The morning session was mostly spent in reading pertinent references from the landmark KS Puttaswamy vs Union of India judgment on privacy as a fundamental right.
Senior Advocate Shyam Divan began by reading differnet parts of the privacy judgment pertaining to:
- dangers of profiling through integrating different sets of data
- concept of informational privacy
- impossible to visualise in advance all the possible harms that can result from proliferating data sets
- complex issues surrounding big data and power
- limitations on privacy – there must be a law, there must be a legitimate State aim, and there restriction must be proportionate
- privacy is an integral element of the right to life, and that any limitation must be within the constitutional framework “Privacy is the constitutive core of human dignity and the foundation of ordered liberty. It recognises the individual’s right to control vital aspects of their life. It is not lost or surrendered merely by being in a public place.” Shyam Divan: “The interpretation of privacy must be flexible, to meet evolving challenges.” (from the judgment)
- privacy harms can result both from State and non-State actors.
Mr. Divan quoted opinions of different judges from the privacy judgment:
- Justice Chandrachud’s plurality opinion from the privacy judgment
- From Justice Chelameswar’s concurring opinion:
- the Constitution as securing freedom for every generation of Indians.
- the interrelationship of Articles 19 (freedom) and 21 (life and personal liberty) of the Constitution.
- privacy as consisting of “repose, sanctuary and intimate decision.”
- fundamental rights are the firewall between the individual and concentrated State power.
- From Justice Bobde’s concurring opinion:
- the Constitution transformed Indians from subjects under a monarch to citizens of a Republic.
- privacy grounded in Indian intellectual thought – Mr Divan stressed the link between privacy, dignity and liberty.
- privacy as a “traveling right”and a springboard to other rights, such as speech, association and assembly.
- From Justice Nariman’s concurring opinion
- privacy is not an elitist concept.
- the State’s argument that privacy was an elitist concept seemed to spring from its defense of the Aadhaar Act.
- in order to restrict privacy, the State’s interest must be “compelling.”
- From Justice Kaul’a concurring opinion
- that some people may not attach great importance to privacy is no reason to deny recognising it as a right.
- Edward Snowden, data profiling, the definition of data profiling as well as the potential of profiling far both good and evil.
- digital footprints, and the various kinds of powers that big data can exercise. “Privacy is a constraint not just on State power but also non-State power.”
- privacy as the right of the individual to control information about herself.
- privacy of children requires special concern.
- privacy is particularly important in a country as diverse as India.
Mr Divan finally read aloud the unanimous conclusion of the nine judges that held that privacy is a fundamental right under the Indian Constitution and handed over a two-and-a-half page summary of the privacy judgment to the Court, reiterating that the Supreme Court judgment affirms that privacy has always been a fundamental right, and the correct position has been established by a number of judgment after Kharak Singh.
Mr Divan summarized 8 key takewaways from the privacy judgment:
- Privacy is a natural right, a condition precedent to the enjoyment of any other fundamental right, it includes the right to control the dissemination of information.
- The sanctity of privacy lies in its relationship with dignity. Privacy is a postulate of human dignity itself. This is the second element of the privacy judgment.
- Privacy is integral to liberty and freedom. Privacy is more than a derivative right, it is a foundational right.
- Privacy has both negative and positive components. In its negative concept, it protects the individual from the State. In its positive aspect, it casts an obligation upon the State to protect individuals from non-State actors.
- Privacy is not an elitist concept. The subordination of civil and political rights to econmic and social rights has been used for some of the most egregious violations in history.
- Knowledge is power. Information in silos, when aggregated, can be a threat to freedom.
- Privacy can be restricted only by a law that is just, fair, and reasonable.
- The rule of law and the necessity of judicial remedies.
Mr. Divan began with the statement of objects and reasons of the Aadhaar Act, that talks about the need for proof of identity, identification of beneficiaries, transfer of benefits etc. He read out the Preamble and the Long Title and discussed the definitions clause, including the definition of “authentication process” and “authentication record”, which is a record of the time of authentication, the identity of the requesting entity, and the response. Mr. Divan stressed that both the time and the requesting entity are known.
Mr. Divan read out the definition of “benefits” and of “biometric information.” He proceeded to compare the definition of “core biometric information” (clause J), and compared it with clause g (“biometric information”), and highlighted that both clauses are open-ended.
Mr. Divan read out the definition of “enrollment agencies”, and said that even after the Act, the system remains privatised. Similarly with the definition of “registrar”, he pointed out that as in the pre-Act regime, the registrar need not be a government body. He noted the definition of requesting entities as the entities that submit biometric information to the CIDR for authentication.
Mr. Divan drew attention to the “curious” definition of resident as a person who has lived in India for at least 180 days in the last twelve months.
Highlighting Section 3, on enrolment, he pointed out that the words used are “shall be entitled to obtain.” describing the enrolment as an entitlement. “Consequently, getting an Aadhaar number is a right, not an obligation.” Mr. Divan reiterated that the authentication process is probabilistic. Addressing the requirement of counselling, he stated that the concept of informed consent, which is reflected by the counseling requirement, would become completely illusory if the mandatory character of Aadhaar were upheld.
