This is a record of the proceedings in the Supreme Court bench hearings on the Constitutional validity of Aadhaar, which began on Feb 13, 2018. You may read the previous days’ proceedings here: Day 1, Day 2, Day 3, Day 4, Day 5, Day 6, Day 7, Day 8, Day 9, Day 10, Day 11, Day 12, Day 13, Day 14, Day 15, Day 16., Day 17, Day 18, Day 19, Day 20, Day 2, Day 22, Day 23, Day 24, Day 25, Day 26, Day 27, Day 28, Day 29, Day and Day 31.
Senior advocate Rakesh Dwivedi resumed his submissions for the State/ UIDAI. He quoted two professors from Georgetown university and Stanford law school on conflict of human rights. He also cited a book of Emmanuel Kant. He discussed reasonable and legitimate expectation of privacy from a UK judgement and said that context is very important. A criminal might not have any expectation of personal autonomy whereas a common man will.
Dwivedi read a judgment of the Constitutional Court of South Africa to argue that only a person’s inner sanctum is protected from other conflicting rights. As a person moves into communal relations, her personal space also shrink.. He said that it has to be considered whether private life is protected outside the home, because people frequently give up their privacy in these conditions. He said that the judgments of the European Court don’t take into account the issue of reasonable expectation of privacy.
Dwivedi said that the Indian position on reasonable expectation of privacy is closer to the United States than Europe. He said Individuals live in communities and their personality is shaped by imbibing cultural and social values of the society. Regulations are designed to protect objective principles that define reasonable expectation of privacy.
Dwivedi argued that Indian needs innovation and development of knowledge, and also that the right to privacy is subject to the rights of others to lead ordinary lives. He argued that the only question is whether the restriction on the right to privacy is proportionate to the government purpose. He said that nothing else can be taken into account. He said that the Petitioners have applied the wrong standard in arguing that the restriction on rights should be least intrusive. Dwivedi said that there is a vital state interest in ensuring that welfare benefits are not dissipated, and data mining to ensure this is permitted. (MediaNama: He had argued that it is not possible earlier?)
Dwivedi read passages from Justice Chandrachud’s plurality opinion in the privacy judgment. He said that in the public sphere, the right to privacy is diluted. He said that the entire Aadhaar activity is in the relational and public sphere. He said that demographic information and facial photograph don’t have any privacy concerns. There is no reasonable expectation of privacy. He said that at the requesting entity point, it’s all dispersed and decentralised, and so it doesn’t deserve the level of protection that the CIDR is given.
Justice Chandrachud said that the point seems to be that core biometric information has higher privacy concerns. He said that that does not mean that there is no privacy concern elsewhere.
Dwivedi said that he agrees, and that he’s just saying that the reasonable expectation of privacy varies according to context. He said that petitioners have cited no judgments involving identity cards. He said that 120 countries use biometric passports and nineteen European countries use biometric ID cards. He said that the CJEU or the ECHR have never expressed any concerns with biometric ID cards.
Dwivedi said that we don’t need to go to Europe for proportionality, because India developed the test in 1952 in V. G. Row’s case. He said that the Indian Supreme Court has never accepted the requirement that a restriction on fundamental rights be least intrusive.
Dwivedi said that in the privacy judgment, it has been said that if you willingly put up your personal information on Facebook, then you may not have a right to privacy in that information.
Dwivedi cited some American judgments. Ohio v Akron, which was about disclosure requirements to authorities in abortion cases. He also cited the case of Doe v Reed, which was about disclosure of signatures on a referendum campaign. He then cited the UK Supreme Court judgment in Wood v Commissioner of Police, which said that the taking of photographs in itself does not violate privacy. Dwivedi said that the American judgments cited by the AG on fingerprints have all been approved by the US Supreme Court.
