India: New laws needed to protect citizens from invasive profiling

There is an increase in the Orwellian nature of schemes and programmes being launched in India, in spite of the absence of concrete privacy and data protection laws. While a major step towards mass surveillance was taken a few years ago in the form of “Aadhaar”, the central and state governments have subsequently adopted schemes which involve collection and processing of voluminous amounts of data.

A 12-digit identity

The Unique Identification Authority of India (UIDAI) was set up in 2009 and is responsible for assigning every citizen with a twelve-digit unique identity number (Aadhaar) after collecting their biometric and demographic data, which is stored in centralised databases. Termed to be the world’s largest identification project, the Aadhaar scheme received severe criticism from privacy advocates.1 However, the government has continued to link various social welfare schemes to the Aadhaar number2, which is blatantly antithetical to the Supreme Court order stating that obtaining an Aadhaar is purely voluntary3, thus making it mandatory for people to provide the government with data in return for an identification number. The government is shielding the centralised storage of such data with Section 43A of the Information Technology Act, which does not extend to government bodies as the data collected by them is not in furtherance of engaging in commercial or professional activities.

States’ mechanisms of surveillance

While the debate around Aadhaar continues, states across the country have been implementing their own mechanisms of surveillance in the name of tackling crime.4 For example, the New Delhi Police has submitted a proposal for setting up a centre to monitor social media behaviour in furtherance of predicting unwarranted movements and terrorist attacks.5 However, the surveillance mechanisms have not just been restricted to tackling crime. States have adopted the “smart grid” project which identifies cities from different states and aims at developing them into “smart cities”6. As part of this project, the government aims at installing “smart meters” across households and other establishments, which will replace the existing traditional meters.7 Although, this prima facie does not reveal the surveillance prospects of such schemes, smart meters inherently constitute an element of real-time surveillance. Smart meters collect real-time data on energy consumption and communicate the same to the service provider at short intervals. This provides the energy supplier with information about the patterns of electrical appliance usage in one’s home, thus making it possible to trace the daily routine of an individual’s life.8

The state of Telangana is in the course of establishing an enforcement agency called “Integrated People Information Hub” as an initiative of 'smart policing', which claims to tackle and control crime in the state.9 The initiative aims to store the citizen’s name, name of the mother, name of the father, date of birth, Aadhaar number, address, voter ID, mobile number, driving license and a crime number in the system.10 The ambit of the information gathered is also expected to extend to intimate details of a citizen’s daily life and routine. This is a flagrant violation of the Principle of Least Privilege, which mandates that any system or programme should only have access to data that is essential for a legitimate purpose. Not only this, but the mass surveillance scheme also defies the privacy principles as propounded by Justice (retired) Ajit Prakash Shah Law Commission of India.11

Central monitoring system

The Indian government is steadily moving towards a mass surveillance regime with its Central Monitoring System (CMS) becoming fully operational. Through this system, the government looks at automating the “lawful interception and monitoring of telecommunications”, which includes data and voice records from the internet, landlines and mobile phones.12 Using the pretext of crime control and reduction, the government has adopted the Crime and Criminal Tracking Network and Systems along with CMS, which can prove to be mass surveillance in disguise, and therefore exposing personal data in a jurisdiction that enjoys a deficit in data protection and privacy laws. Furthermore, the central government also adopted schemes such as Lawful Intercept and Monitoring (LIM) - a surveillance mechanism monitoring all forms of mobile and internet usage, including GPRS data and recharge history, and the NatGRID - a government anti-terrorism scheme, which functions using big data and data analytics to trace and track suspected terrorist activities.13

As Michel Foucault rightly interprets Jeremy Bentham’s idea of “Panopticon”, mass surveillance by enforcement bodies has a “chilling” effect on the behaviour of individuals, thus restricting their individual liberty. While it can be argued that such a model will control criminal behaviour, it is a serious impediment for a majority of the citizens.

Ambiguity around the right to privacy

The dearth of data protection and privacy laws to govern surveillance, data collection and retention have only added to the existing imbroglio. Although, the right to privacy has been read into Article 21 of the Indian Constitution - which guarantees the right to life - through numerous judgments over the years14 In another case, the Supreme Court was confronted with the right to privacy in light of the Aadhaar programme (Unique Identity Scheme). The Attorney General had argued that the right to privacy is not a fundamental right guaranteed in the Constitution of India and therefore, the scheme cannot be challenged on the same ground. The issue currently stands unresolved and has been referred to a larger bench. The existing ambiguity about the right to privacy has resulted in an increased precariousness with respect to the legality of surveillance mechanisms. Similarly, while the IT Act and the Telegraph Act do contain provisions with respect to data retention and interception of communications, these do not address the centralised collection and storage of data by government authorities.13

India in need of a comprehensive set of laws and guidelines

In the age of big data, as state and central governments continue to take steps towards further surveillance and data collection, it is important to pass laws which protect the privacy of an individual and ensure the security of their data. These laws can be drawn and adopted from jurisdictions around the world which have implemented concrete guidelines on data protection and privacy. For example, although the United States does not have a blanket data protection law, information and privacy is safeguarded on a sector-by-sector basis through the respective laws and regulations. Section 5 of the Federal Trade Commission Act covers issues of privacy with respect to consumer protection. Similarly, breach of any of the provisions under the Electronic Communications Privacy Act leads to the imposition of criminal sanctions.

