Republic of India

The Constitution of 1950 does not expressly recognize the right to privacy.[1467] However, the Supreme Court first recognized in 1964 that there is a right of privacy implicit in the Constitution under Article 21 of the Constitution, which states, "No person shall be deprived of his life or personal liberty except according to procedure established by law."[1468]

There is no general data protection law in India. In June 2000 the National Association of Software and Service Companies (NASSCOM) urged the government to pass a data protection law to ensure the privacy of information supplied over computer networks and to meet European data protection standards.[1469] The National Task Force on IT and Software Development had submitted an "IT Action Plan" to Prime Minister Vajpayee in July 1998 calling for the creation of a "National Policy on Information Security, Privacy and Data Protection Act for handling of computerized data." It examined the United Kingdom Data Protection Act as a model and recommended several cyber laws including ones on privacy and encryption.[1470] No legislative measures, however, have been considered to date.

In May of 2000, the government passed the Information Technology Act, a set of laws intended to provide a comprehensive regulatory environment for electronic commerce.[1471] The Act also addresses computer crime, hacking, damage to computer source code, breach of confidentiality and viewing of pornography. Chapter X of the Act creates a Cyber Appellate Tribunal to oversee adjudication of cyber-crimes such as damage to computer systems (Section 43) and breach of confidentiality (Section 72). After widespread public outcry, sections requiring cyber-cafes to create detailed records about their customers' browsing habits were dropped. The legislation gives broad discretion to law enforcement authorities through several provisions. Section 69 allows for interception of any information transmitted through a computer resource and requires that users disclose encryption keys or face a jail sentence up to seven years. Section 80 allows deputy superintendents of police to conduct searches and seize suspects in public spaces without a warrant. This section in particular appears to be targeted at cyber-cafe users where an estimated seventy-five percent of Indian Internet users access the web.[1472] Section 69 gives tremendous powers to the Controller of Certifying Authorities (CCA) to direct interception of any information transmitted through any computer resource. This direction is only to be given if the CCA is satisfied that it is necessary or expedient so to do in the interests of the following: the sovereignty or integrity of India, the security of the state, friendly relations with foreign states, public order, or for preventing incitement to the commission of any cognizable offence.[1473] Section 44 imposes stiff penalties on anyone who fails to provide requested information to authorities, and Section 67 imposes strict penalties for involvement in the electronic publishing of materials deemed obscene by the government.
Chapter III of the Act gives electronic records and digital signatures legal recognition, and Chapter VI authorizes the Government to appoint a CCA, who will license certifying authorities before they can operate in India and will act as the repository of all Digital Signature Certificates issued under the Act.

Following the enactment of the IT Act the Ministry of Information Technology adopted the Information Technology (Certifying Authorities) Rules in October 2000 to regulate the application of digital signatures and to provide guidelines for Certifying Authorities.[1474] The Digital Signature regime in India has become operational with effect from February 2002. The CCA has also appointed numerous licensed Certifying Authorities including Safe Script, National Informatics Centre, the Institute of Development and Research in Banking Technology, and Tata Consultancy Services.

There is also a right of personal privacy in Indian law. Unlawful attacks on the honor and reputation of a person can invite an action in tort and/or criminal law.[1475] The Public Financial Institutions Act of 1993 codifies India's tradition of maintaining confidentiality in bank transactions.

In March 2000 the Central Bureau of Investigation set up the Cyber Crime Investigation Cell (CCIC) to investigate offences under the IT Act and other high-tech crimes.[1476] The CCIC has jurisdiction over all of India and is a member of the Interpol Working Party on Information Technology Crime for South East Asia and Australia. Similar cells have been set up at the state and city level, for example in the state of Karnataka and the city of Mumbai. In June 2002 the central government authorized the National Police Academy in Hyderabad to prepare a handbook on procedures to handle digital evidence in the case of computer and Internet-related crimes.[1477] The government is also considering establishing an Electronic Research and Development Centre of India to be responsible for developing new cyber-forensic tools. India's Intelligence Bureau is reported to have developed an e-mail interception tool similar to the Federal Bureau of Investigation's Carnivore system, which it claims to use in anti-terrorist investigations.[1478] In April 2002, India and the United States launched a cyber-security forum to collaborate on responding to cyber security threats.[1479]

