RECONCILING PRIVACY AND FREEDOM OF SPEECH AND EXPRESSION IN THE DIGITAL LANDSCAPE IN INDIA BY - PONNI J
RECONCILING
PRIVACY AND FREEDOM OF SPEECH AND EXPRESSION IN THE DIGITAL LANDSCAPE IN INDIA
AUTHORED
BY - PONNI J
ABSTRACT
Communication
is an important life skill that enables us to effectively express ourselves.
The advent of computers and internet has revolutionised communication sector.
The growth of social and digital media has been catalysed by the human instinct
to communicate and connect with his fellow humans. It is all about establishing
and maintaining personal connections at a larger scale. Social media platforms are
third-party websites or applications that facilitate social interaction and
content-sharing among its users. Mainly used for social interaction and access
to news and information, social media has become an inevitable part of our
daily life. The speed and range of communication over these media are vast. One
can post his views globally in double quick time. Though there are many
advantages for social media, lack of regulation has led to chaos. Internet
being a borderless network faces certain inherent problems with regard to its
regulation. A website might be hosted in a particular country, run by staff in
another country and the person posting objectionable content might be from yet
another country. This creates problems regarding jurisdiction. Jurisdictional
issues are only a tip of the iceberg. The advancement of the technology is so
quick that identification of newer and novel methods made available to
customers and bringing them all under various laws and regulations itself is a
herculean task and implementation of the same is yet another. Free speech is a
key feature of the internet. But free speech is often hampered by content
regulation by tech giants. Another problem is lack of privacy. The moment we
discuss buying something, we have ads popping up on our social media pages
suggesting to buy a particular brand. This shows the level of surveillance the
tech giants have on us. In this digital panoptic on, privacy has become a myth.
In this back drop, the Government
of India released Information Technology (Guidelines for Intermediaries and
Digital Media Ethics Code) Rules, 2021 to regulate social media, digital media
and OTT platforms. The Digital Data Privacy Act 2023 was also enacted to
protect digital personal data. This article examines the contours of
right to free speech and right to privacy in the digital sphere introspecting
the recent rules and enactments.
INTRODUCTION
The
twenty first century has witnessed a tremendous advancement in technology and
this has influenced almost all walks of life. The invention of computers and
internet is regarded as the fastest technological revolution of all times.
Prior developments in technology have been gradual such as the move from the
telegraph to telephone, radio and television, video telephony to satellites. However,
with the advent of computer networks and internet there was a lightening change
and every state is dependent upon interconnected computer networks for all its day-to-day
activities including communication, transportation, medical care, education,
governance. Increasingly people in the information society are becoming
involved in online services, online contracts, electronic commerce, online
transactions, and online publications.[1]
Use of computer systems became inevitable in all fields. Social media is the
buzz word today. Social media users are bestowed with capacity to communicate
to a large crowd without time or place constraints. Such speed and range of
communication brings with itself certain problems also of which few shall be
discussed in detail.
There
comes the doubt if the autonomy and dignity of the individual can be reconciled
with the vastly accelerated movement of information in an electronic environment. Today, sharing is the norm and
keeping private is an exception. The actual problem is that this digital age is
characterised by an enormous capacity to collect, store and manipulate data and
thereby carry out digital surveillance on individuals. It is true that social
media provides opportunities for individuals to reach out to people minimizing
geographical and cultural borders. But this scale and range of communication
which is seen as a boon can become a bane as the information shared can be
recorded and used against the individual undermining his right to Privacy.
PRIVACY AND FREEDOM OF EXPRESSION DICHOTOMY
In this digital age, freedom of
expression and privacy are mutually reinforcing rights. Though the advancement
in communication technology has fostered freedom of expression and democratic
participation, a person may in realizing his right to free expression incidentally
or intentionally encroach upon another’s right to privacy and vice versa. On
one hand, digital technologies have facilitated the exercise of freedom of
expression and the sharing of information but on the other hand they have also
greatly increased the risk of violations of the right to privacy by enabling
storage and manipulation of personal data. Conversely, the laws and measures to
protect the right to privacy undermine freedom of expression.
