Survey exercise carried out by IT Dept at Newsclick and Newslaundry offices violated safeguards for right to privacy laid out in Puttaswamy verdict

The manner in which Income Tax Department officials conducted surveys at the offices of Newsclick and Newslaundry is, on the face of it, in abrogation of proportionality test for preservation of the right to privacy prescribed in the Supreme Court’s landmark Puttaswamy judgment, as well as Section 133A of the Income-tax Act and the applicable Information Technology Rules, writes VINEET BHALLA.

————-

ON September 10, Income Tax Department officials conducted survey operations under Section 133A of the Income-tax Act at the offices of the news websites Newsclick and Newslaundry in Delhi. These surveys, which were seemingly carried out without prior notice to either organization, lasted for about 12 hours each, from noon on September 10 till midnight at both offices.

According to the statement released by Newsclick, as part of the survey operation, the Income Tax Department (IT) team impounded the phone of Newsclick’s Editor-in-Chief Prabir Purkayasth, took away documents from the office premises, and took email dumps of Purkayasth, another editor, and various administrative and financial accounts related to Newsclick. The phones of the employees and staff present at the office were temporarily seized too, and they were not allowed to use their computers and work.

As per Newslaundry’s statement about the survey, co-founder and CEO Abhinandan Sekhri’s personal mobile phone, laptop and a couple of office machines were taken control of by the IT team, which then took copies of all the data on these devices without providing signed hash value of the copied data to Sekhri. Sekhri was told that he couldn’t consult his lawyer since “the law requires [him] to comply without seeking legal advice”.

Since then, both the Editors Guild of India and the Delhi Union of Journalists have condemned and expressed concern at the survey exercise, terming them as blatant attempts to intimidate both organizations and the press in general.

It is pertinent to note that Newsclick is under investigation by the Enforcement Directorate and the Economic Offences Wing of the Delhi Police. The former had raided their office earlier this year as well. Newsclick has contested the allegations in court.

Similarly, Newslaundry was also visited by an IT team in June. No allegations against either organization stand proven at this stage.

Did the surveys violate the fundamental right to privacy?

The impounding of Purkayasth’s phone, and the cloning of data from Sekhri’s personal phone and laptop certainly appear to be intrusions into their privacy, since these devices contain the individuals’ personal and professional data as well, rather than just data pertaining to the subject of the IT teams’ enquiry.

The right to privacy was recognized as a fundamental right protected by the Constitution of India by the Supreme Court in its landmark Puttaswamy judgment in 2017. Like all other fundamental rights, however, the apex court clarified that the right to privacy is not absolute, and can be overridden by competing state and individual interests.

The main test for determining whether privacy was infringed advanced by a majority of the nine-judge Constitution bench is the proportionality test, espoused by the plurality opinion of Justice D.Y. Chandrachud (written on behalf of the Chief Justice J.S. Kehar, Justices R.K. Agrawal and S.A. Nazeer, and himself) and the opinion of Justice S.K. Kaul).

As per this, three factors must be reviewed: legality (that is, the existence of a law), legitimate goal (that is, the law should seek to achieve a legitimate state aim), and proportionality (there should be a rational nexus between the objects and the means adopted to achieve them). The impugned action must also satisfy the test of “just, fair and reasonable” procedure under Article 21 of the Constitution.

Also read: One year of Right to Privacy: Looking at expansion of rights and impact on pending constitutional bench cases

What Section 133A of Income-tax Act and applicable Information Technology Rules say

Does section 133A of the Income-tax empower IT officials to take control of, and make copies of data from, personal devices of any person in an unregulated manner? Clause (i) of sub-section (3) of the section allows IT authorities to “place marks of identification on the books of account or other documents inspected by him and make or cause to be made extracts or copies therefrom”.

The legal parameters for any government officers to “intercept, monitor or decrypt” information in any computer resource are set out in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. As per these rules, the order for interception, monitoring or decryption of information under Rule 3 must be communicated to the “person in-charge of the computer resource” as per Rule 12. As per Rule 13, such a direction must be made in writing to the latter by the officer carrying out the order.

The impounding of devices and copying of personal information from personal devices by the IT officials fits within the definition of interception in the Rules, as the said definition, provided in Rule 2(l), includes the “viewing, examination or inspection of the contents of any direct or indirect information”.

Moreover, the proviso to section 133A(3) of the Income-tax Act specifically states that impounding of “books of account or other documents” can be done by an IT authority only after recording reasons for doing so. Additionally, the proviso to section 133A(6) states that an Assistant Director or a Deputy Director or an Assessing Officer or a Tax Recovery Officer or an Inspector of Income-tax can carry out a survey only after obtaining the approval of the Joint Director or the Joint Commissioner as the case may be.

In both the survey exercises, neither was any order for interception furnished by the IT officials, nor did they share any recorded reasons for impounding computer devices. Without the requisite transparency, it is not possible to ascertain whether the requirement of the proviso to section 133A(6) was met.

Thus, their actions prima facie fail the legality criterion.

Also read: A predictable letdown: The journey from Right to Privacy to Aadhaar verdict

Why was signed hash value of copied data not given?

Every digital storage device has a unique own hash value in the form of a 16-digit alphanumeric code. This hash value can change with the slightest alteration or modification in the device.

Therefore, when such devices are seized by State authorities, it is crucial to record its corresponding hash value, and give a copy of the same to the owner of the device. This process does not take more than a few minutes.

This is crucial for forensic evidence collection because any addition, deletion or modification made in the device after its seizure would cause a consequent change in its hash value. The hash value is, therefore, vital to check the integrity of a digital device, and its safety from unauthorized change.

How, then, can the cloning of data from personal devices without providing a signed hash value of the same be justified as a proportionate means to achieve whatever object the IT officials had? This is a blatant disregard of an integral principle of sound digital evidence, as it fails to, for instance, safeguard against the IT officials falsely claiming to have found something incriminating in the data copies.

Clearly, then, the proportionality criterion of the test is not fulfilled as well.

Also read: After Washington Post Exposé India Needs to Amend Rules on Electronic Evidence

Which law requires compliance without seeking legal advice?

While there exists a rather limited right to legal counsel in India, it is still astounding that State officials prevented an individual from consulting his lawyer while taking control of his personal data, and told him that he is legally mandated to comply with their demands without seeking legal advice.

Once again, there is nothing in section 133A of the Income-tax Act that enables such a direction. In the absence of any procedure for the curtailment of what is a basic legal right, this specific directive also fails to satisfy the test of “just, fair and reasonable” procedure.

Through this analysis, one is led to the inescapable conclusion that the manner in which the survey exercises were carried out were prima facie violative of Sekhri’s and Purkayasth’s fundamental right of privacy, and outside the bounds of the provisions of both section 133A of the Income-tax Act and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules.

Using unlawful means to pursue even lawful means is improper. If, as is being speculated, it was done purely to harass media companies for critical reporting, then it represents a danger that further weakens press freedoms in India.

(Vineet Bhalla is a Delhi-based lawyer, and part of the editorial team at The Leaflet. The views expressed are personal.)