Pegasus project – a conspectus of laws of surveillance and the concerns over privacy

Thursday 25 November 2021

Gagan Anand
Legacy Law Offices, New Delhi, Delhi

Shreya Pahwa
Legacy Law Offices, New Delhi, Delhi

The Pegasus Project investigation was brought to light by the Paris-based non-profit media group Forbidden Stories and by Amnesty International. The reports have revealed widespread misuse of NSO Group Technologies’ spyware, Pegasus. As per NSO, Pegasus was developed to be sold exclusively to vetted governments to help law enforcement agencies and intelligence departments fight crime and prevent terrorism. Yet, according to the leaked data, the spyware was being used as hacking software instead of its conventional use as a surveillance tool.

Potential targets of the spyware include 300 telephone numbers belonging to some of the most talked-about Indians. The list comprises opposition politicians, diplomats, government officials, a sitting judge of the Supreme Court, business persons, journalists and scientists, among others. The Press Club of India stated ‘It is the first time in the country’s history that all pillars of our democracy – judiciary, parliamentarians, media, executives and ministers – have been spied upon and that the snooping has been done for interior motives’.[1] So far, four or five petitions have been filed in the Supreme Court by veteran journalists. The petitioners allege that the military-grade surveillance is a gross violation of their right to privacy and constitutes a crime under sections 66, 66B, 66E and 66F of the Information Technology Act 2000 (‘IT Act’).

Domestic legal framework

To begin with, Article 21 of the Indian Constitution now incorporates the right to privacy as a fundamental right under its purview from the day the Supreme Court of India pronounced its judgment in the case of K S Puttaswamy v Union of India.[2] Thus, post the 44th Constitutional Amendment, the government cannot derogate from this provision even if a state emergency is proclaimed.

Presently, no law in India specifically stipulates the remedies against infringement of the right to privacy. The Personal Data Protection Bill (PDP Bill),[3] which was formulated to codify some aspects of the right to privacy, protection against infringement, offences and penalties, has languished in Parliamentary Committees since 2019.

At present, the remedies for protection against phone tapping could be sought in the Information Technology Act 2000 (IT Act) and the Indian Telegraph Act 1885 (Telegraph Act). Under the IT Act, section 69 permits the ‘interception, monitoring and decryption of digital information if satisfied that it is necessary or expedient to do so, in the interest of the sovereignty of India, defence or security of India or for the investigation of an offence’.[4] Hacking, which is precisely done by the Pegasus software, is forbidden under the IT Act.

Under section 5(2) of the Telegraph Act, ‘phone-tapping or the interception of telephone calls is allowed on the occurrence of public emergency or in the interest of public safety’.[5] The constitutionality of this provision was challenged in the case of People’s Union for Civil Liberties v Union of India[6] before the Honourable Supreme Court where, at the outset, it was believed that messages could be intercepted in the situations mentioned above, which are sine qua non for the exercise of this power. Thus, the apex court upheld the constitutionality of the provision, subject to a few procedural safeguards which were later codified in Rule 419A[7] of the Telegraph (Amendment) Rules 2007. At first glance, therefore, we could say that the use of Pegasus software can be justified only to the extent of its benefits as stated under the above-mentioned provision.

Currently, India’s legal framework lacks specific legislation with respect to surveillance. Even the existing provisions have many shortcomings, the main issues being the centralisation of powers and the absence of independent judicial oversight.

International standards

As stated by the NSO Group, the Pegasus software is designed to retrieve data of suspected criminals, terrorists or persons who threaten national or international security. Still, its use to target journalists, lawyers, civilians and other people in positions of authority constitutes a gross violation of international human rights law, including Article 12 of the Universal Declaration of Human Rights (UDHR) and Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Both provisions protect people from arbitrary and unlawful interference with their privacy, family, home or correspondence and from attacks on their honour and reputation. In addition, these international laws confer a right to privacy on individuals, violations of which have repercussions for other fundamental rights.

Under international law, states are allowed to impose restrictions on the right to privacy only when those restrictions are provided for in the law and are necessary and proportionate to achieve a legitimate aim. The same applies to surveillance as well, but, at the moment, no law exists that provides for the same. Thus, states should ensure human rights and not interfere with them. Furthermore, Article 51 of the Constitution of India directs that the State shall endeavour to foster respect for international laws and treaties to promote international peace and security.

The NSO Group failed to take necessary actions to prevent the misuse of the spyware they created. The kind of surveillance that the software supports goes against the standards of legality, necessity and proportionality and is akin to sneaking into not only the target person’s life but also the lives of anyone they interact with, where their entire routine could be monitored. Thus, India, notwithstanding its obligation, has used the software unlawfully and has knowingly violated its right to privacy.

Harmonising domestic legal framework with international standards

India’s democracy is multi-faceted. Judicial precedents and the Apex Court have reiterated that India’s domestic legal framework must be construed harmoniously with the international legal obligations. Domestic law must accommodate international law as it bridges the gaps in the law of the land.

There have been instances where international laws have been implemented even without legislative approval. In the case of K S Puttaswamy v Union of India, the Supreme Court observed that, in the absence of any specific prohibition in the municipal law, international law forms part of Indian law or of the Fundamental Rights. It further noted an inherent tension between the two fundamental aspects – rights and limitations. This tension is to be resolved by balancing the two so that they harmoniously coexist with each other. In addition to this, in the case of Vishaka v State of Rajasthan,[8] the Court expressly referred to the Convention on Elimination of All Forms of Discrimination Against Women (CEDAW) in the absence of any domestic norms concerning this issue.


With the advancement in technology, such situations are likely to become common, bringing more complex issues that we have no answer to at the moment. Therefore, appropriate laws need to be framed to tackle such situations so that the balance between the rights of the government and those of the users is maintained, and so that limitations are also set for any future use of spyware.