#RethinkAadhaar: Children continue to be perversely targeted

Mandatory enrolment of children under Aadhaar, purportedly to prevent pilferage in child related welfare schemes, raises practical as well as legal concerns

By Kritika Bhardwaj

This post first appeared in National Herald on September 25, 2019

This week marks one year since the Supreme Court ruled on the constitutionality of the Aadhaar project. Delivered just a year after the same Court unanimously affirmed the fundamental right to privacy, the majority of the five-judge Constitution bench upheld the validity of Aadhaar. However, it did so with significant caveats.

Principal among these was its finding that enrolment of children for an Aadhaar number must be based on their parents’ consent. The Court also held that on attaining majority, such children who are enrolled by their parents are entitled to opt out, or have their record deleted from the centralised database.

It further went on to hold that Aadhaar could not be made mandatory for school admissions, as every child between the ages of 6 and 14 had a fundamental right to education. Therefore, school admissions – which were neither a service, nor subsidy or benefit – could not be made contingent on Aadhaar. This rationale was also extended to benefits under the Sarv Siksha Abhiyan (the Union Government’s scheme to achieve universal access to education and retention of students in schools).

This was heartening; especially because the Court based its finding on children’s incapacity to consent, implying that they were therefore incapable of appreciating the significance of parting with their demographic and biometric information. It accordingly held – in unequivocal terms – that foisting Aadhaar on children was a disproportionate restriction on their fundamental rights, and clarified that no child could be denied the benefit of any scheme for being unable to produce an Aadhaar number.

The significance of this victory cannot be understated. Passed in 2016, the original Aadhaar Act made no distinction between enrolment of children and adults. Forcibly enrolled at birth, such children had no right to opt out of a system that they had never decided to enroll into in the first place.

Before the Court’s verdict, the central government had either linked, or proposed to link several child related welfare schemes to Aadhaar. This included the mid-day meal scheme, which made children’s entitlement to their lunch subject to biometric authentication.

Purportedly to prevent pilferage in such schemes, the mandatory enrolment of children under Aadhaar and biometric authentication raised several practical as well as legal concerns. First, biometrics of children are known to rapidly change over time, making it more likely for authentication to fail. This had the effect of excluding legitimate beneficiaries from their legal entitlements, contrary to the government’s aims.

This is besides universal concerns regarding lack of proper electronic and internet infrastructure, which routinely result in authentication failures across the country. Given that the rationale for the mid-day meal and other related schemes is to ensure nutrition and better attendance of children in school, a mandatory Aadhaar regime for such schemes ended up adversely impacting an already vulnerable section of society.

Second, the government’s failure to distinguish between adults and children while designing both the enrolment as well as the authentication process also demonstrated its scant regard for children’s privacy.

In his separate but concurring opinion in the landmark right to privacy judgment, Justice Sanjay Kishan Kaul was mindful of the special protection that children’s privacy merits, given that data about them is being collected and stored at a time when they have little understanding of how it will be used and by whom.

As the Aadhaar Act makes clear, biometric and demographic information collected during enrolment is stored by the government in a centralised database known as the Central Identities Data Repository (‘CIDR’). Every time a child is made to undergo authentication, the CIDR creates and stores a record of it.

Over a large period of time, such authentication records can collectively be used to create a detailed profile of an individual. While Aadhaar’s infrastructure poses significant privacy risks for all individuals, the intrusion into children’s fundamental rights is more severe because this information is collected without their consent or understanding, and without any corresponding right to review or correct it.

It is for this reason that the Supreme Court’s ruling holding that Aadhaar cannot be made mandatory for children, and giving those who enrolled the right to opt out at 18 years of age, is so significant. However, one year on, the government still appears to be wavering in implementing the Court’s verdict.

The Aadhaar and Other Laws (Amendment) Act, 2019, which seeks to give effect to the Court’s ruling, was passed only as late July this year. The Act prescribes that children can apply to have their Aadhaar record deleted on attaining majority, provided they do so within six months of turning 18 ‘in such manner as may be specified by regulations’. However, no regulations have been issued by the Unique Identification Authority of India (‘UIDAI’) to operationalize this right till date.

On the contrary, violations of the judgment continue unabated. For instance, the Tamil Nadu government recently issued a circular mandating every school to collect Aadhaar numbers of students under the Samagra Shiksha Abhiyan. Schools in Karnataka have similarly been reported to insist on Aadhaar for admissions.

At a conference held in February this year, the Department of Social Justice and Empowerment under the Government of India made a presentation setting out Aadhaar seeding as one of the action items requiring states’ attention in the context of scholharship schemes for high school students. The Rajasthan government similarly continues to insist on Aadhaar numbers of children as a condition to process scholarship applications.

Welfare schemes related to children therefore continue to be implemented in defiance of the Supreme Court’s express ruling. The UIDAI, which is the regulatory body entrusted with implementation of Aadhaar and compliance with the extant legal regime, has thus far failed to take any steps to remedy this situation. The 2019 amendment to the Aadhaar Act also contemplates the appointment of an Adjudicating Officer to decide violations of the Act.

However, in over two months since this amendment came into force, the UIDAI has not thought it fit to appoint such an officer and lodge a complaint against such erring state agencies.

Schemes such as the mid-day meal and those related to scholarships often serve to empower children from the most disadvantaged backgrounds. However, the government’s and the UIDAI’s failure to ensure effective implementation of the Court’s ruling only perpetuates these disadvantages. If the government is serious about sabka saath, sabka vikas (solidarity with everyone, development for all), it would do well to plug these enforcement gaps urgently.

Kritika Bhardwaj is an advocate and a Fellow with the Centre for Communication Governance at the National Law University Delhi

Facial Recognition Is Unreliable And The Police Shouldn’t Be Using This Technology

The government wants to use automated facial recognition technology to track criminals, identify suspects, or find missing persons. Here’s why it should think twice before it does so.

This post first appeared on HuffPost.in on August 2, 2019

Last month, the National Crime Records Bureau (NCRB) issued a Request for Proposal (RFP) inviting bids for the creation of an Automated Facial Recognition System. Facial recognition works by identifying distinct points on an individual’s face and creating a unique map of it. It is therefore more akin to a fingerprint rather than a photograph.