The concept of privacy has myriads of meanings and its
ambit is ever widening. Earlier privacy was believed to be limited to personal
space and physical boundaries, now it refers to privacy of personal information
also. Basically, privacy is the right to be left alone.[2]It
is the right to be free from unwanted interferences into one’s personal life. The
right to privacy finds place in almost all Human Rights instruments including Article
12 of the Universal Declaration of Human Rights (UDHR)[3],
Article 17 of the International Covenant on Civil and Political Rights (ICCPR)[4],
as well as Article 8 of the European Convention on Human Rights (ECHR).[5]
National laws also recognize privacy as a
fundamental right. Most countries have the right enshrined in their
constitution or other statutes. The privacy jurisprudence in India stems from
an extensive interpretation of Article 21.[6]
The right to privacy in Indian constitutional law can be traced back to the dissenting
judgment in Kharak Singh v. State of Uttar Pradesh[7] a
case claiming that police surveillance and domiciliary visits of accused was
violative of Article 21 and the court declared the domiciliary visits at night
to be unconstitutional. Another important case is Govind v. State of Madhya
Pradesh[8] where Supreme
Court dealt with domiciliary visits and harassment by the police and held that
the right to privacy must encompass and protect the personal intimacies of the
home, the family, marriage, motherhood, procreation and child rearing, and is
subject to restriction only on the basis of compelling public interest. A nine
judges bench of the Supreme Court of India in Justice K.S. Puttaswamy (Retd.) &Anr. v. Union of India & Ors[9]
unanimously held that the right to privacy is
protected as an intrinsic part of the right to life and personal liberty under Article
21 and as a part of the freedoms guaranteed by Part III of the Constitution.
The court urged the need for the implementation of a new law relating to
data privacy.
Privacy adheres not merely in a
boundaried space but in the ability of the individual to choose and be
autonomous. When it comes to internet, a person has the right to choose what he
does and to keep private his personal information. Though users believe they
have complete autonomy over the flow of their personal data on cyberspace it is not true. Whatever
we do on the internet leaves a digital foot print. Today, exchange of personal
information via electronic means is part of a conscious compromise through
which individuals voluntarily surrender information about themselves and their
relationships in return for digital access to goods, services and information. The
moment we discuss buying something, we have ads popping up on our social media
pages suggesting to buy a particular brand. This shows the impact tech giants
have on privacy of internet users. Bringing in the analogy of right
against surveillance to surveillance in internet paradigm, in a country like
India where targeted surveillance of an individual based on a criminal record
requires high standards to be followed, it is never easy to mandate collection
and storage of data of every internet user.
Freedom of
expression is the mother of all the other liberties. A robust protection of
freedom of speech and expression is hall mark of a democracy. In a democracy
the right to free expression encompasses within it the right of an individual
to speak as well as the right of the community to be informed. Freedom of
speech and expression finds place in almost all human rights instruments
including Universal Declaration of Human Rights, International Covenant on
Civil and Political Rights and European Convention on Human Rights.
Everyone has the freedom to seek receive and impart
information through all media regardless of frontiers.[10]Art
19(2) of International Covenant on Civil and Political Rights, 1966 states that
“Everyone shall have the right to hold opinions without interference. Everyone
shall have the right to freedom of expression; this right shall include freedom
to seek, receive and impart information and ideas of all kinds, regardless of
frontiers, either orally, in writing or in print, in the form of art, or
through any other media of his choice.” Art 10 of European Convention on Human
Rights says every one shall have freedom of expression which includes “freedom
to hold opinions and to receive and impart information and ideas without
interference by public authority and regardless of frontiers.” Thus, the
essence of freedom of speech and expression is the act of seeking, receiving
and imparting information or ideas irrespective of the medium used. A person
has as much freedom of expression over internet as he has on print media or any
other media.
The Indian constitution recognises freedom of
speech and expression as a fundamental right.[11].
The right is subject to reasonable only on grounds of sovereignty and integrity
of India, security of the state, friendly relations with foreign states, public
order, decency or morality, or in relation to contempt of court, defamation or
incitement to an offence. Any act or provision imposing restrictions on freedom
of speech and expression on grounds other than those mentioned in the
Constitution amounts to violation of freedom of speech and expression. The Supreme Court in the celebrated judgment
of Shreya
Singhal v. Union of
India[12]struck down Section 66A
of the Information Technology Act which authorised police to arrest people for
social media posts construed “offensive” or “menacing”.
