SC 9 Judge Bench on the Fundamental Right to Privacy – Day I

Following from the five-judge bench’s decision yesterday, a nine-judge bench was constituted today to determine the existence of a fundamental right to privacy. Arguments were advanced on behalf of some of the petitioners today. A background to this hearing, and the larger Aadhaar case can be found here.

Senior counsel appearing for Mr. Mathew Thomas commenced arguments today. He began by arguing that both M.P. Sharma v. Satish Chandra (MP Sharma) and Kharak Singh v. State of Punjab (Kharak Singh) were decided when AK Gopalan v. State of Madras (Gopalan) held the field. The view adopted in AK Gopalan was that different fundamental rights operated in individual silos and were to be read separately. This decision was overruled by an eleven-judge bench in R. C. Cooper v. Union of India (RC Cooper).

It was argued that neither of the two decisions in question could be considered good law with respect to their interpretation of fundamental rights, given that the basis for these judgments i.e. AK Gopalan was overruled.

Further, the observation in MP Sharma that there is no right to privacy within Article 20(3) of the Constitution could not extinguish a general right to privacy. With respect to Kharak Singh, it was pointed out that the minority view in the case had applied the correct test and consequently, liberty was not a residuary expression and inherently contemplated privacy.

It was argued that the concepts of privacy and liberty could not be separated. If life and liberty were considered inalienable, so was privacy, as the former could not exist without the latter. Characterising the American jurisprudence on privacy as being rooted in the concept of liberty, and the continental understanding emerging from dignity, he argued that the Preamble to the Indian Constitution considered both to be inalienable values. He contended that privacy was the essence of liberty, and that human development and exercising choice required internal privacy.

It was pointed out that pursuant to the Court’s decision in Maneka Gandhi v. Union of India (Maneka Gandhi), Articles 14, 19 and 21 had to be read together. These rights, he argued, could only exist under a limited government. He pointed out that equal protection of laws under Article 14 would also protect liberty. Similarly, the exercise of choice secured under Article 19 would also require liberty.

On being posed a question from Justice Bobde regarding the facets and contours of the right to privacy, the senior counsel argued that privacy had multiple dimensions. While the Supreme Court had recognised four of these in Gobind v. State of Madhya Pradesh – spatial privacy, informational privacy, decisional autonomy and full development of personality, these were not exhaustive.

The bench also asked if the constitutional right to privacy was broader than the common law right, to which the counsel responded in the affirmative. Justice Chandrachud sought to know if the fundamental right to privacy was applicable horizontally, and if the state had an obligation to legislate to protect this right. This too, was answered in the affirmative.

Senior counsel Soli Sorabjee, who was also appearing for one of the petitioners, argued briefly that the absence of an express right to privacy under Part III of the Constitution did not imply that it did not exist. He contended that the right to privacy could be deduced from other existing rights just as the freedom of the press has been deduced from Article 19(1)(a).

Next, arguments were made by the senior counsel on behalf of S.G. Vombatkere. He argued that there was an unbroken line of decisions recognising a right to privacy for over forty years, and contended that this was an occasion to affirm, and not regress from established precedent.

Further, he clarified that the right to privacy cannot be defined with any specificity. Being multi-faceted, it is not capable of an exhaustive definition and therefore must be developed on a case-by-case basis.

He also cited I.R. Coelho v. State of Tamil Nadu to emphasize that the Constitution is a living document and the law must continue to evolve in accordance with modern realities.

It was argued that the right to privacy emanates from a joint reading of Articles 14, 19 and 21. He also emphasised that the right to privacy was enshrined under the International Covenant on Civil and Political Rights as well as the Universal Declaration of Human Rights, thereby forming a part of India’s international obligations. He also brought to the Court’s notice that the UN had recently appointed a Special Rapporteur on Privacy and published a preliminary report on Privacy in the Digital Age, signifying that privacy is a contemporary international concern. The Chief Justice remarked that the report acknowledges privacy as a basic human right. Justice Chandrachud questioned the counsel regarding data protection being distinct from privacy. He opined that data protection must be regulated by law, and that privacy could not be considered absolute. At this stage the counsel clarified that he was not contending that the right to privacy was absolute, but merely that it be developed on a case by case basis.

He argued that what was sought was that privacy be recognised as a fundamental right. Relegating it to the status of a mere common law right would leave it vulnerable to state action and legislation. This hierarchy, in the counsel’s opinion, was an essential limitation on the state’s power.

Moving on, he argued that the fact that the Supreme Court had, over time, articulated over thirty unenumerated rights under Article 21 also went to signify that privacy is a fundamental right.

He reiterated that the majority view in Kharak Singh had been overruled, as made evident in Satwant Singh Sawhney v. D. Ramarathnam, RC Cooper as well as Maneka Gandhi. Tracing the development of the jurisprudence on fundamental rights, he explained that RC Cooper had overturned the view that had prevailed since Gopalan (that fundamental rights operated in distinct silos). In 1976, Maneka Gandhi expressly overruled the majority view in Kharak Singh. In 2014, the Supreme Court reiterated in Mohamad Arif v. The Registrar, Supreme Court and Ors that pursuant to RC Cooper, the minority view in Kharak Singh was good law. Read together, it was contended that the statements in the majority decision of Kharak Singh on the absence of an explicit fundamental right to privacy under the Constitution could pose no bar.