The RFP envisages the creation of a database of photographs, which could help the police identify a potential suspect, a missing person or unidentified dead bodies. If implemented, the proposed database will be made available to police stations across the country, including as a mobile application to help officers who are in the field. 

Attempts to modernize methods of investigation are undoubtedly essential. However, this RFP comes at a time when several city administrations in the United States of America have issued unequivocal bans prohibiting the use of facial recognition technology by law enforcement.

A similar sentiment was more recently echoed by British Parliamentarians, calling for a moratorium on the use of automatic facial recognition, including any trials, until concerns about the technology had been fully addressed, and a legislative framework had been established.

But most importantly, this RFP comes at a time when the Delhi Police itself has stated that the accuracy of its facial recognition systems is a dismal 2%. 

Facial recognition is unreliable and prone to discriminatory outcomes 

The cautious approach towards adoption of facial recognition technology internationally is encouraging given that there is now a growing body of scholarship warning against its use. There is mounting evidence in other countries to show that facial recognition systems are less accurate in identifying ethnic minorities and women, leading to a higher possibility of misidentification—and therefore discrimination—against communities that are already more vulnerable.

It is telling that the NCRB’s RFP appears to have been issued without any public consultation, or even a feasibility study to ascertain its usefulness. The RFP requires that the proposed system be able to run photos, video grabs, and even sketches against the database of images, in order to help identify a person of interest.

Given how inaccurate even sophisticated facial recognition systems can be, attempts to match such images may increase the danger of discriminatory outcomes exponentially. 

Legitimate aim but disproportionate means

It is no one’s case that the police should not exploit technological advancements to improve criminal investigation techniques. However, the unreliability of facial recognition technology is exacerbated when deployed in in the absence of a legislative framework governing its limits.

If implemented, the proposed system would operate without any oversight on which images can be collected and stored by the NCRB, whether an individual is even aware that their image is a part of the database, and how long the NCRB is entitled to store it for. 

The RFP further states that the proposed database will be populated using images from the passport database, the prisons database, images available with the Ministry of Women and Child Development, or ‘any other image database available with police’ or any other entity.

In its landmark decision affirming the right to privacy in 2017, the Supreme Court unequivocally held that privacy extended to public spaces.

This implies that this database is not limited to images of convicts, or even under trails, but could potentially include images of every resident, giving the police access to personal information without having to establish any cause. 

It is easy to imagine how this can become a tool for harassment for vulnerable groups, minorities or activists. To take an example, the Delhi Government’s ambitious CCTV programme contemplates the police having access to footage generated from cameras installed across the city.

If implemented, the automated facial recognition system would enable the police to use CCTV footage from a peaceful protest and potentially identify – or worse, wrongly identify – citizens attending such a protest. This can be used to create ‘watchlists’, inviting excessive scrutiny and harassment at places such as airports and public events.

Without a legal framework, those on such watchlists would have no knowledge about being on this list, let alone contest their inclusion on it. The proposed facial recognition system can therefore have a disproportionate impact on the freedom of association and expression. 

In its landmark decision affirming the right to privacy in 2017, the Supreme Court unequivocally held that privacy extended to public spaces. It also imposed an obligation on the state to ensure that citizens are not subject to indiscriminate collection and exploitation of their personal information. Even if personal information is required by the state for a legitimate purpose (such as criminal investigations), the means employed must be proportionate to achieving such purpose.

The Personal Data Protection Bill, 2018 drafted by the Srikrishna Committee, which otherwise exempts law enforcement from many of the obligations under the Bill, too mandates that collection of personal information is permissible only if pursuant to a law, and proportionate to its aims.

The routine collection of biometric personal information contemplated by the NCRB’s proposed facial recognition system makes it a tool for mass surveillance, rendering constitutional freedoms illusory.

For this and the fact that governments across the globe appear to exercising caution regarding its use, the NCRB would do well to reconsider its RFP on setting up a facial recognition system.

Kritika Bhardwaj is an advocate and a Fellow with the Centre for Communication Governance at National Law University Delhi

The sanctity of personal data

August 24 marked one year since the Supreme Court’s landmark judgment in the Right to Privacy case.

By Kritika Bhardwaj

The post first appeared in Indian Today on August 24, 2018

August 24 marked one year since the Supreme Court’s landmark judgment in the Right to Privacy case. A watershed moment for India’s constitutional jurisprudence, the judgment unequivocally recognised that privacy was essential to the core human values of dignity, liberty and autonomy. This was also the first time the judiciary took notice of contemporary, technology-related privacy threats and expressed the importance of individuals having a choice in, and control over, how their personal information was collected and used. Despite being articulated by six different judges, the court was unambiguous in its assertion that the individual lies at the centre of the right to privacy.

It is, therefore, not only surprising but also disappointing that the Justice Srikrishna Committee, which submitted its report along with a draft Personal Data Protection Bill to the government last month, chose to view data protection through the lens of innovation and a ‘free and fair digital economy’. It is important to note that the committee was set up in the wake of the right to privacy case itself. By constituting the committee, the government had suggested to the court that it was serious about regulating through a law the indiscriminate use of personal information, and therefore there was no need to carve out a separate fundamental right to privacy.

Irrespective of the government’s approach, it was incumbent on the committee to engage with the court’s emphasis on empowering the individual and give meaning to the constitutional guarantees articulated by it. But instead of setting its goal as putting individuals in control of their data, the committee appears fixated on promoting a digital economy, and sees the state as the key facilitator in this exercise.

The committee’s understanding of its mandate is apparent from the first chapter of its report, which is titled ‘A Free and Fair Digital Economy’. This chapter calls for an ‘Indian approach’ to data protection, based on the country’s development needs. It suggests that restrictions on privacy may be necessary in the interests of innovation and delivery of services, which is reminiscent of the government’s argument in court that individual rights must give way to welfare considerations.

Importantly, however, the court had rejected this line, noting that individual freedoms are essential prerequisites for people to enjoy social benefits.

