of information technology is the privacy of the individual. Information technology is contributing to the development and collection of more digital data about individuals than ever. Data automation, collection of data from various public services like e-commerce and e-governance, extraction of individual data through surveillance, and interception of private communications are major issues that are threatening privacy in the digital age. To address these threats and vulnerabilities in privacy, it is important to develop a better cyber policy.

TARGET AUDIENCE

Parliament, Government Ministry, Courts and Law Enforcement Agencies, Human Rights Activists

RECOMMENDATIONS

  1. Cyber law or policy should be developed in an open, transparent, and accountable manner that respects human rights, including privacy.
  2. Inclusive and multi-stakeholder engagement should be adopted for better cyber law and policy.
  3. Judiciaries should step up to protect individuals’ rights, like the right to privacy, when there is a legislative gap.

THE RESEARCH

PROTECTION OF PRIVACY AND DEVELOPING CYBER POLICY

Privacy is the “right to be free from unwarranted intrusion and to keep certain matters from public view” (Law 2015). The Supreme Court of India declared, in Justice K.S. Puttaswamy (Retd) v. Union of India (2017), that the ‘right to privacy is protected as an intrinsic part of the right to life and personal liberty’. Cyber policy is a generic term covering various issues in cyberspace, and digital privacy is one of them. A better cyber policy also includes a better legal and policy framework. With technological advancement and its intrusion into individual privacy, there is growing concern about developing a better legal framework. Resolution 68/167 of the United Nations General Assembly (UNGA) expressed deep concern at the negative impact that surveillance and interception of communications may have on human rights. The UNGA affirmed that the rights held by people offline must also be protected online, and called upon all States to respect and protect the right to privacy in digital communication.

Cyber policy requires both governmental and nongovernmental solutions, as well as public education and strong security through technical standards. One major issue in developing cyber policy is to consider the various stakeholders’ interests and harmonize them. Global Partners Digital, a UK-based cyber policy think tank, has identified four elements of a multi-stakeholder approach to developing cyber policy: (i) open and accessible; (ii) inclusive of stakeholders’ views; (iii) consensus-driven and transparent; and (iv) accountable. The Center for Democracy and Technology (CDT), a pioneer tech policy organization based in Washington, USA, has emphasized that policy processes must be based on the principles of openness, collaboration, and a respect for human rights. Any policy should be based on a method that assures consistency of the results obtained through the various development phases and the diverse stakeholders that need to participate in the strategy development process. The development of a strategy should likewise be based on such a method.

BUILDING CYBER POLICY: JUDICIAL APPROACH

There are various stakeholders that contribute to law and policy making. Though laws made by parliament are the major source of law, judiciaries are also important institutions in a common law system. In particular, judgments of the Supreme Courts that lay down principles are considered law in themselves, in the form of precedent. Some court interventions [e.g. US Supreme Court in ACLU v. Reno, 1996] are significant for the development of cyber policies around the world. By virtue of these judgments, robust and better cyber laws and policies have emerged.

In 1996, John Perry Barlow wrote the famous “A Declaration of the Independence of Cyberspace”. It was written primarily in response to the passing into law of the Telecommunications Act of 1996 in the United States. Earlier, Barlow, along with John Gilmore and Mitch Kapor, founded the Electronic Frontier Foundation [EFF] in July 1990 to promote Internet civil liberties. EFF started its defense of digital rights through litigation. The first ever case EFF defended was Steve Jackson Games, Inc. v. United States Secret Service, 816 F.Supp. 432 (W.D.Tex., 1993). For the first time, a court held that electronic mail deserves at least as much protection as telephone calls. In the USA, debates on digital rights grew as there were more attempts to pass new laws to control digital rights. 1997 was another milestone in defending digital rights. That year, the American Supreme Court, in ACLU v. Reno, struck down the 1996 Communications Decency Act, which censored the Internet by broadly banning “indecent” speech. Since then, Congress has passed a number of versions of the Child Online Protection Act (COPA), a federal law that would criminalize constitutionally protected speech on the Internet. Each time, the law has been challenged by the ACLU and declared unconstitutional.

In Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (19 January 2017), the Australian court discussed whether the mobile phone network information and incoming call information held by the operators were “personal information”. It also examined whether anonymous mobile network data, such as geolocation data and URLs visited, might still be “personal information” because it could be linked to identifying subscriber and billing information. The Federal Court held that “personal information includes information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”

In the case of Roman Zakharov v. Russia [2015], the European Human Rights Court tested the legality of the interception of communications. The Court held that there had been a violation of Article 8 of the Convention [ECHR], finding that the Russian legal provisions governing interception of communications did not provide adequate and effective guarantees against arbitrariness and the risk of abuse which was inherent in any system of secret surveillance, and which was particularly high in a system such as Russia’s, where the secret services and the police had direct access, by technical means, to all mobile telephone communications.

