In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar, had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.
The final hearing commenced on January 17, 2017. Summaries of the arguments advanced in the previous hearings can be found here.
Senior Counsel Rakesh Dwivedi resumed his arguments for the Respondents. He began by referring to jurisprudence from the United States, the United Kingdom, South Africa and the European Union, to describe how privacy should be constructed in the Indian context. He argued that Indian jurisprudence is more in line with that of the United States than with that of the European Union. He stated that the former lays greater emphasis on the ‘reasonable expectation to privacy’. He then quoted a Harvard Law Review article, for the proposition that privacy should be tempered by considerations such as national security, efficiency, and entrepreneurship. He argued that this was especially true in the Indian context, where innovation and development should have more emphasis than privacy.
The counsel made reference to Justice Chandrachud’s opinion in Puttaswamy, and argued that social welfare could be a legitimate purpose for processing of data. Coming back to the construction of privacy, he argued that all Aadhaar data was in the public, relational sphere. He submitted that privacy is diluted in these realms, so there is a reduced expectation of privacy over data such as demographic data, and facial photographs. He reiterated that data with the Requesting Entities was dispersed, and therefore didn’t require the same level of protection as the CIDR.
Justice Chandrachud sought clarification on whether the submission was that core biometrics had a higher privacy interest, as opposed to demographic data, such as one’s address. He countered that the implication was not that the privacy interest in such data was gone. He gave the example of a woman and her address. He argued that she might give her address out for various purposes, but still had immense privacy interest in that information. The counsel responded that their argument was simply that privacy varies according to context.
The counsel argued that India had developed the appropriate tests in VG Row, much before any other jurisdiction. He reiterated the three-fold requirement of legality, necessity and proportionality. He noted that Indian jurisprudence generally did not adopt the due process standard. The counsel then addressed some of the cases that had been cited by the Petitioners, and attempted to distinguish them on facts.
Post lunch, the counsel resumed his submissions, with the issue of metadata collection. He attempted to distinguish the present case from Digital Rights Ireland, which had been cited by the Petitioners. The counsel argued that there were different types of metadata, and the data in question in those cases had been much more intrusive than what is collected by the Aadhaar authentication. He reiterated that the test is that of ‘appropriate safeguards’. He cited the case of Sundar Rajan v State of Tamil Nadu, which dealt with the Kudankulam nuclear power plant. He argued that the court had examined whether adequate safeguards had been in place, and had given due weight to economic benefits such as the increase in welfare, poverty alleviation etc. He argued that the Court in Sundar Rajan had held that apprehensions and fears could not be allowed to override the justification of the project. The counsel reiterated that the standard would be of ensuring adequate safeguards, and the risk would never be zero.
The counsel argued that the Aadhaar Act imposes a complete bar on sharing of the data, factors in consent, and the data with Requesting Entities was in any case dispersed and decentralized. He argued that the Petitioners had not suggested any way of improving the system, and only wanted it dismantled.
Justice Chandrachud asked what remedy was present in case of breaches. The counsel responded that the Information Technology Act would be applicable, which had penal provisions. Further, the route of contractual damages could be taken.
The counsel then described the EU Data Protection Directive, arguing that the purpose of the Directive was very different, with the aim being to ensure free flow of data. He argued that in contrast, Aadhaar didn’t allow any sharing of data. He argued that as a result, the absence of a regulation such as the Directive or the General Data Protection Regulation would have no bearing on the matter at hand. He reiterated that the protections in the Aadhaar Act were sufficient, and even higher than those provided by the EU instruments. The counsel then went over the various provisions of the Directive and Regulation that govern the processing of sensitive information.
The counsel then resumed his submission with respect to metadata, as a response to the surveillance concerns raised by the Petitioners. He argued that the Petitioners had not appreciated the distinction between different types of metadata, such as system metadata, process metadata, business metadata etc. He argued that each had to be examined separately. He submitted that Aadhaar authentication only collected limited technical metadata.
The Chief Justice asked why the data had to be retained, and what sort of data was actually retained. The counsel drew the Court’s attention to an affidavit he had submitted, as well as the relevant circular which prescribes the metadata that is collected. He argued that it was all system-related metadata, which allowed the UIDAI to exercise control over the Requesting Entities. He argued that information such as location data and the purpose of authentication was not collected in the process.
The hearing will continue on April 25, 2018.