A nine-judge Constitutional bench of the Supreme Court unanimously declared on Thursday that Indian citizens enjoy a fundamental right to privacy.
This right, they said, is intrinsic to Article 21 of the Constitution, which guarantees the right to life. In doing so, the court dealt a blow to the Union government, which had argued that privacy was an ordinary right. A citizen now has the right to approach the Supreme Court directly for the protection of his privacy, which the Centre had denied by arguing that privacy was protected under several laws and there was no need to exalt it to the status of a fundamental right.
This judgement emanated from a challenge to Aadhar, a 12-digit unique identification number that was envisaged as a tool to plug leakages in the public distribution system, but has gradually been made compulsory for obtaining a wide range of welfare benefits and services, even a death certificate.
But does the declaration of privacy as a fundamental right in any way affect the legitimacy of Aadhar, for which the government collects biometric data such as fingerprints and iris scans? The Supreme Court did not pass any comments on the validity of Aadhar in Thursday’s verdict, presumably because the Aadhar Act is set to be tested for constitutionality by a separate five-judge bench. But in elucidating the right to privacy, the court provided clues as to how it may deal with Aadhar when the case eventually comes up for adjudication. In articulating the challenges privacy faces in the information age, the court indicated that protection of data is of paramount importance. In that sense, a data protection law could become a prerequisite for the implementation of Aadhaar.
At the same time, the judges, without exception, held public interest to be a reasonable restriction on the right to privacy. This opens a big door for the government to sustain and expand Aadhaar: it can argue that making service and resource delivery, and utilisation of public funds more efficient – the original justification for creating Aadhaar – is in public interest.
The nine-judge bench wrote six separate but concurring judgements. Justices DY Chandrachud, Rohinton Nariman and SK Kaul spent much space on the aspect of information privacy, the most important aspect of the challenge to Aadhaar. Those opposing Aadhaar have, for one, pointed out that vast caches of personal information stored in the Aadhaar database have been leaked over the last two years.
The judges also pointed out that advancements in technology and the internet present problems that go beyond conventional notions of bodily privacy. In his opinion, Kaul reflected on the dilemma of the information age:
“The impact of the digital age results in information on the internet being permanent. Humans forget, but the internet does not forget and does not let humans forget. Any endeavour to remove information from the internet does not result in its absolute obliteration. The footprints remain. It is thus said that in the digital world preservation is the norm and forgetting a struggle.”
Given the permanence of digital information and the danger of its abuse, both Kaul and Chandrachud emphasised the creation of a strong legal structure to secure citizens’ data – in all aspects, not just within the narrow confines of Aadhaar.
They referred to the report of the erstwhile Planning Commission’s Group of Experts on Privacy, submitted in 2012, which suggests two key guidelines for handling citizens’ data: collection limitation and purpose limitation. Data should be collected only for a specific purpose and used for that purpose alone. The judgement does not direct the government to implement the report, but by referring to its recommendations, it provides a window into the court’s idea of a data protection law.
This is where Aadhaar may get into trouble. The government has essentially established a sweeping data collection mechanism, purportedly for ensuring “good governance; and efficient, transparent and targeted delivery of subsidies, benefits and services”. Specific uses were mandated only later through notifications that vastly expanded the scope of Aadhaar, encompassing everything from income tax returns to death certificates. It was thus post facto creation of objectives that were not explicitly mentioned when data was collected for Aadhaar.
As for purpose limitation, the expert group said “a data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals”.
Question of consent
A key contention against Aadhaar is that at the time of enrolment, explicit consent is not taken for expanding the usage of the data. In fact, the unique identification number was first publicised as voluntary, as the Supreme Court acknowledged in 2015 when it prohibited making Aadhaar compulsory. If the collection and purpose limitations recommended by the expert group are applied, the government would ideally be required to seek consent for using Aadhaar data every time it creates a new purpose. Such a set-up, though, is currently missing.
The government had told the apex court during the proceedings that a committee under a retired Supreme Court judge was reviewing data protection. Kaul and Chandrachud record this statement in their judgement and hope that a law would soon be in place. Warning against the danger of creating a “big brother” state, a concern those opposing Aadhaar have constantly raised, Kaul stated:
“Knowledge about a person gives a power over that person. The personal data collected is capable of effecting representations, influencing decision making processes and shaping behaviour. It can be used as a tool to exercise control over us like the ‘big brother’ State exercised. This can have a stultifying effect on the expression of dissent and difference of opinion, which no democracy can afford. Thus, there is an unprecedented need for regulation.”
Therefore, to save Aadhaar, the Centre may have to show that its overwhelming public interest overrides the fundamental right to privacy. It may also have to narrow down the scope of Aadhaar and bring a data protection law that ensures explicit consent is taken from citizens whose information is sought to be collected.