IAPP KNet Session at Bangalore: Aadhaar and Privacy

IAPP had organized a half day session at IIIT Bangalore in which the Privacy issues surrounding Aadhaar were discussed in the light of the recent Supreme Court judgement. A summary of thoughts shared by the undersigned in the meet is reproduced here.

The reference to the Nine member Bench of the Supreme Court was made during the discussion in the smaller bench on the Constitutional validity of Aadhaar, in which one point brought out by the Government was that Privacy is not a fundamental right. Sensing the danger of the argument being held valid on account of the two earlier judgments of the Supreme Court, namely the M.P.Singh and Kharak Singh judgments, one of which was from an 8 member bench, the CJI quickly set up the Nine member bench, which in double quick time came up with its massive judgement and cleared the path for the smaller bench to proceed with the Aadhaar hearing under the specific consideration that Privacy is a Fundamental right.

Once this issue is settled, the Government will have to justify the Aadhaar Act under one of the “Reasonable Restriction” clauses under Article 19(2).

In this context, the issues before us are to understand

a) Does Aadhaar per-se violate Privacy?

b) Does the mandating of Aadhaar for social benefits violate Privacy?

c) Does Linking of Aadhaar to PAN violate Privacy?

d) Does leaking of Aadhaar Data through e-hospital app violate Privacy?

e) Does leaking of Aadhaar data through biometric device violate Privacy?

f) Once biometric is compromised, is there a way out to put the clock back?

We must recognize that Aadhaar was perceived as a data base of demographic and biometric data linked to a random number. This number was supposed to be held confidential by the owner and presented with his biometric to those agencies which needed to verify any particular parameter associated with the Aadhaar such as the name, address, father’s name, date of birth etc. The query was supposed to be always answered in binary Yes or No and Aadhaar data was not supposed to travel on the internet.

However in its implementation, Aadhaar is now used as an ID card and any authorized person who seeks information is allowed to download the entire aadhaar information on his systems where the data along with the Aadhaar number resides. The query is answered not only with the biometric but also on OTP over the registered mobile. There are also authorized APIs that lift the data from the Aadhaar server and populate forms at the User end. e-Hospital application was one such application which was at the center of the recent suspected data breach.

Similarly, wherever biometric devices are used, the biometric has to be captured and then transmitted to the Aadhaar server for authentication. Though the transmission is encrypted, it is possible for a copy of the encrypted biometric to be stored at the device end, as was detected in one instance where E Mudhra and Axis bank had sent stored biometric for authentication and UIDAI had filed a criminal complaint.

Since the devices would be under the control of the intermediaries, even if UIDAI ensures an audit of the devices before it is approved, there is a possibility of them being tampered with subsequently.

The current generation of biometric devices and the technology adopted for referring the captured biometric to the UIDAI server do not seem to be secure enough to prevent storage of biometric and this could be a Privacy threat.

Thus in most cases Privacy information leakage occurs at the user end and not at the UIDAI end. Hence what UIDAI needs to ensure is a process by which users take the responsibility for leakage of Aadhaar data.

Currently this is determined by the provisions of ITA 2000/8 under Section 79 and 43A along with other provisions.

The issue of Aadhaar and Privacy should therefore be seen in the context of how the Aadhaar intermediaries obtain the consent of the Aadhaar users and whether it satisfies the internationally accepted principles of disclosure, minimal usage, security, limited period retention etc.

Some of the legal luminaries do consider that “Consent” being a “Contract”, it cannot be used to circumvent the abrogation of “Fundamental Rights”. In view of this, the consents need to be carefully drafted to avoid litigations.

Compliance therefore becomes a challenge to the companies who need to use “Data” as the raw material for their business.

If Aadhaar related privacy issues are to be tackled, there is a need to relook at the technology by which the Aadhaar data base is accessed by the intermediaries who provide various services using Aadhaar as an ID. Government also should stop treating Aadhaar as an ID card which can be shared at various usage points to be photocopied and used.

If, before the Aadhaar hearing comes up again in the Supreme Court, the Government issues a policy guideline on how the Aadhaar data base is to be used, it may strengthen the argument to defend the Aadhaar system. Otherwise there could be a danger of impossible restrictions being imposed by the Court which may need change of many of the use cases which are under contemplation.

Naavi

 


CCAI India Privacy Summit 2017 at Bangalore… and Cyber Insurance

A high profile Privacy Summit had been organized at Taj West End by CCAI (Corporate Counsel Association of India) along with IAPP in which several issues of Privacy were discussed in the emerging technology environment.

The undersigned, participating in one of the sessions, presented his views on the relationship between Cyber Security and Cyber Insurance.

A summary of thoughts presented in this connection is reproduced here:

Cyber Insurance has two parts namely the First Party Coverage and Third party coverage.

The first party coverage refers to the costs incurred by the insured after a breach on invoking DRP/BCP, Payment of Regulatory Fines, Cost of audit and assessment of the breach, forensic investigation of the breach, litigation, ransom payments, data breach notification cost etc. These are all costs incurred by the Company for which reimbursement is sought.

The third party coverage refers to the loss suffered by customers (including public) arising out of the breach at the insured facilities. This depends on the claims made by the outsiders. Consequent to the recent Privacy judgement, it is expected that the litigation in this domain may increase and as a result the cost of cyber insurance may also increase.

