The Tell-Tale Location: Google PINs and bail
Taking a look at an interesting judgment from India's Supreme Court
Welcome back to Legitimately Interested, my fortnightly newsletter on data protection and privacy!
In the Privacy Roundup section of the last issue, I mentioned how the Indian Supreme Court had reserved its judgment on an interesting case (the case is Frank Vitus v. Narcotics Control Bureau and others) - it involved an accused person out on bail for an alleged offence committed under the NDPS Act (Narcotics, Drugs and Psychotropic Substances). One of the conditions of bail, was that the accused had to provide the police with a Google PIN location of his whereabouts to enable them to track him - this was then challenged before the Supreme Court for violating his right to privacy. Let’s see what happened.
Issue in Focus
Long story short, the Supreme Court said that this condition did violate the accused person’s right to privacy.
The judges go into seeing how sharing Google locations work (through testimony provided by Google), and come to the conclusion that from Google’s privacy policy it is evident that users have control over how their location is shared. In addition, the judges consider how sharing a location PIN doesn’t enable real time tracking of the user, or their device. They also note how even if the PIN were to coincide with a user’s location at a given time, this would (a) be the static location pinned by the user; and (b) only be accessible to others when a user affirmatively shares the PIN with them by clicking on the share button.
The Court’s ruling against the investigative agency here rests on two observations: (i) that imposing any bail conditions which allow for constant vigilance of a person is arbitrary, and ‘undoubtedly’ violates the accused person’s right to privacy and is an unwarranted intrusion into their private life. They also mention that technology can’t be used to track every movement of a person, even if it is for investigative purposes, (ii) that the condition as it stands, would be redundant, since dropping a location PIN doesn’t allow for someone’s live location to be monitored, and therefore, does not help the investigative agency.
According to me, this is definitely a desirable verdict - in a time when there are serious concerns regarding the use of technology and privacy concerns in policing, a ruling like this goes a long way towards protecting not only privacy rights, but human rights. Fundamental rights being applicable to people even during periods of trial or incarceration, ensures that there are checks on potential abuses of power through the criminal justice system, which are particularly prevalent against those prisoners and undertrials who are from marginalised communities (taking the example of the recent Supreme Court hearing on caste discrimination in prison labour).
However, I do still have some questions and observations.
Firstly, the Court says that ‘In some cases, this Court may have imposed a similar condition. But in those cases, this Court was not called upon to decide the issue of the effect and legality of such a condition.’ This could mean that this assessment is contextual, and the outcome may be different depending on the offence in question, i.e, what the individual happens to be accused of.
Secondly, the Court repeatedly makes the observation that a user retains full control over whether they are able to share their location or not, which is one of the reasons that they find this condition redundant. The second reason is that a Google PIN would only allow the police to check the static location of the individual. This reasoning may itself not matter - if the real issue at play is whether one’s right to privacy is violated or not, then for lack of better phrasing, whether or not the condition is redundant, is redundant. For example, suppose the condition had been to provide the investigative agency had asked for a live location to be shared - here also, the user is technically in control of simply turning off the live location if they wanted. Would this affect the determination? It would in fact be more of a violation of the right to privacy.
Third, there does seem to be some echo of proportionality, since one of the points of reasoning is that the person’s guilt is yet to be established, and therefore, any bail conditions should be put on them with restraint. This raises a similar question as in the first point, on whether the ruling might have been different in the case of a more heinous crime or if the accused was a flight risk - some clarity on this may have been useful as a precedent. In fact, the Court cites an earlier judgment which says - A prisoner, be he a convict or undertrial or a detenu, does not cease to be a human being. Even when lodged in the jail, he continues to enjoy all his fundamental rights including the right to life guaranteed to him under the Constitution.
All of these points do dilute the protection given to accused persons under the right to privacy, since it seems very fact specific - a judgment based much more on the principles of privacy and proportionality, or applying the tests laid down in the judgment providing the right to privacy (KS Puttaswamy v. Union of India), might have provided some more clarity akin to a bright line rule. While this does protect the rights of accused persons, I wonder whether this can be uniformly applied in future cases - especially as technologies like facial recognition are increasingly used for the purpose of policing. This case would have been a good opportunity to lay down some rules and go into a more detailed consideration of the broader issues of technology in policing, when it may have utility, and how it can be used in a privacy conscious manner. This could have even been referred to a Committee or recommended for some sort of consideration by policy makers.
Finally, some food for thought which even goes against my own stated position is the utility of using a Google PIN in these cases with some safeguards. For instance, a bail condition to periodically report to the office of the investigative agency/the Court/police station comes at considerable expense to many Indian accused persons who cannot afford travel expenses. In these situations, especially for accused persons from marginalised communities and who are poorer, sharing a Google PIN may actually be more economical. I don’t have an easy answer to this - can this be considered at the expense of their privacy? Could there be checks put in to make sure that location sharing isn’t abused by the authorities? Just one of those many conundrums of doing privacy law in India.
Privacy Roundup
UK ICO releases paper on compliant way to use AI and personal data and guidance on reading privacy notices
Google makes changes to policy oversight resources, causing worry among regulators
Amendments to Malaysia’s data protection law to be tabled before its Parliament
Texas privacy law goes into effect
Hamburg Commissioner for Data Protection and Freedom of Information publishes discussion paper on LLMs and Personal Data (English summary here)
Read Carey Lening’s interesting post on the FTC enforcement against Calmara
EDPB adopts statement on DPAs role in AI Act framework, EU-U.S. Data Privacy Framework FAQ and new European Data Protection Seal
Read this interesting article by Malavika Raghavan on rule making under India’s DPDPA, on the IJLT Blog
EU charges Meta over pay-or-consent and violating EU antitrust rules
Australia Communications and Media Authority fines Telstra for publishing customer phone numbers publicly
Read this new paper by scholars Gianclaudio Malgieri and Margot E Kaminski on stakeholder engagement in data and AI governance
That’s a wrap on issue 9! Feel free to reach out to me on LinkedIn (although I am checking this a bit lesser now) for suggestions on topics which I could cover, or contact me at the coordinates on my website.
Very interesting read!