The report makes no real attempt to justify its departure from a (fundamental) rights-based approach to data protection. It fails to make a convincing case for why (additional) restrictions on privacy may be necessary, and erroneously presumes that innovation is possible only at the cost of privacy. As a result, the draft bill ends up diluting individual rights and jettisoning safeguards. For instance, the report makes much of using big data and artificial intelligence for common good. Processing large volumes of personal data enables indiscriminate profiling of individuals, and while AI aims to make machines capable of reason and decision-making, the scholarly consensus is that outcomes are prone to error, resulting in discrimination and other kinds of harm. It is telling, therefore, that the committee felt it unnecessary to incorporate the right to object to such automated decision-making and a right to access the rationale for such decisions.

Another feature of the bill that undermines privacy is the requirement to store a copy of all personal data in India. While apparently motivated by the desire to create digital infrastructure in the country, the provision makes personal data more vulnerable to security threats and open to surveillance by the government. Given India’s permissive surveillance laws, this requirement could be misused to target citizens- for example, political dissenters who question the government’s actions. Curiously, the committee does acknowledge the lack of effective checks (such as prior judicial sanction for interception of communication) in India’s surveillance regime, but nevertheless dismisses these concerns while advocating localisation of data.

Given that we currently have little choice in giving up personal information in interactions with the state and corporations, the committee would have done well to prioritise individual rights over vague notions of innovation. Let’s hope the government will revisit these gaps and pass a bill that actually bolsters fundamental rights.

Kritika Bhardwaj is an advocate who assisted the petitioners in the right to privacy case and is a Fellow at the Centre for Communication Governance at National Law University Delhi

Data localisation must go, it damages the global Internet

Mandatory data localisation may seem attractive based on notions of sovereignty, but it only makes the personal data more vulnerable in the process

By Kritika Bhardwaj

This post first appeared in Hindustan Times on August 3, 2018

On July 27, the committee of experts under the chairmanship of Justice Srikrishna finally submitted its report on the principles that will guide the framing of India’s data protection statute. With its report, the committee also submitted a draft Personal Data Protection Bill, which, it is hoped, will guide further consultation on the subject. Given that India remains a notable exception to the now long list of countries with data protection laws, this draft Bill is a welcome step. Regretfully, however, some of the committee’s proposals not only risk weakening privacy rights guaranteed under the Constitution, but also undermine the committee’s own stated objective of a free and fair digital economy.

One such recommendation is the requirement to mandatorily store a copy of all personal data on servers located in India, subject to the Central government’s power to exempt such storage if necessary or in the strategic interests of the State. However, for sensitive personal data, which includes information about religious or political beliefs as well as health and financial information, the government has no power to exempt recipients of personal data (data fiduciaries under the Bill) from this obligation. A further category of “critical personal data” — a term that is undefined under the Bill — must be stored exclusively in India. The requirement to store data locally needs reconsideration not only because it militates against the idea of a global Internet, but also because it fails to adequately consider surveillance harms, issues of data security as well as their detrimental effects on industry.

Usually, the rationale behind restricting cross-border flow of data is to prevent entities from circumventing their obligations under national laws for data protection, or to protect personal data from processing risks abroad. Viewed in this context, the requirement to retain only a copy of all personal data in India is curious as it fails to achieve either of the two objectives mentioned above. Instead, most countries across the globe attempt to achieve these objectives by making cross-border transfer of data contingent on additional safeguards — a proposal that has also been incorporated in this Bill.

As lawyer Chinmayi Arun has pointed out, this mandate appears to be geared more towards the State having access to personal data rather than a desire to protect it. The committee’s report suggests that such access is necessary for law enforcement agencies to be able to enforce domestic laws. Investigation and prosecution of offences is undeniably a legitimate state interest. However, advocating for increased access to personal data through mandatory localisation without adequately considering surveillance risks is unhelpful. While it is arguable that surveillance reform was outside the committee’s terms of reference, it nevertheless ought to have taken note of the lack of effective checks under the extant legal regime before recommending data localisation. Among other limitations, the current legal framework allows communications to be intercepted without any judicial oversight.

In its report, the committee accurately notes that gaining access to data stored abroad through Mutual Legal Assistance Treaties (MLAT) — an agreement between states for exchange of information — has become a tedious process. However, it does not note that the failure of MLATs is a global concern and several states are already exploring alternatives.

Besides surveillance-related harms, data localisation also imperils the security of the data itself. As Anupam Chander and Uyên Lê suggest, forcing data fiduciaries to store data locally deprives them of the option of distributing information across servers in multiple locations, making it more vulnerable to cyber threats. This mandate also reduces the choice available with data fiduciaries by forcing them to opt for local but less secure data centres. In a 2016 survey, India was ranked 36th out of the 37 countries surveyed for risks associated with operating data centres.

Further, the committee’s view that localising data will aid the creation of a digital industry for emerging technologies is equally misplaced. Experts have argued that data localisation has an adverse impact on businesses, as it escalates their infrastructure and energy costs. This requirement may be especially onerous for small and medium sized businesses. The committee’s report considers and summarily dismisses this concern on the presumption that options for storing data locally will increase pursuant to its recommendations — without any thought to the viability or robustness of these options.

The requirement for mandatory data localisation may seem attractive based on notions of sovereignty, but it achieves little except damaging the character of the global Internet, making personal data more vulnerable in the process. Such a proposal is regressive and it is hoped a process of public consultation provides opportunity to deliberate it further.

Kritika Bhardwaj, a lawyer, assisted the petitioner’s counsel in the right to privacy case. She is also a Fellow at the Centre for Communication Governance at National Law University Delhi

A Giant Leap for Informational Privacy

The court’s judgment implies that the state will have to be cautious of its activities even before it begins implementing them. Projects or initiatives that involve collection of personal data would have to take into account explicit limitations on how such information can be used.

By Kritika Bhardwaj

This post first appeared on the Wire on August 25, 2017

In a landmark decision on Thursday, a nine-judge bench of the Supreme Court unanimously held that privacy is a fundamental right. The recognition of privacy as an inherent facet of dignity, personal liberty and individual autonomy has anchored this highly contested right firmly within our constitutional scheme. The vigour with which the court has defended the right, and the clarity of its reasoning is likely to impact judicial decision making for a long time.