Dwivedi said that the Petitioners have relied heavily on the ECHR’s judgment in Marper, but actually, Marper supports the case of the State. He said that Marper has drawn a distinction between fingerprints and DNA profiling, and examined them separately. He said that Marper was decided on the context of crimes, where the collection and retention of personal data actually casts stigma. He argued that the ECHR in Marper focused on a lack of consent, and fingerprints being “non-neutral” in the context of identification for crime purposes. Those conditions don’t apply in the case of Aadhaar.
Dwivedi said that the Marper judgment held that the relevant test is that of “appropriate safeguards”, not 100% or near to 100%. He repeated that the Marper judgment stressed that it was only being decided in its specific context. He said that Marper has been distinguished by the UK Supreme Court in  UK Supreme Court, Gaughran v Chief Constable, where there was no collection of cellular samples, and acquitted people were not sampled. He said that this shows how it is always a contextual enquiry.
Dwivedi said that the Petitioners cases are all in the crime context or about censuses, which have been upheld by this Court.
The Bench rose for lunch, reassembled at 2:30 pm.
Dwivedi came to the issue of metadata. He continued his submissions on how the cases relied on by Petitioners are incorrect. He referred to the Digital Rights Ireland case relied on by various counsel. He said that the Petitioners have cited cases on metadata (such as Digital Rights Ireland) which involved large scale storage of metadata that was completely unrelated to any State purpose. He said that in the Digital Rights case, the metadata stored involved identifying the date, time, location, duration of communication, and the nature of the machine used. In that context, the Court held that this metadata allows for complete profiling.
The metadata at stake in those cases was much more intrusive. Dwivedi said that in US v Westinghouse, the Supreme Court of the US said that the standard is one of “adequate safeguards”, and that is the standard that should be applied. Dwivedi said that petitioners have cited US v Jones, which was about a GPS device. Aadhaar does not have a GPS. Some Wi-Fi may be used at the time of sending the information to the CIDR, but not otherwise. He made the proposition that there is no question of privacy infringment when safeguards are adequate.
Dwivedi said that the full court of the CJEU has recently issued an opinion saying that the ECHR judgments are only declaratory.
Justice Sikri said that at least they declare the law. Dwivedi replied that it doesn’t have to be enforced. He said ECHR judgments are only declaratory and are not binding on the contracting states to the European Union.
Dwivedi next came to the issue of adequate safeguards. He said that in G. Sunder Rajan v State of TN, about the Kundankulan nuclear power plant, the Court held that apprehensions that something like Fukushima would recur could not be a ground to stop the project. After a point, it must be left to destiny. The Court held that setting up a nuclear power plant would help to guarantee the right to life under Article 21, in the larger public interest – and that there were adequate safety measures.
The CJI had also written a judgment in this case. He asked Dwivedi to read some paragraphs.
Dwivedi said that three propositions emerge. First, that safeguards can be read into Article 21. Degrees of safeguards will vary – for nuclear plants it will be one, and for CIDR is another. Secondly, the standard must be “adequate safeguards”. The risk can never be zero. And thirdly, there must be constant vigilance. Dwivedi said that they are always improving and upgrading their safety, and after the Srikrishna Report, they will upgrade more.
Dwivedi asserted again that the test is adequate safety. And that safety is always an ongoing project. A work in progress. Data protection. Authentication accuracy… all of them bound to improve. He said that this proposition has also been adopted by the US Supreme Court in NASA v Nelson, which was about background checks of NASA employees. He said that the US Supreme Court has discarded the least restrictive standard. He said that the Aadhaar Act has enough security and control.
Justice Chandrachud pointed to the part of the judgment that said that an iron-clad disclosure bar is not required. Dwivedi agreed.
Dwivedi pointed to the part of the judgment that said that data breaches are always possible, and that possibility can’t be a ground to strike down data collection. He said that they are not even going that far. They have provided a complete bar on sharing, and what is available with the REs is totally dispersed. The extent of privacy is much more diluted. And there is consent and a bar on using for anything other than authentication.
