Hitchhiker’s Guide to State Surveillance and Data Privacy in India

Garima Agarwal is a 4th-year undergraduate student pursuing BBA.LLB(Hons.) from O.P Jindal Global University. Her interest revolves around the intersection of law with art and technology.
- Mon August 9 2021

This article discusses the recent Pegasus snoopgate that was reported by The Wire and highlights the unchecked and unethical alleged Government surveillance in India. Through this article, the author argues in favour of a dire need for India to enact a comprehensive data protection legislation to actualize the Right to Privacy guaranteed under the Constitution. The article also presents a comparative analysis of data protection regimes around the world that can act as a model for India. 


Mass surveillance in India through phone tapping, social media monitoring etc., is an age-old tale. Surveillance is often cited to be necessary to protect the sovereignty of the nation, combat terrorism, prevent crime and avoid social unrest. However, the revelations made by the Wire as  part of its “Pegasus Project” is a transgression from lawful surveillance conducted by the Indian law enforcement authorities. According to reports, over 300 verified Indian phone numbers of Indian journalists, ministers and Government officials were targeted through Pegasus. [1]

The leaked database accessed by Forbidden Stories and Amnesty International’s Security Lab confirmed that database contained phone numbers of around 40 Indian journalists of which some were even confirmed to have been compromised. This surveillance scandal has put the Indian Government on the spot to be answerable for such breach of privacy. 

Background: Pegasus

Pegasus is a spyware or malware designed by the Niv Shalev Omri Group Technologies (hereinafter, ‘NSO Group’), an Israeli spyware firm. NSO Group claims to sell its software only to 'vetted' government clients to combat terrorism and crime, [2]  and takes advantage of the zero-day vulnerability to hack into the phones or devices of the individuals.

Zero-day vulnerabilities refer to the vulnerabilities which have been newly discovered by the developers themselves and they had ‘zero days’ to fix the issue or provide an update to solve the issue. Earlier, hacking into someone’s phone would require clicking on a link which could be a link sent through WhatsApp or Messages but now because of zero-click attack the phone can even be hacked by an unanswered missed call.

NSO’s objective vetting process for clients combined with the statement of the India’s IT Minister stating that “only lawful interception of electronic communication is being carried out” leads one to strongly believe the Indian Government’s involvement with Pegasus. It is also pertinent to note that there has been no clear denial by the IT Minister about the same. [3]

India’s Current Standing

The current laws in place in India are outdated and ineffective. Presently, in the absence of any defined legislation on data privacy, India resorts to the Telegraph Act, 1885 (hereinafter, ‘Telegraph Act’) and the Information Technology Act, 2000 (hereinafter,IT Act”). The former deals with interception of calls while the latter deals with the interception of data. Together, they lay out a procedure for lawful interception of electronic communications by the Government if “a due procedure of law'' is followed.

For example, Section 5(2) of the Telegraph Act, and Section 69 of the IT Act ensure that any interception, monitoring or decryption that is carried out follows "the due procedure of law". [4] While the Telegraph Act is limited to telephonic conversations only, the IT Act covers all types of communication including the ones which are done using a computer resource. [5] Here, the Government still has a leeway to conduct monitoring activities or use software like Pegasus if “a due procedure of law'' is followed.

The interception, however, can only happen when it is approved by the Secretary of the Ministry of Home Affairs, who empowers the State to intercept and monitor communication. [6] Any surveillance done without the sanction of the Government which results in stealing of a computer resource or communication is a punishable offence under Section 43 and Section 66 of the IT Act for data theft and hacking respectively. [7] Despite the provisions in place that disallow the Government from illegally hacking into individual’s devices, on 6th August 2021 the Centre disallowed Rajya Sabha MPs from asking questions about Pegasus, holding the matter to be subjudice.  Moreover, there are no laws under which one can approach the courts when they come to know before, during or after they have been a victim of surveillance. This lacuna gives an upper hand to the Executive to conduct secret electronic surveillance which pose a threat to free speech. 

Furthermore, individuals are not even safe from the surveillance conducted by a purely private body. [8] Section 43A of the IT Act read with Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 enable individuals aggrieved by the wrongful loss to seek compensation owing to the ‘body corporates’ failure to adopt reasonable security practices. However, what makes it more devastating is that aggrieved individuals cannot seek compensation under Section 43 of the IT Act when their right to privacy has been infringed by these private bodies since the perpetrators do not come under the definition of ‘State’ under Article 12.

Road Ahead: Mass Surveillance Reforms

Under Article 12 of the Universal Declaration on Human Rights, Article 17 of the International Convention on Civil and Political Rights, and Article 21 of the Indian Constitution, India has recognized the right to privacy as a fundamental right. 