Cyber Security Risk Management includes four elements namely Mitigation, Avoidance, Absorption and Transfer (Insurance). While Mitigation is the responsibility of the IS team, Avoidance is a business decision and Absorption is a management decision. Risk Transfer through Cyber Insurance is a decision which all the stake holders, namely the Information Security, Business and Management, should take together.

In many companies, the decision on Cyber Insurance may be taken at the CFO level as a budgetary provision.

Ideally, Cyber Security personnel should be involved both at the time of taking of a Cyber Insurance policy as well as at the time when Claim is preferred.

When a Claim is preferred the Insurance Company will naturally contest to say

-Breach was caused out of negligence

-Breach was caused by insiders or other reasons not covered under the policy

-Breach occurred long time back and was not detected in time and was not plugged in time to reduce the damage

-At the time of taking the policy, the risk was known and not disclosed.

-Coverage is limited to part of the loss only, because the insured is a co-insurer in part because the assets were undervalued at the time of underwriting

-Policy has sub limits and hence not payable in full, etc.

No Insurance company will be/can be magnanimous as to say…I will ignore all your follies and pay whatever you ask.

At the same time, the Company needs to defend

-It was not negligent

-Root cause of loss is within the risks covered

-Assets are fully valued at the time of the underwriting

-Breach was detected in time and acted upon

-Reasonable action is taken to legally defend the claims against the company and pursue claims against the persons causing the breach, so that the Insurance company can step into the shoes of the insured and pursue its claim against the end beneficiaries of the breach etc.

Company has to provide evidence that reasonable Security practice is in existence today, yesterday and throughout the life of the policy.

All this can be done only by the Information Security team and not by the CFO. It is for this reason that the Information Security team should be at the center of a decision on Cyber Insurance all the time.

There are some challenges in Cyber Insurance, including lack of adequate metrics to measure the security posture of an organization so that a “Risk based Premium” is determined beyond the usual claims of “I am ISO 27001/PCI-DSS compliant” etc.

Challenges are also noticed since normally it takes time for breaches to be identified and addressed.

It is also not easy for the Information Security professionals to clearly understand the different limitations in the Cyber Insurance contract, since Insurance contracts are contracts of “Utmost Faith” and can be voided by the Insurance company if it can prove that the insured had not shared all relevant information at the time of making his proposal. It is also a challenge to value the assets insured so that the Insurance Company does not limit the claims on the grounds of “Under valuation of Assets”.

As regards the response to a breach when identified, a Company needs to have a clear policy based on the obligations under the Cyber Insurance contract to decide if the breach has to be reported (even when there is no claim preferred) and for all the actions required to be taken such as filing of a Police Complaint, conducting internal forensic assessment, etc.

It is also necessary for the Company to avoid mis-communication to the public and press which can cause more harm to the reputation of the company and increase the losses under claim.

In view of the complications involved in a Cyber Insurance Contract and the high stakes involved, there is therefore a need to obtain appropriate consultation from experts before a Cyber Insurance contract is purchased by an entity.

During the discussions, the difficulty Insurance companies face in assessing the Cyber Risk and linking it to the Premium, due to lack of information on cyber crimes in general, was also discussed. The Insurance companies are therefore forced to base their premium fixation on the cost of re-insurance. This has prevented the Cyber Insurance companies from providing appropriate credit to the security measures taken by the insured to reduce the Cyber Risks, and more effort is required in this direction so that investments made on Cyber Security reduce the cost of insurance at least to some extent.

Naavi

 

 


Impact of Supreme Court’s Order on Right to Privacy on Cyber Space and Data Protection

A Round table was held at National Law School of India, Bangalore, the premier law education institute in the country on assessing the impact of the Supreme Court order on Right to Privacy on Cyber Space and Data Protection. Dr Professor Nagaratna, Dr Professor Subbarao, from NLSUI led the discussions and several other invited guests from IT industry, Advocates, Police, Research scholars participated in the consultation program.

Participating in the discussion, the undersigned shared his views on the subject reproduced below:

Assessing the Impact of Supreme Court’s Order on Right to Privacy on Cyber Space and Data Protection

Discussion@ NLSUI, 31st August 2017

A Note By Naavi

Law is meant to be complied with by the Citizens. Hence it has to be written in a manner that is easily and precisely understood by the stake holders. A well written law brings better compliance than a law that people cannot properly understand. This principle also applies when laws are made by way of Jurisprudence developed in major Judgements of superior Courts. If the Judgements are precise and lucid, they will be well understood by the citizens and there will be better compliance. We need to assess this Judgement keeping this basic principle in mind.

The Order

The Bench in its 547 page judgement has given out a one page order signed by all the judges making just one major point namely:

“The right to Privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”.

Additionally the order specifically mentions that the earlier judgements in the M.P.Singh and Kharak Singh cases have been overruled.

Apart from the order, individual judgements have been given by 5 judges and the other four have given a common judgement. Some of these individual judgements list some conclusions after reflections and other citations from Indian and foreign judgements.

The operating part of the judgement is however limited to the declaration that Right to Privacy is a “Fundamental Right”. It means that the Government cannot make any law that infringes the right, and any previous laws made can be challenged. However, the Right is subject to the “Reasonable Restrictions” under Article 21 and it would be the line of defense whenever a law is challenged.

While infringement of the Privacy Right by the State can empower a citizen to claim damages from the Government, it cannot be used to claim damages from a Non State body.

Impact on Non State Bodies

Individuals and Companies who are not State bodies shall be liable on the basis of any law made by the Government to protect Privacy of a Citizen as per the obligation under the Constitution.

