The recently-notified Information Technology Rules, 2021 (“IT Rules”) have invited raised eyebrows on many aspects, one of which is the government’s power to demand information from intermediaries. To place some of that debate in an interesting comparative context, this piece compares the IT Rules with China’s National Intelligence Law, 2017 (NI Law).
At the outset, it should be noted that the two instruments being compared are fundamentally different in some sense. The Indian IT Rules, framed in exercise of surveillance powers under Section 69 of the Information Technology Act, 2000 read with Section 5 of the Telegraph Act, 1885, are expressly aimed at regulating data-sharing and other obligations of intermediaries.
The Chinese NI Law, on the other hand, is a general national security law with broad provisions that implicitly cover intermediaries, effectively imposing on them a duty to share data with the state in some eventualities.
Nonetheless the two instruments are eerily similar in terms of their practical operation, and it is that similarity that this piece seeks to explore.
Overview: Three Parameters of Comparison
Both the Indian and the Chinese regimes empower governmental agencies to order intermediaries to share information with them. Under the Indian IT Rules, any authorised government agency may order an intermediary to share any “information under its control or possession” and render “assistance” to the government agency, and the intermediary is obligated to comply with the order within 72 hours of receiving it.
This duty is traceable in large part to the aforementioned provisions of the IT Act and Telegraph Act, although the 72-hour condition is a new addition introduced by the IT Rules.
Under the Chinese NI Law, national intelligence agencies enjoy a wide power vis-à-vis all individuals and organisations including intermediaries. These powers are phrased with different severities. For instance, Article 14 of the Law provides that agencies can “request” for “necessary support, assistance, and cooperation” from “organs, organisations, and citizens”.
Article 16 takes a harsher tone; it provides that agencies may “enter relevant restricted areas and venues”, “learn from and question… institutions, organisations, and individuals”, and “read or collect relevant files, materials or items”.
Article 7 supplements both these provisions by imposing a duty on “[a]ll organisations and citizens” to “support, assist, and cooperate with national intelligence efforts”. To entities that fulfil these duties, Article 7 promises state “protection”; to those who fail to do so, the implied message is punishment.
There are three critical parameters on which the two regimes make for an interesting comparison. These are:
(i) The purpose for which governmental agencies may demand information from intermediaries
(ii) The burden of justification and transparency imposed on governmental agencies before demanding information
(iii) The level of judicial oversight involved in the process
Readers may note, as a preliminary point, that the proposed data protection laws of neither country would affect this inquiry. Under both proposed regimes, while consent is ordinarily required before an intermediary can be asked to share personal data with any third person, an exception is made in cases where data-sharing is required by law.
Section 12 of the draft of Indian Personal Data Protection Bill, 2019 provides that the principle of consent does not apply where the “processing” of data—which includes its sharing—is required “under any law for the time being in force”, which would include the IT Rules framed under the IT Act and the Telegraph Act.
More specifically, Section 35 provides that the Central government may grant immunity to authorised agencies from the rigours of the law if necessary for preservation of public order, security of the state etc.
Section 36 states that the provisions of the law shall not apply where personal data is required for the “prevention, detection, investigation, and prosecution” of any offence. Likewise, Article 13 of the draft Chinese Personal Information Protection Law provides that consent need not be obtained where any law or regulation provides otherwise, and Article 35 specifically exempts state actors from obtaining consent where the same would “impede state organs’ fulfillment of their statutory duties and responsibilities”.
Purpose of Data Collection
Under the Indian IT Rules, the purposes for which government agencies may direct intermediaries to share information are:
(i) “For the purposes of verification of identity”
(ii) “For the prevention, detection, investigation, or prosecution, of offences under any law for the time being in force”
(iii) “For cyber security incidents”
Of these, the first purpose is vague and overbroad for not specifying why the government agency might want to “verify” the identity of any person. Individuals often have a valid interest in preserving their anonymity against the state, and that interest should not be interfered with absent reasonable cause.
The idea behind (i) is obviously to expand the scope of information that governmental agencies may obtain. One could suggest that condition (i) has to be read with conditions (ii) and (iii) such that the government agency may ask for information for identity verification only if such verification is required for “detection, investigation, or prosecution, of offences” or for reasons of “cyber security”.