A primary source of inspiration for the Indian government could be the data protection laws and guidelines in the European Union. The European Union’s General Data Protection Regulation (GDPR) came as a significant change to the data protection laws in the EU after the previously enacted EU Data Protection Directive of 1995. The GDPR constitutes a broad set of guidelines to ensure the security of personal and public information of individuals and applies uniformly to all EU member states. Not only this, but the EU parliament has also proposed a draft Police and Criminal Justice Data Protection Directive, which would govern the processing of personal data of individuals by authorised bodies. The GDPR along with data protection directives form a comprehensive set of laws and guidelines which provide a blanket protection to citizens from the invasive profiling or analytical mechanisms.

Australia has the Commonwealth Privacy Act of 1988, which was amended in 2000. This Act applies to all government organisations, credit reporting agencies and private sector entities.

In a stark contrast to this, government bodies have not been interpreted to come within the ambit of Section 43A of the IT Act in India. This is a serious predicament in light of the existing surveillance schemes where the government bodies collect and store information in centralised databases. There is an impending requirement of the Indian legislators to draft and implement regulations which focus primarily on data protection of individual citizens. The same can be taken from various countries which have the requisite laws in place and these can then be modified to fit into the Indian context. While these laws and regulations develop and take shape in India, it is crucial to avoid exploitation of personal information and data of the individuals in the absence of such laws.



1. Chinmayi Arun, Privacy is a fundamental right, THE HINDU, 18th March 2016, Critique of the Aadhaar Bill 2016, CIS India, 16th March 2016,; Vanya Rakesh, Aadhaar Act and its Non-Compliance with Data Protection Law in India, CIS India, 14th April 2016, Sunil Abraham, Surveillance Project, CIS India, 5th April 2016, Software Freedom Law Centre, Evaluating the Aadhaar Bill against the National Privacy Principles, 11th March 2016,

2. K. Balchand, AADHAAR to be linked to MNREGS wages, THE HINDU, 7th October 2011, Aadhaar Mandatory for Availing Subsidised Foodgrains from PDS, THE HINDU, 9th February 2017,

3. Justice K.S. Puttuswamy (Retd.) & Another vs. Union of India & Others,

4. V.S. Palaniappan, Police to step up city’s surveillance, THE HINDU, 20th June 2012, Kritika Sharma, Delhi police stay one step ahead of criminals using digital technology, DAILY MAIL, 16th September 2013,

5. Tohid Ahemed Queshi, Delhi Police to set up centre to analyse social media content, LIVEMINT, 8th June 2014,

6. India – Puducherry smart grid pilot to be expanded to 87,000 meters, METERING AND SMART ENERGY INTERNATIONAL, 22nd October 2013, Ericsson bags India smart meter deal, METERING AND SMART ENERGY INTERNATIONAL, 21st April 2016,

7. Piyush Goyal, We should look at a smart meter in every home, THE HINDU BUSINESSLINE, 16th February 2016,

8. Cheryl Dancey Balough, Privacy Implications of Smart Meters, 86 CHI.-KENT L. REV. 161, 166 (2011).

9. Srinivas Kodali, Hyderabad’s ‘Smart Policing’ Project is Simply Mass Surveillance in Disguise, THE WIRE, 8th February 2017,

10. A centralized database of citizens in the state of Telangana is under consideration, TECH FIRSTPOST, 31st January 2017, Thejesh G N, Hyderabad Police have Orwellian plans for you, they’re building a surveillance hub, 2nd February 2017,

11. Report of the Group of Experts on Privacy, Chaired by Justice AP Shah, Former Chief Justice, Delhi High Court,

12. India’s proposed mass surveillance programme seen as a blow to internet freedom, INTERNATIONAL BUSINESS TIMES, 10th February 2017,

13. a. b. State of Privacy in India, PRIVACY INTERNATIONAL,

14. Gobind v. State of M.P. (1975) 2 SCC 148; R.Rajagopal & Another v. State of Tamil Nadu & Others (1994) 6 SCC 632; PUCL v. Union of India (1997) 1 SCC 301. Unique Identification Authority of India & Anr. v. Central Bureau of Investigation (2014)

Add new comment