At present no law exists specifically to protect the Privacy of an Individual. However, Information Technology Act 2000/8 has certain provisions which afford protection to “Personal” data of an individual in electronic form which is collected and processed by a corporate entity.

Lack of Definition of Privacy

In the Judgement, it has been admitted that there is no acceptable definition of “Privacy” as it prevails in India. Earlier, the various judgements of the Supreme Court including the Kharak Singh judgement used the concept of Privacy Right as a “Right to be left alone”. It was mostly viewed in the context of “Physical Privacy”.

Additionally, some of the Judges have made reference to “Information Privacy” where “Right to decide how information that is related to the Privacy of a person may be collected and used” is recognized as a facet of Privacy. Again this is not part of the order and hence not binding under this judgement.

The current judgement did not add an acceptable definition of Privacy in its final order though different judges in their reflections made many remarks. At least one Judge (Justice Chelameswar) categorically stated “….Definitional uncertainty is no reason to not recognize the existence of the right of privacy….”.

As a result the “Right to Privacy” is now sought to be defended with a vague understanding of the definition of “Privacy”. Citizens and Companies will therefore have to protect the Privacy of other Citizens, and avoid infringing it, without having a clear understanding of what right they are really protecting.

If there is any dispute whether a “Right” is infringed and what is infringed is the “Right to Privacy”, then a reference would be required to be made to a Court to define on a case to case basis whether the “Right which was infringed was indeed a Right to Privacy”.

The public will therefore look for the specific legal provision where the Privacy Right is mandated to be protected to find out whether they are indeed compliant with law or not.

For example, in cases where ITA 2000/8 applies, public and companies will look for the definition of “Personal Information” and “Sensitive Personal Information”. It also has certain sections like the Section 43A, Section 72A, Section 79, Section 65, Section 67C, Section 66E, Section 69, Section 69B, Section 70B etc. where different aspects of Privacy are referred to. All this applies to electronic documents other than excluded documents under Section 1(4). They do not apply to non-electronic documents or oral statements.

Courts have the right to not only interpret the law but to write the law

Justice Chelameswar has however made an interesting statement which implies that any decision of the Court in this regard may not necessarily be dictated by what is provided in the law.

According to him

“To sanctify an argument that whatever is not found in the text of the Constitution cannot become a part of the Constitution would be too primitive an understanding of the Constitution and contrary to settled canons of constitutional interpretation”

What this observation means is that even if the Constitution or any law does not mention something in the text of the law, the Court can still interpret the law to contain such text by way of an interpretation.

This makes law completely arbitrary and leaves the Court free not only to interpret what is written in the law but also to import any other text not present therein, as if the law is being “Re written”.

When we remember that Justice Chelameswar and Justice Nariman, who are part of this bench were also the Judges who in the Shreya Singhal Case struck down Section 66A considering that Messaging is no different from Publishing and Words used in the section were vague and also refused to read down the provisions and retain the section but insisted that it has to be struck down, it is surprising that they have now changed their view completely.

In this judgement the Court is ruling on “Protection of Privacy” without freezing on what is meant by “Privacy”. This is not considered vague. Also now the Court is ready to not only “Read down” but also “Write down” law in any manner in which the Judges consider it correct.

This inconsistency in judicial approach creates needless confusion to companies who would like to be compliant with law.

This approach of laying down law without clarity is undesirable. As a result, any law can be interpreted by the Court any time and what is written in the law is immaterial.

In such a scenario, compliance is almost impossible and Businesses will not be able to invest in technologies and build an infrastructure or brand without the constant fear that law may be re-interpreted by a Court in a different manner and make their business illegal.

ITA 2008 approach to Privacy Protection

ITA 2008 defines Personal Information as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. (Notification of 11th April 2011).

The sensitive Personal information is defined as password; financial information such as Bank account or credit card or debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; Biometric information; any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

Under Section 72A, any person disclosing personal information in violation of an agreement with the data subject is liable for 3 year imprisonment.

Under Section 43A, which is applicable only to companies, a company handling “Sensitive Personal Information” needs to implement “Reasonable Security Practices” failing which it would be liable to pay compensation.

Under Section 43, any person who “Diminishes the value of information residing inside a computer” or obtains unauthorized access to information (whether personal, or sensitive personal or any other) is liable for payment of compensation and additionally for 3 year imprisonment.

Further, there are data retention requirements (Sec 67C, Sec 65), bodily privacy protection (Sec 66E), and Disclosure and interception related issues (Sec 69, 69B, 70B) for which punishments are prescribed. Section 79 is a complete reproduction of internationally accepted norms of privacy protection as applicable to information intermediaries.

ITA 2000/8 however provides emphasis on “Contract” with the data subject which gets translated into “Informed consent”. Hence any company dealing with privacy related information has to focus on obtaining a proper consent after a proper disclosure of why an information is being collected, what all information is collected, how they are used, how they are shared, how they are secured, how long they are retained etc.

The law is reasonably robust, though there is a lacuna in its implementation. Companies are negligent in not going for a structured ITA 2008 compliance exercise despite nudging by the Government through various means.

Now the Government is contemplating a separate law on Data Protection for which a committee led by another retired Judge of Supreme Court (Justice Srikrishna) is working. Since this is a “Data Protection law”, it has to address only what ITA 2008 has already addressed. It is expected that it would focus on the administrative part of the data protection including appointment of a data commissioner, replacing the Adjudication and Cyber Appellate Tribunals with a separate system. Hopefully there will not be much of a need to tinker with ITA 2000/8 itself to ensure that the two laws are not contradictory.

