Author: Aadya Rastogi, UPES

In 2015, the Indian Government launched the Smart Cities mission (SCM) which aimed to modernize 100 cities by integrating Information and Communication Technologies (ICT) and the Internet of Things (IoT)  in order to improve the overall quality of life and foster urban development. By 2025, the Smart Cities Mission gained significant success by completing 90% of its proposed projects, hence progressing rapidly. This initiative has led to the growing implementation of digital technologies in urban governance which includes the collection and analysis of data from multiple sources, such as citizens, infrastructure and environment aimed at enhancing efficiency, public service, delivery and citizen engagement.

However, the extensive use of data collection and surveillance technologies has raised legal complexities. Smart cities involve continuous monitoring and data collection, including the use of technologies like AI-powered cameras, facial recognition, and real-time monitoring poses risks to individual privacy and the potential misuse of personal information. In India, digital surveillance has shifted from targeted to mass surveillance, with attempts to integrate public and private information of citizens without robust privacy laws and external oversight. 

Right to privacy being a fundamental right makes any state action involving data collection and surveillance subject to constitutional scrutiny. India remains without a comprehensive data protection law, resulting in citizens lacking statutory rights over their data. This situation raises considerable legal issues related to the use of surveillance technologies. Consequently, there must be accountability mechanisms in place to ensure that both state and private entities engaged in smart city projects are held accountable for any data breaches, misuse, or infringements of rights.

Smart cities, due to their interconnected nature and reliance on digital technologies  possess a heightened "attack surface",  making them vulnerable to various cybersecurity threats. Data breaches pose a major risk in smart cities, where large amounts of personal and sensitive data are gathered and analysed. Such breaches can lead to privacy infringements, identity theft, financial fraud, and have other adverse effects on individuals and organizations.

Furthermore, ransomware attacks have emerged as a common threat, wherein attackers encrypt data and demand a ransom for its decryption. The prevalence of Internet of Things (IoT) devices in smart cities creates a broader target for these types of attacks. A notable incident in India involved the Pimpri Chinchwad Municipal Corporation (PCMC) Smart City Project, which experienced a ransomware attack that resulted in an estimated loss of 5 crore rupees. The integration of IT systems into urban infrastructure makes it susceptible to hacking and malicious activities. The Northeast blackout in August 2003, triggered by a software error, impacted 55 million users, emphasizing the weakness of power grids.

Moreover, there are several sectors within smart cities that are particularly vulnerable to cyber threats, such as the transport systems, healthcare databases, law enforcement systems and power and water grids. The WannaCry ransomware attack demonstrated the potential for significant disruption to healthcare systems, as hospitals were locked out of patient records leading to compromise in patient privacy and medical identity theft. Another notable incident was the Bay Area Rapid Transit (BART) service experienced a shutdown affecting 19 trains and over 1000 passengers in November 2013 due to a cyber incident. 

The implementation of technologies such as CCTV networks, facial recognition systems, predictive policing tools, and biometric databases can result in mass surveillance, profiling, discrimination, and a chilling effect on free speech, thereby directly affecting fundamental rights given in the Indian Constitution.

The incorporation of these technologies facilitates large monitoring of individuals, raising concerns regarding mass surveillance. This situation fosters a situation where both private and public information is continuously collected, potentially without sufficient legal protections or individual consent.

The use of these surveillance technologies has a direct impact on fundamental rights guaranteed by the Indian Constitution like Article 21 which implicitly safeguards the right to privacy. The Supreme Court of India, in K.S. Puttaswamy v. Union of India, recognized privacy as an essential component of Article 21. Moreover, the persistent threat of surveillance can discourage individuals from exercising their rights to free speech and assembly provided under article 19 of the constitution, as they may fear that their legitimate actions could be observed or misinterpreted by authorities. 

The authority of the state to impose surveillance measures for security purposes is not absolute and is subjected to constitutional restrictions and judicial review.  In this context, courts have evolved the doctrine of proportionality as the principal framework for settling conflicts between state power and individual liberty. The proportionality test involves several components like legitimate Aim, Rational Nexus, necessity, proportionality balancing and Procedural Safeguards. In K.S. Puttaswamy, the Court clarified that like most other fundamental rights, the right to privacy is not "absolute" and can be overridden by competing state interests, subject to the satisfaction of certain tests and benchmarks.

Further, the concept of reasonable restrictions under Article 19 of the Indian Constitution ensures that any limitations on freedoms, such as speech and expression, must be justified. ​The Supreme Court, in Shreya Singhal v. Union of India , reinforced the importance of clear definitions and proportionality in assessing such restrictions. ​The Court struck down Section 66A of the Information Technology Act, 2000, because its vague provisions could suppress dissent and were not within the scope of permissible "reasonable restrictions". 

Judicial scrutiny also plays a vital role in preserving the rule of law. The Supreme Court of India's judgments in K.S. Puttaswamy v Union of India has provided a framework for testing the existing system of laws governing surveillance, emphasizing individual liberty as a counterweight to state power.

