Merriam-Webster defines "surveillance" as "keeping a close watch on someone or something" [1] in the relevant context, this would refer to real-time surveillance or interception - particularly of data and communication in the electronic sphere or internet - intercepted through telecommunication systems which is conducted by a government with legal approval, with private entities not being entitled to conduct surveillance.

In India, the Indian Telegraph Act, 1885, and Information Technology Act, 2000, largely govern surveillance, dealing with call interception and data interception respectively. As for the organizations that primarily conduct surveillance in India, government agencies such as the Central Bureau of Investigation, National Intelligence Grid, and others are the main actors in this regard.

The IT (Procedures and Safeguards for Interception, Monitoring, and Decryption of Information) Rules of 2009 [2] laid out guidelines for the interception of communication, to be read alongside section 69(2) of the IT Act [3]. Correspondingly, Rule 3 states that only certain competent authorities can issue orders for interception or monitoring of any information of any computer resource or mobile phone.

The protection of personal data is enshrined under the Right to Privacy, which is assured under Article 21 of the Constitution of India which states the right to life and personal liberty [4] ; the analysis that this provision includes the right to privacy was held by the Supreme Court of India in Justice K.S. Puttaswamy v. Union of India (2017) [5] , wherein privacy was established as a facet of personal liberty, thus confirming it as a fundamental right which must be protected whilst engaging in necessitated surveillance.

However, the lack of a data protection legislation in India further deepens the grey area that remains regarding ensuring the balance of the right to privacy with the surveillance of private communication - an issue faced globally, though with less safeguards in some countries than others. This is demonstrated by the survey, conducted in October 2019 by UK-based security firm Comparative, that assessed 47 countries and their methods of conducting surveillance whilst protecting privacy [6].

Only five countries were found to have suitable safeguards; meanwhile, most were found to be actively conducting surveillance on their citizens and further sharing the gleaned information, with India being one of the most noted offenders due to the data protection bill being yet to take effect.

Legal Perspective.
In Justice K.S. Puttaswamy v. Union of India (2017) [7], the Right to Privacy was stated by the Hon'ble Supreme Court to be a fundamental right under Articles 14, 19, and 21 of the Constitution of India. As such, any actions which restrict the right to privacy - such as surveillance - can only be justified through being prescribed by law, which would require the surveillance to be necessary to achieve a legitimate aim and proportionate to that pursued aim.

Restrictions to the fundamental right to privacy certainly exist, noted by the Supreme Court in multiple instances: restriction by a just, reasonable, and fair procedure established by law[8] is valid, as is restriction due to an important counteracting interest which is either superior or if there is a compelling state interest that must be served [9]; further, a person voluntarily entering controversy may not be able to avail the protection of the right to privacy [10].

Thus, the gray area that exists in maintaining a just balance between instances which require surveillance and the right to privacy - particularly in terms of private communication - is clear.

The Right To Privacy Under Surveillance Allowances In India

As for legislation regarding Internet surveillance in India, the Information Technology Act, 2000, contains the related provisions; considering that in this contemporary age, communication over the internet encapsulates the majority of what would be considered "private communication" in terms of vulnerable data, this form of interception is the most relevant with regards to surveillance of private communication.

The IT Act authorizes the Government under Section 69 to conduct surveillance of internet data, on various broad grounds relating to the nation's interests. In due succession, the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009,lay down the procedural law related to the surveillance conducted under Section 69.

Section 69 of the IT Act allows for the interception, monitoring, and decryption of digital information as long as it is done in the interest of India's sovereignty and integrity and other such goals, or the prevention of or investigation of an offense; however, it notably includes the addition of "the occurrence of public emergency of the interest of public safety", which largely broadens the ambit of power allowing for surveillance by discretion.

Whilst the IT Interception Rules stipulate the procedure that must be followed for a valid issuance of interception directions, there is a lack of provision for judicial authorisation or surveillance oversight, despite their being the best-suited for carrying out legal tests and ensuring interference with privacy carried out in this manner is compliant with the principles of proportionality and necessity.

In terms of consent prior to the collection of personal data specifically, Rule 5 of the IT Rules 2011 does require the consent of the subject to be delivered in writing; however, this rule does not apply to all forms of personally identifiable data, but purely to sensitive personal data or information - which significantly narrows the application of the rule necessitating consent before personal data collection.

Nevertheless, in a step which affirms the protection of privacy, the High Court of Bombay in the case of Vinit Kumar v. Central Bureau of Investigation (2019) [11] observed that in the absence of risk to the people or the interest of public safety, orders for interception of phone calls and tapping cannot be justified. This offers a strong backing to the principle of protecting privacy with regard to phone tapping and interception, which are particularly concerning forms of surveillance, in all circumstances other than specific risk to the public at large — a necessary judgment, as it vastly reduces the scope of discretion which surveillance authorities may take in deciding whether call interception or tapping is warranted, which previously likely led to circumstances wherein unnecessary interception of data was justified under the reasoning of discretion in surveillance.

Comparative Analysis with surveillance laws of the United Kingdom, European Union, and South Africa

In the United Kingdom, the Regulation of Investigatory Powers Act, 2000[12] governs investigation and surveillance conducted by governmental bodies, as well as providing guidelines for public authorities, such as these governmental bodies, other departments, or the police force pertaining to the correct process for the obtaining of any private information, with the main causes allowing surveillance and investigation involving crime, terrorism, or other public safety or emergency needs. As for the continent of Europe, member countries of the European Union have tended to also follow the Regulation of Investigatory Powers guidelines as a guiding legislation; the Data Protection.