With respect to MP Sharma, it was pointed out that the case operated in a completely distinct area i.e. Article 20(3) of the Constitution which provides that “no person accused of any offence shall be compelled to be a witness against himself”. The contention of the counsel was that privacy emanated from Articles 14, 19 and 21 and thus the observation in MP Sharma could not be considered an obstacle. He pointed out that the Supreme Court had expressly considered MP Sharma in the 2010 decision Selvi v. State of Karnataka and upheld the right to privacy.

He concluded by stating that the mark of a civilisation can be seen in how it treats personal privacy. Without privacy, all rights would be denuded of their vitality.

The senior counsel arguing on behalf of S. Raju began his submissions by stating that both MP Sharma and Kharak Singh only contained one stray sentence on the right to privacy. Whether privacy was a fundamental right was never a question before the Court in either of these cases. On reading relevant extracts from MP Sharma, Nariman J. observed that the 4th Amendment of the US Constitution, (which deals with unreasonable search and seizures, and was sought to be included within our Constitutional scheme), could never have been imported into Article 20(3). Pointing out that 20(3) was along the lines of the 5th Amendment under the American Constitution (which deals with self-incrimination among other things), he stated that the result would have been an anomalous situation as the 5th Amendment could never have been imported into the 4th Amendment.

The senior counsel continued his arguments citing several American cases, starting with the dissenting judgment of Justice Louis Brandeis in Olmstead vs. United States recognizing a right to be let alone, and dealing with the landmark cases of Griswold v. Connecticut and Roe v. Wade to explain how privacy had been developed from the 4th, 9th as well as the 14th Amendment(s).

He also read from Kharak Singh, arguing that with regard to the specific question on whether the judgments in Kharak Singh and MP Sharma still hold – it is important to note that the ratio in both of these cases did not specifically provide that there is no right to privacy. During the course of these readings, it was also pointed out by the bench that even the majority in Kharak Singh seemed to have implicitly recognized a right to privacy, without explicitly stating so. The senior counsel argued that it is anachronistic and paradoxical that after having recognised over thirty different rights under Article 21, the status of the right to privacy was in doubt. He also stated that while the right to privacy would fall within the ambit of Article 21, it would also need to be developed, and may be grounded in Articles 14, or 19, depending upon the issue being discussed.

Before the bench rose, it posed a few pertinent questions to the counsel. Justice Chandrachud pointed out that in several decisions, such as R. Rajagopal v. State of Tamil Nadu and Mr. X v. Hospital Z, the Court had applied the right to privacy horizontally. He sought a clarification regarding the applicability of a fundamental right to privacy against non-state actors.

Justice Nariman and the Chief Justice asked the counsel to clarify the contours of a right to privacy – the definition of the right, the restrictions on the right, and parameters of challenge for an action on privacy, if the right were to be grounded in Articles 14, 19 and 21. Another question that was posed to the counsel was whether the right to privacy would be a horizontal right, and whether the state would have any responsibility to take affirmative action to protect this right.

Counsel for the petitioners stated that the right would need to be developed on a case-to-case basis, providing not only for what is, but also for what may be. The counsel and the bench discussed the possibility of providing for various options for defining the right – simply stating that there is a right, and leaving it open to interpretation, or providing illustrations of the facets of the right to privacy.

In response to the questions on the parameters for challenges against a violation of this right, the counsel referred to the tests already in place to determine violations of rights under Articles 14, 19 or 21, or any other article that the right to privacy may be grounded in depending upon the case being discussed.

The petitioners are expected to conclude their submissions within the first half tomorrow, after which the Union of India will put forth its case.

Disclosure: The author assisted the petitioners’ (S.G. Vombatkere) counsel.


No Interim Relief in Petition Seeking Stay on Mandatory Aadhaar – For Now

The fresh petition challenging the constitutionality of the Aadhaar Act (Shantha Sinha v. Union of India) came up for hearing before the Supreme Court today. While this petition has been tagged with the main bunch of petitions challenging the Aadhaar scheme, it also seeks urgent interim relief by way of a stay on 18 different executive notifications. As noted in our previous post, interim relief is crucial as most of these notifications stipulate 30 June 2017 as the deadline to enrol for Aadhaar.

Today’s hearing was solely to determine whether the petitioners were entitled to interim relief. However, less than a week ago, the Ministry of Electronics and Information Technology issued an ‘Office Memorandum’ to all central ministries, extending the date for mandatory enrolment to 30 September 2017. Pertinently however, similar to the exemption granted by the Supreme Court in the Aadhaar/PAN judgment, this extension only applies to those who are yet to enrol for Aadhaar. For those who possess the number, 30 June 2017 remains the deadline to quote Aadhaar in order to continue receiving benefits under the respective scheme.

Today’s hearing began with the Additional Solicitor General seeking a short adjournment on the ground that the government wished to respond to the claims made in the petitioners’ rejoinder. He argued that there was no ‘burning urgency’ anymore as the deadline for enrolling for and submitting Aadhaar had been extended till 30 September. While the petitioners’ counsel did not oppose the request for adjournment, he clarified that the extension notice excluded several beneficiaries. He therefore urged the Court to protect all beneficiaries from having to submit their Aadhaar number till the next date of hearing.