Beyond the meaningful addition to the right to choose and the right of self-determination of sexual minorities, the recognition of a right to informational privacy cannot be understated in current times. In an age where ‘data is the new oil’ has now become a cliché, it’s useful to see how Thursday’s judgment bolsters our right to informational privacy. Importantly, the court’s treatment of limitations or legitimate interference of the right to privacy must also be scrutinised to understand the judgment’s true impact.

While there has been an unbroken line of decisions recognising the right to privacy over the last forty years, the court’s jurisprudence on informational privacy has been somewhat limited. Up until now, any articulation privacy as an aspect of personal information was limited to the ‘offline’ world. Mass surveillance, which has been made possible by leaps in technology, has never been adjudicated before the court. In other cases where the role of Internet based platforms has been in issue, the court’s interim decisions have been somewhat disappointing. Thursday’s decision is in stark contrast as far as the court’s understanding of technology related issues is concerned. The judgment displays remarkable clarity in outlining contemporary threats to privacy and the importance of a rights based approach to protect it.

It is important to recall that this case arose in the backdrop of the challenge to Aadhaar. The reference was limited to the issue of deciding the correctness of two early Supreme Court decisions and whether the subsequent line of cases on privacy was good law.

However, the court displayed a keen interest in understanding the nuances of informational privacy, data protection and surveillance by corporations during the course of the hearing. It was feared that since there were no real dispute before the court, it might inadvertently prejudge these issues based on its limited understanding. However, the judgment shows restraint as it acknowledges that the contours of privacy may have to be redefined in light of newer and unforeseen threats.  

With respect to Aadhaar, barring the opinion penned by Justice D.Y Chandrachud, the court categorically refused to consider any aspect of the project or its impact on privacy. However that said, the status of the fundamental right to privacy and where it lies in the constitution has definitely been made clearer, if not elevated, making it harder for the state to justify its biometric coercion. At a general level, harms associated with data mining, profiling and aggregation of information have also been noted, which would also make it difficult to implement Aadhaar as an all-purpose, ubiquitous ‘identity platform’.

But the judgment’s impact is not necessarily limited to Aadhaar, or other intrusions by the state. While a fundamental right traditionally only applies against the state, this decision has paved the way for the right to be extended to non-state actors in a fit case. This is based on the court’s reasoning that there is a positive obligation on the state to protect the privacy rights of individuals. In the face of a privacy violation by a non-state actor (such as a corporation), the state may be asked to provide an adequate remedy or effective redressal. In the absence of any privacy or data protection law, the implications of the court’s decision cannot be emphasised enough.

Over five hundred pages, six judges have outlined several contemporary threats to privacy. There is hope that just an acceptance of these troubling realities would trickle down, enabling lower courts to treat them as legitimate concerns. Last year, while disposing off the petition challenging WhatsApp’s updated privacy policy, the Delhi high court largely reduced the privacy concerns in the case to an issue of contractual rights. Admittedly, the privacy case was pending then, but it can be argued that the court might have at least taken a more serious view of the concerns raised.

In a well-researched judgment, Justice Chandrachud sets out how important information can be gleaned from metadata, leading to the creation of detailed profiles of an individual. The issue of metadata is somewhat central to the case challenging sharing of data between WhatsApp and Facebook. One can hope that a judicial recognition of these privacy harms would enable subsequent benches of the court to develop the right in a more meaningful manner.

Similarly, in a separate opinion, Justice Kaul highlights how personal information online can cause discrimination by throwing up old, irrelevant and decontextualised information about individuals. This is one of rationales for a ‘right to be forgotten’, an issue that has come up before several high courts, and is currently pending before the Delhi high court. Importantly, he also clarifies that a balance would have to be struck between competing rights such as freedom of expression. Seen this way, this judgment can pave the way for nuanced privacy adjudication in India.

However, the judgment is careful to state that informational (or any other) privacy cannot be absolute. It highlights that there may be important countervailing interests resulting in legitimate intrusions of privacy. These could range from national security to tackling public health epidemics. These are well known ‘exceptions’ to privacy, and jurisdictions across the globe are trying to find the correct balance between these contesting claims. Importantly, the judgment does not set any limits to these intrusions or narrow down their scope in any way. Arguably, this creates a slippery slope – with the state considering itself entitled to deploy surveillance, both online and offline. However, any attempt at unfettered or even disproportionate surveillance would be a gross misreading of the judgment, which is now the law of the land.

I would argue that the court’s emphasis on privacy as a natural and inalienable right implies that the state would have to be cautious of its activities even before it begins implementing them. Projects or initiatives that involve collection of personal data would have to take into account explicit limitations on how such information can be used. The judgment endorses privacy principles such as express notice, consent from the individual and an obligation to use personal information only for that purpose for which it was collected. A recognition of these principles by the highest court of the land would imply that the state would have to adopt a rights-based approach to data protection, rather than mere technological frameworks.

Of course, much would boil down to the actual application of this judgment in subsequent cases. But at the very least, this judgment gives vigour and vitality to the struggle against the state’s intrusion into our private lives.  

Kritika Bhardwaj is a lawyer and a Fellow at the Centre for Communication Governance at National Law University Delhi. She assisted the petitioners’ counsel in the right to privacy case.

Right to Privacy judgment will ensure more rigorous analysis of Aadhaar’s impact

While the position of privacy as a fundamental right was uncontested till 2015, the importance of this decision cannot be emphasized enough.

By Kritika Bhardwaj

This post first appeared in the Indian Express on August 25, 2017

A nine-judge bench of the Supreme Court delivered its verdict on status of the right to privacy today. In a landmark decision, the Supreme Court has unanimously upheld the right to privacy as a fundamental right. Importantly, the Court held that that privacy is not just an integral part of the right to life and personal liberty, but is secured by all other fundamental rights as well.

Today’s ruling emerges from a batch of petitions challenging the Aadhaar project – India’s contentious biometric identification scheme. In 2015, during one of the hearings in this case, the Central Government had contested the existence of the fundamental right to privacy. This contention was based on the argument that since two early decisions of the Court had expressly rejected incorporating privacy as a fundamental right, subsequent smaller benches could not have done so. Today’s decision explicitly overrules these two decisions – M.P. Sharma v. Satish Chandra and Kharak Singh v. State of Punjab, in so far as their observations on privacy were concerned.