Coming to Section 4 he reiterated the compromised enrolment procedure and stated that, under Section 4(3), the data can be used as proof of identity for any purpose.
On Section 6, which provides for updation of data, he pointed out that “biometric information changes over time.” He would elaborate this point later.
He presented Section 7, as the one which effectively allows Aadhaar to be made mandatory for receipt of benefits or services. He stated that this provision negates the right of the individual to identify herself in a reasonable alternative manner.
Mr Divan proceeded to read out various sections of the act: Section 8 – which deals with requesting entities, Section 10 on the central information data repository, Section 14 establishing the UIDAI, Section 23 laying out the powers and functions of the UIDAI.
He noted here that the UIDAI has been given vast powers, for example, to add to the biometric indicators (such as DNA), under regulations. The UIDAI is allowed to contract out the security of the database. He stated that this raises security concerns, and has been documented and shown in the record. Further, Mr. Divan pointed out that the UIDAI has the power to deactivate an Aadhaar number. He said that this is effectively a power to deprive an individual of all her Civil rights.
Mr. Divan pointed to Section 23(3), which allows UIDAI to enter into memoranda of understanding with other bodies, public and private.
Coming to Chapter VI of the Aadhaar Act, which deals with protection of information, Mr. Divan stressed that all the information the Act says you cannot share has already been shared. To this, Justice Chandrachud asks how a breach of the statutory provision affects the constitutionality of the statute itself.
Mr. Divan replied that the statute is unconstitutional because it seeks to sanctify the Aadhaar program, which is incompatible with a free and open democratic republic. He said that this argument would be developed further, and for now he was trying to place some facts on record.
Justice Chandrachud said that there were two claims. First, that the program is unconstitutional. And second that there have been breaches that need to be plugged. He asked Advocate Divan if he would be making both arguments.
Mr. Divan stated that the key question was whether an individual is entitled to protect herself by making a choice about which method to use to identify herself. The breaches help to substantiate the strength of this basic claim – the claim to make a choice. He said that the concern is that you will end up having a complete surveillance society of this system in its present form is allowed to stand.
Continuing with his commentary on the Aadhaar Act, Mr Divan stated that when you know the time and the requesting entity, the purpose of authentication would automatically be known. He pointed to Section 32 of the Act with the Aadhaar Enrolment Regulations, which provides for storage of metadata. He said that he was not saying that somebody is sitting and tracking you. The point is that the architecture enables a surveillance State.
Justice Chandrachud said that one important question that the Court would have to consider is that in today’s networked world private parties are tracking everyone in great detail. So how does the interpolation of an Aadhaar number really change anything.
Mr Divan agreed that this is an important point, and says he will address it in some detail.
The Chief Justice formulated a set of propositions that he said were the basis of this case. “Your concern is regarding the involvement of private entities without any state control; even if the Aadhaar scheme is optional and restricted to subsidies, benefits and services, the state has no proprietary over the digital autonomy of theindividual in view of the conferment of power on third parties; and in context of data sharing, the entire Act is unworkable.”
Mr. Divan agreed that CJI had captured his submissions correctly.
Kapil Sibal questioned whether a single form of identity, to which everything is linked, is safe.
Justice Chandrachud repeated an observation that he had made before “can’t you obviate the problem of aggregation of data sets by specifying in law that data can be used only for the purpose that it is collected.”
Mr. Divan described the distinction between private parties and the State. “With private parties I can opt out.”
Justice Chandrachud asked to what extent did one have an actual choice in today’s world, even with respect to data shared with private parties.
Mr. Divan replied that the State has for more power with respect to an individual. He would demonstrate this when he talked about State Resident Data Hubs.
Justice Sikri said that one question was to what extent Aadhaar can be used. Whether only for subsidies and whether there was a constitutional line that could not be infringed, that, if crossed would be a violation of privacy.
Mr Divan said that in a democracy, there has to be a certain amount of trust between State and individual. So if an individual says that she has an alternative way of identifying herself, the State needs to accord that basic trust and respect and allow it, as long a that alternative is reasonable. This is especially so because biometrics are probabilistic.
Mr Divan continued on through various sections of the Act: Section 47 where an individual has no right to complain in case of a violation of the Act, and only the UIDAI has that power, Section 48 which allows the government to take over control of the entire record by citing a public emergency, Section 51 which allows for delegation, Section 53 the power to make rules and regulations, Section 57 which allows the use of Aadhaar to establish identity for any other purpose.
Justice Sikri asked what the harm was if you were just giving the number and nothing else, no biometrics.
Mr. Divan said that you may not want to have this information spread around. The number when used with other information publicly available can be compromising.
Justice Chandrachud said that the biometric information remains only with the CIDR.
Mr. Shyam Divan said that this is not so. He described the example of fingerprints being skimmed off.
The hearing will continue at 11:30am tomorrow