Though
freedom of expression over internet is much celebrated, lack of regulation can
lead to anarchy. In absence of a proper system of regulation by the government,
companies arbitrarily decide which content to regulate and how i.e. whether to
remove it or post warning or to conduct a fact check or to control its virality
by making it visible to only few using algorithm. The company may arbitrarily
choose to suspend an account for expressing certain words but at the same time
allow another to continue with the account even when he has also expressed the
same words.[13]The
government of India has from time-to-time enacted appropriate legislations and
allied rules to adapt to the changing times.
INFORMATION
TECHNOLOGY ACT AND ITS EFFECT ON PRIVACY AND FREE SPEECH
Till
recently the IT Act, 2000 and the rules made thereunder were the only
legislations to deal with privacy and free speech over the internet.
Information Technology Act, 2000 contains a few provisions related to the
individual’s privacy but they are not exhaustive in nature.Under the Information Technology Act, 2000,
a body corporate who is possessing, dealing or handling any sensitive personal
data or information of an individual, and is negligent in implementing and
maintaining reasonable security practices in protecting the data and results in
wrongful loss or wrongful gain to any person, then such body corporate may be
held liable to pay damages to the person so affected[14].
It is important to note that there is no maximum limit specified in the Act for
the compensation that can be claimed by the affected party in such circumstances.
The Act penalises the act of intentionally or knowingly capturing, publishing
or transmitting the image of a private area of any person without his consent,
under circumstances violating privacy of that person.[15]
Section 72 of the Information Technology Act, 2000 deals
with a circumstance under which any person who, in pursuance of any of the
powers conferred under the IT Act Rules or Regulations made thereunder, secured
access to any electronic record, book, register, correspondence, information,
document or other material without the consent of the person concerned,
discloses such material to any other person. The person making such disclosure is
liable to be punished with imprisonment for a term which may extend to two
years, or with fine which may extend to Rs 1,00,000 or with both.[16]Disclosure
of information knowingly and intentionally, without the consent of the person
concerned and in breach of the lawful contract is punishable with imprisonment
for a term extending to three years and fine extending to Rs 5,00,000[17].
Under Section 69 of the Act, which is an
exception to the general rule of maintenance of privacy and secrecy of the
information, provides that where the Government is satisfied that it is
necessary for the interest of the sovereignty or integrity of India, defence of
India, security of the State, friendly relations with foreign States, public
order, for preventing incitement to the commission of any cognizable offence
relating to above, or for the investigation of any offence, it may issue directions to intercept,
monitor or decrypt any information generated, transmitted, received or stored
in any computer resource.
Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules,
2011 deals with the protection of “Sensitive personal
data or information of a person”, which includes the personal information
relating to passwords, financial information such as bank account or credit or
debit card or other payment instrument details; sexual orientation; medical
records and history; and biometric information. The rules mandate for
collection and processing of personal data. However, there is no mention about nature
of consent to be obtain. Under the provisions, a mere opt out system where the
fiduciaries have a default setting to collect and process personal data unless
the user opts out from it would suffice.
Any
introspection on free speech jurisprudence in connection with IT Act would
always start from the draconian provision under S.66A which was struck down as
unconstitutional as it
arbitrarily, excessively and disproportionately invades the right of free
speech and upset the balance between such right and the reasonable restrictions
that may be imposed on such right.[18]
This
legislation was more than two decades old and couldn’t by itself regulate the
present-day digital revolution. With so much of fake news and misinformation
proliferating especially in the difficult times of the pandemic, the Government
of India was compelled to take actions to regulate communication over internet.
This paved way for the IT (Intermediary guidelines and digital media ethics
code) Rules 2021.
