Posted on August 2, 2021
Authored by Ritika Acharya*

Introduction
In June 2021, numerous reports emerged about a spyware called ‘Pegasus’ being used by the Indian government (“Government”) to hack the mobile phones of over 300 journalists, human rights activists, business persons, and politicians. Developed by a private Israeli firm, the Pegasus spyware, when targeting a mobile phone, has the ability to read messages, track and record calls, track user activity within apps, gather location data, access the phone’s video cameras, or listen through its microphones.
Besides being a grave violation of both human rights and legal rights, such surveillance has broader implications for cross-border data transfers between India and other jurisdictions. India’s data protection practices are already viewed internationally with skepticism, given that it lacks a comprehensive law protecting its citizens’ data. This article aims to analyse how the Pegasus scandal may impact the transfer of data between India and the EU, especially in light of the judgement rendered in July 2020 by the Court of Justice of the European Union (“CJEU”) in C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems Ruling”).
Infraction of Indian Law
Although it is legal for the Government to carry out interception and monitoring as per the standards laid down by Section 69 of the Information Technology Act, 2000 (“IT Act”), in no circumstance does the IT Act permit interception through the use of spyware. Rather, installing spyware on a computer or a mobile device constitutes a cybercrime under Section 43 and Section 66 of the IT Act.
So far, the judicial precedents in India have upheld an individual’s right to privacy as being inclusive of the use and control over one’s mobile phone/electronic device. The Hon’ble Supreme Court in People’s Union for Civil Liberties v. UOI has concluded that any interception by means of hacking/tapping of a phone is an infringement of Articles 14, 19 and 21 of the Constitution. Unauthorized interception through spyware also violates the doctrine of proportionality set out by the KS Puttaswamy v. UOI judgement, as per which any invasion of privacy should be proportionate to the goal it seeks to achieve. Pegasus is not a lawful method of Government interception, and no information has been released by the Government about the purpose for which it deployed the spyware. This makes the Government’s use of Pegasus arbitrary and in excess of its powers.
A Summary of the Schrems Ruling
In the Schrems Ruling, the CJEU took a detailed look at the ‘Privacy Shield’ mechanism of data transfer between the US and the EU. It found certain US surveillance practices such as PRISM and UPSTREAM invasive of Europeans’ privacy. The Court held that the US did not provide for an essentially equivalent, and therefore sufficient, level of data protection as guaranteed by the General Data Protection Regulation (“GDPR”) and the EU Charter of Fundamental Rights (“CFR”).
The legal basis of US surveillance programmes was not limited to what was strictly necessary and would be considered a disproportionate interference with the rights to protection of data and privacy, since they did not sufficiently limit the powers conferred upon US authorities and lacked actionable rights for EU subjects against US authorities. Thus, the CJEU invalidated the Privacy Shield. EU companies had to refrain from transferring data to the US under the Privacy Shield framework as a result of the Court's decision. Companies that continue to transfer data through a legally invalid mechanism face a fine of €20 million or 4% of their global turnover, whichever is greater, as per Article 83(5)(c) GDPR.
How Might Pegasus Violate the Schrems Ruling?
The transfer of data from the EU to India is quite common, particularly when EU companies outsource their data processing to Indian companies. If the Government uses Pegasus to spy on Indians, it could invariably end up accessing any EU subjects’ data in the possession of Indians. This is a real possibility, considering that the scope of Pegasus could be much broader than what the news reports suggest. Consider the following scenario: European company A transfers the data of EU subjects to Indian company B. The Government then deploys Pegasus to spy on the business operations of company B. In doing so, it gains unauthorized access to EU subjects’ data.
The Government’s surveillance through Pegasus may not be in line with the Schrems Ruling because it would highlight the Government’s failure to safeguard EU subjects’ data and the lack of actionable rights for EU subjects against Indian authorities. Given the scarcity of information about how Pegasus has been used and exactly whom it has targeted, it is unclear whether there lies any legal remedy for Indians against the Government’s misuse of Pegasus, let alone whether EU subjects would have any legal remedy should their data be indirectly spied on.
Unchecked snooping through Pegasus could also be evidence that India does not maintain adequate data protection as per the GDPR standards. If this surveillance is expanded to EU subjects’ data, it would bring the Government under fire from the EU regulatory authorities. Transborder data flows are vital for India’s exports of services and the EU is one of the key markets for India’s ICT-enabled services.
Currently there are no official reports of the Government tapping into EU subjects’ data through Pegasus, but the danger still persists. The Pegasus revelations might prompt the European Commission to conduct a probe into the matter in relation to surveillance of EU subjects. Hence, it is essential to put in place stronger barriers to restrain unfettered data access by the Government.
Conclusion
Following the revelations, activist Saket Gokhale filed an RTI query to the IT Ministry’s finance division and the computer emergency response team (CERT-IN) regarding budgetary allocation for Pegasus. Though CERT-IN stated that it had no information relevant to the query, the integrated finance division stated that the query is within its scope and that it may have information regarding the Indian government's purchase of Pegasus licenses.
Writ Petitions and PILs have also been filed in the Supreme Court seeking an independent enquiry, led by a serving or retired Supreme Court judge, into allegations that Pegasus was used to spy on journalists, attorneys, government ministers, opposition lawmakers, and civil society activists, among others. The Petitioners also want the Government to reveal whether it or any of its agencies have secured licenses for Pegasus and/or have employed it in any way, either directly or indirectly, to conduct surveillance.
There has been no official response yet to either the RTI or the petitions. Positions have been inconsistent, with Government officials having denied the allegations. The extent of spying that was done, and perhaps is still being done, is unknown. It will be interesting to see how the Pegasus saga plays out.
*Ritika Acharya is a Researcher at IntellecTech Law who takes a keen interest in technology law. She is also a law student at Maharashtra National Law University (MNLU) Mumbai, with a passion for reading and writing.