Wiretapping is regulated under the Telegraph Act of 1885. There have been numerous phone tap scandals in India, resulting in a 1996 decision by the Supreme Court which ruled that wiretaps are a "serious invasion of an individual's privacy."[1480] The Supreme Court recognized the fact that the right of privacy is an integral part of the fundamental right to life enshrined under Article 21 of the Constitution. However, the right is only available and enforceable against the state and not against action by private entities. The Court also laid out guidelines for wiretapping by the government. The guidelines define who can tap phones and under what circumstances. Only the Union Home Secretary, or his counterpart in the states, can issue an order for a tap. The government is also required to show that the information sought cannot be obtained through any other means. The Court mandated the development of a high-level committee to review the legality of each wiretap. Tapped phone calls are not accepted as primary evidence in Indian courts. However, as is the case with most laws in India, there continues to be a gap between the law and its enforcement. According to prominent NGOs, the mail of many NGOs in Delhi and in strife-torn areas continues to be subjected to interception and censorship.[1481]

In March 2002 the Indian Parliament, in a rare joint session, passed the Prevention Of Terrorism Act (POTA) over the objections of several Opposition parties and in the face of considerable public criticism. The National Human Rights Commission, an independent government entity, criticized the measure finding that the existing laws were sufficient to combat terrorism.[1482] The law codifies the Prevention of Terrorism Ordinance that in turn builds on the repealed Terrorists And Disruptive Activities (Prevention) Act (TADA). It gives law enforcement sweeping powers to arrest suspected terrorists, intercept communications, and curtail free expression. Critics argue that the experience of TADA and POTA shows that the power was often misused for political ends by authorities and that POTA does little to curb those excesses.[1483] Chapter V of POTA deals with the interception of electronic communications, which also creates an audit mechanism that includes some provision for judicial review and parliamentary oversight; however, it remains to be seen how effective such mechanisms will be in practice.[1484] In certain high-risk states such as Jammu and Kashmir, search warrants are not required and the government from time to time bans the use of cellular telephones, long distance phones, and cyber-cafes.[1485] India's Enforcement Directorate, which investigates foreign exchange and currency violations, searches, interrogates and arrests business professionals, often without a warrant.[1486]

On December 13, 2001, the Indian Parliament was attacked by five heavily armed intruders and gunmen. A case was duly registered, investigated and prosecuted under the provisions of POTA after it was enacted. The trial court judge convicted the accused persons. On appeal, the New Delhi High Court held that intercepted telephone conversations of the three persons charged under POTA for plotting the attack on the Parliament were not admissible evidence, although the High Court had previously held that telephone conversations could qualify as admissible evidence under the Indian Evidence Act, the Indian Telegraph Act and the Indian Penal Code, and that it was open for the trial court to consider the intercepts under these laws while deciding the case. The Central Bureau of Investigation appealed against the High Court order and on September 5, 2003 the Supreme Court set the Delhi High Court judgement aside, allowed the appeal and decided that intercepted communications between the accused in the House of Parliament are admissible.

A prominent expose of government corruption by the web portal Tehelka sparked a growing debate on the appropriate balance between the press and personal privacy. Tehelka's investigative journalists covertly filmed high-level officials accepting bribes and army officers groping call girls as part of their expose on how official corruption operates in India.[1487] While some critics admit that the journalists did shed much needed light on a murky subject, they argue that there should be some restrictions on the press' behavior.[1488] India authorizes the use of illegally obtained evidence that would therefore allow journalists to present such evidence in court. Similar questions arose in relation to the transcripts of tapped phone calls released to the press in a match fixing scandal surrounding the national sport of cricket in April 2000.[1489]

The Government of India has initiated steps for enacting a law on Convergence. The proposed Communications Convergence Bill 2001 was tabled in both Houses of Parliament in the second half of 2001. The Parliament referred it to the Standing Committee on Information Technology which gave detailed recommendations at the end of 2002 and forwarded them to the government. The government is likely to make changes to the Bill in line with some of the Committee's recommendations, and to submit it to the Parliament. The bill aims to create a "super regulator," the Communications Commission for India, to oversee voice and data (including telecom, broadcasting, and Internet) communications.[1490] Chapter XIV of the Bill covers the interception of communications and penalties for unlawful interception. Section 63 has been criticized by business groups for placing a significant burden on service providers to provide the government information about their customers, and allow law enforcement to intercept any communication under a very low standard.[1491]

In February 2003, India convicted its first cyber-criminal when a Delhi High Court sentenced Arif Azim on the charges of online cheating. In the said case, Arif Azim, while working for a call centre near Delhi, stole the credit card information that belonged to an American citizen and used it to order a color television and a cordless hand phone. This case has highlighted the security and privacy risks for companies that outsource some of their processing operations to India, where there is a lack of a clear privacy legal framework. At the time of writing,

The Indian government is currently considering the idea of enacting a detailed law on data protection under the initiative of the Ministry of Communication and Information Technology.[1492]