But such a reading would effectively render the first requirement redundant —conditions (ii) and (iii) would have been sufficient to permit collection of identity-related information for the specified purposes. Hence, the insertion of condition (i) is disconcerting.
The Chinese National Intelligence Law is even vaguer in this respect. In fact, there is no dedicated provision in the law that lists out the valid purposes for which the power may be exercised.
The only relevant provision in this regard is Article 2, which lists the purposes towards which national intelligence efforts are geared. Somewhere in this list are the vague words “the welfare of the people”— which, as any constitutional lawyer would tell you, is practically tantamount to “whenever the state wants”.
Justifications and Transparency: Questions of Accountability
The second parameter for comparison is the burden placed on governmental agencies to be transparent and accountable. It is settled law in India that privacy infringement cannot be justified by simply stating the purpose of it; a case must additionally be made out for its proportionality vis-à-vis the purpose cited. While the Indian IT Rules do provide that the order issued by the governmental agency must be a written order and “clearly” state the “purpose” for which the information is sought, there is no requirement for reasons to be written in the order. Further, there is no requirement that the order issued by the governmental agency be published or even communicated to the persons whose information is sought to be obtained by the government.
In other words, the governmental agency can compel intermediaries into supplying information without any public accountability.
The Chinese Law at once performs worse and better than the Indian Rules. It performs worse because no provision in the Law even requires the publication of a written order, let alone a reasoned one, before information can be demanded from intermediaries.
At the same time, there is a subtle but important suggestion in Article 10 that agencies may use only “necessary” means and tactics to carry out intelligence efforts. This is supplemented by Article 31, which prescribes that intelligence agency personnel who exceed their powers under the Law shall be liable for prosecution and punishment.
The absence of an analogous safeguard under the Indian Rules is disappointing.
Intermediary Liability, Absence of Judicial Oversight
To make it worse, both regimes provide for criminal penalties that may visit the intermediary in case it fails to comply with the agency’s request.
Rule 7 of the Indian IT Rules stipulates that intermediaries shall lose the statutory ‘safe harbour’ protection—i.e., immunity from civil and criminal liability for content hosted passively by them on their platforms—in case they breach any of the provisions of the Rules.
On the other hand, Article 28 of the Chinese National Intelligence Law prescribes criminal penalty for “obstructing national intelligence work institutions and their staffs’ lawful carrying out of intelligence work”.
Given that Article 7 imposes a duty on all individuals and organisations to cooperate with the relevant agencies, it appears that non-furnishing of the information sought would amount to “obstruction” within the meaning of Article 28. This framework is complemented by the draft Chinese Personal Information Protection Law, under which intermediaries “bear responsibility for their personal information handling activities” and are prohibited from “engag[ing] in personal information handling activities harming national security or the public interest.”
On top of these stringent provisions, both regimes are marked by a complete absence of judicial oversight. A power that permits serious privacy infringement must be subject to judicial control in some way.
But government agencies under the two regimes are not required to obtain any judicial warrant before demanding information from intermediaries; neither do intermediaries have the option to appeal the agency’s order before a tribunal. This puts intermediaries in a tough spot every time an agency demands private information from them—the prospect of saying ‘no’ is thin.
In any event, the intermediary under the Indian Rules is given merely three days to comply (no similar period is specified under the Chinese regime), which is too short a time to agitate legal remedies against potential privacy infringement. A subsequent challenge to the agency’s actions would not be beneficial since data sharing is (more or less) permanent and irreversible.
These facets of the Indian and Chinese regimes—vague purposes, minimum accountability, and lack of judicial oversight coupled with harsh penalties—render governmental agencies virtually unaccountable for privacy infringement while demanding data from intermediaries.
The two nations would do well to revise these aspects and put in place a more democratic system of data sharing.
(Shrutanjaya Bhardwaj is a practising advocate in Delhi and Sonipat, and a research consultant with the Center for Communication Governance, NLU Delhi. His primary academic interest lies in constitutional law, media law and statutory interpretation. This is an opinion piece, and the views expressed are the author’s own. The Quint neither endorses nor is responsible for them.)