New Delhi: In India, there is no judicial oversight over how the government intercepts electronic communications, according to the Country Legal Frameworks Resource (CLFR) — a set of resources compiled by the Global Network Initiative, a non-governmental organisation formed in 2008 to protect human rights like online free speech and privacy.
The CLFR examines governments’ legal authorities to intercept communications, obtain access to communications data, or restrict content of communications.
Amid allegations against the Narendra Modi government over the Pegasus snooping row — that it had bought the spyware from Israel as part of a $2 billion defence deal in 2017 — here is a look at what the laws of India and four other democracies in the world say about electronic interception, and how much judicial oversight there is over the interception process.
Laws allowing interception: India allows interception of electronic communication under the Indian Telegraph Act, 1885, and the Information Technology Act, 2000.
Under the IT Act, the IT Rules, 2009, specify the procedure and safeguards the government must follow for interception, monitoring, and decryption of information.
The Code of Criminal Procedure (CrPC) allows courts and law enforcement agencies to ask for information including electronic communications during an investigation.
In cases that pertain to national security or public safety, sections of the IT Act, together with the Telegraph Act, allow a home ministry secretary at the Centre, or home department secretary in a state or union territory, or an individual above the rank of joint secretary, to authorise an interception in writing.
In case of an emergency, prior approval of such a government official may not be required. An officer who is at the inspector general of police level or above, may carry out the interception, according to CLFR research.
Judicial or independent oversight: According to the CLFR, in the case of India: “There is no judicial oversight over the interception process.”
However, there is a review committee established under the IT Rules, 2009, that meets once every two months to review if an interception order is lawful and valid. The committee can cancel an interception order and ask for the information obtained via interception to be destroyed.
If interception has been carried out during an emergency, the relevant government official must be informed within three working days and the order must be confirmed in seven working days if the interception needs to be continued.
United States of America
Laws allowing interception: The US allows interception mainly under three laws — The Omnibus Crime Control and Safe Streets Act of 1968 (also called the ‘Wiretap Act’), the 1978 Foreign Intelligence Surveillance Act (FISA), and the 1995 Communications Assistance for Law Enforcement Act (CALEA).
Intelligence agencies are allowed to intercept communications under Executive Order 12333.
The US government can also ask for disclosure of stored communications under the Stored Communications Act (SCA), and the USA Patriot Act.
In 2018, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) amended the SCA to say that cloud service providers may also be required to share user data.
In addition, the National Emergencies Act (NEA) gives the US President the power to declare national emergencies. The act outlines how the presidential power may treat electronic communications during an emergency.
Judicial or independent oversight: The SCA requires the government to issue a subpoena to a telecom service provider if the government agency requires user data like telephone records.
To obtain email communications, US law enforcement is “generally” required to have a judicial warrant.
Court orders for interception under the Wiretap Act are valid for 30 days, and under FISA, they are valid for 90 days to a year. Any extensions to either order must be approved by the issuing court.
Laws allowing interception: The Regulation of Investigatory Powers Act 2000 (RIPA) permits senior cabinet ministers the power to issue an interception order based on an application from an intelligence or law enforcement agency.
The Intelligence Services Act (ISA), 1994, allows the secretary of state — based on a request from the Security Service, the Intelligence Services or Government Communications Headquarters (GCHQ) — to issue a warrant for intercepting a “wireless telegraphy” service.
The Communications Act, 2003, gives the secretary of state the emergency power to suspend or restrict a telecom service in a matter of national security.
Judicial or independent oversight: Under RIPA, an ‘Interception of Communications Commissioner’ is appointed to review how the interception powers given by RIPA are used by those with the power.
The Investigatory Powers Tribunal, set up under RIPA, “hears complaints in relation to powers granted under RIPA”.
Under the Protection of Freedoms Act, 2012, and RIPA, local authorities must get judicial approval from a local magistrate to obtain communications data from a service provider.
However, there is no judicial oversight to approve any authorisations or interception warrants issued by law enforcement agencies or intelligence agencies.
There is only an appointed ‘Intelligence Services Commissioner’ under RIPA, who reviews how the powers granted under ISA are used.
Laws allowing interception: The German Telecommunication Act (or Telekommunikationsgesetz) allows for electronic interception. The Act asks that telecom service providers have the necessary technical and organisational facilities required to intercept communications approved under the law.
Under the German Code of Criminal Procedure (or Strafprozessordnung), an order for interception can only be issued where there are facts to cast suspicion of a “serious” criminal offence.
“The German government does not have the legal authority to invoke special powers in relation to access to a communication service provider’s customer data and/or network on the grounds of national security,” the CLFR says, adding: “German government agencies do not have special powers that can be invoked in time of national crisis or emergency.”
Judicial or independent oversight: Germany’s Code of Criminal Procedure says a court order is required and to obtain a court order to allow interception, a public prosecutor’s office must request for it. In more urgent circumstances, the public prosecutor’s office itself may issue the order for interception, but the same must be confirmed by the court in three working days, else the order becomes invalid.
Laws allowing interception: France allows for electronic communications under the French Criminal Procedure Code (CPP), the Customs Code, and the French Code of Post and Electronic Communications (CPCE).
A law introduced in 2015 set up an independent commission called the ‘Commission for Oversight of Intelligence Gathering Techniques’ (CNCTR).
Judicial or independent oversight: Under this 2015 law, intelligence gathering can be done only with authorisation from the prime minister or a PM’s designee. The prime minister’s authorisation is granted only after the Commission gives its recommendation on how lawful the interception would be. The Commission’s word is not binding and the PM can go ahead with her/his decision. However, the Commission can challenge the interception order at France’s Supreme Administrative Court, the Conseil d’Etat.
Under CPP, interceptions are conducted under the authority and supervision of the investigating judge. The decision does not bear the status of a judicial decision, hence it is not subject to appeal before any judge.
The validity of data disclosure requests issued during investigations in hot pursuit or in preliminary investigations, may be challenged before the investigations appeal court.
(Edited by Gitanjali Das)