No Interim Relief in Petition Seeking Stay on Mandatory Aadhaar – For Now

The fresh petition challenging the constitutionality of the Aadhaar Act (Shantha Sinha v. Union of India) came up for hearing before the Supreme Court today. While this petition has been tagged with the main bunch of petitions challenging the Aadhaar scheme, it also seeks urgent interim relief by way of a stay on 18 different executive notifications. As noted in our previous post, interim relief is crucial as most of these notifications stipulate 30 June 2017 as the deadline to enrol for Aadhaar.

Today’s hearing was solely to determine whether the petitioners were entitled to interim relief. However, less than a week ago, the Ministry of Electronics and Information Technology issued an ‘Office Memorandum’ to all central ministries, extending the date for mandatory enrolment to 30 September 2017. Pertinently however, similar to the exemption granted by the Supreme Court in the Aadhaar/PAN judgment, this extension only applies to those who are yet to enrol for Aadhaar. For those who possess the number, 30 June 2017 remains the deadline to quote Aadhaar in order to continue receiving benefits under the respective scheme.

Today’s hearing began with the Additional Solicitor General seeking a short adjournment on the ground that the government wished to respond to the claims made in the petitioners’ rejoinder. He argued that there was no ‘burning urgency’ anymore as the deadline for enrolling for and submitting Aadhaar had been extended till 30 September. While the petitioners’ counsel did not oppose the request for adjournment, he clarified that the extension notice excluded several beneficiaries. He therefore urged the Court to protect all beneficiaries from having to submit their Aadhaar number till the next date of hearing.

The bench appeared reluctant to pass any order to this effect. It asked if the petitioners had concrete evidence to show that children were being denied their mid-day meals on account of the notification(s) in issue. Despite pointing out that the deadline was 30 June 2017, and the feared exclusion would begin only after that, the Court appeared unconvinced.

In its order today, the Court noted that in view of paragraph 90 of the judgment in the Aadhaar/PAN case, no clarification or special order was required. This paragraph holds that the requirement of obtaining an Aadhaar number is voluntary. This is slightly confusing, as neither does it protect those who have obtained an Aadhaar number but to not wish to link it to the various schemes in issue, nor does it advance the government’s plan of ensuring mandatory enrolment by 30 September 2017.

The Court listed the case for further hearing on 7July 2017, before which the Union of India will file its response to the petitioners’ claims in the rejoinder.

Supreme Court Upholds Law Linking Aadhaar With PAN

The Supreme Court delivered its judgment in the constitutional challenge to Section 139AA of the Income Tax Act today. Brought in by way of an amendment in April this year, this provision made it mandatory for all taxpayers to quote their Aadhaar number when applying for a Permanent Account Number (PAN) and for filing returns of income. Failure to link one’s PAN with Aadhaar would automatically invalidate the former.

BACKGROUND

It is important to recall that this amendment was passed at a time when several petitions challenging the constitutionality of the Aadhaar project continue to be pending before the Supreme Court. Through various interim orders, the Court has repeatedly directed that Aadhaar must remain voluntary till the petitions are conclusively decided. In 2015, a three-judge bench felt that there was some ambiguity in the Supreme Court’s jurisprudence on the right to privacy (which the petitions rely on), and referred the matter to a larger bench. This bench is yet to be constituted. These orders were passed before the Parliament passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act in 2016 (Aadhaar Act). With the passage of the Aadhaar Act, the status of the interim orders has been put in question, with the government claiming that it is free to mandate Aadhaar for any service or benefit.

In the context of the Aadhaar-PAN petitions, the pending reference on the issue of privacy is important as it severely curtailed the grounds for challenge available to the petitioners. Forced to give up arguments on privacy, the submissions in this case were largely limited to the issue of bodily integrity and the right to equality. Arguments were also made on the grounds that the introduction of Section 139AA of the Income Tax Act violates Articles 14 and 19 of the Constitution of India.

However, in its judgement today, the Court has construed privacy extremely broadly. The Court excluded all arguments made on bodily integrity, dignity and the right to informational self-determination, on the basis that these concepts are linked to privacy.