In Bara and others versus Președintele Casei Naționale de Asigurări de Sănătate, Casa Naţională de Asigurări de Sănătate and Agenţia Naţională de Administrare Fiscală (ANAF) [Romania], the European Court of Human Rights examined the legality of the transfer of information by state agencies for each other’s use. The European Court of Justice declared that, without sufficient safeguards, such a transfer would violate the protection given by Article 10 of the Data Protection Directive. The Court held that, in order to satisfy the requirement of fair processing of personal data under Article 10 of Directive 95/46/EC, a public sector body must inform the data subjects in advance of the transfer of their personal data to another public sector body for the purposes of the recipient body, unless it has already done so. Furthermore, the recipient controller of the data, in order to satisfy the fair processing requirements under Article 11(1) of Directive 95/46/EC, must also inform the data subject in advance as to its identity, the purpose of the processing and any further information necessary for the fair processing of the data.

BUILDING CYBER POLICY: JUDICIAL APPROACH IN SOUTH ASIA

In South Asia, the judgment of the Supreme Court of Nepal in Babu Ram Aryal, et al. vs Government of Nepal et al. (2016) is one of the leading judgments that laid the foundation for new cyber law, which includes privacy and data protection. In this case, police had reportedly collected call detail records of 500,000 calls and tens of thousands of SMS in the course of the investigation into the 2012 murder of Justice Ran Bahadur Bam, the then Judge of the Supreme Court of Nepal. The Court ruled that it was illegal to provide details of an ‘individual’s private phone call details and SMS’ for ‘unpermitted objectives.’ Moreover, the Court ordered that district court permission be obtained if call detail records and SMS messages need to be accessed for criminal investigations.

In India, Karmanya Singh Sareen v. Union of India (2016), famously known as the WhatsApp Case, is an interesting case in which the right to privacy was put to judicial test. In this case, Karmanya Singh Sareen and Shreya Sethi filed the petition at the Delhi High Court when WhatsApp changed its privacy policy in September 2016 and announced that it would be sharing data with Facebook. The petitioners claimed violation of user privacy and that their data hadn’t been protected. The WhatsApp prosecutor claimed that WhatsApp is end-to-end encrypted, that technically no third party can read the messages, and that the data sharing with Facebook does not include messages, so privacy is not compromised. On 25 September 2016, the Delhi High Court ruled that WhatsApp had to delete the user account information of all users who had opted to delete their account and that it couldn’t share information with Facebook up to the order date. The court recognized the Right to Privacy as a Fundamental Right that should be protected in the digital world as well.

In Shreya Singhal v. Union of India (2013), the Supreme Court decided that Section 66A is vague and causes a chilling effect upon speech, and thus fell foul of Article 19(1). Similarly, the “public order” restriction of Article 19(2) is applicable only to incitement with a proximate relation to public order and not to advocacy. Therefore, Section 66A was struck down on this very ground. In this regard, the court’s major discussion was of three fundamental aspects of freedom of expression: discussion, advocacy and incitement. In the court’s opinion, the discussion or advocacy of any cause, irrespective of its popularity, is the right of the people; however, such discussion and advocacy should not result in incitement.

Muhummad Ruhul Amin Khandaker (Bangladesh), however, is a bad example of a court judgment, in which the High Court Division Bench termed Khandaker’s post a “derogatory statement” and thus sentenced him to undergo three years’ rigorous imprisonment. The decision fails to distinguish between the right of a citizen to voice his opinion about the functioning of the government authorities on any media and a ‘true threat’. Bytes for All v. Federation of Pakistan (best known as the YouTube Case) is a very significant case in which the Pakistani court asked for the localization of YouTube.

BABU RAM ARYAL & OTHERS V. GOVERNMENT OF NEPAL: A REGIONAL MILESTONE

The Supreme Court of Nepal judgment in the case Babu Ram Aryal et al. v. Government of Nepal et al. (2016) is one of the major judgments that led to new cyber legislation, especially privacy and data protection, in Nepal. The case was spurred by a news report in Kantipur Daily, which reported that Nepal Police had collected over 500,000 CDR and 60,000 SMS for the purposes of investigating a murder case [of the late Justice Ran Bahadur Bam, then a sitting Supreme Court Judge]. However, the report disclosed that Nepal Police didn’t get any significant clue from the collected data. Instead, that information was used by Nepal Police personnel for entertainment and possibly for threatening the relevant individuals, including blackmail. Law enforcement agencies were misusing the discretionary power given to them at the administrative level. Up until that point, the Petitioners had assumed that the retrieval of SMS and call records by police probably affected a small number of individuals. The case was filed as Public Interest Litigation at the Supreme Court of Nepal in 2012. After a four-year-long legal battle, the Court delivered the judgment through a joint Bench comprising Chief Justice Rt. Hon. Kalyan Shrestha and Justice Devendra Gopal Shrestha. The Supreme Court upheld the petition filed by the Petitioners. The final hearing was held on 2072/10/21 and the final judgment was published on 2073/10/21. The major principles laid down by the judgment are:

Right to Privacy is privy to the Individual and is related to the right to be alone: The Judgment is very clearly based on legal reasoning. This judgment once again emphasizes that the Right to Privacy is an individual’s very privy and inherent right. A guarantee against any unnecessary intervention by the government or any third party in an individual’s personal work and activities is the objective and substance of the modern-era Right to Privacy. The Judgment also upheld that the Right to Privacy is any individual’s right to remain alone; that is, it is related to the right to be alone.

Right to Privacy denounces any Intervention by Government or any third Party: The Judgment states, “This [Right to Privacy] concept fully denounces any intervention of the government or the third party in any individual’s life. That’s why it is also said that a man without privacy is a man without dignity (Para 2).” The Judgment analyzes the nature and scope of the Right to Privacy very well. It says, “As executive itself shall function under the provision of law. Uncontrolled access to information cannot be prerogative of executive. Instead, [Executive] protect the data bank where such information is stored in any situation and should deny any unauthorized access without specific legal measures even if in exceptional cases. Not protecting or not able to protect or leaking the information and giving the unauthorized access to the information due to fear or influence by other amounts to non-performance of duty and to some extent it is a criminal act (Para 9).”

Any Collection of CDR and other digital information without due process of law is illegal: This case established a milestone precedent on the protection of the right to privacy and data protection, where the final judgment upheld our plea and declared that any collection of information without due process of law is an illegal act, even if it is collected by police for the purpose of investigating a crime. This case also established that the right to privacy is an individual’s privy right and is related to the right to be alone. This case also established that the concept of the right to privacy fully denounces any intervention of the government or a third party in any individual’s life. That’s why it is also said that a man without privacy is a man without dignity. The Judgment protects the right to privacy and requires specific legislation under Article 28 of the Interim Constitution, 2006 of Nepal (then in force). In the absence of a specific legal provision, the Judgment says, “considering that no one will have unauthorized or unlawful access on the individual’s private information, the Writ of Mandamus is issued not to act or let any other to act against this universality and make such arrangement on prevention of such act against the defendant and Directive Order is issued to make relevant law to address on the issue referred above.”

District Court Permission is required: The case establishes a procedure for immediate remedy as well. The Judgment says, “It is also ordered to initiate departmental action to those who disseminated the information unlawfully and prosecute under prevailing laws who did unlawful intervention or demand access with coercive action and issue an order not to disseminate such information or ask to stop any such dissemination of information. Where there is necessity of information on the course of specific investigation of a crime, until the law is made and provide an arrangement for the permission of access to information, it is ordered to arrange the mechanism of receiving the permission from the District Court.”

CONCLUSION

Based on the above facts and analysis, we can conclude that digital privacy gets the same level of protection as privacy hitherto protected in other forms. The various court judgments discussed above emphasize that privacy is an individual’s privy and inherent right. Even if legislation does not protect this fundamental right, a responsible judiciary in a common law system can intervene in this regard.

METHODOLOGY & DATA

The research is based on case law method where various judgments were collected through secondary data collection.

SOURCES/REFERENCES

  1. https://www.eff.org/about/history
  2. https://www.aclu.org/about/aclu-history
  3. https://bib.irb.hr/datoteka/808228.AK_Method_for_CS_strategy_development_NATO_SPS_2015.pdf
  4. https://www.itgovernance.co.uk/blog/list-ofdata-breaches-and-cyber-attacks-injanuary-201-2/
  5. http://www.wired.co.uk/article/hacks-databreaches-in-2018
  6. https://cdt.org/issue/securitysurveillance/cybersecurity-2/
  7. https://www.gpdigital.org/publication/multistakeholderapproaches-to-national-cybersecuritystrategy-development/
  8. https://www.oecd.org/sti/ieconomy/cybersecurity%20policy%20making.pdf
  9. Law, J. (2015). Oxford Dictionary of Law. Oxford: Oxford University Press.

Aryal, Babu Ram, Privacy in Digital Age: Judicial Approach in South Asia (October 30, 2018). CPR South 2018, Policy Brief. Available at SSRN: https://ssrn.com/abstract=3275123 or http://dx.doi.org/10.2139/ssrn.3275123