The bench appeared reluctant to pass any order to this effect. It asked if the petitioners had concrete evidence to show that children were being denied their mid-day meals on account of the notification(s) in issue. Despite the petitioners’ counsel pointing out that the deadline was 30 June 2017, and that the feared exclusion would begin only after that, the Court appeared unconvinced.

In its order today, the Court noted that in view of paragraph 90 of the judgment in the Aadhaar/PAN case, no clarification or special order was required. This paragraph holds that the requirement of obtaining an Aadhaar number is voluntary. This is slightly confusing, as neither does it protect those who have obtained an Aadhaar number but do not wish to link it to the various schemes in issue, nor does it advance the government’s plan of ensuring mandatory enrolment by 30 September 2017.

The Court listed the case for further hearing on 7 July 2017, before which the Union of India will file its response to the petitioners’ claims in the rejoinder.

Supreme Court Upholds Law Linking Aadhaar With PAN

The Supreme Court delivered its judgment in the constitutional challenge to Section 139AA of the Income Tax Act today. Brought in by way of an amendment in April this year, this provision made it mandatory for all taxpayers to quote their Aadhaar number when applying for a Permanent Account Number (PAN) and for filing returns of income. Failure to link one’s PAN with Aadhaar would automatically invalidate the former.

BACKGROUND

It is important to recall that this amendment was passed at a time when several petitions challenging the constitutionality of the Aadhaar project continue to be pending before the Supreme Court. Through various interim orders, the Court has repeatedly directed that Aadhaar must remain voluntary till the petitions are conclusively decided. In 2015, a three-judge bench felt that there was some ambiguity in the Supreme Court’s jurisprudence on the right to privacy (which the petitions rely on), and referred the matter to a larger bench. This bench is yet to be constituted. These orders were passed before the Parliament passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act in 2016 (Aadhaar Act). With the passage of the Aadhaar Act, the status of the interim orders has been put in question, with the government claiming that it is free to mandate Aadhaar for any service or benefit.

In the context of the Aadhaar-PAN petitions, the pending reference on the issue of privacy is important as it severely curtailed the grounds for challenge available to the petitioners. Forced to give up arguments on privacy, the submissions in this case were largely limited to the issue of bodily integrity and the right to equality. Arguments were also made on the grounds that the introduction of Section 139AA of the Income Tax Act violates Articles 14 and 19 of the Constitution of India.

However, in its judgment today, the Court has construed privacy extremely broadly. The Court excluded all arguments made on bodily integrity, dignity and the right to informational self-determination, on the basis that these concepts are linked to privacy.

THE DECISION

The Court upheld s. 139AA(1), making it mandatory for taxpayers to quote their Aadhaar while filing returns of income. However, for existing PAN holders who are not yet enrolled and do not have an Aadhaar number, the proviso under s. 139AA(2) has been stayed till the Constitution Bench decides the pending writ petitions challenging Aadhaar. This stay would not benefit those who have already obtained an Aadhaar number.

The Court justifies this partial stay on the ground that the consequences for non-compliance are severe, and individuals should not be made to suffer till the main matter attains finality.

The Court also read down the proviso to s. 139AA(2) which creates a legal fiction by which non-linking of the PAN with the Aadhaar number would result in penal provisions under the Income Tax Act applying ‘as if the person had not applied for the allotment of the PAN’. The Court held that these provisions could only apply prospectively.

DECISION ON SPECIFIC GROUNDS

I. Legislative Competence

a) Legislature lacked authority to pass a law contrary to judgments of the Supreme Court (the interim orders) without removing its basis – The court held that these orders were passed in the absence of any statutory scheme (and hence, lacked a basis). Further, it held interim orders could not preclude the Parliament from passing such a law.

b) Aadhaar Act itself was voluntary, and therefore, s. 139AA could not indirectly make it mandatory – The Court categorically holds that enrolment under Aadhaar is voluntary. However, it leaves open the question whether the government could make the number mandatory for receipt of benefits under Section 7, observing that it was squarely within the ambit of the pending writ petitions.

The Court went on to reject the contention that the legislature could not make Aadhaar mandatory under s. 139AA, holding that the purpose behind the statute was entirely different from that of the Aadhaar Act. It accepts the efficacy of Aadhaar in solving stated objectives such as money laundering and black money based solely on the Parliament’s wisdom.

II. Article 14

It was argued that s. 139AA drew an arbitrary distinction between assessees who were individuals and others such as partnership firms, companies and trusts, as the latter were not required to obtain an Aadhaar number. Excluding juristic entities such as companies would fail to address the government’s stated objectives of weeding out fake cards and curbing black money.

The Court outlined the twin tests under Article 14 – that there must be a reasonable classification founded on intelligible differentia and this must have a rational nexus with the object sought to be achieved. It rejected the contention that mandating Aadhaar only for individuals could not achieve the desired purpose. What is surprising is that in reaching this conclusion, the Court accepts without question, the efficacy of Aadhaar to successfully de-duplicate PAN cards. This is despite the fact that the petitioners brought to light several instances of private enrollers mismanaging data and the cancellation of lakhs of cards for biometric and other errors.