The surveillance regime was first challenged in the case of PUCL v Union of India (hereinfater, "PUCL"). The case clarified the position of Right to Privacy with respect to Government surveillance which involved tapping of phones. The judgement held that the Right to Privacy is covered under the Right to Life and Personal Liberty under Article 21 of the Constitution and it includes privacy of telephonic conversations.

Subsequent to the PUCL judgement, Rule 419(A) was incorporated in the Indian Telegraph Rules 1951, allowing phone tapping only in extraordinary circumstances under the authorization of the Union or Home Ministry. [9] Even after the PUCL judgement, we still see wiretapping happening in the case of Niira Radia Tapes and in other cases of mass surveillance that go unreported and undetected. [10]

The landmark judgement of K.S Puttaswamy v. Union of India [11] (hereinafter, “Puttaswamy”) upheld the Right to Privacy under Articles 14,19 and 21 of the Constitution. The Court held that the tapping of phones by the State infringes Article 19 and 21 of the Constitution and must be subjected to a higher degree of threshold which must be justified under Article 19(2) of the Constitution. The Court also made it pertinent that such actions of the State are sanctioned by law and follows the Proportionality and Legitimacy Test, (hereinfater, "Test of Proportionality") i.e., the action of the State must be proportionate to the need for such interference. [12]

Though the Right to Privacy has been held to be a fundamental right through judicial pronouncements, India, until now, does not have a legislation regulating and protecting the privacy of its citizens. The 2019 Data Protection Bill (hereinafter, “Data Bill” or “Bill”) still has not seen the light of the day. Though the Data Bill is said to solve our privacy issues, [13] there are still some concerns that need to be addressed before it becomes an Act.

Section 35 of the Data Bill under Chapter VIII gives the Central Government the power to exempt any agency of the Government from the application of the legislation to obtain or access an individual’s personal data. The Data Bill exempts the Government in almost every possibility ranging from matters of national security to maintaining friendly relations and gives blanket authorization to the Government to conduct dragnet surveillance. Moreover, it does not stand the Test of Proportionality as laid down in the Puttaswamy judgment. 

The Data Bill tabled in the Parliament is different from the bill drafted by the Srikrishna Committee. In the bill drafted by the latter, the Government could have such unbridled power to access data only in matters concerning the national security, sovereignty and integrity of India while standing the Test of Proportionality. Further, the Data Bill also allows the Government to have access to anonymized and non-personal data under Section 91(2). This again raises an alarm regarding the privacy of the individual as the data can easily be deanonymized leaving no recourse available for the individual. [14] There must be an independent Data Protection Authority that has adequate resources and can effectively investigate breaches and order redressal mechanisms. It must be ensured that while intercepting communication, the authority must protect privacy and other human rights.

While the Data Bill has tried to encompass almost all necessary provisions regarding collection, storing and processing of data; it has left out an important chapter on 'Surveillance Reforms’[15] A separate chapter on Surveillance Reforms is required to correct the existing surveillance system in India and to introduce judicial oversight for the same. Since under the current surveillance system, the Government must proceed only with Centre State sanctions, it does not enstate confidence on the competency of such authorities, especially if specific circumstances requiring surveillance existed. [16] 

Further, the provisions must apply to both the private individuals/ enterprises and the Government and the surveillance must be sanctioned by a competent judicial authority. The person under surveillance must be kept on loop or must be informed after the completion of the same and the intercepted communication must be deleted after a point of time. 

Overview of Surveillance in Europe and Australia

It is pertinent to understand the framework of data protection and redressal mechanisms that have been established by other democracies. This is because such an understanding will provide us with the tools to establish a robust framework for data protection and privacy domestically. Presently, the USA has a strong civil rights protection, the European Union has the General Data Protection Regulations (hereinafter,GDPR”), and Australia has the Australian Privacy Principles (hereinafter,APPs”) for regulating this space.  [17]

The GDPR is one of the strongest data protection legislations around the world. It imposes heavy penalties on organisations who are found to breach their regulatory framework. [18] Companies might have to pay a penalty up to 20 million Euros or 4% of their annual turnover, whichever is higher. However, while the GDPR provides a robust way to protect the private lives and human rights of people; it does not impose any regulation on large-scale government surveillance. Governments are allowed to access personal data without consent in matters of “national security,” “defense,” or “public security” concern; but the terms have not been defined. While the Court of Justice of the European Union has pronounced that such undefined terms would in no way conflict with the EU Data Protection Regulation and will follow the international and regional human rights laws, recent years have only seen a rise in surveillance.  [19]

On the other hand, the Australian Privacy Act (1988) mandates all organizations, agencies including the Australian Governments, organisations with an annual turnover of more than $3 million to conform to the APPs. [20] With respect to security cameras and drones, any personal information collected by them through surveillance must be compliant to the APPs. They are required to inform the individual whose image has been captured or whose image might be captured before recording it. Moreover, the information has to be destroyed once it is no longer needed. [21] 