It also affirms that the Court’s extensive jurisprudence on privacy, spanning over forty years, is good law. The challenge to the validity of the Aadhaar project will now be decided on the strength of today’s decision.

While the position of privacy as a fundamental right was uncontested till 2015, the importance of this decision cannot be emphasized enough. Some of the main grounds for challenging Aadhaar are its violation of physical privacy (by forcefully capturing biometrics), and its surveillance potential (by aggregation of independent data silos). By reaffirming that privacy is an inherent aspect of dignity and liberty, and consequently deeply embedded within our Constitutional scheme, this judgment will ensure a more rigorous analysis of Aadhaar’s impact on individual rights.

However, the significance of this decision goes beyond its impact on Aadhaar. At the outset, it is important to note that the judges have restrained themselves from exhaustively cataloguing the right, or any limitations to it. Privacy is often invoked in myriad circumstances, and has traditionally been tough to define. The approach of the Supreme Court had always been to develop the right on a case-by- case basis and it is heartening that the judgment acknowledges that changing time and technology can impact the right in unforeseen ways.

Another significant impact of this judgment will be on the pending petition challenging the Supreme Court’s earlier verdict in the Section 377 case. In a disappointing (to say the least) judgment in 2014, the Court had upheld the validity of Section 377 of the Indian Penal Code, resulting in re-criminalisation of sex between consenting adults of the same sex. Today’s judgment expresses strong contempt for the reasoning in this case and expressly holds that sexual orientation is a fundamental aspect of one’s identity, and is therefore closely related to dignity and privacy.

It was also noted that besides an obligation to not interfere with an individual’s privacy, the state also has a positive obligation to protect the right. In the absence of any legislation on privacy, it could be argued that such an obligation extends to protecting individuals against discriminatory data practices of corporations and other non-state actors.

It is true that the true test of the ruling will depend on its application. It is still possible for the Court to uphold the validity of Aadhaar if it feels that the scheme is a justifiable intrusion of privacy. However, an unequivocal recognition of the importance of the right is more than just an encouraging sign. Today’s judgment acknowledges the importance of a right to privacy in the context of autonomy, dignity and liberty. It is hoped that in the face of unjustifiable intrusions, the Court will continue to uphold and enlarge this right in a meaningful manner.

Kritika Bhardwaj is a Supreme Court lawyer and a Fellow at the Centre for Communication Governance at National Law University Delhi. She assisted senior counsel Shyam Divan who represented petitioners in the Right to Privacy case.

The privacy verdict will go a long way in shaping future jurisprudence

The SC’s decision recognises privacy as an important facet of individual autonomy, the right to live with dignity, and the right to personal liberty. The Court has also acknowledged the importance of informational privacy and right to exercise control over one’s personal information

By Kritika Bhardwaj

The post first appeared in Hindustan Times on August 25, 2017

The Supreme Court’s decision recognises privacy as an important facet of individual autonomy, the right to live with dignity, and the right to personal liberty(Reuters)

In a landmark decision on August 24, a nine-judge bench of the Supreme Court held that the right to privacy is a fundamental right. In a unanimous decision, the SC held that privacy is an inalienable right, and a crucial aspect of individual liberty and dignity.

The challenge to the existence of the right to privacy arose out of a batch of petitions assailing the constitutionality of the Aadhaar project. Introduced as a means to plug leakages in the welfare delivery system, the project involves the collection of biometrics and storage of extensive personal information within a centralised database. As a result, one of the grounds on which the project has been challenged is its potential impact on privacy. Although many of these petitions were filed in 2012, it was only in 2015 that the government objected to the petitioners’ reliance on this right. Convinced that the position of privacy as a fundamental right required some clarification, the Supreme Court referred this issue to a larger bench.

The SC decision puts the government’s claim to rest for eternity. The SC overruled two decisions that formed the crux of the government’s argument – MP Sharma v. Satish Chandra and Kharak Singh v. State of Punjab, with respect to their observation that privacy was not a fundamental right under our Constitution. It also held that the Court’s existing jurisprudence on the right to privacy from 1975 onwards was the correct legal position. The merits of the Aadhaar project will now be decided on the basis of this decision.

It is important to remember that the Court was considering the right without reference to any specific facts or intrusions. Often, such intrusions are justified on the basis of other countervailing interests – such as national security or important public interest. It remains to be seen how the Court will apply today’s ruling in the face of such situations, especially Aadhaar. However, it is undeniable that an unequivocal affirmation of the right to privacy by a bench of nine judges can go a long way in shaping the Court’s jurisprudence over the next few decades.

The SC decision recognises privacy as an important facet of individual autonomy, the right to live with dignity, and the right to personal liberty. The Court has also acknowledged the importance of informational privacy and right to exercise control over one’s personal information. Significantly, the Court has refrained from defining privacy definitively, recognising that the nature of the privacy right and any limitations to it must be developed on a case-by-case basis. This presents opportunities to develop the right in light of newer and unanticipated privacy challenges.

One of the most significant aspects of the judgment is the Court’s articulation of privacy in the context of identity, especially with respect to an individual’s sexual orientation. In doing so, the judgment was critical of the Court’s earlier decision in Koushal v. Naz, which upheld Section 377 of the Indian Penal Code. Today, the Court held that the right to privacy and the protection of sexual orientation “lie at the core of fundamental rights”.

Pertinently, the Court dismissed the common misconception that privacy is merely an ‘elite’ concern. This line of argument has been common among supporters of the Aadhaar project. Citing Nobel laureate Amartya Sen, Justice Chandrachud observed that that there is an “intrinsic relationship between development and freedom”. He went on to hold that besides being intrinsic to the Constitution, liberty and freedom are crucial for creating a framework for socio-economic rights.

Finally, the Court accepted that the right to privacy is not absolute. There may be legitimate interests, which may justify an intrusion into one’s right to privacy. However, the Court set a high threshold for the government to be able to justify any privacy intrusions in the future. This is important, as the government will have to be mindful of these constitutional limitations for any of its proposed initiatives, Digital India or otherwise.