INTERMEDIARY
GUIDELINES AND DIGITAL MEDIA ETHICS CODE 2021 AND ITS IMPLICATIONS FOR PRIVACY
AND FREE SPEECH
The
Government of India, in exercising its powers under S.87of the Information Technology
Act, 2000, framed the of Information Technology (Intermediary Guidelines and
Digital Media Ethics Code) Rules, 2021 (new IT Rules) superseding the earlier
Information Technology (Intermediary Guidelines) Rules 2011 at a time when
debate over right to privacy and freedom of expression over social media was at
its peak. The rules purport to regulate intermediaries, social media
intermediaries, OTT Platforms and digital media publishers. Part I of the rules
deal with definitions. Part II deal with due diligence by intermediaries and
grievance redressal mechanism and Part III deal with Code of Ethics in relation
to digital media.A
faction of people believed it to be a much awaited much needed legislative
measure to regulate the over-the-top, online news portals etc., but another
faction recognized it as deceptive exercise of government surveillance and
censoring violating fundamental right to freedom of speech and expression.In
2023 the rules were amended inter alia to bring in online gaming platforms also
under the purview. The important provisions which have an impact on user’s
privacy and freedom of speech and expression are discussed.
These
new rules brought in a grievance redressal mechanism for the ordinary users of
social media. The new guidelines have classified digital social media into two
parts namely social media intermediaries and significant social media
intermediaries. The significant social media intermediaries are those digital
platforms having more than fifty lakh users and aremandated to follow certain additional
due diligence.
The
rules stipulate that non-compliance with due diligence will take away their
immunity under the safe harbour provisions. Due diligence includes publishing
the rules and regulations, privacy policies and the user agreement in English
or any language specified in eighth schedule to the Constitution for accessing
the computer resource. The platforms are required to inform each user the
privacy policy, user agreement, rules and regulations in language of his choice
and ensure that the users do not host, display, upload, modify, publish, transmit, store,
update or share any information that belongs to categories prohibited under the
rules.[19]The
users shall be warned at least once every year that noncompliance with the
rules and regulations, privacy policy or user
agreement might get the
access terminated or get the non-compliant information removed or both.[20]The
rules mandate intermediaries to establish a robust grievance mechanism for
receiving and resolving complaints from the users of victims. Intermediaries
shall appoint a grievance officer to deal with such complaints and share the
name and contact details of such officer. The grievance officer shall
acknowledge a complaint within 24 hours and resolve it within 15 days from its
receipt. The total number of complaints received is to be reported to the
Government every month.
The rules prescribe certain
Additional due diligence to be followed by significant social media
intermediaries. A significant social media intermediary should have a physical
contact address in India and appoint a chief compliance office RTO ensure
compliance with the Act and rules. These intermediaries should have a nodal contact
person resident in India for 24x7 coordination with law enforcement agencies. A
resident grievance officer shall be appointed who shall deal with resolution of
complaints made under grievance redressal system. The social media
intermediaries are duty bound to publish a monthly compliance report enumerating
the details of the complaints received and action taken and the details of
contents removed proactively. Though the rules were released with
the promise of empowering the ordinary users and controlling the tech giants,
in effect the rules have an adverse effect on the privacy and freedom of
expression of the users. The most controversial provisions are dealt hereunder.
TRACEABILITY MANDATE
Internet has gained popularity
because of its range and speed. Another aspect that catalyzed growth of use of
this medium is the sense of anonymity that it gives to the user. However, the
IT Rules 2021 mandate significant social media intermediaries providing
messaging service to enable identification of the first originator of the
information on its computer resource upon an order passed by a court of
competent jurisdiction or an order passed under section 69 of the IT Act by the
Competent Authority as per the Information Technology (Procedure and Safeguards
for interception, monitoring and decryption of information) Rules, 2009. Such
an order can be passed only for the purposes of prevention, detection,
investigation, prosecution or punishment of an offence related to sovereignty
and integrity of India, security of the state, friendly relations with foreign
states, or public order or of incitement of an offence relating to above or in
relation with rape, sexually explicit material or child sexual abuse material
punishable with imprisonment for a term of not less than 5 years.[21]
This
rule mandating intermediaries to provide for tracing of the originator of the information on their
platforms if required by a court of competent jurisdiction or competent
authority is most debated area. End to end encryption is the most secured way to transfer
data online because when messages are end to end encrypted, only the sender of
the message and the receiver of the message can view the message and not by any
one else in between including the messaging service company. Allowing tracing
the originator would imply breaking down encryption. Breaking down of
encryption will have serious repercussions on user’s privacy.