What Can change after the Judgement?

Now that this judgement elevates Privacy to the status of a “Fundamental Right” there will be a greater attention from the Privacy advocates and there would be a number of frivolous litigations on e-commerce players who are today banking on the “Contractual Permissions” from the data subjects.

The common approach of business is to offer a service under the specific condition that certain data is shared and it may be used by them in a certain manner in which they generate some additional revenue.

In a way the data subject “Trades” his personal information for a benefit. Whether he gets a fair price for his data or whether he is allowing the data processor to get free data is perhaps a point of debate. We however have to recognize that the world is already recognising the IPR laws in which often the author/inventor gets some small revenue and transfers the rights to a business entity which makes a windfall. These imbalances in data trade cannot be easily regulated by law and should be left to the NGOs and better education of the consumer.

Businesses like Data Analytics, Advertising etc. survive only on collection and use of personal data. Some businesses can do with de-identified data but many need value which comes only with identified data. In the digital economy “Data” is considered an important commodity just like “Oil” and hence imposing irrational curbs on its usage in the guise of “Privacy” will be counterproductive.

Additionally “Privacy” is always at loggerheads with Security and even the Judges in this judgement have recognized this. Hence Government and Companies will try to justify certain practices on the basis of security requirements while whether there were “Compelling reasons” for the same will remain eternally a debate in Courts.

What is required now is the development of good enforcement machinery which will guide the Companies in India to protect the Privacy of individuals and ensure that a fair price will be paid to them whenever personal data is used for commercial purposes. How this will be done is the challenge for the Data Protection Act on the anvil.

Technically, apart from De-Identification, Regulated Anonymity concepts provide a strategy for striking balance between Privacy Rights and Security requirements. They need to be harnessed in the Data Protection regime.

Industry therefore may continue to follow the principles of Data Protection under ITA 2008 as its obligation for “Privacy Protection” and await the Data Protection Act for any review of its strategies.

Naavi

www.naavi.org

31st August 2017

The deliberations of the Round table are likely to be collated and submitted by NLSUI to the Government and the Srikrishna Panel on Data Protection.

Naavi

 

 

Privacy…is a “Fundamental Right” but we do not know what constitutes “Privacy”!

(This is in continuation of our discussion on Justice Chelameswar’s part of the judgement in the Privacy case)

While the nine eminent judges went about their mission to declare “Privacy As a Fundamental Right”, they also encountered the problem of defining what is “Privacy”.

The challenge of defining Privacy Rights without a definition of Privacy has confronted law makers as well as law followers which has not been appreciated much in the past. Now it is interesting to see that even the nine judges are unable to agree on how to define “Privacy Right”.

Justice Chelameswar uses his Judicial freedom to

-first admit that “Whether it is possible to arrive at a coherent, integrated and structured statement explaining the right of privacy is a question that has been troubling scholars and judges in various jurisdictions for decades.” and

-then to say “In my opinion, there is no need to resolve all definitional concerns at an abstract level to understand the nature of the right to privacy….Definitional uncertainty is no reason to not recognize the existence of the right of privacy….”.

He then concludes that “for the purpose of this case, it is sufficient to go by the understanding that the right to privacy consists of three facets i.e. repose, sanctuary and intimate decision. Each of these facets is so essential for the liberty of human beings”.

These three facets “repose”, “sanctuary” and “Intimate Decision” are picked from academic concepts postulated by a US author Bostwick.

“Repose” refers to freedom from unwarranted stimuli, “sanctuary” to protection against intrusive observation, and “intimate decision” to autonomy with respect to the most personal life choices. All these are covered under the concept of Privacy being “Right to be Left Alone”.

Unfortunately, the definition does not form part of the order and is not handled similarly by other Judges. Hence it remains one of the opinions of the nine judges.

This means that search for an acceptable definition of Privacy continues even after this judgement.

Though Privacy Invasion is recognized from State as well as Individuals and Companies, the judgement does not provide a proper guideline on how the stake holders need to respond.

Of course it is understood that the Government cannot make any laws that infringe on the Privacy Rights subject to “Reasonable Restrictions” as per Article 19 of the Constitution.

However, when Privacy invasion occurs either by the State or another individual or a Company, there is no wisdom on how the affected individual would be compensated. For this we need to await a law from the Government.

Presently law is being contemplated on “Data Protection” which is not directly equal to “Privacy Protection”. In the absence of an agreed definition of Privacy, it is not easy to define what information/data can be considered as “Relevant for Privacy Protection” and has to be protected in the Data Protection Act.

Other judges have used the term “Information Privacy” to identify personal information in data form and state that “Right to control collection and dissemination of such personal information” is “Privacy Rights in the Data world”.

This is acceptable for the Privacy Protection in data form but inadequate when protection of Privacy is to be considered when information is handled orally or through non electronic written form.

The Judgement does not clarify this and therefore the Government formulating Data Protection Act or Companies and Individuals who look at ITA 2008 for Privacy protection in data form are not wiser when privacy has to be protected in non-electronic form.

Additionally, several stray aspects of life are loosely cited as examples that may define different facets of Privacy. For example, Justice Chelameswar reflects on “Decision to stop medical treatment by a patient” or a decision of a woman to bear or not bear a child, or abort pregnancy as Privacy issues. The reflections go on into many other areas including right to work and choose the type of work, right to travel, right to choose a place of residence, as other areas where the principles of Privacy can be extended.