Dwivedi said that in Aadhaar, there is criminal liability; no exception whatsoever for core biometrics; there has been no breach so far. Dwivedi said Petitioners should suggest improvements if any, not just ask for it to be knocked off. (MediaNama: Where? How? There is no reporting mechanism for security issues provided)
Dwivedi said they are also working on a data protection law and that the draft law will be out by May.
Justice Chandrachud said that one area that requires consideration is remedies for breaches. Dwivedi said that the IT Act provides for penalties, and penalties have been imposed on Airtel etc
The CJI said that offences are one way, but there is no monetary compensation under Aadhaar Act. Dwivedi said IT Act provides for some penalties. They also have disincentives in their contracts.
Dwivedi said that the Court and the government should work in coordination as the two great wings of State, and not in opposition. The sword should be unsheathed only in the last resort.
Dwivedi read Section 43A of the Act.
Justice Sikri pointed out there are instances where damage needs to be proved. He was not sure if it would pass the adequacy of privacy test.
Dwivedi said that the Court can suggest alternate measures.
Justice Chandrachud remarked that that would be legislative function.
Dwivedi suggested that the Court should be like a doctor and save as much as possible of the Act. Doctor’s approach.
Dwivedi said that the data protection context is totally different in the EUGDPR context. He said that that directive goes very far. He read the GDPR object recitals and emphasized that free flow of information within EU and between member states is the most important concern. However, he said that they are not doing that with Aadhaar. Aadhaar is not about free flow of data, but no flow of data. He said that this has no bearing on Aadhaar, and in any case, the Srikrishna Committee is handling it.
Justice Chandrachud said that the EUGDPR envisages a ban on biometric data processing.
Dwivedi replied that there are exceptions and state laws can provide for them, with appropriate safeguards. He read out the exceptions, which include legitimate State interests with appropriate safeguards. He said that member States have been left free to make laws.
Justice Chandrachud said that that is subject to the test of proportionality.
Dwivedi said that he is not disputing that.
Justice Chandrachud pointed to Article 9 of the GDPR that prohibits processing of personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership or the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person…
Dwivedi pointed to Para 2 containing exceptions and said that the EU is now contemplating a biometric ID card.
Justice Chandrachud humorously asked whether they are planning to seed it with Aadhaar.
Dwivedi said even earlier all political parties collected all kinds of information on which village wants what facility etc.
Dwivedi then read Regulation 26 and authentication, metadata and surveillance arguments by petitioners. He said that the petitioners have completely misunderstood the concept of metadata. He quoted from a book called The Data Warehouse Life Cycle Tool Kit.
Dwivedi said that UIDAI collects only “limited technical metadata.”
Justice Chandrachud asked whether it was necessary to retain metadata and why.
Dwivedi said It is important to exercise control over requesting entities. He pointed to pages 66, 67 etc in the 9th March affidavit filed by the Union of India. He said that there is no data about location or purpose of transaction, but only about the system, and that’s required for audits.
Justice Sikri asked him to confirm that they are not collecting metadata about the person but only about the machine.
Dwivedi said yes.
Sikri J asked about Registered ID.
Dwivedi said arguments of petitioners are self contradictory. On the one hand they allege no control over REs but if they want to exercise control, the petitioners complain of surveillance. He said that they do not take IP address or location of the devices.
Justice Chandrachud pointed to section 17 and proviso to Regulation 26 and how they reinforce that authority for itself or through any other entity under its control collect “authentication transaction data”, and asked for its meaning.
Dwivedi said that it’s the data pertaining to a specific transaction, and there is a bar on storing purpose.
Just as the Bench was rising for the day, Shyam Divan said that he had a point of information. The State cited the case of V.G. Row, which first laid down the principle of proportionality. V. G. Row’s son, S.G. Vombatkere, is one of the petitioners in this Aadhaar challenge.
The Court rose for the day. To resume at 11:30am on the 25th April 2018.