THE DECISION

The Court upheld s. 139AA(1), making it mandatory for taxpayers to quote their Aadhaar while filing returns of income. However, for existing PAN holders who are not yet enrolled and do not have an Aadhaar number, the proviso under s. 139AA(2) has been stayed till the Constitution Bench decides the pending writ petitions challenging Aadhaar. This stay would not benefit those who have already obtained an Aadhaar number.

The Court justifies this partial stay on the ground that the consequences for non-compliance are severe, and individuals should not be made to suffer till the main matter attains finality.

The Court also read down the proviso to s. 139AA(2) which creates a legal fiction by which non-linking of the PAN with the Aadhaar number would result in penal provisions under the Income Tax Act applying ‘as if the person had not applied for the allotment of the PAN’. The Court held that these provisions could only apply prospectively.

DECISION ON SPECIFIC GROUNDS

I. Legislative Competence

a) Legislature lacked authority to pass a law contrary to judgments of the Supreme Court (the interim orders) without removing its basis – The court held that these orders were passed in the absence of any statutory scheme (and hence, lacked a basis). Further, it held interim orders could not preclude the Parliament from passing such a law.

b) Aadhaar Act itself was voluntary, and therefore, s. 139AA could not indirectly make it mandatory – The Court categorically holds that enrolment under Aadhaar is voluntary. However, it leaves open the question whether the government could make the number mandatory for receipt of benefits under Section 7, observing that is was squarely within the ambit of the pending writ petitions.

The Court went on to reject the contention the legislature could not make Aadhaar mandatory under s. 139AA, holding that the purpose behind the statute was entirely different from that of the Aadhaar Act. It accepts the efficacy of Aadhaar in solving stated objectives such as money laundering and black money based solely on the Parliament’s wisdom.

II. Article 14

It was argued that s. 139AA drew an arbitrary distinction between assesses who were individuals and others such as partnership firms, companies and trusts etc. as the latter were not required to obtain an Aadhaar number. Excluding juristic entities such as companies would fail to address the government’s stated objectives of weeding out fake cards and curbing black money.

The Court outlined the twin tests under Article 14 – that there must be a reasonable classification founded on intelligible differentia and this must have a rational nexus with the object sought to be achieved. It rejected the contention that mandating Aadhaar only for individuals could not achieve the desired purpose. What is surprising is that in reaching this conclusion, the Court accepts without question, the efficacy of Aadhaar to successfully de-duplicate PAN cards. This is despite the fact that the petitioners brought to light several instances of private enrollers mismanaging data and the cancellation of lakhs of cards for biometric and other errors.

III. Article 19(1)(g)

The petitioners had argued that the penal consequences associated with non-compliance were draconian and completely disproportionate, affecting individuals’ rights to carry on their business or profession. In dealing with the submission on proportionality, the Court focused on s. 139AA(2), which prescribes the penalty for non-compliance. The Court observed that several routine activities in course of any business required PAN. It held that invalidating one’s PAN would restrict the freedom to carry on trade enshrined under Article 19(1)(g). The Court then undertakes a lengthy discussion on the objective of Aadhaar to determine the reasonableness of the restriction.

The Court’s analysis in this section is astonishing. Without having presented any evidence to support or deny such a claim, the Court observes that failure to identify beneficiaries is ‘one of the main reasons’ for leakages in subsidies. (In fact, researchers have repeatedly questioned and de-bunked this assertion). The Court also fails to note the RTI reply cited by the petitioners, pointing out that 99.7% of persons enrolled for Aadhaar already had two other identity proofs. The judgment also makes bald assertions, referring to Aadhaar as the ‘most advanced and sophisticated infrastructure’, and hints at its use ‘to take care of problem of terrorism to some extent’ and also to check ‘crimes and also help investigating agencies in cracking the crimes’. It is worth pointing out that it is exactly this sort of mission creep that makes Aadhaar an extremely worrisome project.