Surveillance is required in the criminal justice system to fight crime and terror. However, it is imperative to understand that there is a level up to which a democracy can stand surveillance. With rapidly advancing technology, there is a constant and continuous need for evaluation and modification of laws to prevent misuse and abuse of rule of law. [22]  

Overall, the existing regulations in India do not provide substantial or adequate data protection, and thus there is an urgent need for robust data protection laws. The acute absence of an independent body overseeing state surveillance or a system of checks and balances is being abused by the Executive leading to a violation of citizens’ privacy rights. 

India must enact a data protection law that conforms to international standards and takes surveillance by both the Government as well as private enterprises into account. The Australian example of data privacy is a model that must be applied by India too. Moreover, the Judiciary must be given due power to oversee if due process of law is followed in specific instances of surveillance. 

Presently, the existing legislations do not incorporate data protection, and the proposed Data Bill grants exceptional powers and exemption to the Government to violate citizens’ data privacy. This especially since the Government would also have the power to intermediaries to provide non-anonymous data, interfering with day-to-day privacy too. Thus, in order to combat the far-reaching consequences of state surveillance, there is an urgent need for implementation of surveillance reforms.


The views expressed above are solely of the author's 



[1]  IFF “IFF's Statement on Hacking Revelations Made by the Pegasus Project” (Internet Freedom Foundation July 19,2021), available at <https://internetfreedom.in/iffs-statement-on-hacking-revelations-made-by-the-pegasus-project >, accessed July 24, 2021

[2] Ibid

[3] Sudhanshu Pathania, “Personal Data Protection Bill & the Surveillance Framework in India”, Live Law, July 27,2021, available at < https://www.livelaw.in/columns/personal-data-privacy-bill-information-technology-act-2000-constitution-178197?infinitescroll=1 >, accessed July 30, 2021

[4] Siddharth Sonkar “Privacy Delayed Is Privacy Denied”, The Wire May 24, 2021, available at < https://thewire.in/tech/data-protection-law-india-right-to-privacy >, accessed July 24, 2021

[5] Section 69, Information Technology Act, 2000

[6] Supra note 3

[7] Tanmay Singh and Anushka Jain, “Surveillance Reform Is the Need of the Hour”, The Hindu July 19, 2021, available at < https://www.thehindu.com/opinion/op-ed/surveillance-reform-is-the-need-of-the-hour/article35414371.ece >, accessed July 30, 2021

[8] Supra note 4

[9] People's Union of Civil Liberties v. Union of India AIR 1997 SC 568

[10] Akansha Kumar, “Radia Tapes: How One Woman's Influence Peddling Led to a Snake Pit”, The Quint February 2, 2018, available at < https://www.thequint.com/explainers/what-are-niira-radia-tapes-explained#read-more >, accessed July 24, 2021

[11] Justice K.S.Puttaswamy(Retd) vs Union Of India (2017) 10 SCC 1

[12] Ibid at Para 636(vi)

[13] Aashish Aryan ‘ Justice Srikrishna: Data protection law would have held govt to account’, The Indian Express, July 23 2021, available at < https://indianexpress.com/article/business/project-pegasus-justice-srikrishna-data-protection-law-would-have-held-govt-to-account-7417689/ > accessed August 1, 2021

[14] Natasha Lomas, ‘Researchers Spotlight the lie of 'Anonymous Data', available at < https://techcrunch.com/2019/07/24/researchers-spotlight-the-lie-of-anonymous-data/ >, accessed July 30, 2021

[15] Supra note 3

[16] Supra note 7

[17] Prabhu Mallikarjun, ‘Pegasus rising: Data protection bill could save govt from accountability’, The Federal, July 20 2021, available at < https://thefederal.com/news/pegasus-rising-data-protection-bill-could-save-govt-from-accountability/ > accessed on August 1, 2021

[18] “The EU General Data Protection Regulation” Human Rights Watch October 28, 2020, available at < https://www.hrw.org/news/2018/06/06/eu-general-data-protection-regulation >,  accessed July 30, 2021 

[19] Ibid 

[20] “The Privacy Act”, OAIC, available at < https://www.oaic.gov.au/privacy/the-privacy-act/ >, accessed August 6, 2021 

[21] “Security Cameras”, OAIC, available at < https://www.oaic.gov.au/privacy/your-privacy-rights/surveillance-and-monitoring/security-cameras/ > accessed July 30, 2021

[22] “UPR Documentation”, OHCHR UPR Contribution Submissions, available at < https://uprdoc.ohchr.org/ > accessed July 24, 2021