United States: A Fragmented Approach
Where the EU has a streamlined approach, America is much more sectoral and industry-specific about privacy. So much so, in fact, that the United States does not even have any kind of “federal comprehensive” privacy law similar to the GDPR; rather, it relies upon a patchwork of sectoral laws, for example, HIPAA, which covers health data, and COPPA, which governs children’s data. Beyond concerns for consumer protection, the concept of privacy protections in America does not have a higher level of recognition or embracing of privacy as an accepted right.[i]
The legal umbrella that the U.S. has given to state surveillance is broad, from agencies working within the states to that specifically of the context of the USA PATRIOT Act and the FISA. This legislation allows for the broad collection and monitoring of data on the part of agencies like the NSA without even requiring a warrant. The Edward Snowden revelations in 2013 highlighted the mass scope of US surveillance programs and triggered a global debate on privacy, with certain reforms, such as the USA FREEDOM Act enacted in 2015 that placed very modest restrictions on bulk collection.[ii]
India: Privacy and Surveillance
India has embarked on a journey regarding privacy and surveillance that is very new to the world recently. Such a journey has followed the judgment delivered by the Supreme Court in Justice K.S. Puttaswamy v. Union of India where the Court enacted privacy as part of Article 21 of the Constitution.
India, however, does not have its own comprehensive data protection law like the GDPR. The newly enacted Digital Personal Data Protection Act, 2023 has received a lot of flak for the broad exemptions it provides to surveillance by the state, especially on grounds of national security.
A Comparative Analysis: That Equilibrium
This kind of comparative analysis clearly reflects that the EU prioritizes individual privacy and robust data protection through strong enforcement mechanisms, while in the U.S., the framework gives out a pragmatic sector-specific approach with an emphasis on national security over comprehensive privacy rights. India is at crossroads and situated between identifying privacy as a fundamental right and state surveillance needs in a rapidly digitizing society.
The GDPR is often called the world’s gold standard that indeed governs other countries’ privacies regulation, such as Brazil’s Lei Geral de Proteção de Dados (LGPD) and Japan’s Act on the Protection of Personal Information (APPI).
On the other hand, U.S. style model has been impactful for countries such as Australia having a sectoral approach. The Indian legal trajectory of state actions makes ample sense under its Puttaswamy decision, wherein privacy rights can be seen emerging but the expansive surveillance powers provided to state agencies still are a matter of greater controversy.
State Surveillance Mechanisms: Instruments and Constitutional Effects
In this age of rapidly advancing technological know-how, the tools and mechanisms of state surveillance have long since outgrown the old-fashioned wiretap and physical spying modes.
Modern surveillance heavily depends on digital technologies that provide for monitoring what individuals do, which raises most critical concerns relating to privacy rights and state overreach. A number of countries, including India, have raised issues about proliferation of surveillance technologies such as facial recognition systems and data retention laws through internet monitoring programs impacting the fundamental rights protected under Article 21 of the Indian Constitution-Justice K.S. Puttaswamy v. Union of India.[iii]
Facial Recognition Technology: Privacy Concerns
State surveillance has been one of the most pivotal tools for facial recognition technology over the globe.
It is the process by which algorithms are deployed in order to recognize a person based on facial features and most cameras in public spaces lack any input but them used mostly in real time. In most countries like the United States and China, the technology is dominantly used, and in India, it has been gaining popularity with projects like NAFRS. The NAFRS offers facial recognition data integration from a variety of databases supporting the identification of suspects, tracking individuals, and preventing crime. FRT can enhance public safety, but its use does raise constitutional and significant issues related to privacy, of which the right to privacy and abuse of power are two pertinent examples. Indeed, the Supreme Court of India in Puttaswamy emphasized that privacy infringement should come through the tests of legality, necessity, and proportionality.
Despite all this, FRT is mostly conducted without broad legislative support and independent oversight, making it vulnerable to abuse. The mass collection of data and biometric profiling only heightens concerns of discrimination and wrongful identifications but remains contrary to due process. Data Retention Laws: A Double-Edged Sword The other core element of state surveillance is data retention laws, which oblige the retention for extended periods of citizens’ records of communication and internet activities.
These laws are always insisted on the grounds of national security and anticrime of terrorism, terrorist acts, and well-organized criminal activities in justification.
Provisions under Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, mandate internet service providers and digital platforms to store metadata for definite periods from the information of their users. See IT Rules, 2021. Data retention, while helpful to criminal investigations, poses gigantic risks to privacy. Bulk collection of personal data becomes significantly contributing to enormous amounts of data, frequently without proper safety controls to avoid access by unauthorized parties or abuse. The lack of a comprehensive data protection law in India elevates those risks because criticisms of the Digital Personal Data Protection Act, 2023 point toward broad exemptions for state surveillance activities. Internet surveillance and mass surveillance operations
Internet monitoring programs now form the basic tool of state surveillance, wherein governments monitor online activities and intercept communication going through the cyber spaces; they also track social media. Fine examples of the same are Central Monitoring System, India, and Network Traffic Analysis, India. CMS helps to have live monitoring of all the telecommunication in the country and NETRA analyzes the internet traffic for keywords and patterns indicative of threats to national security.[iv]
Such programs, designed to advance national security, function at obtuse levels of obscurity and oversight.
As the courts are not reviewing it, nor does the parliament, there is every probability that this law will lead to abuse, a chilling free speech and free expression which is equally protected under Article 19(1)(a) of the Indian Constitution.
It was this focus of the Supreme Court in the judgment in Puttaswamy that highlighted the importance of how any such invasion is justified by law directed at a legitimate goal and proportionate to the objective that seeks stricter regulation of such mechanisms of surveillance.
Author- Kaustubh Kumar, in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at Khurana & Khurana, Advocates and IP Attorney.
References
[i] HIPAA, Pub. L. No. 104-191, 110 Stat. 1936; COPPA, 15 U.S.C. § 6501-6506.
[ii] Sharma, Analyzing India’s Data Protection Regime, 14 NUJS L. Rev. 145, 2024.
[iii] (2017) 10 SCC 1
[iv] Rao, The Rise of Internet Surveillance in India, 22 Indian J. Const. L. 67, 2023