Justice Chelameswar has even delved into political issues by commenting

“I do not think that anybody would like to be told by the State as to what they should eat or how they should dress or whom they should be associated with either in their personal, social or political life.”

Similarly other judges have included the Right to sexual orientation as part of Privacy in their reflections.

By making such comments in the body of the judgement, all these issues are being projected as part of “Privacy Rights” which in future will come up to Supreme Court in the form of writ petitions from the Citizens of India trying to protect their fundamental rights.

No doubt this is a feather in the cap of Indian democracy that our Judiciary considers that if I post in my WhatsApp that “I ate Masala Dosa at Vidyarthi Bhavan today” and somebody forwards it outside, it can be contested as “Violation of my Privacy Rights”. But.. is this what Privacy Right protection is all about?

Adding these reflections in the Judgement without a proper confirmation on either acceptance or rejection of the same by a majority of judges as a part of the final order has only brought in more confusion to the public and was completely avoidable.

Now individuals and companies are placed in a dilemma whether these individual reflections are to be treated as part of the order or ignored. This will only help frivolous litigations in future from which nobody but the Privacy advocates benefit.

Considering the vague reflections included in the judgement, it would not be surprising if tomorrow, in a divorce case, husband or wife may claim “Privacy Right” not to be “husband and wife” or “Transfers in Jobs” may be contested as “Right to Privacy” and so on. The capacity of this judgement to lead to nuisance litigations is very high because of the numerous reflections being made part of the judgment document though they are not part of the final order.

For the time being, it may therefore be better to ignore these stray comments since they are not part of the final order or form a majority common decision. Government when it frames the Data Protection law should not give weightage to all these different instances of life as “Privacy Issues” and make life unbearable.

In these facets, the Judgement reflects an attitude of the Court to consider the judgement as an erudite academic essay without the need for concluding it properly with either acceptance or rejection of a point of view.

Similarly, when a decision of multiple judges is involved, if individual opinions are not consolidated into groups with indication of which judge agrees or rejects the issue, and further exported into the final order, the communication to the public remains incomplete.

As a result, after such a judgement, stake holders are not wiser than what they were before. Perhaps they are more confused than before.

The “uncertainty” created out of such “Vague” judgments can be avoided if Judges consider that a Judgement is not written to showcase how much the Judge knows about a subject but how much the public needs to know in solving a legal problem.

[P.S: I am aware that it is not customary for anybody to make comments on the judgement particularly when it comes from the highest Court of the land.

But in the hope of Courts rendering judgments which can be read and understood by common people without the need for intermediaries, I have found it necessary to express these views.

Commercially, the more the confusion in the market, the better it is for consultants like us because somebody is needed to interpret the interpretations rightly or wrongly and present it again to some other Court so that debate can continue.

But law is not meant for creating commercial value to consultants and lawyers. Law has to be simple and understandable by the Citizens and other stake holders so that they can comply with them without the assistance of a third party.

Voluntary compliance will suffer if law is vague and complicated and the trend has to change towards law being lucidly explained. This may not be possible in the writing of the law but it is possible in the judgement. Hence even if Law can be vague, Judgement should be precise. I hope we will see short and precise judgements particularly when they involve concepts that need to be understood by Citizens and adopted as part of their life styles.

The touch stone of the “Privacy Judgement” is whether this judgement can be understood by the common man on the street who is the subject who has to enjoy “Privacy” as a “Fundamental Right”. If “Privacy Law” is meant to be understood as a PG Diploma course, then Law of Privacy will remain an elite concept and does not reach to the masses.

Naavi

 


Does Written Text of the Constitution not have any sanctity?

The alacrity with which the honourable Supreme Court constituted a 9 member bench to review “Whether Privacy is a Fundamental Right” and the release of the voluminous judgement before the retirement of Chief Justice Mr Kehar indicates that the CJI wanted a “Historic” judgement to go on record. The Court has succeeded in this objective though it has raised many other questions which could surface because of the judgement.

Though the Order was a simple order re-iterating what we all agreed and practiced that “Privacy is an important human right respected in a democratic society”, it appears that it has prepared a ground which may enable the other bench reviewing the Aadhaar Act to take a decision to strike down the Aadhaar Act as unconstitutional.

While the final order does not give any indication of such an inference, the detailed reading of some parts of the Judgement where some reflections of the judges are available provides such an indication.

The reflections buried in different judgments are not binding as the order itself. But there is a possibility that any reflection of even a single judge could be quoted in future judgments as if that is part of the views of the Nine members of the bench.

It is important for us to remember that what is outside the order is only an opinion and if it is by one or two of the judges, it should be considered as the opinion of those judges and not as a “Unanimous” or “Majority” decision.

With this background we may try to observe some of the observations contained in the judgement of honourable Justice Chelmeshwar (Pages 267-310) which need some special mention.

The Judgement notes three aspects as the crux of the enquiry namely:

1. Is there a fundamental right to Privacy under the Constitution of India?
2. If it exists, where is it located?
3. What are the contours of such right?

The Supreme Court appeared perturbed that in the Aadhaar Case, the Government made a statement that in view of the M.P.Sharma and Kharak Singh judgements, “Privacy may not be considered as a Fundamental Right under the Constitution”.