The Court holds that it is the prerogative of the legislature to make penal provisions for violating a law, but does not explicitly comment on the reasonableness of the restriction.

ANALYSIS

Limiting the relief to those who have not yet enrolled for Aadhaar is questionable for two reasons:

1. As per the government’s submissions, 98-99% of the adult population already has an Aadhaar number, and therefore this decision only protects a miniscule minority of the population. Additionally, limiting relief to those who have managed to remain outside the system overlooks the fact that many were coerced to enrol (as essential services or benefits were made contingent on it). It also overlooks that instances of data leaks came to light only recently, prompting several citizens to have second thoughts about the project only after they had enrolled. But most importantly, the judgment ends up protecting only those who are privileged enough to not depend on the state for benefits and services, and have thus managed to remain un-enrolled.
2. Rejecting the Article 14 challenge, the Court had held that there could be no distinction between assesses who had ‘voluntarily’ enrolled for Aadhaar, and those who hadn’t or did not wish to. The legal regime had to apply uniformly to all individual assesses, it held. It is perplexing then for the Court to make the same distinction at the time of the final order, without any cogent reasons.

However, despite the limited relief, there is a silver lining in this judgment – the Court observed that it had not addressed any of the objections based on Article 21 of the Constitution, and the statute was being upheld subject to Aadhaar passing this ‘more stringent test’. At several places, the judgment makes note of these ‘important’ issues and hopes for their proper adjudication.

The judgment also notes the petitioners’ concerns regarding data leaks and observes that appropriate measures to address this are essential.

Disclosure: The author assisted the petitioners’ (Maj. Gen. Vombatkere and Mr. Bezwada Wilson) lawyers on specific occasions during the course of the hearing.

Decoding Privacy Policies – Uber

‘I have read and agree to the terms’ is commonly regarded as one of the biggest lies on the Internet. In 2014, a company called F-Secure put this to test and set up a free Wi-Fi hotspot in London. One of the terms for accessing the Wi-Fi was for users to assign their firstborn child to the company for eternity. People still signed up. Fortunately, the company decided not to enforce this condition.

Terms of use agreements, which also include privacy policies, usually run into multiple pages and are extremely dense, making it hard for users to understand how their personal information is collected, used and disclosed. This post looks at Uber’s privacy policy to understand its information practices, making it our second attempt to simplify privacy policies of popular companies. Uber is a transportation aggregator that allows users to connect with drivers through its technology platform. Understanding the company’s use of personal information is critical in light of its recent practice to charge users differently, based on what they’re ‘willing to pay’.

The policy has been analysed against the privacy principles recommended by the 2012 Report of the Group of Experts on Privacy (‘2012 Report’). These principles stem from internationally recognised data protection norms that form the basis of several regional and national data protection frameworks.

• Notice

The underlying principle, that is ‘notice’, requires companies to make their information practices known in an easily accessible manner, allowing users to make an informed choice. This includes informing users of policy changes and notifying them in the event of a data breach. Uber’s policy is to notify users only in the instance that there have been significant changes to its practices. It requires users to opt-out if they disagree with the changes, rather than giving them the option to opt-in. It is also completely silent on data breach notifications, signifying that users don’t have a right to know if their information has been compromised. This has serious ramifications for a user’s privacy in light of the extent of personal information collected.

• Information Collection

Uber collects the following information from users who sign up to use its service –