Kritika Bhardwaj is a lawyer and Fellow at the Centre for Communication Governance at National Law University Delhi. She assisted the petitioners in this case

SC 9 Judge Bench on the Fundamental Right to Privacy – Day I

Following from the five-judge bench’s decision yesterday, a nine-judge bench was constituted today to determine the existence of a fundamental right to privacy. Arguments were advanced on behalf of some of the petitioners today. A background to this hearing, and the larger Aadhaar case can be found here.

Senior counsel appearing for Mr. Mathew Thomas commenced arguments today. He began by arguing that both M.P. Sharma v. Satish Chandra (MP Sharma) and Kharak Singh v. State of Punjab (Kharak Singh) were decided when AK Gopalan v. State of Madras (Gopalan) held the field. The view adopted in AK Gopalan was that different fundamental rights operated in individual silos and were to be read separately. This decision was overruled by an eleven-judge bench in R. C. Cooper v. Union of India (RC Cooper).

It was argued that neither of the two decisions in question could be considered good law with respect to their interpretation of fundamental rights, given that the basis for these judgments i.e. AK Gopalan was overruled.

Further, the observation in MP Sharma that there is no right to privacy within Article 20(3) of the Constitution could not extinguish a general right to privacy. With respect to Kharak Singh, it was pointed out that the minority view in the case applied had the correct test and consequently, liberty was not a residuary expression and inherently contemplated privacy.

It was argued that the concepts of privacy and liberty could not be separated. If life and liberty were considered inalienable, so was privacy, as the former could not exist without the latter. Characterising the American jurisprudence on privacy as being rooted in the concept of liberty, and the continental understanding emerging from dignity, he argued that the Preamble to the Indian Constitution considered both to be inalienable values. He contended that privacy was the essence of liberty, and that human development and exercising choice required internal privacy.

It was pointed out that pursuant to the Court’s decision in Maneka Gandhi v. Union of India (Maneka Gandhi), Articles 14, 19 and 21 had to be read together. These rights, he argued, could only exist under a limited government. He pointed out that equal protection of laws under Article 14 would also protect liberty. Similarly, the exercise of choice secured under Article 19 would also require liberty.

On being posed a question from Justice Bobde regarding the facets and contours of the right to privacy, the senior counsel argued that privacy had multiple dimensions. While the Supreme Court had recognised four of these in Gobind v. State of Madhya Pradesh – spatial privacy, informational privacy, decisional autonomy and full development of personality, these were not exhaustive.

The bench also asked if the constitutional right to privacy was broader than the common law right, to which the counsel responded in the affirmative. Justice Chandrachud sought to know if the fundamental right to privacy was applicable horizontally, and if the state had an obligation to legislate to protect this right. This too, was answered in the affirmative.

Senior counsel Soli Sorabjee, who was also appearing for one of the petitioners, argued briefly that the absence of an express right to privacy under Part III of the Constitution did not imply that it did not exist.  He contended that the right to privacy could be deduced from other existing right just as the freedom of the press has been deduced from Article 19(1)(a).

Next, arguments were made by the senior counsel on behalf of S.G. Vombatkere. He argued that there was an unbroken like of decisions recognising a right to privacy for over forty years, and contended that this was an occasion to affirm, and not regress from established precedent.

Further, he clarified that the right to privacy cannot be defined with any specificity. Being multi faceted, it is not capable of an exhaustive definition and therefore must be developed on a case-by-case basis.

He also cited I R. Coelho v. State of Tamil Nadu to emphasize that the Constitution is a living document and the law must continue to evolve in accordance with modern realities.

It was argued that the right to privacy emanates from a joint reading of Articles 14, 19 and 21. He also emphasised that the right to privacy was enshrined under the International Covenant on Civil and Political Rights as well as the Universal Declaration of Human Rights, thereby forming a part of India’s international obligations. He also brought to the Court’s notice that the UN had recently appointed a Special Rapporteur on Privacy and published a preliminary report on Privacy in the Digital Age, signifying that privacy is a contemporary international concern. The Chief Justice remarked that the report acknowledges privacy as a basic human right. Justice Chandrachud questioned the counsel regarding data protection being distinct from privacy. He opined that data protection must be regulated by law, and that privacy could not be considered absolute. At this stage the counsel clarified that he was not contending that the right to privacy was absolute, but merely that it be developed on a case by case basis.

He argued, that what was sought was that privacy be recognised as a fundamental right. Relegating it to the status of a mere common law right would leave it vulnerable to state action and legislation. This hierarchy, in the counsel’s opinion, was an essential limitation on the state’s power.

Moving on, he argued that the fact that the Supreme Court had, over time, articulated over thirty unenumerated rights under Article 21 also went to signify that privacy is a fundamental right.

He reiterated that the majority view in Kharak Singh had been overruled, as made evident in Satwant Singh Sawhney v. D. Ramarathnam, RC Cooper as well as Maneka Gandhi. Tracing the development of the jurisprudence on fundamental rights, he explained RC Cooper had overturned the prevailing view since Gopalan (that fundamental rights operated in distinct silos). In 1976, Maneka Gandhi expressly overruled the majority view in Kharak Singh. In 2014, the Supreme Court reiterated in Mohamad Arif v. The Registrar, Supreme Court and Ors that pursuant to RC Cooper, the minority view in Kharak Singh was good law. Read together, it was contended that the statements in the majority decision of Kharak Singh on the absence of an explicit fundamental right to privacy under the Constitution could pose no bar.

With respect to MP Sharma, it was pointed out that the case operated in a completely distinct area i.e. Article 20(3) of the Constitution which provides that “no person accused of any offence shall be compelled to be a witness against himself”. The contention of the counsel was that privacy emanated from Articles 14, 19 and 21 and thus the observation in MP Sharma could not be considered an obstacle. He pointed out that the Supreme Court had expressly considered MP Sharma in the 2010 decision Selvi v. State of Karnataka and upheld the right to privacy.

He concluded by stating that the mark of a civilisation can be seen in how it treats personal privacy. Without privacy, all rights would be denuded of their vitality.