III. Article 19(1)(g)

The petitioners had argued that the penal consequences associated with non-compliance were draconian and completely disproportionate, affecting individuals’ rights to carry on their business or profession. In dealing with the submission on proportionality, the Court focused on s. 139AA(2), which prescribes the penalty for non-compliance. The Court observed that several routine activities in course of any business required PAN. It held that invalidating one’s PAN would restrict the freedom to carry on trade enshrined under Article 19(1)(g). The Court then undertakes a lengthy discussion on the objective of Aadhaar to determine the reasonableness of the restriction.

The Court’s analysis in this section is astonishing. Without having presented any evidence to support or deny such a claim, the Court observes that failure to identify beneficiaries is ‘one of the main reasons’ for leakages in subsidies. (In fact, researchers have repeatedly questioned and de-bunked this assertion). The Court also fails to note the RTI reply cited by the petitioners, pointing out that 99.7% of persons enrolled for Aadhaar already had two other identity proofs. The judgment also makes bald assertions, referring to Aadhaar as the ‘most advanced and sophisticated infrastructure’, and hints at its use ‘to take care of problem of terrorism to some extent’ and also to check ‘crimes and also help investigating agencies in cracking the crimes’. It is worth pointing out that it is exactly this sort of mission creep that makes Aadhaar an extremely worrisome project.

The Court holds that it is the prerogative of the legislature to make penal provisions for violating a law, but does not explicitly comment on the reasonableness of the restriction.

ANALYSIS

Limiting the relief to those who have not yet enrolled for Aadhaar is questionable for two reasons:

  1. As per the government’s submissions, 98-99% of the adult population already has an Aadhaar number, and therefore this decision only protects a minuscule minority of the population. Additionally, limiting relief to those who have managed to remain outside the system overlooks the fact that many were coerced to enrol (as essential services or benefits were made contingent on it). It also overlooks that instances of data leaks came to light only recently, prompting several citizens to have second thoughts about the project only after they had enrolled. But most importantly, the judgment ends up protecting only those who are privileged enough to not depend on the state for benefits and services, and have thus managed to remain un-enrolled.
  2. Rejecting the Article 14 challenge, the Court had held that there could be no distinction between assessees who had ‘voluntarily’ enrolled for Aadhaar, and those who hadn’t or did not wish to. The legal regime had to apply uniformly to all individual assessees, it held. It is perplexing then for the Court to make the same distinction at the time of the final order, without any cogent reasons.

However, despite the limited relief, there is a silver lining in this judgment – the Court observed that it had not addressed any of the objections based on Article 21 of the Constitution, and the statute was being upheld subject to Aadhaar passing this ‘more stringent test’. At several places, the judgment makes note of these ‘important’ issues and hopes for their proper adjudication.

The judgment also notes the petitioners’ concerns regarding data leaks and observes that appropriate measures to address this are essential.

Disclosure: The author assisted the petitioners’ (Maj. Gen. Vombatkere and Mr. Bezwada Wilson) lawyers on specific occasions during the course of the hearing.

Decoding Privacy Policies – Uber

‘I have read and agree to the terms’ is commonly regarded as one of the biggest lies on the Internet. In 2014, a company called F-Secure put this to test and set up a free Wi-Fi hotspot in London. One of the terms for accessing the Wi-Fi was for users to assign their firstborn child to the company for eternity. People still signed up. Fortunately, the company decided not to enforce this condition.

Terms of use agreements, which also include privacy policies, usually run into multiple pages and are extremely dense, making it hard for users to understand how their personal information is collected, used and disclosed. This post looks at Uber’s privacy policy to understand its information practices, making it our second attempt to simplify privacy policies of popular companies. Uber is a transportation aggregator that allows users to connect with drivers through its technology platform. Understanding the company’s use of personal information is critical in light of its recent practice to charge users differently, based on what they’re ‘willing to pay’.

The policy has been analysed against the privacy principles recommended by the 2012 Report of the Group of Experts on Privacy (‘2012 Report’). These principles stem from internationally recognised data protection norms that form the basis of several regional and national data protection frameworks.

  • Notice

The underlying principle, that is ‘notice’, requires companies to make their information practices known in an easily accessible manner, allowing users to make an informed choice. This includes informing users of policy changes and notifying them in the event of a data breach. Uber’s policy is to notify users only in the instance that there have been significant changes to its practices. It requires users to opt-out if they disagree with the changes, rather than giving them the option to opt-in. It is also completely silent on data breach notifications, signifying that users don’t have a right to know if their information has been compromised. This has serious ramifications for a user’s privacy in light of the extent of personal information collected.

  • Information Collection

Uber collects the following information from users who sign up to use its service –