• Information Collected Directly From Users: At the time of creating or modifying an account, Uber collects a user’s name, email and phone number. It may also collect their postal address and payment information, among other information voluntarily provided.
• Information Collected Through Use of Uber’s Services:
• Location: Uber collects location information from a user’s device, the Uber application being used by the driver as well as through a user’s IP address and Wi-Fi signal. Pertinently, Uber collects this information even when the app is running in the background, and not merely during the course of a trip. Even if a user chooses to deny permission to access location information from their device, Uber will continue to receive this information through the other sources mentioned.
• Contacts: Subject to granting permission on her device, Uber may collect and store a user’s contact list. iOS users can choose to disable this permission at any stage, even after initially permitting the collection of this information. However, the policy states that the Android platform does not allow users to revoke access in the same manner.
• Transaction Information: Uber collects information related to the type of service requested, the date, time and amount paid for each ride and other related information.
• Usage and Preference Information: Uber collects information to understand a user’s preferences and remember her settings. This may be through cookies (a small text file placed on one’s device by the app/website) or pixel tags (a block of code on a website allowing it to retrieve certain information about one’s device/browser). Uber’s Cookie Policy explains that it allows certain third parties (such as Google and Facebook) to place cookies on a user’s device to help deliver its services and for advertising purposes.
• Device Information: Information about a user’s mobile device, such as their operating system, hardware model, unique device identifier and mobile network information is collected. Even such innocuous information could lead to unfavourable outcomes for users. For example, reports indicate that Uber has discovered that the battery level of a user’s phone indicates their willingness to pay a higher amount for the same ride.
• Call and SMS Data: To facilitate communication between riders and drivers, Uber collects date and time information related to a call or SMS and the content of the SMS message.
• Log Information: Information such as IP address, the date and time for using the application, and the features or pages viewed is collected.
• Information from ‘Other Sources’: Uber may also receive information from other sources and combine it with information it collects directly. These other sources include using a social media service (such as Facebook) to create an account, a user’s employer if the latter avails of services such as ‘Uber for Business’ or ratings from drivers.

As per the principle of collection limitation, entities must only collect personal information that is necessary for their stated purposes. As seen above, Uber collects extensive personal information, not all of which is directly related to its purpose of providing users with a transportation facility. Besides these, it also collects specific information from one’s device by seeking access to a user’s media files or calendar, among other things. However, these permissions can be denied. More information can be found here (for Android users) and here (for iOS users).

The 2012 Report also recommends that companies allow individuals to access their personal information and amend or modify it, if it is inaccurate. This right extends to obtaining a copy of all personal information held by the company. Uber allows modification or deletion of a user’s account through its mobile application and website. The right to obtain a copy of one’s information or delete some of it is circumscribed to the rights of individuals under ‘applicable law’. Under Indian law, the access and correction principle is restricted to sensitive personal information only. In the context of information collected by Uber, this is only likely to include passwords and financial information.

• Use of Information

The principle of purpose limitation requires information to be collected for specific and explicitly stated purposes and prohibits its recycling for newer purposes. The policy states six distinct purposes. Some are clearly defined – such as facilitating communication between users and drivers or users and their contacts (to split fares etc.), but some are more vaguely drafted. An example of the latter is sending communications the company thinks ‘will be of interest to you’ regarding ‘products, services, promotions, news and events of Uber and other companies’. A user may opt-out of such promotional communication by following the instructions on the message itself.

Besides this, Uber uses the information collected by it to provide and improve its services such as facilitating payments and developing new features. It also uses this information to conduct data analysis, research and monitor how users are using its services.

• Sharing of Information

Besides sharing certain basic and essential personal information with drivers, Uber also shares information with other riders if a user is availing a ride-sharing option like UberPool. Third parties also receive information if users avail of Uber services through a promotion or partnership between a third party and Uber. For workplaces using services like Uber for Business, personal information may be shared with relevant third parties, such as a user’s employer.

If users use social sharing features integrated onto the Uber platform, personal information is shared with that service as well. Uber also allows its advertising partners to track the performance of their ads by placing cookies on a user’s device.

Uber also reserves the right to share personal information with –

• Its subsidiaries and affiliated entities that process data on its behalf. It does not however, identify these entities.
• With any vendor, consultant, marketing partner or service provider that it contracts with to carry out work on its behalf. This clause suffers from vagueness and fails to give individuals an idea about who may have access to their information.
• Any competent authority under law or law enforcement officials and government authorities.
• Any entity as required in the course of a sale, merger, consolidation or acquisition of the company’s business by or into another company.
• Anyone, subject to a user’s consent
• Anyone, in an aggregated or anonymised form where identification is not reasonably possible. Research indicates big data analytics is making re-identification of anonymised data easier. This renders personal information vulnerable under this clause.
• Security

Additionally, the policy makes no mention of security standards or procedures undertaken by Uber or its affiliates to safeguard personal information. Under the 2012 Report, the principle of security requires companies to adopt reasonable security safeguards to protect against loss, unauthorised access, destruction, use or disclosure of personal information.

