The Pegasus Case: A New Chapter in the Privacy Saga
Authored by Rohitkumar Rout, a 1st-year student at CNLU, Patna.
“In my considered opinion, Right to Privacy of any individual is essentially a natural right, which inheres in every human being by birth. Such right remains with the human being till he/she breaths last. It is indeed inseparable and inalienable from human being. In other words, it is born with the human being and extinguish with human being.”
- Justice Abhay Manohar Sapre.
In Justice K.S. Puttaswamy (Retd.) and Ors. v. Union of India (UOI) and Ors., the Supreme Court of India held that the Right to Privacy is guaranteed to every individual by the Constitution of India, and the same forms an integral part of Article 21 of the Constitution in particular and Part III of the Constitution on the whole. While unanimously recognising the Right to Privacy as a fundamental right, the Nine Judge Bench overruled the decisions made in M.P. Sharma & Ors. v. Satish Chandra, DM, Delhi & Ors.and Kharak Singh v. The State of U.P. It, therefore, established the status of the Right to Privacy as a fundamental right, integral to the life of every individual, in addition to laying down a foundation for the further enactment of data protection legislation. However, to date, there exists no legislation that addresses the Right to Privacy in particular. The recent Pegasus scandal accentuates the need for concrete legislation concerning privacy in general and data privacy, in particular, to safeguard the Right to Privacy that the Constitution itself has guaranteed. Through the means of this article, the author aims to shed light on the recent Pegasus scandal, what are its implications for Indian citizens and the need for legislation that addresses privacy concerns.
The Pegasus Scandal: A Brief Overview
India woke up on July 19 to explosive revelations by a consortium of news publications concerning activists, journalists, politicians, and other bureaucrats purportedly being monitored illegally by employing Pegasus, spyware created and marketed by Israeli technology firm, NSO Group. Pegasus is spyware that infects devices and spies on its victims by sending data to a master server without their permission. In its most basic form, it can infect devices linked to the internet. Experts claim, however, that some updated versions can infect phones even if the user does not click on any links or messages. Pegasus infects victims' phones and PCs by exploiting flaws in widely used programmes such as WhatsApp, iMessage, and SMS. The malware seeks to get "root privileges" so that it may take control of the device. Following that, the programme can turn on the camera and microphone depending on instructions from a remote master server, as well as a peep into chats, contacts, and data backups. In addition, it can also record speech, access the calendar, and read SMS and e-mails. Until it is found, the spyware might continue sending signals to the master server.
These allegations were based on a document leaked to a non-profit Paris-based media, Forbidden Stories and Amnesty International, which then worked together with a group of media houses comprising The Guardian, The Washington Post, Le Monde, and The Wire to examine further and publish the list. The list consists of 50,000 telephone numbers belonging to individuals recognised as potential targets via Pegasus between 2016 and June 2021. At least 65 business leaders, 85 human rights activists, 189 journalists, and over 600 politicians and government officials, including heads of state, prime ministers, cabinet ministers, ambassadors, military, and security officers, are among those on the list. There were over 300 Indian politicians, activists, businesspeople, and journalists on the list.
The NSO Group, which developed and licenced the Pegasus spyware, has disputed the existence of such a list. It claimed that the spyware is solely intended for use in criminal investigations and that it is only exported with the permission of Israel's defence ministry.
While the existence of a number in the list does not imply that it was hacked, according to The Guardian, Amnesty International’s Security Lab has tested 67 of the phones linked to these numbers and found that “23 were successfully infected and 14 showed signs of attempted penetration”.
Supreme Court’s Stand on the Issue
The Apex Court, on October 27, 2021, ordered a probe into the allegations of unauthorised monitoring using the Israeli tech firm NSO Group's Pegasus spyware, to be led by retired SC Judge R.V. Raveendran. The court has given the committee seven terms of reference, which are essential facts that must be established in order to decide the case. These questions vary from who purchased Pegasus and whether the programme was used against the petitioners in the case to what laws justify the use of such spyware on civilians. The court has also requested the committee to submit suggestions on a legal and policy framework for cyber security to protect citizens' Right to Privacy. In eight weeks, the committee is slated to submit its report.
Current Indian Statutes Concerning Data Privacy
The Constitution does not expressly recognise the Right to Privacy as a fundamental right. However, the courts have incorporated the Right to Privacy into other fundamental rights, such as freedom of speech and expression under Article 19(1)(a) of the Indian Constitution and the right to life and personal liberty under Article 21. However, these Fundamental Rights under the Indian Constitution are subject to justifiable constraints imposed by the state under Article 19(2) of the Constitution. The Nine Judge constitution bench of the Hon'ble Supreme Court declared the Right to Privacy as a fundamental right, subject to certain reasonable constraints, in the landmark case of Justice K.S. Puttaswamy (Retd.) and Ors. v. Union of India (UOI) and Ors. There is currently no explicit legislation in India addressing data protection or privacy. The Information Technology Act, 2000 and the Indian Contract Act, 1872 are the important data protection regulations in India. After two years of contemplation, in December 2021, the Parliamentary Joint Committee on the Personal Data Protection Bill, 2019 put forward its report, which included, recommendations and a redrafted version of the law, named the “Data Protection Bill, 2021” (hereinafter referred to as the “PDP Bill”). Some key aspects of the report are discussed further. The report submits that the PDP Bill should cover both personal and non-personal forms of data within its ambit till an additional framework is established to distinguish between personal and non-personal data. Moving on, the report stands by the controversial clause mentioned in the earlier Personal Data Protection Bill of 2019 wherein the central government will have the authority to exempt any agency of the government from the provisions of the act. It however adds a qualification that - "subject to just, fair, reasonable and proportionate procedure. " Data breaches have been given due importance in the report and the committee, in furtherance of the same has recommended that clause 25(3) should comprise of a 72-hour reporting period for breach of data. Furthermore, Section 3(8) of the PDP Bill, defines a "child" as a person who has not completed eighteen years of age and entities that collect data of children, therefore have to adhere to a different set of rules and regulations.
In light of the various facts and incidents above, one can safely arrive at the conclusion that privacy is an essential element of human life, and its significance has been growing by the day. As technology evolves by leaps and bounds each day, the wave of digitalisation poses a more significant threat to human rights and values that lie at the core of democracy. In order to ensure and safeguard the Right to Privacy, India needs concrete legislation to be enacted, the foundation stone for which has already been laid down by the Supreme Court.
 Justice K.S. Puttaswamy (Retd.) and Ors. v. Union of India (UOI) and Ors., AIR 2017 SC 4161.  M.P. Sharma & Ors. v. Satish Chandra, DM, Delhi & Ors., 1954 AIR 300.  Kharak Singh v. The State of U.P., 1963 AIR 1295.  Justice K.S. Puttaswamy (Retd.), supra note 1.