  • Information Collected Directly From Users: At the time of creating or modifying an account, Uber collects a user’s name, email and phone number. It may also collect their postal address and payment information, among other information voluntarily provided.
  • Information Collected Through Use of Uber’s Services:
      • Location: Uber collects location information from a user’s device, the Uber application being used by the driver as well as through a user’s IP address and Wi-Fi signal. Pertinently, Uber collects this information even when the app is running in the background, and not merely during the course of a trip. Even if a user chooses to deny permission to access location information from their device, Uber will continue to receive this information through the other sources mentioned.
      • Contacts: Subject to granting permission on her device, Uber may collect and store a user’s contact list. iOS users can choose to disable this permission at any stage, even after initially permitting the collection of this information. However, the policy states that the Android platform does not allow users to revoke access in the same manner.
      • Transaction Information: Uber collects information related to the type of service requested, the date, time and amount paid for each ride and other related information.
      • Usage and Preference Information: Uber collects information to understand a user’s preferences and remember her settings. This may be through cookies (a small text file placed on one’s device by the app/website) or pixel tags (a block of code on a website allowing it to retrieve certain information about one’s device/browser). Uber’s Cookie Policy explains that it allows certain third parties (such as Google and Facebook) to place cookies on a user’s device to help deliver its services and for advertising purposes.
      • Device Information: Information about a user’s mobile device, such as their operating system, hardware model, unique device identifier and mobile network information is collected. Even such innocuous information could lead to unfavourable outcomes for users. For example, reports indicate that Uber has discovered that the battery level of a user’s phone indicates their willingness to pay a higher amount for the same ride.
      • Call and SMS Data: To facilitate communication between riders and drivers, Uber collects date and time information related to a call or SMS and the content of the SMS message.
      • Log Information: Information such as IP address, the date and time for using the application, and the features or pages viewed is collected.
  • Information from ‘Other Sources’: Uber may also receive information from other sources and combine it with information it collects directly. These other sources include using a social media service (such as Facebook) to create an account, a user’s employer if the latter avails of services such as ‘Uber for Business’ or ratings from drivers.

As per the principle of collection limitation, entities must only collect personal information that is necessary for their stated purposes. As seen above, Uber collects extensive personal information, not all of which is directly related to its purpose of providing users with a transportation facility. Besides these, it also collects specific information from one’s device by seeking access to a user’s media files or calendar, among other things. However, these permissions can be denied. More information can be found here (for Android users) and here (for iOS users).

The 2012 Report also recommends that companies allow individuals to access their personal information and amend or modify it, if it is inaccurate. This right extends to obtaining a copy of all personal information held by the company. Uber allows modification or deletion of a user’s account through its mobile application and website. The right to obtain a copy of one’s information or delete some of it is circumscribed to the rights of individuals under ‘applicable law’. Under Indian law, the access and correction principle is restricted to sensitive personal information only. In the context of information collected by Uber, this is only likely to include passwords and financial information.

  • Use of Information

The principle of purpose limitation requires information to be collected for specific and explicitly stated purposes and prohibits its recycling for newer purposes. The policy states six distinct purposes. Some are clearly defined – such as facilitating communication between users and drivers or users and their contacts (to split fares etc.), but some are more vaguely drafted. An example of the latter is sending communications the company thinks ‘will be of interest to you’ regarding ‘products, services, promotions, news and events of Uber and other companies’. A user may opt-out of such promotional communication by following the instructions on the message itself.

Besides this, Uber uses the information collected by it to provide and improve its services such as facilitating payments and developing new features. It also uses this information to conduct data analysis, research and monitor how users are using its services.

  • Sharing of Information

Besides sharing certain basic and essential personal information with drivers, Uber also shares information with other riders if a user is availing a ride-sharing option like UberPool. Third parties also receive information if users avail of Uber services through a promotion or partnership between a third party and Uber. For workplaces using services like Uber for Business, personal information may be shared with relevant third parties, such as a user’s employer.

If users use social sharing features integrated onto the Uber platform, personal information is shared with that service as well. Uber also allows its advertising partners to track the performance of their ads by placing cookies on a user’s device.

Uber also reserves the right to share personal information with –

  • Its subsidiaries and affiliated entities that process data on its behalf. It does not, however, identify these entities.
  • Any vendor, consultant, marketing partner or service provider that it contracts with to carry out work on its behalf. This clause suffers from vagueness and fails to give individuals an idea about who may have access to their information.
  • Any competent authority under law or law enforcement officials and government authorities.
  • Any entity as required in the course of a sale, merger, consolidation or acquisition of the company’s business by or into another company.
  • Anyone, subject to a user’s consent
  • Anyone, in an aggregated or anonymised form where identification is not reasonably possible. Research indicates big data analytics is making re-identification of anonymised data easier. This renders personal information vulnerable under this clause.

  • Security

Additionally, the policy makes no mention of security standards or procedures undertaken by Uber or its affiliates to safeguard personal information. Under the 2012 Report, the principle of security requires companies to adopt reasonable security safeguards to protect against loss, unauthorised access, destruction, use or disclosure of personal information.

Overall, Uber’s privacy policy is relatively accessible. It breaks down complex terms and processes and gives illustrations at various points. However, as pointed out, it also suffers from overbreadth and vagueness at many places.

Lastly, the principle of accountability requires that companies be held accountable for compliance with privacy principles. An important aspect of accountability is appointing a grievance redressal officer for addressing privacy concerns. The policy provides users with an email (privacy@uber.com) as well as a postal address for raising their privacy concerns. However, enforcing these commitments is difficult in the absence of a data protection legislation. The existing rules under the Information Technology Act 2000 only protect sensitive personal information, excluding a large category of valuable information collected by private corporations. This leaves users with very few remedies if companies fail to live up to their promises. As data collection by corporations becomes more ubiquitous, the need for a robust privacy legislation becomes harder to ignore.


This post is based on the privacy policy that came into effect on 15 July 2015, as available at https://www.uber.com/en-IN/legal/privacy/users/en/ on 23 May 2017.

(Updates from the SCOI) WhatsApp-Facebook Data Sharing (Day – II): Can Fundamental Rights be Exercised Against WhatsApp?