Despite these pronouncements, concerns persist regarding the practical implementation of judicial oversight. For instance, illegally obtained evidence is usually admissible in Indian courts as long as it is relevant, which weakens the incentive for authorities to adhere to due process. Highlighting the need for robust judicial review and transparency to ensure that surveillance measures do not become tools for unchecked state power, but rather remain within the bounds of a constitutional framework.

India has developed a regulatory and policy framework to govern its digital landscape.​ This framework is primarily built around the Information Technology Act, 2000, and more recently, the Digital Personal Data Protection Act, 2023. 

The Information Technology Act, 2000, stands as the foundational legislation for cyber law in India. Enacted to provide legal recognition to electronic commerce and electronic governance, it came into force across India on June 9, 2000.  The key provisions of this Act include legal Recognition of Electronic Documents and Digital Signatures, Cybercrime Offenses and Penalties, E-Governance and Regulatory Powers. 

The Digital Personal Data Protection Act, 2023, is India's first comprehensive data protection law, establishing a framework for processing personal data within the country. This Act regulates how businesses collect, use, share, and delete Indian citizens' personal data. The key features of the Act include data Fiduciary Obligations, Individual Rights, consent Mechanisms and power to impose penalties for Non-Compliance potentially reaching up to ₹250 crores. 

Despite progress, most surveillance frameworks continue to fall short as deficiencies in India's regulatory framework have been recognized. For instance, immediately following its implementation, the IT Act faced criticism for lacking essential provisions and inadequately addressing numerous legal concerns. The Shreya Singhal v. Union of India is a landmark case that highlighted the ambiguity of the IT Act.

 Even with the introduction of the DPDP Act, there remain concerns regarding government exemptions and the independence of Data Protection.  Although the IT Act encompasses various cybercrimes, the progression of technology consistently introduces new types of cyber threats, necessitating ongoing updates and modifications to the legal framework.  Effective enforcement and redress mechanisms are vital for the successful operation of cyber laws. The lack of narrowly defined statutory limits permits the State to normalize mass surveillance under the pretext of security, thereby undermining the nature of reasonable restriction provided in the constitution. 

Some reforms that can be introduced in the digital landscape include the prior judicial approval for surveillance, proof of necessity to monitor, strict privacy rules in sectors where consumer information is at the most risk and establishment of data protection tribunals. 

In conclusion, the link between cybersecurity in smart cities and the safeguarding of fundamental rights within a constitutional framework is complex. Smart cities provide advantages like efficiency, public safety, and governance, but their dependence on extensive data collection, surveillance systems, and automated decision-making brings up significant legal and constitutional issues. While cybersecurity measures may be justified for national security and public order, they cannot exist in a legal separation from fundamental rights. 

Moreover, the right to privacy is not absolute, it can only be limited according to the principles of legality, necessity, proportionality, and procedural safeguards. Yet, the real-world application of these principles is lacking, as current surveillance systems are marked by executive power, weak oversight, and limited transparency. 

Thus, the article emphasizes that the main issue is not the validity of cybersecurity as a state goal, but the lack of a strong rights-based governance framework. Without independent oversight, effective data protection enforcement, and rigorous proportionality assessments, smart city technologies may normalize mass surveillance and threaten constitutional democracy.

• G. Kannan & S.Kasim Nasheer, Rejuvenation of Urban Governance through Smart Cities Mission in India, Vol. 6, Issue 6, November-December 2024, Rejuvenation of Urban Governance through Smart Cities Mission in India - IJFMR 

• ARYENDRA SHARMA, Technologies in Urban Policies and Smart cities in India, JETIR, Volume 8, Issue 5 https://www.jetir.org/papers/JETIR2105139.pdf

• P. Bajpai and R. Enbody, Preparing Smart Cities for Ransomware Attacks,  (ICDIS), 2020 Preparing Smart Cities for Ransomware Attacks | IEEE Conference Publication | IEEE Xplore 

• Manoj Dattatrye More Cyber attack: Tech Mahindra in soup as PCMC refuses to pay for loss, parties seek probe Cyber attack: Tech Mahindra in soup as PCMC refuses to pay for loss, parties seek probe | Pune News - The Indian Express

• V. Boyko & M. Vasilenko, SMART CITY» IN THE CONTEXT OF CYBERSECURITY: INCIDENTS, RISKS, THREATS «SMART CITY» IN THE CONTEXT OF CYBERSECURITY: INCIDENTS, RISKS, THREATS | Municipal economy of cities

• Mahmoud Gad & Ibrahim Abualhaol Securing Smart Cities Systems and Services: A Risk-Based Analytics-Driven Approach 2018 Securing Smart Cities Systems and Services: A Risk‐Based Analytics‐Driven Approach - Transportation and Power Grid in Smart Cities - Wiley Online Library

• Clapp, Jeffrey, The Unique Identity Project: Surveillance Society and Democratic Culture in Aravind Adiga’s India, 2019 The Unique Identity Project: Surveillance Society and Democratic Culture in Aravind Adiga’s India | Semantic Scholar

• Graham Greenleaf, Promises and illusions of data protection in Indian law, International Data Privacy Law, Volume 1, Issue 1, 2011, Pages 47–69, https://doi.org/10.1093/idpl/ipq006