The senior counsel arguing on behalf of S. Raju began his submissions by stating that both MP Sharma and Kharak Singh only contained one stray sentence on the right to privacy. Whether privacy was a fundamental right was never a question before the Court in either of these cases. On reading relevant extracts from MP Sharma, Nariman J. observed that the 4th Amendment of the US Constitution, (which deals with unreasonable search and seizures, and was sought to be included within our Constitutional scheme), could never have been imported into Article 20(3). Pointing out that 20(3) was along the lines of the 5th Amendment under the American Constitution (which deals with self-incrimination among other things), he stated that the result would have been an anomalous situation as the 5th Amendment could never have been imported into the 4th Amendment.

The senior counsel continued his arguments citing several American cases, starting with the dissenting judgment of Justice Louis Brandeis in Olmstead vs. United States recognizing a right to be let alone, and dealing with the landmark cases of Griswold v. Connecticut and Roe v. Wade to explain how privacy had been developed from the 4th, 9th as well as the 14th Amendment(s).

He also read from Kharak Singh, arguing that with regard to the specific question on whether the judgments in Kharak Singh and MP Sharma still hold – it is important to note that the ratio in both of these cases did not specifically provide that there is no right to privacy. During the course of these readings, it was also pointed out by the bench that even the majority in Kharak Singh seemed to have implicitly recognized a right to privacy, without explicitly stating so. The senior counsel argued that it is anachronistic and paradoxical that after having recognised over thirty different rights under Article 21, the status of the right to privacy was in doubt. He also stated that while the right to privacy would fall within the ambit of Article 21, it would also need to be developed, and may be grounded in Articles 14, or 19, depending upon the issue being discussed.

Before the bench rose, it posed a few pertinent questions to the counsel. Justice Chandrachud pointed out that in several decisions, such as R. Rajagopal v. State of Tamil Nadu and Mr. X v. Hospital Z , the Court had applied the right to privacy horizontally. He sought a clarification regarding the applicability of a fundamental right to privacy against non-state actors.

Justice Nariman and the Chief Justice asked the counsel to clarify the contours of a right to privacy – the definition of the right, the restrictions on the right, and parameters of challenge for an action on privacy, if the right were to be grounded in Articles 14, 19 and 21. Another question that was posed to the counsel was whether the right to privacy would be a horizontal right, and the state would have any responsibility to take affirmative action to protect this right.

The counsels for the petitioners stated that the right would need to be developed on a case to case basis, providing not only for what is, but also for what may be. The counsel and the bench discussed the possibility of providing for various options for defining the right –simply stating that there is a right, and leaving it open to interpretation, or providing illustrations of the facets of the right to privacy.

In response to the questions on the parameters for challenges against a violation of this right, the counsel stated referred to the tests already in place to determine violations of rights under Articles 14, 19 or 21, or any other article that the right to privacy maybe grounded in depending upon the case being discussed.

The petitioners are expected to conclude their submissions within the first half tomorrow, after which the Union of India will put forth its case.

Disclosure: The author assisted the petitioners’ (S.G. Vombatkere) counsel.

No Interim Relief in Petition Seeking Stay on Mandatory Aadhaar – For Now

The fresh petition challenging the constitutionality of the Aadhaar Act (Shantha Sinha v. Union of India) came up for hearing before the Supreme Court today. While this petition has been tagged with the main bunch of petitions challenging the Aadhaar scheme, it also seeks urgent interim relief by way of a stay on 18 different executive notifications. As noted in our previous post, interim relief is crucial as most of these notifications stipulate 30 June 2017 as the deadline to enrol for Aadhaar.

Today’s hearing was solely to determine whether the petitioners were entitled to interim relief. However, less than a week ago, the Ministry of Electronics and Information Technology issued an ‘Office Memorandum’ to all central ministries, extending the date for mandatory enrolment to 30 September 2017. Pertinently however, similar to the exemption granted by the Supreme Court in the Aadhaar/PAN judgment, this extension only applies to those who are yet to enrol for Aadhaar. For those who possess the number, 30 June 2017 remains the deadline to quote Aadhaar in order to continue receiving benefits under the respective scheme.

Today’s hearing began with the Additional Solicitor General seeking a short adjournment on the ground that the government wished to respond to the claims made in the petitioners’ rejoinder. He argued that there was no ‘burning urgency’ anymore as the deadline for enrolling for and submitting Aadhaar had been extended till 30 September. While the petitioners’ counsel did not oppose the request for adjournment, he clarified that the extension notice excluded several beneficiaries. He therefore urged the Court to protect all beneficiaries from having to submit their Aadhaar number till the next date of hearing.

The bench appeared reluctant to pass any order to this effect. It asked if the petitioners had concrete evidence to show that children were being denied their mid-day meals on account of the notification(s) in issue. Despite pointing out that the deadline was 30 June 2017, and the feared exclusion would begin only after that, the Court appeared unconvinced.

In its order today, the Court noted that in view of paragraph 90 of the judgment in the Aadhaar/PAN case, no clarification or special order was required. This paragraph holds that the requirement of obtaining an Aadhaar number is voluntary. This is slightly confusing, as neither does it protect those who have obtained an Aadhaar number but to not wish to link it to the various schemes in issue, nor does it advance the government’s plan of ensuring mandatory enrolment by 30 September 2017.

The Court listed the case for further hearing on 7July 2017, before which the Union of India will file its response to the petitioners’ claims in the rejoinder.

Supreme Court Upholds Law Linking Aadhaar With PAN

The Supreme Court delivered its judgment in the constitutional challenge to Section 139AA of the Income Tax Act today. Brought in by way of an amendment in April this year, this provision made it mandatory for all taxpayers to quote their Aadhaar number when applying for a Permanent Account Number (PAN) and for filing returns of income. Failure to link one’s PAN with Aadhaar would automatically invalidate the former.


It is important to recall that this amendment was passed at a time when several petitions challenging the constitutionality of the Aadhaar project continue to be pending before the Supreme Court. Through various interim orders, the Court has repeatedly directed that Aadhaar must remain voluntary till the petitions are conclusively decided. In 2015, a three-judge bench felt that there was some ambiguity in the Supreme Court’s jurisprudence on the right to privacy (which the petitions rely on), and referred the matter to a larger bench. This bench is yet to be constituted. These orders were passed before the Parliament passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act in 2016 (Aadhaar Act). With the passage of the Aadhaar Act, the status of the interim orders has been put in question, with the government claiming that it is free to mandate Aadhaar for any service or benefit.