The existence of some earlier judgments which held such view was considered as a hindrance for the Aadhaar bench to rule otherwise. There was therefore a need to arm the Aadhaar Bench with a clarification that “Privacy is Fundamental Right” so that the argument of the Government on the lines that it is not could be nipped in the bud.

The Bench was therefore categorical to state that the M.P.Singh and Kharak Singh judgments are “Over ruled”.

In order to arrive at a judgement as it finally turned out, an elaborate justification has been provided throughout the 547 page judgement from 100’s of earlier cases from India and abroad.

In the process of trying to defend “Privacy” as a “Fundamental Right” which perhaps was deliberately omitted by the framers of our Constitution,  the bench arrived at a new “Principle of Interpretation of Constitution”  that “Written Text of the Constitution” has no sanctity. Despite the noble intentions of the bench to protect Privacy even against the Aadhaar legislation, I consider that this new principle of interpretation of written text of constitution is a dangerous trend and needs to be reviewed.

The essence of the argument put up by the Judge to support inclusion of “Privacy” as a “Fundamental Right” was that “Whatever is written in the Constitution is valid only in the light of the interpretation that the Supreme Court may provide”. In other words, this means that the Court holds a view that the Constitution is written not in the legislature but in the Court room.

This was stated in no uncertain terms in page 284 of the Judgement in the reflections of Justice Chelmeshwar where it is stated

“To sanctify an argument that whatever is not found in the text of the Constitution cannot become a part of the Constitution would be too primitive an understanding of the Constitution and contrary to settled canons of constitutional interpretation.”

The statement of Justice Chelmeshwar legitimizes the right of the Court to ignore the words of text used in the Constitution and give any meaning as the majority of judges of a bench agree upon.

It is difficult to agree with this contention that there is no “sanctity” in the words of the written constitution since if this is extended to other aspects of constitution, the respect for the Constitution may be in jeopardy.

Fortunately this is the reflection of only one of the 9 judges and not a part of the nine member order and it has to be treated as such.

Additionally, there are inherent contradictions within the judgement which also says

“The Constitution ….is a testament created for securing the goals professed in the Preamble…… ‘We the People’ of this country are the intended beneficiaries of the Constitution. It must be seen as a document written in the blood of innumerable martyrs..” etc.

If Constitution is a document written in blood of the martyrs, can what is omitted to be written be considered casually and inserted as an interpretation?…..

Should not the Bench have asked the Government to amend the Constitution by adding the specific words into the Constitution and preserved the sanctity of the written text?

While the Court is quick to point out that the Government does not have the right to amend the Constitution easily, it asserts its own right to interpret it in a manner which is not written and what had been earlier upheld by M.P.Singh and Kharak Singh judgement.

This appears to be a judicial overreach to usurp the function of a legislature which could be accomplished only with a two third majority perhaps with the approval of the majority of State legislatures.

At one place the Judgement says that “… Rights arise out of custom, contract or legislation, including a written Constitution…” but it does not accept that in Indian Custom, health information is not considered a “Private Information” and not sharing health condition with relatives is considered as a “Rejection of closeness of relationship”.

This thought that “though Privacy is not part of the written constitution in Part III, it should be implied” runs through the judgement and ends with a declaration that “Privacy is a Fundamental Right”.

The judgement will definitely create a hurdle for the Government in making any legislation in future since the Courts may take a view that some thing in the proposed law violates “Privacy” and therefore cannot be considered valid.

It will be a running battle for the Government to convince the Supreme Court for each of its legislation even if they are passed by both houses of Parliament.

It appears that what Mr Kapil Sibal as a senior functionary of Congress could not achieve in the Rajyasabha, he seems to have achieved by arguing in the Court and getting a favourable judgment.

To ordinary citizens however, it appears that the Judgement is an assertion of the Judiciary that their interpretation is supreme whether some thing is written or omitted in any law.

The judgment seriously undermines the power of legislature and leaves them with no power to make any law since even what is not written in the Constitution can be imputed by a group of Judges if they are in sufficient number.

Now this principle that “Written words in the Constitution is subordinate to the interpreted views of the majority of the judicial bench” will reflect in the Ram Janmabhoomi judgement or Uniform Civil Code or Special Status of Kashmir etc. In future even if a Constitutional amendment is passed by the Parliament, the judiciary can still use its “Power to Interpret” and give meaning which is not an intention of the legislature.

This could be one of the undesirable impacts of this Judgement.

In the light of the developments, I foresee that the Aadhaar Act will come under a serious threat of rejection in the coming days and cause a serious embarrassment to the Modi Government. Government needs to be prepared for this reverse. In the past we have seen legislature making retrospective laws.

In this judgement, Supreme Court paused the Aadhaar case and altered the judicial environment  for a case under process with this order. It was in effect like retrospective legislation and represented creative thinking of the outgoing CJI.

Naavi


The Privacy Judgement… Conclusion.. Need for Definition of Privacy

[This is in continuation of our debate on the Privacy Judgement]

The Puttaswamy judgement from the 9 member bench of the Supreme Court which was hailed as a “Historic” judgement ended up with a simple declaration that “Right to Privacy is a Fundamental Right under the Indian Constitution which is subject to the reasonable restrictions applicable to all such rights”. Let us now look at how this decision affects the three stake holders we identified for this issue of “Privacy” namely,

a) The Citizen of the Country who should feel that he has a “Right to Privacy” in whatever manner the Constitution understands it.
b)  The Government which makes laws and uses services such as Aadhaar which may have an indirect association with the principle of “Privacy”
c) The business entities which use services that have a direct and indirect association with the principle of “Privacy”.