TAKE DOWN
WITHOUT OPPORTUNITY TO BE HEARD
Audi
alteram partem is the primary rule of natural justice. It would only be fair to
hear the user before taking down a content that he has posted. The rules
mandate that intermediaries shall remove or disable access within 24 hours of
receipt of complaints that expose the private areas of individuals, show such
individuals in full or partial nudity or in sexual act or is in the nature of
impersonation including morphed images.[22]In
case of take down of content on its own accord, intermediary is bound to give users an opportunity to be heard. In
cases where significant social media intermediaries remove or disable access to
any information, a prior intimation shall be communicated to the user who has
shared that information with a notice explaining reasons for such actions and
the user must be given a reasonable opportunity to question the action taken by
the intermediary.[23]
An intermediary upon receiving an
order of a court or being notified by the appropriate government or it’s
agencies through authorized officer should not host or publish any matter which
is prohibited under any law relating to the sovereignty and integrity of India,
public order, friendly relation with foreign states etc.
The
intermediary has to consider takedown orders by a court or government agency
within 36 hours. There is no provision for the user whose content is removed to
have his say on the removal. In a country like India with diverse cultural and
political sensibilities, it is certain that, an intermediary may receive
hundreds of complaints every day. It would be practically impossible for the
Chief Compliance Officer to scrutinize each complaint on merits. So it is
likely that to avoid liability for the intermediary, legitimate forms of free
expression might be suppressed. This could undermine freedom of speech and
expression which ensures an individual’s right to express one’s opinion.
AUTOMATED CENSORSHIP
Rule 4(4) requires Significant Social Media
Intermediaries to endeavour to deploy technology-based measures, including
automated tools, to proactively identify and block sexual abuse material or
information identical to previously removed information.[24] AI
enabled technology is not error free and are prone to failures. AI
enabled techniques can err in identifying particular types of content including
sexual abuse material. A proper mechanism of human oversight is required to
protect the interests of free speech.
CENSORSHIP OF NEWS PLATFORMS AND OTT PLATFORMS
Changes
in technology and the society has brought news platforms to the online terrain.
Though print and broadcast news media are regulated under Press Council of
India Act and Cable TV Networks (Regulation) Act, the online news media
remained largely unregulated till recently. The Intermediary Rules 2021 lays down
a code of ethics for publishers of online news. As per the rules a complaint
alleging violation of code of ethics may be filed by any person. Under the
rules, there is a three-level grievance redressal mechanism. At level one,
there is a grievance officer appointed by the publisher to look into the matter
at the primary stage. The decisions of the grievance officer are subject to
review by self-regulating bodies of experts in the industry that are required
to be registered with the government. The third level is an interdepartmental
committee with wide powers. The committee will be headed by an authorised officer of the ministry not
below the rank of a joint secretary and looks into the complaints referred to
it by the self-regulating body or by the ministry. The head of the Inter
Departmental Committeecan direct blocking of certain content. Though on paper
there is an ideal step by step structure envisaged, the Inter Departmental
Committee may also take up certain matters suomotu, before the first two tiers
are exhausted.This leads to unnecessary interference by the Central government
in censoring news and current affairs. The rules therefore evidently lack a
proper check and balance system against the government interference in
curtailing free speech.
The Digital Data Protection
Act, 2023 in Reconciling Privacy with Free speech
The
Digital Personal Data Protection Act 2023 was brought in with the objective of
enhancing right to privacy of an individual by providing for protection of data
obtained and stored digitally or data obtained by other means and then
converted to digital form. The Act emphasises the need of explicit consent from
the individuals whose data is being processed. The data principal also has the
right to access information about the processing of his data,[25]
to withdraw consent at any time, to request corrections or erasure of data[26],
nominate representatives to act on his behalf in case of death or incapacity[27]
and file grievances.[28]
Under
the Act, the data fiduciaries, the entities responsible for collecting and
processing personal data and are duty bound to ensure data accuracy and
completeness, establish robust security measures to prevent data breaches,
notify the Data Protection Board of India and affected individuals in case of breaches
and delete data after the purpose.[29]
Data fiduciaries must exercise extra-caution while processing the personal data
of children or disabled as it is mandatory to obtain consent of parent or
guardian.[30]
The Act recognises some data fiduciaries and imposes additional obligations,
including the appointment of a data protection officer and the undertaking of
impact assessments and compliance audits.
