Digital Evidence vs. Right to Privacy: A Comparative Study between India and the EU

Introduction

We are heading into the era of digitization. Like the good chunk of people who are reading this article, I also seem to believe that almost everything has been transformed into it’s digitized version and saves us lot of time and effort. And we are right. From the physical money in our pockets to using UPI payment methods, from standing in long lines for paying the bills to doing the same with one click, from buying cassettes and CDs to using the beloved Spotify, everything has been digitized. So have the processes for  collection and use of evidence in legal proceedings. There’s an increasing use of various electronic devices and the internet to which has totally changed the game of collection and use of evidence in criminal and civil proceedings. Now, the digital evidence like e-mails, text messages, and social media do play significant role in modern legal arena. But the big question here is if the comfort and ease of digitization worth risking people’s privacy. Right to privacy is a matter of human rights and constitution, and hence our question particularly significant in jurisdictions like India and the European Union (EU).

This article provides a comparative analysis of Indian and EU legal frameworks, in order explores this complex relationship between digital evidence and the right to privacy.

What do we mean by Digital Evidence ?

Any information that can be stored and transmitted in a digital form, and has probative value, can be called ‘digital evidence’. So data from our smartphones, computers, cloud services, various social media platforms, and surveillance systems, all can be considered as ” digital evidences” Consideration of digital evidence bring with it some unique challenges of its own. Fide est servanda, meaning that faith must be kept. Due to it’s intangible and easily alterable nature, digital evidence raises concerns about authenticity, admissibility and chain of custody. 

Keeping their pace with the advancing technology, law enforcement agencies now increasingly use digital trails to investigate crimes, which has proven to be very useful. But looking from a different angle, using these tools to gather such evidence may be an infringement upon personal privacy, especially when such access to such data is non-consensual and not backed with any judicial authorization. Now the issue which raises here in a just legal mind is fiat justitia ruat caelum because how could such an infringement of privacy could be just.

The Right to Privacy in India

The landmark case of Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) of India had recognized the right to privacy as a fundamental right under Article 21 of the Constitution. The highest judicial body of India, the Supreme Court, laid emphasis on the fact that privacy includes the right to control dissemination of personal information, protection against surveillance, and informational self-determination.

Despite of this recognition, the legal framework for the regulation of digital evidence  and protecting privacy of it’s citizens, is fragmented. Information Technology Act, 2000 (IT Act) is the primary statute that governs digital evidence in India. Sections 65A and 65B of the Indian Evidence Act, 1872 deal with the admissibility of electronic records. However, the IT Act neither has comprehensive provisions for data protection nor for government surveillance oversight. These deficiencies create room for potential abuse of discretion, undermining the principle of audi alteram partem, especially in situations where surveillance orders are passed ex parte.

In order to address these current deficiencies, Digital Personal Data Protection Act, 2023 (DPDP Act) has been proposed. This Act introduces consent-based data processing and establishing a Data Protection Board. Yet, there’s still unchecked intrusion into people’s personal lives, as the India law still allows for broad exemptions for state surveillance in the interest of national security. One could justify state surveillance with the principle of salus populi suprema lex esto, but such a broad exception must be balanced with individual rights.

The Right to Privacy in the European Union

In contrast with India, the EU has provided it’s people with a robust legal framework for privacy and data protection. The Charter of Fundamental Rights of the European Union (Article 7 and 8) guarantees the right to privacy and the protection of personal data. The General Data Protection Regulation (GDPR), which came into effect in 2018, reflects the principle of ubi jus ibi remedium (where there is a right, there is a remedy). It has set up stringent rules for data processing, necessitating transparency, purpose limitation, data minimization, and accountability.

GDPR creates a high standard of privacy compliance globally due most significant feature of extraterritorial application. It means that it’s provisions apply to any entity processing the data of EU residents, regardless of the entity’s location.

With GDPR, a strong jurisprudence on matters of  surveillance and privacy has been developed by EU courts. In Digital Rights Ireland Ltd v. Minister for Communications (2014), the Court of Justice of the EU (CJEU) invalidated the Data Retention Directive for violating privacy rights. Similarly, in Schrems II (2020), the CJEU struck down the Privacy Shield agreement between the EU and the US over inadequate protection of EU citizens’ data. Such rulings by EU courts uphold fiat justitia, even at the cost of major international agreements.

Comparative Analysis: India vs. EU

1. Legal Recognition and Framework:

Nullum crimen sine lege. Where the GDPR of EU provide it’s people with a detailed and an enforceable mechanism for data protection and privacy and which is supported by judicial enforcement through the CJEU, the Indian law calls for specific statutory clarity.  It has recognised right to privacy as a fundamental right very recently and lacks a comprehensive legislative framework.