Whether a “Right” is a fundamental right or a legal right makes some difference to the Government but not so much to the Citizen or even the data processing Companies.

Because the “Right to Privacy” is a “Fundamental Right” under Part III of our constitution, Government cannot make any law which a Court may interpret as resulting in “Privacy Infringement” but not saved by the “Reasonable Restrictions” argument.

The “Reasonable Restrictions” relate to

a) interests of the sovereignty and integrity of India,
b) the security of the State,
c) friendly relations with foreign States,
d) public order,
e) decency or morality, or
f) in relation to contempt of court,
g) defamation or
h) incitement to an offence.

A detailed academic discussion on these “Reasonable Restrictions” can be found here. As one can see, the “Reasonable” restrictions are reasonably vague and there could be many excuses under which a law can be defended under one of these restrictions.

In each such case, the law can be challenged at the High Court or the Supreme Court as violative of the fundamental rights and the Court will apply the test of reasonableness and the need for the law before ruling either that the law does not violate any of the fundamental rights or that even if it does so it may be saved by falling into one of the reasonable restriction categories. If not, the law will be struck down.

The current judgement will therefore provide an opportunity to challenge every law made by the Government and the Courts will spend their precious time in the coming days debating these issues.

If the Government is careful in drafting the law, and if the Judiciary is not too unfriendly, then it may be able to justify its position and get through the law as it intended or with whatever modifications that the Court may suggest.

The immediate challenge is regarding the UIDAI Act and the use of Aadhaar as an ID for providing many of the Government services with a need to be linked to the PAN, Driving License or Mobile. Each of these can be eminently defended under national security and hence the law may pass the test.

Key is Interpretation and it depends….

We need to however observe that ultimately it is the “interpretation” of the judges that determines whether the law is violative of the fundamental rights or not.

Even now the 9 member bench has only interpreted that “Privacy” is a “Right” which is part of the “Right to Life and Personal Liberty” and Article 21 and 19 are not different and hence the bench came to the conclusion that Privacy Right is a fundamental right. The Constitution has not been amended to include “Privacy” as a right nor has the bench defined the term “Privacy” in an unambiguous manner.

This “interpretation” will stand unless a bench of more than 9 members holds otherwise in some point of time in future.

Whether any legislation comes under any “Reasonable Restriction” principle will be subject to another “Interpretation” by other benches which can be of a smaller size. We may recall that the Shreya Singhal case was an example of how the “Power to Interpret” was used by the Court to strike down a law that was meant for “Messages” sent from one person to another through e-mail or SMS by interpreting it as equivalent to “Publishing” of an information reaching out to the public.

Interpretations therefore may vary from time to time. This may not be bad since law has to keep moving forward but it also means that the law can be rendered inconsistent with different judges coming to different interpretations based on their own understanding of the problem.

Both the judges who earlier interpreted “Messaging” as “Publication” in the Shreya Singhal case were also part of this bench and had seen “Chilling Effect” of Section 66A while coming down with a sledge hammer on the section.

Hence the possibility of any law made by the Government, even in future, being overturned if a Court so desires cannot be ruled out.

In view of this there is no significant impact of the decision on the Government except that there would be more litigation and challenges for every law made by the Government and the battle of the opposition to put hurdles in the path of growth contemplated by the Government will move from the Rajya Sabha to the Supreme Court.

Whether the Supreme Court will continue to entertain all politically motivated cases filed under the guise of “Privacy Rights” or exercise discretion needs to be seen.

Definition of Privacy

Despite some academic discussions on how to define “Privacy”, the final order did not include clarity on “What is Privacy” as a “Right”.

When the Government legislates on “Privacy” in future, this lack of definition will come to haunt us since whatever the Government does can be challenged under the argument that it infringes  “Privacy” as a petitioner may try to interpret and the Supreme Court will keep hearing such petitions.

It was also interesting to note that some of the discussions were centered around “Information Privacy” as if “Right to control information related to a person” itself as the “Right to Privacy”.

Is name an information related to privacy? Is Mobile number an information related to privacy? Whether information on caste, sub caste, political affiliation, etc. is information related to privacy has not been clarified in this judgement. They continue to be in the realm of uncertainty.

Is a “Phone Conversation” between A and B a joint property of “A and B”? Does recording of such conversation not amount to a Privacy breach? What about information between children and parents? Family members? Are they under constraints of Privacy? Should we blindly follow the Privacy culture of the west or re-define it along with our own family customs and culture?

…all these remain as unclear as it ever was.

The health, financial and sexual orientation related information is presently identified as Sensitive Personal information under ITA 2000/8 and that continues to remain in operation.

In other words, even after this 9 member bench report, if we need to look at a “Definition of Privacy” we need to look at what is “Personal Information” under Section 72A or 43A of ITA 2008 or Sensitive personal information under Section 43A of ITA 2008 and the rules there under.

Hence ITA 2008 continues to define “Information Privacy” and not the Indian Constitution Part III nor this judgement.

On the other hand, Rights to Privacy outside the “Information domain” continue to remain an enigma since we do not have any new definition of what is “Privacy”. The earlier concept of “Right to be Left Alone” continues to be our guide.

When we look at Privacy as “Right to be left alone”, the main focus is on the “Physical Privacy” which was a subject matter of Kharak Singh judgement, a right against interference of physical space of an individual.