Overall, Uber’s privacy policy is relatively accessible. It breaks down complex terms and processes and gives illustrations at various points. However, as pointed out, it also suffers from overbreadth and vagueness at many places.

Lastly, the principle of accountability requires that companies be held accountable for compliance with privacy principles. An important aspect of accountability is appointing a grievance redressal officer for addressing privacy concerns. The policy provides users with an email (privacy@uber.com) as well as a postal address for raising their privacy concerns. However, enforcing these commitments is difficult in the absence of a data protection legislation. The existing rules under the Information Technology Act 2000 only protect sensitive personal information, excluding a large category of valuable information collected by private corporations. This leaves users with very few remedies if companies fail to live up to their promises. As data collection by corporations becomes more ubiquitous, the need for a robust privacy legislation becomes harder to ignore.

---

This post is based on the privacy policy that came into effect on 15 July 2015, as available at https://www.uber.com/en-IN/legal/privacy/users/en/ on 23 May 2017.

Linking PAN with Aadhaar – Updates from the Supreme Court (Day V)

The arguments in the case challenging the constitutionality of s. 139AA of the Income Tax Act (IT Act) continued for the fifth day today. Summaries of arguments advanced on the first four days can be accessed here. Today, the Central Government concluded its submissions and the petitioners commenced their rejoinder arguments.

Due to the Attorney General’s unavailability, the Central Government as well as the Unique Identification Authority of India (UIDAI) were collectively represented by two counsels for today’s hearing.

The Government advanced arguments on two grounds raised by the petitioners during their submissions –

1. Violation of Article 14 of the Constitution
2. Informational self-determination

Violation Article 14 of the Constitution

On Article 14, two main arguments were advanced. The first was that proportionality was not a facet of Article 14, and should not be read into the Article in the instant case. The second argument advanced was that in any case, on facts, there was no Article 14 violation. An important facet of the second argument, subsequently advanced by the second counsel was that inclusion of Aadhaar into the tax regime actually helped secure Article 14 rights, or the right to equality. India had a progressive tax regime, which in itself was an important aspect of equality under Article 14. It was argued that weeding out duplicate PANs to end corrupt practices would eliminate the discrimination against honest tax payers as against those abusing the system.

                  Proportionality

The first argument advanced was that proportionality was not a facet of Article 14 under our constitutional scheme. To decide proportionality of a legislation would amount to the Court substituting its wisdom in place of the legislature. It was argued that the issue of proportionality only arose in a context where a restriction needed to be balanced with a right of if different rights were required to be balanced. Article 14 did not contemplate any such balance and therefore, the issue of proportionality did not arise.

                  No violation of Article 14 on merits

With respect to the second argument, it was argued that the penalty imposed by the legislature could not be struck down on proportionality. This was because s. 139AA did not impose any new penalty and the consequences would be the same as if an individual did not quote their PAN for tax returns. The counsel revisited the AG’s argument that the purpose of PAN was also to provide a unique identity. Further, it was also submitted that an enactment cannot be struck down on reasonableness or arbitrariness. Rajbala v. State of Haryana was again cited for this proposition. Citing the Mardia Chemicals judgement, Justice Sikri suggested that in certain circumstances, the ground of arbitrariness may be available.

On the argument that s. 139AA lacked a rational nexus with the object of controlling black money as it only affected individuals and not companies, the Union’s response was that the enactment never purported to solve the problem completely. The Government would probably devise other methods for tax evasion and money laundering done through companies or trusts. A sealed envelope, with details of ongoing investigations was handed over to the bench to impress upon it the extent of tax fraud perpetuated by individuals. However, the bench refused to take a look at it.