2. Admissibility of Digital Evidence:

In the EU, digital evidence it must be collected in accordance with GDPR and human rights principles. Illegally obtained evidence may be excluded if it breaches privacy standards. Ex turpi causa non oritur actio.

In India, digital evidence has to comply with Sections 65A and 65B of the Indian Evidence Act. The Anvar P.V. v. P.K. Basheer (2014) judgment had mandated strict compliance for the admissibility of electronic records, aligning with lex specialis derogat legi generali.

3. Surveillance and State Powers:

EU mandates proportionality and necessity in surveillance, with stronger judicial checks. EU courts have declared Bulk surveillance programs invalid for lacking adequate safeguards.

Indian laws create room for the misuse of quod principi placuit legis habet vigorem. Section 69 of the IT Act and the Telegraph Act, 1885 allow for government surveillance without transparent judicial oversight in most cases. 

4. Consent and Data Processing:

Consensus facit legem. Consent must be should be genuine, informed, and not illusory.

GDPR mandates that the consent must bee free, specific, informed, and unambiguous with strict enforcement mechanisms.

Under the DPDP Act, consent does form a basis for data processing, but has a weaker effectiveness as it makes exceptions for state.

5. Remedies and Enforcement:

India is still lacking an independent regulatory authority with enforcement powers to deal with matters of privacy breaches, thereby limiting ubi jus ibi remedium.

The EU’s Data Protection measures, so as to ensure ensuring effective remedies for privacy violations, provides it’s Authorities with investigative powers, power to impose fines, and renders them as independent bodies.

Challenges in Balancing Digital Evidence and Privacy

In order to achieve a decent and effective balance between digital evidence and privacy rights, several challenges need to tackled: –

Uniform Standards :  Indian law creates room for inconsistencies in judicial decisions and potential abuse of power by lacking in uniform protocols for digital forensics and data collection.

Technological Advancements: Lex prospicit non respicit. The law of the land should be dynamic and should keep pace with advancements. With evolving technology like artificial intelligence and biometric surveillance pose new threats to privacy, and call for adaptive responses and future-ready laws.

Cross-Border Data Flows: Extra territorium jus dicenti impune non paretur. When data is stored in foreign servers, jurisdictional issues arise, reflects the challenge of international enforcement. While EU emphasises on adequate protection in third countries before allowing data transfer, India is still developing its cross-border data transfer framework. 

State Surveillance vs. Individual Liberties: Necessitas non habet legem cannot become a blanket justification for violating rights. Many try to justify surveillance by citing the reason of Security interests. But lack of transparency and accountability mechanisms create possibilities of disproportionate intrusions. 

Recommendations

1. Comprehensive Legislation: India requires comprehensive data protection legislation. Such legislation should come with strong oversight and limited exceptions. The Indian provisions of DPDP Act could be harmonized with global privacy standards like the GDPR.
2. Judicial Authorization: Prior judicial approval must be mandated for surveillance and access to digital evidence must, in order to ensure proportionality and necessity. Dura lex sed lex  must be applied even to state agencies.
3. Capacity Building: Training in lawful digital investigation techniques and data handling should be provided to Law enforcement agencies.
4. Data Localization and International Cooperation: Clear rules must be established data localization by India in and cooperation with EU jurisdictions must be established so as to facilitate lawful cross-border evidence sharing.
5. Public Awareness: Citizens should be made aware of their privacy rights and the legal remedies, so as to promote accountability.

Conclusion

With all the serious privacy risks it brings, digital evidence cannot be completely dispensed with, considering the increasing technological advancement. But it should be appropriately regulated in order to protect our fundamental and human right to privacy. On one hand the balanced EU framework which seeks to safeguard privacy alongside digital forensics, the Indian law arena still requires a lot of evolvement. A comparative study exposed the need for India to adopt more stringent privacy protections, judicial safeguards, and transparency mechanisms, to achieve a balance between effective law enforcement and the right to privacy.

This balance most be achieved not just for sake of merely fulfilling a legal necessity but it is a democratic imperative in the information age. Our laws must keep pace with the evolving technology, and ensure that justice is served to its people without them having to compromise constitutional and basic human freedoms. Fiat justitia ne pereat mundus.

 

References

1. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
2. Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473.
3. Digital Rights Ireland Ltd v. Minister for Communications, CJEU, Case C-293/12.
4. Schrems II, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, CJEU, Case C-311/18.
5. Indian Evidence Act, 1872.
6. Information Technology Act, 2000.
7. Digital Personal Data Protection Act, 2023.
8. General Data Protection Regulation (EU) 2016/679.
9. Charter of Fundamental Rights of the European Union, 2000.