Cyber Privacy

This definition (Privacy as a Right to be left alone) fails in the context of “Cyber World” where Cyber bullying and Cyber Stalking do occur without physical proximity.

Is “Virtual Proximity” equal to “Physical Proximity”? …This could have been one aspect that the bench could have considered but failed to.

In the recent “Blue Whale Challenge” issue, does it constitute “Violation of Cyber Privacy”? … would have been another interesting debate which the 9 Judges missed.

While “Physical Privacy” can be defined as coming within “Touching distance” between two individuals, we still need to define whether “Touching distance” is zero cms or 5 or 10 centimeters and whether the distance has to be different for different body parts. Additionally, exception has to be made for Mumbai locals where physical privacy is most of the time less than zero cms.

“Cyber Privacy” depends on “Informational Proximity” and we can devise means of defining this. For example, in Facebook, “Friends” should have more accessibility than public. Similarly in a WhatsApp group, the group members should have more proximity than e-mail contacts.

Hence something said in a WhatsApp group may not be a privacy invasion whereas the same thing said in an e-mail could be. Some comment passed by a “Friend” in Facebook may not be a Privacy objection whereas the same comment made by a non-friend could be.

Presently neither our Judiciary nor Police make distinction of who made a comment and whether the comment was made in a restricted group (eg WhatsApp) or in public place (eg Twitter, website) before charging them under defamation or obscenity etc. They will continue to make the same mistake under Privacy invasion also.

There was also no debate on Anonymity, Pseudonymity or “Regulated Anonymity” either as components of Information Privacy or as solutions to privacy protection. Neither the petitioners nor the Government attorneys nor the advisers to the Judges brought out such issues as part of the Privacy debate.

The bench had an opportunity to debate such issues instead of simply debating earlier judgments, cutting and pasting the previous judgments into the current judgement and making it a 547 page volume.

Privacy as a Mental State

In my opinion, “Privacy” is a “State of mind”. A person may be amidst a crowd and still feel his privacy is not invaded. On the other hand he may be sitting in a closed room but filled with anxiety  that his privacy is being invaded.

“Mental Privacy” as a “State of Mind” of one individual is outside the Physical definition of “Right to be left alone” or “Right to control dissemination of privacy information”.

It is also outside the definition of  Cyber Privacy as  “Keeping a certain virtual distance”.

It is for each individual to declare what are his/her mental privacy boundaries.

Section 66A of ITA 2008 which was scrapped,  did have a link to such concept but the Supreme Court which handled the Shreya Singhal Case did not understand it.

Most Cyber Stalking victims have a psychological condition where what is not “Privacy Invasion” for most may be considered by them as “Privacy Invasion”. This is a “Deemed Privacy Invasion” and would be a factor to be considered in the “State of the Mind” definition.

Under this concept Privacy boundaries would be different from a Man and Woman, Boy and Girl, Friend and Stranger, from a relative to a non relative, from a City bred person to a Villager and so on.

Using one yard stick for all would not be a good idea.

Without being able to define “Privacy” any attempt to grant a “Right” and call it “Fundamental” appears to be a fruitless exercise.

The Data Protection Legislation

Now when the new Data Protection law comes into being, it will again use the definition of “Personal Information” and “Sensitive Personal Information” as used in ITA 2008 and define what constitutes “Breach of Privacy of an individual through his information”. It will be a repetition of what is already there.

The Privacy of information in oral form or in hand written paper form would be outside the Data Protection Act or ITA 2008 and since there is no definition in the Constitution, we will not have any clarity on this issue.

In the absence of law for non electronic information, when a hand written diary of a person is accessed by another, he has to move the High Court or Supreme Court  as a “Constitutional Right” and claim compensation.

On the other hand, had the Nine Member bench advised the Government to amend the constitution and add “Privacy” as a specific right along with a definition, then there would have been progress in Privacy legislation in India. This was missed by the bench.

In this context, the 547 page magnum opus is a great effort but of little practical utility for the Citizens.

Impact on Corporate Entities

The Corporate entities and Others who collect information from public in electronic form are today covered under ITA 2000/8. They have “Privacy Principles” equivalent to the international practices. ITA 2000/8 defines data protection in terms of a need to obtain consent and enter into a contract with the data subject.

The current judgement has no impact on this corporate handling of personal data.

One of the judges has briefly mentioned GDPR without naming it. But even he has not proceeded further to discuss what would be the impact of overlapping international privacy legislation on an Indian Corporate entity bound by the Indian laws on Privacy.

Does Indian law apply only to Indian subjects and international laws apply only to those international citizens based on their individual nationalities?

It could be an interpretation. But the bench did not find it necessary to address such practical problems faced by the industry in India.

This is another point of failure of this high profile decision.

Summary

Overall therefore I am disappointed with the Judgement and consider it as a “Lost Opportunity” to bring clarity to the Privacy regime in India.

It ended up as a reiteration of the current status as everyone understood and respected, in a fresh document updated for the current date.

(I welcome a debate on the subject and look forward to comments from other experts.)

Naavi

Earlier Articles in the series:

Hashing the 547 pages of Privacy Judgement

Supreme Court Judgement on Privacy as a Fundamental Right… What changes?

Reference:

Part-I (Chandrachud, Kehar, Agarwal, Nazeer)

Part-II (Chelmeshwar)

Part-III (Bobde)

Part-IV (Nariman)

Part-V (Sapre)

Part-VI (Kaul)

Part-VII (Order)

Full Judgement