The hearing in the petition challenging WhatsApp’s privacy policy continued today. Arguments made during the course of yesterday’s proceedings can be accessed here. Before the respondents could resume their arguments on maintainability, the Additional Solicitor General made a brief representation on behalf of the Central Government. He submitted that even if the Court finds that a writ lies against the Government, it should refrain from issuing it as the Government was already in the process of framing a statutory regime for data protection. He stated that these binding regulations could be in the form of a statute, rules or Executive directions.

Counsel for Facebook subsequently resumed his arguments on the issue of maintainability of the special leave petition. He argued that the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘2011 Rules’) along with other provisions of the Information Technology Act 2000 (‘IT Act’) provided a complete regime for the collection, use and disclosure of personal information. He contended that it was not open to the petitioners to argue that these rules were insufficient, as that was squarely within the realm of public policy. Particularly with respect to the 2011 Rules, he stated that WhatsApp did not collect any of the eight categories of information covered by the definition of ‘sensitive personal data or information’[1].

The Court sought clarity on whether the respondents were covered by the 2011 Rules. For the intervenor, it was submitted that metadata was outside the ambit of the 2011 Rules. The petitioners’ counsel reiterated this, and also stated that the 2011 Rules were limited to only ‘sensitive personal information or data’, which excluded important information such as phone numbers. She also pointed out that on 24th August 2011, the Ministry of Communications & Information Technology had released a ‘clarification’, which restricted the applicability of the 2011 Rules only to companies located within India. All parties (as well as the bench) were baffled as to how a clarification could limit or amend the scope of statutory rules. For the time being, it appears that the Court will not be taking cognizance of this clarification.

Justice Dipak Mishra opined that an aggrieved citizen would be entitled to an alternate remedy if a violation of the rules also constituted a violation of a fundamental right. Facebook’s counsel responded stating that there was no violation of the rules in the instant case and that in any case, they were not required to take consent at all, considering they did not collect any sensitive personal information.

At this point, the Bench posed two questions to the petitioners. It asked for a clarification on the information collected by WhatsApp and an explanation on how metadata was generated. The petitioner’s counsel took the Court through several clauses of the policy including one where WhatsApp reserved the right to create ‘derivative works’ out of the content of a user’s message. She argued that notwithstanding the claim of end-to-end encryption, the language of the policy was ‘suitably ambiguous’ regarding access to content of messages. She also emphasised WhatsApp’s access to other information, such as a user’s phonebook, which included numbers of individuals who were not users of the service. She argued that there was no privity or consent in the latter circumstance. With respect to metadata, she highlighted how it had the potential to reveal much more than actual data, enabling the private corporations to draw behavioral patterns. In her view, the fact that WhatsApp had been bought over for $19 billion signified that access to this data was a ‘goldmine’ for Facebook.

On behalf of Facebook, it was urged that besides the 2011 Rules, Sections 43A (compensation for failure to protect data), 45 (residuary penalty), 46 (power to adjudicate), 79 (exemption from liability of intermediary in certain cases) as well as the Information Technology (Intermediaries Guidelines) Rules 2011 created a complete code for the regulation of WhatsApp. It was also clarified that the sub-license clause in the policy was a standard clause, required to convert the message into its encrypted form. Additionally, Facebook offered to submit an affidavit to the effect that WhatsApp had not and could not access the content of a message.

Facebook elaborated on two other arguments made by it on the previous day –

  1. The Court’s writ jurisdiction could not be invoked against a private party where the dispute was purely contractual. He also argued that neither WhatsApp nor Facebook performed a public function, or owed any public duty. Reliance was placed on Jatya Pal Singh v. Union of India (2013) 6 SCC 452, where the Supreme Court had held that service provided by telecom operators in a competitive market for commercial purposes did not amount to a public function. It further held that in order to establish public function, a party would have to ‘prove that the body seeks to achieve some collective benefit for the public or a section of public and [is] accepted by the public as having authority to do so.’
  2. All submissions were couched on the issue of privacy or some form of it, which could not be raised in light of the pending reference. Facebook’s counsel took the Court through the reference order of 11 August 2015, highlighting that the determination of the very existence as well as scope of a fundamental right to privacy had been referred to the Chief Justice of India.

In response, the petitioners argued that pursuant to Secretary, Ministry of Information and Broadcasting v. Cricket Association of Bengal (1995) 2 SCC 161, electromagnetic waves facilitating transmission were a public good. While private, messages sent through WhatsApp were riding on a public medium. As per WhatsApp’s own policy, the service was intended as a replacement for conventional text messages. It was argued that a situation where telecom services were heavily regulated and licensed but Over The Top (OTT) services were not was anomalous. At this point, Facebook’s counsel interjected urging that the nature of an open Internet must be preserved. He argued that WhatsApp used the network of service providers that were properly licensed.

The petitioners’ counsel clarified that the argument was only intended to draw a comparison between competing choices from the point of view of a consumer. She stated that while licensing would be undesirable, OTT services must be subject to some form of regulation. The counsel for the intervenor also urged that they were strongly opposed to a licensing regime for OTT services. He urged the Court to take note of Vishakha v. State of Rajasthan, where the Supreme Court had found that the state had failed to protect and fulfill its obligation of safeguarding fundamental rights. As a result, it had framed interim guidelines for the prevention and redressal of workplace sexual harassment that would be applicable to all workplaces. Drawing an analogy, it was argued that the Supreme Court must step in in this case to frame appropriate guidelines for the protection of personal data.

