The Court is examining whether ordering an accused to drop his Google pin location to the Investigation Officer throughout the period of his bail is violative of his right to privacy
By Prof Upendra Baxi
It is a sound rule that one does not write on a sub judice matter, as public communication on pending issues may prove prejudicial to litigants and even contemptuous of courts. This admirable rule, and conduct, also extends to oral remarks made during a preliminary hearing.
We must emphasise at the outset that what was reported with Directorate of Enforcement vs Raman Bhuraria, [Diary No. – 23447 – 2023; per Jasmeet Singh, J February 08, 2023] was only a preliminary observation by Justice Abhay S Oka and Justice Pankaj Mithal of the Supreme Court of India (SCI). The matter concerned a condition for bail that required the accused to drop his active Google pin location from his mobile to the Investigation Officer throughout the period of his bail and was seen by the SCI as a “prima facie violative of his right to privacy”.
This case will be fully heard on both sides as the hearings develop. The Court is further to explore this issue, challenging a Delhi High Court judgment granting conditional bail to the internal auditor of Shakti Bhog Foods Limited (SBFL) in a money laundering case alleging a bank loan fraud of several crores.
Another bench—comprising Justices Abhay S Oka and Ujjal Bhuyan—decided on February 23 (Frank Vitus vs Narcotic Control Bureau & others, concerning a Nigerian national accused and imposing the same Google pin bail condition) to issue notice to Google India Private Limited to file an affidavit along with the necessary documents explaining fully the working of Google pin. This is because the issue concerns “whether such condition infringes right to privacy”. The SCI does not implead Google, but just requests information regarding the device and the way it works.
In the most general understanding, a Google pin on a digital map involves pinning locations at specific spots where instead of using a real pin, the “pins” are placed by clicking on the spot one wants to mark to facilitate return later. But obviously, more detailed understanding is required when dealing with its use for enforcement of constitutional justice values and the human right to privacy (such as informational privacy), especially when private digital companies begin to play a decisive role in law enforcement and even adjudication while relentlessly chasing, to a point of total impunity, transnational power, profit, and privilege.
As Justice Oka orally observed, in the earlier case: “You must explain to us the practical effect of such a condition. Once a person is set at liberty, certain conditions are imposed. But here you are tracking their movement after grant of bail, isn’t this violative of right to privacy?” Advocate Zoheb Hussain appearing for the Enforcement Directorate is reported as having said: “In the good old times, when bail is given, they are required to report to the IO every week. This is only technology facilitating the same thing.”
However, the SCI seemed to be constitutionally anxious because the bail conditionality involved “tracking the movement of the accused.” Also, rigorous examination, is now opened on the issue whether the SCI in Puttuswamy case ruled, as argued, that “crime prevention is a valid reason for infringing upon right to privacy”.
The matter has been posted for December 12 for further consideration. The further progress of hearings and the eventual SCI outcome remain significant not just for privacy right professionals, but for social movement actors in India and elsewhere. We here briefly explore the international dimensions of possible uses of interoperability (across various digital platforms and devices) provided by the digital industry in the contexts of law enforcement institutions and networks.
Protection of “data across borders” has emerged as a recent concern with legislators, official public policymakers, some academics and activists. Several approaches have emerged. First, the design of general data protection regulation (GDPR); second, the affirmation of the human right to privacy and third, data localisation requirements.
At the threshold, the crucial distinction between content data and non-content data must be borne in view. GPDR do not pertain to the former as digital corporations readily yield information, for example, about matters such as subscriber names and addresses, IP addresses and credit card information. US companies’ transparency reporting suggests substantial, even massive, voluntary disclosure in response to foreign governments requests for non-content data each year.
On the other hand, when the sought-after information is about content data, disclosure or sharing requests, an inordinate length of time is taken in many countries (led by the US). Or more importantly, the digital corporations may decline such requests, thus acting as private adjudicators and enforcement decision-makers, displacing State decision-makers.
Digital corporations may do so on various grounds, and some are importantly related to human rights of privacy and commodification of freedom of information that is now new property (big data) in their sole control. Certainly, in situations of authoritarian legality, the corporate claim to digital sovereignty may so oust the courts as to aggravate further arbitrary arrests, detentions, incarcerations, punishments (even capital punishment), and state censorship.
Nor can one entirely overlook the fact that corporate governance practices often foster the very same contexts and conditions for such “legality” by obtaining immunity and even impunity precisely by corporate complicity with human rights crimes. These crimes include crimes against health, agri-crimes, ecocide, toxic torts, mass disasters, child labour and violations of decent work conditions (as defined by the International Labor Organisation).
The claims of digital sovereignty are often as pernicious as those of territorial sovereignty for the earth’s peoples. What is needed, and contemporary standards of international law so provide, is greater accountability and responsivity for acts of sovereignty at least as prescribed by the core international human rights standards.
It is for this reason alone that one welcomes the democratic assertion of everyone’s right in personal data as a fundamental right in Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU). One needs an international treaty regime which protects a human right to data protection as an aspect of the right to privacy. Pending this, as in the Indian SCI contexts, one awaits the full force of human right to privacy to exert against assertions of complete immunity claimed, and enjoyed, by digital corporate conduct.
The third strategy is data localisation. Mandatory data localisation requires that data must be held within the country, and this enables domestic law enforcement to access the data pursuant to the content of communications (or a copy of such content) involving a country’s residents and/or citizens. Undoubtedly, this archival measure may increase the business costs (e.g., building additional data storage sites and maintenance of copies of data, but may imperil the innovative digital potential. Further, even if somewhat useful for security and law enforcement, one cannot rule out, or discount altogether, the privacy costs to the citizenry by the augmentation of domestic surveillance prowess because the governments may gather data for law enforcement, unless vigilantly controlled by the judiciary.
In this respect, the new Indian law—The Digital Personal Data Protection Act, 2023—includes a concept of a significant data fiduciary (“SDF”) which extends to exceptionally large data controllers. However, the criteria are overbroad. The government may notify (under Section 10) as SDF entities that pose “(c) potential impact on the sovereignty and integrity of India;(d) risk to electoral democracy; (e) security of the State and (f) public order”, among other similar factors not specifically enacted.
Moreover, an SDF entity must conduct privacy audits by an independent privacy auditor and conduct privacy impact assessments (PIA) in a manner to be prescribed by the government. But the histories of PIA suggest at least two perspectives: the PIA may be seen either as a register of struggles of power where “large organisations” may effectively cede some “substantial power” that “they exercise over citizens or consumers”, or alternatively as a “natural development of rational management of techniques”.* What needs wider public discourse is the scope and content or the social architecture of PIA—ensuring that the right to privacy is not overwhelmed by merely expedient “policy” considerations.
—The author is an internationally-renowned law scholar, an acclaimed teacher and a well-known writer
———————————————-
* I derive words in quotation marks from the valuable analysis in Roger Clarke, “Privacy Impact Assessment: Its Origin and Growth”, Computer Law & Security Review, 25: 2, pp. 123-135.(2009).