Right to privacy: A Stop sign?

The Supreme Court’s verdict upholds the citizen’s right, but how the government and its Aadhaar project respond is to be seen

Mohammed Afeef Bengaluru

The Supreme Court of India on August 24 upheld the right to privacy as a fundamental right under Article 21 of the Constitution. The circumstances under which the apex court passed this judgment makes it a ray of hope in dark times, with a government aggressively out to undermine the right to privacy of individuals and push the Aadhaar scheme at any cost. The Supreme Court upheld the inherent value of a constitutional democracy which lies in the protection of constitutional rights from the whims and fancies of the majority. 

The referral 

It was Mukul Rohatgi’s submission of August 2015 which was responsible for the nine-judge constitutional bench hearing the case. His submission argued that privacy is not a fundamental right; the three-judge bench of the Supreme Court which was hearing the case on Aadhaar and norms for the compilation of demographic biometric data by the government considered Rohatgi’s submission ‘a constitutional challenge.’ The bench, led by Justice J. Chelameswar, referred the case to a larger bench to resolve the constitutional question at the heart of the issue. 

In the same order that referred the case, the court held that the enrollment for Aadhaar was to be voluntary. The government, in open defiance of the order, made the Aadhaar card mandatory for subsidies, services, and benefits through Section 7 of the Aadhaar Act. Subsequently, Aadhaar has become necessary to file income tax returns by linking one’s PAN card and now the government is bordering on the absurd by making it mandatory for a death certificate. 

Now that the court has upheld the right to privacy, what does it mean for these aspects of the Aadhaar project: Mandatory collection of demographic and biometric data, collection and storing of information by private parties, authentication of one’s identity based on biometric data, maintaining a data repository of identities, the possibility of profiling and several other concerns regarding individuals’ informational self-determination. 

What the judgment did and did not do? 

The matter before the court was never about the constitutionality or validity of Aadhaar as a scheme, it was about the existence of the right to privacy, and, if it did exist, what the right meant. The court, along with holding privacy as a fundamental right, filled the right to privacy with content and laid down the constitutional standards for limiting the right. It thereby set up the constitutional framework within which cases are to be decided in future. 

The concept of privacy was discussed at length, with different judges having different formulations of it, often overlapping. An essential feature common to all their understandings was that it meant ‘the right to be left alone’ or freedom from unwanted intrusion by State or non-State actors. For instance, Justice R.F. Nariman linked bodily privacy, informational privacy, and the privacy of choice. Justice D.Y. Chandrachud, writing for three other judges, stated: “Privacy has distinct connotations including (i) spatial control; (ii) decisional autonomy; and (iii) informational control. Spatial control denotes the creation of private spaces. Decisional autonomy comprehends intimate personal choices such as those governing reproduction as well as choices expressed in public such as faith or modes of dress. Informational control empowers the individual to use privacy as a shield to retain personal control over information pertaining to the person.” 

The two aspects of privacy that are relevant for questioning the Aadhaar project are the concepts of bodily privacy and informational privacy. Privacy of the body entitles an individual to the integrity of the physical aspects of personhood; this clearly includes biometric data since it is extracted from fingerprints and iris scans, which are inherent to an individual’s personality. 

Informational privacy as a concept has many facets: it includes informational self-determination, which allows the individual to determine what personal information can and cannot be made public. The reasonable expectation of privacy includes that the information provided by the individual will be treated appropriately by the data collector, that it will be used only for the purposes for which it was collected, that it will not be disclosed to third parties except with consent, that it will be accessible to the individual, that the data collector shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, and  that the collection of personal information has to be on the basis of consent. 

These concepts are relevant to Aadhaar since the project mandatorily requires individuals to provide biometric data for the State (UIDAI) to collect, store and use for authentication for different purposes such as accessing bank accounts, paying taxes, and so on. This clearly violates the principle of informational self-determination and reasonable expectation of privacy, but is it justified in law? 

Does Aadhaar pass the test? 

One of the highlights of the judgment was the setting of a high standard for the State to restrict the right to privacy based on the principles of fair, just and reasonable restriction. The three-pronged test set out is that, first, there must be a law in existence to justify an encroachment on privacy, which is an express requirement of Article 21. For no person can be deprived of his life or personal liberty except in accordance with the procedure established by law. 

Second, the requirement of a need, in terms of a legitimate State aim, ensures that the nature and content of the law which imposes the restriction falls within the zone of reasonableness mandated by Article 14, which is a guarantee against arbitrary state action. 

Third, the means which are adopted by the legislature are proportional to the objective and needs sought to be fulfilled by the law. Proportionality is an essential facet of the guarantee against arbitrary State action because it ensures that the nature and quality of the encroachment on the right is not disproportionate to the purpose of the law. 

Now, does Aadhaar pass the test? The second requirement, of being a legitimate State objective, doesn’t seem to be causing any problems, as even the judgment of Justice Chandrachud pointed out: “There is a vital state interest in ensuring that scarce public resources are not dissipated by the diversion of resources to persons who do not qualify as recipients. Allocation of resources for human development is coupled with a legitimate concern that the utilization of resources should not be siphoned away for extraneous purposes.” 

Therefore, it is true that the “efficient, transparent, and targeted delivery of subsidies, benefits and services” is a legitimate State interest. As per my assessment, the first and the third test would be crucial; the first test of ‘procedure established by law’ would also include the valid legal procedure for bringing about the law, and since the Act was brought in as a money Bill as a way of circumventing the Rajya Sabha, the State would have a tough time defending it. The third test puts the onus on the State to demonstrate that in order to achieve its legitimate goal (efficient delivery of subsidies, benefits and services) the forced collection of biometric data and using it to authenticate identity as a pre-condition for delivering social welfare and otherwise is proportionate and required for achieving the said ends. 

Given that the biometric system is prone to error, the failure of which is denying social welfare to several citizens across the country, it will be a tough task for the State to even demonstrate the success of the project in dispensing welfare. 

Other issues for the court 

It is also important to note that the Aadhaar Act, 2016, has a chapter on data protection in consonance with informational privacy principles enumerated in the judgment albeit with loopholes, such as the absence of a grievance redressal system for individuals. However, as Prasanna S.  pointed out, the UIDIA started accumulating data long before the enactment of the data protection law mentioned. So, was the data collected without legal basis? This is another aspect the court will have to decide.  

Further, since the current data protection law under Aadhaar is insufficient in dealing with all the informational privacy concerns highlighted in the judgment, how will the court respond in the context of the government’s drive to make Aadhaar mandatory? The judgment might not have declared Aadhaar unconstitutional, but it certainly puts the government in an uncomfortable position.