Another argument advanced on behalf of the petitioner was that the contract between an individual and WhatsApp was unconscionable, and consequently attracted public policy considerations. With a user base of over 160 million, India was one of WhatsApp’s biggest markets. However, considering that the service was used by children as well as those who may not be literate, it was argued that the Court must step in to protect against procedural as well as substantive unconscionability. Placing reliance on the Italian anti-trust regulator’s decision to subject WhatsApp to a heavy fine, it was urged that WhatsApp owed the same public duty to Indian users.

The case has been adjourned to 21 July 2017, when arguments on maintainability are likely to conclude. It is believed that WhatsApp’s counsel will make additional submissions on this issue.

[1] Sensitive personal data or information of a person means such personal information which consists of information relating to;—

(i)  password;

(ii)  financial information such as Bank account or credit card or debit card or other payment instrument details ;

(iii)  physical, physiological and mental health condition;

(iv)  sexual orientation;

(v)  medical records and history;

(vi)  Biometric information;

(vii)  any detail relating to the above clauses as provided to body corporate for providing service; and

(viii)  any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

(Updates from the SCOI) WhatsApp-Facebook Data Sharing (Day – I): From Content to Metadata

Today marked the first substantive hearing in the petition challenging the Delhi High Court’s judgment upholding WhatsApp’s updated privacy policy. Summaries of arguments in the previous hearings in this case can be found here and here. Curiously, despite the petitioners’ counsel being available in Court, the Court asked the counsel appearing for the intervenor to lay out the issues in the case. As mentioned earlier, the Internet Freedom Foundation had filed an intervention application, which had been allowed by the Court on the last date of hearing.

IFF’s counsel began by apprising the Court that India lacked a statute on data protection. He argued that the absence of a legislative framework allowed corporations to collect extensive data, including metadata. This, he contended, enabled these corporations to aggregate information and create an extensive profile of an individual, including revealing sensitive information such as that related to health and sexual preferences. The lack of a data protection authority or commissioner resulted in lack of knowledge about how personal data is held and exploited. He argued that in such a scenario, the Supreme Court must step in and hold that the state has a positive obligation to protect the rights infringed as a result of such data practices. In his view, exploitative data practices infringed an individual’s right to free speech enshrined under Article 19(1)(a) as well as Article 21. He located this positive obligation under Article 17 of the International Covenant of Civil and Political Rights (ICCPR), to which India is a signatory, as well as Article 12 of the Universal Declaration of Human Rights (UDHR).

Before he could continue, the counsel for Facebook Inc. objected to the case being heard on the ground that the existence and scope of a right to privacy had been referred to a larger bench for determination. (In 2015, a three-judge bench of the Supreme Court had cited some ambiguity in the jurisprudence on the right to privacy and referred the issue to the Chief Justice of India). At this point, the petitioners’ counsel responded, stating that the case at hand included possible violations of Articles 19(1)(a), 19(1)(c), 19(1)(d) as well as 21. She stated that the petitioners were basing their claims on these rights dehors a right to privacy. However, she also clarified that the right to privacy continued to exist under statutory law, common/tort law as well as under international covenants. She argued that foreign corporations could not be allowed to take advantage of a lacuna (if any) in the law till the time the larger bench decided the issue. In her view, there were laws in place to address the issues at hand.

Both counsel also apprised the Court regarding Italy’s anti-trust regulator fining WhatsApp €3 million for the same privacy policy and a German Administrative Court upholding the Hamburg Data Commissioner’s order to stop transfer of data between both entities for German users.

The intervenor’s counsel set out Facebook’s model for targeted advertisements, which allows advertisers to customise their audience. This targeting is, in large part, facilitated by the collection of metadata such as information about one’s device, network information, location etc. Before he could complete, Facebook’s lawyer again objected to this line of argument stating that none of these facts or issues had been raised before the High Court or in the main petition and would consequently warrant a separate response. The Court attempted to steer the proceedings back to WhatsApp’s privacy policy and asked the intervenor’s counsel to show how it infringed rights.

He argued that some of the terms were in contradiction with WhatsApp’s stated claim of providing end-to-end encryption. These included their practice of retaining popular ‘content’ for a longer duration of time and stating that they do not retain messages in the ‘ordinary’ course of providing their services. On the aspect of metadata, it was argued the terms allowed for collection of extensive information (such as IP addresses, mobile device and network information as well as location information) and allowed its use and disclosure to several third parties, including Facebook. An analysis of these terms can be found here. Further, it was argued that while the 2012 policy clearly articulated what information WhatsApp did not collect, this was absent under the new policy. Additionally, the age for children to create an account was lowered from 16 to 13 years. He also argued that there was no informed consent with respect to accepting these changes.

In Justice Mishra’s view, arguments on consent were unhelpful as they brought the issues within the frame of contractual obligations. He urged the counsel to advance arguments on how the policy impacted individual rights. Recognising the value of metadata, he framed the issue as whether commercial exploitation of information pertaining to an individual’s identity had an impact on rights.