Though
the Act appears to be perfect in delineating the rights of data principals and
elaborating the duties of data fiduciaries and data processors, there are
exceptions in favour of Governmental interventions on individual privacy. The
data principal rights and data fiduciary obligations (except data security) do
not apply in cases of prevention and investigation of offenses and the
enforcement of legal rights or claims. The central government also holds the
authority to grant exemptions for specific activities, such as government
processing for state security and public order, as well as research, archiving,
or statistical purposes.[31]
This excessive discretion given to the central government may lead to
arbitrariness. The challenge lies in finding a balance between the right to
privacy and reasonable exceptions on government processing of personal
data.
The
Act empowers Central Government to block access to information in the interest
of the general publicif requested by the Data Protection Board.Allowing the
government to selectively block stories would definitely undermine the freedom
of speech and expression.
CONCLUSION
The
digital space is ever-expanding and the laws regulating this sphere have to
continuously expand to keep pace with the developments. Till recently the
decades old Information Technology Act was the sole legislation specifically
dealing with right to privacy and freedom of expression in the digital sphere.
Government issued rules from time to time to cope with developments coming up
in the field. Intermediary Rules were introduced at a time when the Data
Protection bill was already tabled definitely strike at the root of privacy by
mandating internet platforms to trace the originator of information as it
practically amounts to end of end-to-end encryption. The rules will have
serious effects on freedom of expression as it gives power to government to
regulate news and entertainment available online. The government has brought
immense changes to the way the internet will work in India just by amending the
rules under pre-existing sections of Information Technology Act. The framing of
rules without proper public consultation shows it was a product of haste. This
governance framework for regulating intermediaries bringing with it such
far-reaching consequences on liberty of individuals is already the subject of
challenge at the court of law and the fate shall be decided by courts. The
Digital Personal Data Protection Act though marks a watershed in the privacy
jurisprudence in India and appears to effectively protect the personal privacy
of citizens, in turn jeopardises the freedom of expression of the people. The
Act has a peculiar section imposing certain duties on the data principal. An
act that was brought to protect privacy of individuals posing obligations or
duties on such citizens itself casts doubt on the motive of the government. The
Act deceives the citizens by giving them a feeling of Data Principal is the
king where in fact Government is the King. Giving too much discretion to the
government may lead to anarchy. The efficacy of the regulation lies in
balancing the individual interests of free speech and privacy with the public
interest or the national interest.
[1]Dr.Bimal Raut, Judicial Jurisdiction in The Transnational
Cyberspace, 2, (Jain Book Agency 2004)
[4]International Covenant
on Civil and Political Rights (adopted 16 December 1966, entered into force 23
March 1976) 999 UNTS 171 (ICCPR)
[5]European Convention for the
Protection of Human Rights and Fundamental Freedoms, November 4, 1950, ETS No.
5, 213 UNTS 221.
[6] INDIA CONST. art. 21 ‘No person
shall be deprived of his life or personal liberty except according to procedure
established by law.
[7]AIR 1963 SC 1295
[8]AIR 1975 SC 1378
[9] AIR 2017 SC 4161
[11] INDIA CONST. art. 19 (1)(a)
[12]AIR
2015 SC 1523
[13]The
perfect example would be cases where Donald Trump was allowed to post abusive
or misleading content which would have been removed if it had been posted by an
ordinary person.
[19] Information Technology
(Intermediaries Guidelines) Rules, 2021, Rule 3 (b)
[20] Id, Rule 3(c)
[21] Id, Rule4(2)
[25] The Digital Personal Data Protection
Act, S.11, No.22, Acts of Parliament, 2023 (India)
[31] Id S.17