In the context of the Aadhaar-PAN petitions, the pending reference on the issue of privacy is important as it severely curtailed the grounds for challenge available to the petitioners. Forced to give up arguments on privacy, the submissions in this case were largely limited to the issue of bodily integrity and the right to equality. Arguments were also made on the grounds that the introduction of Section 139AA of the Income Tax Act violates Articles 14 and 19 of the Constitution of India.

However, in its judgement today, the Court has construed privacy extremely broadly. The Court excluded all arguments made on bodily integrity, dignity and the right to informational self-determination, on the basis that these concepts are linked to privacy.


The Court upheld s. 139AA(1), making it mandatory for taxpayers to quote their Aadhaar while filing returns of income. However, for existing PAN holders who are not yet enrolled and do not have an Aadhaar number, the proviso under s. 139AA(2) has been stayed till the Constitution Bench decides the pending writ petitions challenging Aadhaar. This stay would not benefit those who have already obtained an Aadhaar number.

The Court justifies this partial stay on the ground that the consequences for non-compliance are severe, and individuals should not be made to suffer till the main matter attains finality.

The Court also read down the proviso to s. 139AA(2) which creates a legal fiction by which non-linking of the PAN with the Aadhaar number would result in penal provisions under the Income Tax Act applying ‘as if the person had not applied for the allotment of the PAN’. The Court held that these provisions could only apply prospectively.


I. Legislative Competence

a) Legislature lacked authority to pass a law contrary to judgments of the Supreme Court (the interim orders) without removing its basis – The court held that these orders were passed in the absence of any statutory scheme (and hence, lacked a basis). Further, it held interim orders could not preclude the Parliament from passing such a law.

b) Aadhaar Act itself was voluntary, and therefore, s. 139AA could not indirectly make it mandatory – The Court categorically holds that enrolment under Aadhaar is voluntary. However, it leaves open the question whether the government could make the number mandatory for receipt of benefits under Section 7, observing that is was squarely within the ambit of the pending writ petitions.

The Court went on to reject the contention the legislature could not make Aadhaar mandatory under s. 139AA, holding that the purpose behind the statute was entirely different from that of the Aadhaar Act. It accepts the efficacy of Aadhaar in solving stated objectives such as money laundering and black money based solely on the Parliament’s wisdom.

II. Article 14

It was argued that s. 139AA drew an arbitrary distinction between assesses who were individuals and others such as partnership firms, companies and trusts etc. as the latter were not required to obtain an Aadhaar number. Excluding juristic entities such as companies would fail to address the government’s stated objectives of weeding out fake cards and curbing black money.

The Court outlined the twin tests under Article 14 – that there must be a reasonable classification founded on intelligible differentia and this must have a rational nexus with the object sought to be achieved. It rejected the contention that mandating Aadhaar only for individuals could not achieve the desired purpose. What is surprising is that in reaching this conclusion, the Court accepts without question, the efficacy of Aadhaar to successfully de-duplicate PAN cards. This is despite the fact that the petitioners brought to light several instances of private enrollers mismanaging data and the cancellation of lakhs of cards for biometric and other errors.

III. Article 19(1)(g)

The petitioners had argued that the penal consequences associated with non-compliance were draconian and completely disproportionate, affecting individuals’ rights to carry on their business or profession. In dealing with the submission on proportionality, the Court focused on s. 139AA(2), which prescribes the penalty for non-compliance. The Court observed that several routine activities in course of any business required PAN. It held that invalidating one’s PAN would restrict the freedom to carry on trade enshrined under Article 19(1)(g). The Court then undertakes a lengthy discussion on the objective of Aadhaar to determine the reasonableness of the restriction.

The Court’s analysis in this section is astonishing. Without having presented any evidence to support or deny such a claim, the Court observes that failure to identify beneficiaries is ‘one of the main reasons’ for leakages in subsidies. (In fact, researchers have repeatedly questioned and de-bunked this assertion). The Court also fails to note the RTI reply cited by the petitioners, pointing out that 99.7% of persons enrolled for Aadhaar already had two other identity proofs. The judgment also makes bald assertions, referring to Aadhaar as the ‘most advanced and sophisticated infrastructure’, and hints at its use ‘to take care of problem of terrorism to some extent’ and also to check ‘crimes and also help investigating agencies in cracking the crimes’. It is worth pointing out that it is exactly this sort of mission creep that makes Aadhaar an extremely worrisome project.

The Court holds that it is the prerogative of the legislature to make penal provisions for violating a law, but does not explicitly comment on the reasonableness of the restriction.


Limiting the relief to those who have not yet enrolled for Aadhaar is questionable for two reasons:

  1. As per the government’s submissions, 98-99% of the adult population already has an Aadhaar number, and therefore this decision only protects a miniscule minority of the population. Additionally, limiting relief to those who have managed to remain outside the system overlooks the fact that many were coerced to enrol (as essential services or benefits were made contingent on it). It also overlooks that instances of data leaks came to light only recently, prompting several citizens to have second thoughts about the project only after they had enrolled. But most importantly, the judgment ends up protecting only those who are privileged enough to not depend on the state for benefits and services, and have thus managed to remain un-enrolled.
  2. Rejecting the Article 14 challenge, the Court had held that there could be no distinction between assesses who had ‘voluntarily’ enrolled for Aadhaar, and those who hadn’t or did not wish to. The legal regime had to apply uniformly to all individual assesses, it held. It is perplexing then for the Court to make the same distinction at the time of the final order, without any cogent reasons.

However, despite the limited relief, there is a silver lining in this judgment – the Court observed that it had not addressed any of the objections based on Article 21 of the Constitution, and the statute was being upheld subject to Aadhaar passing this ‘more stringent test’. At several places, the judgment makes note of these ‘important’ issues and hopes for their proper adjudication.

The judgment also notes the petitioners’ concerns regarding data leaks and observes that appropriate measures to address this are essential.

Disclosure: The author assisted the petitioners’ (Maj. Gen. Vombatkere and Mr. Bezwada Wilson) lawyers on specific occasions during the course of the hearing.