The counsel for Facebook India Ltd. shared with the Court that only a user’s phone number, device identification, account registration details and their ‘last seen’ status was shared with Facebook. This is significant, because the privacy policy is silent on this, and neither Facebook nor WhatsApp have explicitly stated this before.

Continuing with his arguments, the intervenor’s counsel argued that –

  1. WhatsApp’s updated policy impacts the freedom guaranteed under Article 19(1)(a) and 21 – Article 19 was distinct from the other rights under the Constitution because it guaranteed (a right to) freedoms, and not solely a right. This was necessary for the self-fulfilment of an individual (Indian Express Newspapers v. Union of India (1985) 1 SCC 641). The extensive and unregulated collection of information by WhatsApp and Facebook inhibited this freedom, creating a chilling effect. The feeling of being under surveillance also attracted rights enshrined under Article 21.

Further, Article 17 of the ICCPR and Article 12 of the UDHR cast a positive obligation on the state to enact measures that would allow these rights to be meaningfully exercised.

  2. There can be no waiver of fundamental rights guaranteed under Article 19(1)(a) and Article 21 – While several arguments were sought to be raised on the issue of consent, only this was urged, as Justice Mishra reiterated his objection to this line of argument. Citing Basheshar Nath v. CIT (1959 (Suppl) 1 SCE 528), it was argued that there can be no waiver till the person waiving her rights is fully informed as to her rights and abandons them with full knowledge.
  3. Data protection laws of foreign countries prohibit sharing of personal and sensitive data without free consent – The counsel took the Court through the provisions of the German data protection statute for guidance. Importantly, provisions emphasising certain inalienable rights (such as that of access, rectification and erasure) were also brought to the Court’s notice.
  4. Right essential to exercise a fundamental right must be deemed to be a part of that fundamental right – He elaborated on the importance of ‘penumbral rights’ as articulated in the landmark United States Supreme Court decision Roe v. Wade and argued that a right essential to enjoy other fundamental rights would in itself be fundamental. He also cited Olga Tellis v. Bombay Municipal Corporation for this proposition.

In conclusion, the intervenor’s counsel laid out the reliefs sought from the Court – that data protection guidelines be framed by the Court till such time as the Parliament enacted a legislation. Alternatively, WhatsApp should be directed to provide all users with the opt-out clause (even after the thirty day period, as was provided), while continuing to access the service.

After almost an entire day’s hearing, the Court thought it appropriate to give the respondents a chance to raise the issue of maintainability – that is, to determine whether the petition was fit for hearing before the Court or not. Counsel for Facebook Inc. argued that –

  1. The issue was purely in the realm of contract and the petitioners were precluded from any remedy under public law.
  2. Neither Facebook nor WhatsApp were ‘state’ or agents or instrumentalities of the state so as to attract the Court’s writ jurisdiction.
  3. Under its terms, WhatsApp had reserved its right to renew its policies in the event of an acquisition or a merger.
  4. The petitioners could not claim to speak for all users of WhatsApp and their grievances regarding consent would only be applicable to them and not others.
  5. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, framed under the Information Technology Act 2000 provided a statutory regime for the regulation of services such as WhatsApp and Facebook.

The arguments on maintainability will continue tomorrow and the petitioners as well as the intervenor will be asked to respond to the submissions advanced.

Supreme Court Hears Fresh Challenge to Aadhaar

Yesterday, a new petition challenging several sections under the Aadhaar Act came up for hearing before a two-judge bench of the Supreme Court. The bench, comprising Justices A.K. Sikri and Ashok Bhushan, was the same that heard the petitions challenging s. 139AA of the Income Tax Act, which made it mandatory to link one’s Permanent Account Number (PAN) with Aadhaar.

The hearing began with the bench wanting to know why another petition had been filed, considering several petitions challenging the Aadhaar scheme as well as the Aadhaar Act were already pending before the Court. To recall, these earlier petitions were referred to the Chief Justice of India on 11 August 2015 to constitute a larger bench to decide the existence and scope of a fundamental right to privacy. Privacy is one among several grounds on which the validity of the project has been challenged. Almost two years since, this bench is yet to be constituted. Yesterday, the counsel for the petitioners argued that the interim relief sought in the present case distinguished it from the earlier batch of petitioners.

By way of interim relief, the petitioners sought a stay on eighteen Executive notifications, which made Aadhaar a mandatory condition to receive benefits under several welfare schemes. These included compensation schemes for victims of the Bhopal Gas tragedy, the Mid-day Meal scheme as well as Ujjawala, a scheme for the prevention and rehabilitation of victims of trafficking. For many of these, the deadline to furnish Aadhaar is 30 June 2017. This makes interim relief crucial, considering that the Supreme Court is officially on vacation till 2 July 2017.

The Solicitor General, appearing for the Central Government, stated that the same notifications had been challenged in the main petitions too, by way of interim applications. The petitioners’ counsel reiterated the urgency in the matter and emphasised how the mandatory condition could lead to large scale exclusion of legitimate beneficiaries. However, in the judges’ view even interim relief could only be given by the Constitution bench (which has not yet been formed), since the issues and the grounds in the writ were substantially similar to the earlier petitions.

In its order, the Court issued notice in the petition. Further, it tagged this petition with the batch of existing petitions challenging the vires of Aadhaar. It also noted that urgent orders were required and granted the petitioners liberty to approach the Chief Justice for relief, including interim relief.