Directive established for the protection of data additionally ensures the right to privacy of individuals is not violated, as it regulates the processing of data in the European Union. A particularly notable recent development internationally which has gained prominence for its pronouncement on the surveillance of private communication infringing on the right to privacy is the case of AmaBhungane Centre for Investigative Journalism v. Minister of Justice (2021) [13].

Heard by the Constitutional Court of South Africa; this case also held certain provisions of the South African legislation on surveillance i.e., the Regulation of Interception of Communications and Provision of Communication-Related Information Act 2002 (RICA), as unconstitutional. This case arose when the Petitioners approached the Court to challenge the constitutionality of a number of provisions of RICA, with the Court holding the concerned provisions unconstitutional.

The above judgment was made due to the lack of legal provisions ensuring the notification of subjects of surveillance as soon as would be possible without jeopardizing the surveillance itself, as well as safeguards as a whole; this includes safeguards to address that the interception-granting decrees are obtained ex parte, to ensure that the obtained data is managed lawfully with no unlawful interference, and notably to provide adequate safeguards where the subject of surveillance is a journalist or practicing lawyer to avoid the risk of infringing the confidentiality of client communications or a journalist's sources.

Various sections were noted to be necessarily included in revisions to the law, mandating disclosure of the subject's profession if they are a practicing lawyer or journalist to the judge allowing for specific directions regarding confidentiality to be issued, as well as mandating a post-surveillance notification to be issued to subjects within ninety days of the expiry of directed surveillance.

It is also notable that RICA does not discriminate between intimate personal communication and ordinary private communication which would not lead to objections regarding disclosure. It is important to note that the right to privacy grows in importance and intensity as the intimate nature of the personal information increases; a lack of distinction between ordinary and intimate communication allows for highly invasive privacy violations to take place without repercussion - not only on the subjects, but the third parties whose communication with them has been intercepted.

As such, the post-surveillance notification mandate allows for the subject to be afforded the opportunity to ensure the interception was lawful as well as hinder illegally-obtained interceptions from taking place. This was significantly noted in the legal community worldwide, as a strong stance on protecting the right to privacy and the intimate personal information of individuals whilst accepting the need for surveillance in certain scenarios.

The progressive understanding of data protection and right to privacy exuded by the South African Constitutional Court is pioneering as an example for courts worldwide in recognising the cognisant approach necessary to create legislation and issue judgements relating to technology, personal data, the right to privacy, and boundaries to surveillance.

Whilst the scenario in South Africa and to an extent, European Union nations, is comparatively more progressive and advanced in proactively protecting privacy and overseeing surveillance of private communication where it is necessitated, the Indian sphere mainly lacks a comprehensive legislation to govern data protection, post which it would be relatively at par considering that the right to privacy has been established as a fundamental right and the need for justified reasoning behind any surveillance has been noted by the judiciary, as mentioned above.

Considering that topics in relation to data are ever-evolving with the fast-paced progress of technology and relatively recent in themselves, it is important that legislative and judicial authorities in India and worldwide ensure that a progressive stance is taken towards these issues and an understanding of their importance is obtained to allow for laws and courts to protect people and their privacy with any surveillance activity being closely monitored and rigorously accountable to supervision.

Conclusion:
Overall, there has been increasing recognition that surveillance ought to require a judicial order to be conducted[14]; this, along with certain additional safeguards, would have a great effect on validating the right to privacy to the extent of protecting private communication as far as possible while under surveillance.

The establishment of an oversight mechanism to monitor all stages of interception for legal compliance and domestic and international obligations:
As well as an independent accountability system to guarantee monitoring and transparency of the process would aid this goal, as would the institution of an independent national data protection authority for investigation and redressal where necessary. Further, the need for a comprehensive and enforceable data protection legislation to be passed is significant; however, with these steps, the balance between the right to privacy and surveillance of private communication can be struck in an effective and sustainable way.

Foot-Notes:

1. Surveillance, Merriam-Webster Dictionary (11th ed. 2003).
2. Rule 3, Information Technology (Procedures and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009.
3. Section 69 (2), Information Technology Act, 2000.
4. India Const. art. 21.
5. Justice K.S. Puttaswamy v. Union of India (2017), 10 SCC 1.
6. Data privacy laws & government surveillance by country: Which countries best protect their citizens? (2019).
7. Justice K.S. Puttaswamy v. Union of India (2017), 10 SCC 1.
8. Maneka Gandhi v. Union of India (1978).
9. Gobind v. State of Madhya Pradesh (1975), AIR 1378.
10. R. Rajagopal v. Union of India (1994), 6 SCC 632.
11. Vinit Kumar v. Central Bureau of Investigation (2019) Bom 3155.
12. Regulation of Investigatory Powers Act 2000.
13. AmaBhungane Centre for Investigative Journalism NPC v. Minister of Justice and Correctional Services (2021) ZACC 3.
14. UN High Commissioner for Human Rights, Report on the Right to Privacy in the Digital Age, UN A/HRC/27/37, 30 June 2014