The bench appeared convinced regarding the intelligible differentia between individuals and legal persons but quizzed the counsel regarding the discrimination between willing enrollees of Aadhaar and those who objected to the scheme. To this, the Union’s response was that the object of the scheme was not to discriminate, as it only sought de-duplication of PAN and not seeding of Aadhaar numbers. The counsel further argued that ‘conscientious objectors’ should actually be considered as offenders of the law, notwithstanding any good or moral justifications for not wanting to comply. If being a conscientious objector was seen as a standard for discrimination, most laws would be considered discriminatory.

Informational Self-Determination

With respect to informational self-determination, three arguments were advanced – that the right was not absolute, that the right was an inherent facet of privacy (which could not be argued before this Court) and that the right could not be imported into Indian jurisprudence as is, due to peculiarities of the Indian context.

The counsel argued that even in Germany, where the right emerged, it was not absolute. In India, all fundamental rights envisaged restrictions. Quoting Daniel Solove’s seminal paper titled Conceptualizing Privacy, he further argued that informational self-determination was intrinsically linked to privacy. Lastly, he submitted that German conceptions of privacy were markedly different and warned against directly borrowing solutions from one jurisdiction to another, without context. The counsel cited R. Rajagopal v. State of Tamil Nadu to emphasise that the right to be let alone was a part of privacy rights, which prompted Justice Sikri to frame the issue as that of choice. He asked the petitioners if they had any right to pay taxes in the manner they desired.

In conclusion, the counsel argued that biometrics were the most sophisticated technology for de-duplication in this day and age. Under Section 70 of the Information Technology Act, the central repository which stored biometrics had been designated as a Critical Information Infrastructure, ensuring additional security for it.

At 2:30 pm, shortly after the court reassembled after the lunch break, the petitioners began their rejoinder arguments. On behalf of (Retd) Maj. Gen Vombatkere and Mr. Wilson, the following arguments were made –

1. The counsel emphasised on the petitioners’ background and their contribution to the state as well as civil society. He reiterated their grave concerns about the state’s efforts to constrain their freedom. He specifically pointed out Mr. Wilson’s work with manual scavengers and how biometrics have repeatedly failed for those engaged in manual labour. The exclusion due to biometric failure made this a real civil rights issue, rather than an elite concern as the AG had claimed.
2. He reiterated his argument that the scheme of the Aadhaar Act was in collision with s. 139AA as the former was voluntary and the latter was not. In response, the AG had tried to reconcile this contradiction by arguing that even under the Aadhaar Act, enrolment was mandatory. The petitioners’ counsel argued that this was wrong, and proceeded to attack the premise of this argument by showing how the entire scheme of Aadhaar was voluntary. He relied on –

• Section 3 of the Aadhaar Act, which creates an entitlement in favour of a resident, but poses no obligation to obtain an Aadhaar.
• Further, Section 7 of the Act only applied to subsidies or benefits. He argued that it was a narrow provision and could not be extended to situations such as tax collection.
• Section 8 of the Aadhaar Act contemplates seeking consent, again pointing towards the voluntariness of the scheme.
• He then referred to the enrolment form appended as a Schedule to the Aadhaar (Enrolment and Update) Regulations 2016. The form clearly stated that Aadhaar enrolment is ‘free and voluntary’.
• Additionally, citing Regulation 6 of the Aadhaar (Authentication) Regulations 2016, he pointed out how consent was an inherent aspect of the enrolment process. There could be no consent to a mandatory scheme.
• Further, Section 57 of the Act, on which the AG had relied to show that Aadhaar could be used for purposes other than subsidies or benefits, also contemplated informed consent by making a reference to Section 8. He contended that the nature and character of Aadhaar was essentially voluntary, and therefore, tax payers could not be compelled to enrol for it.
• The lack of any coercive action or penalty under the Act for failing to enrol.

The petitioners’ counsel also relied on representations made on the UIDAI website and the advertisements put out by UIDAI reaffirming its voluntariness. He proceeded to argue that to claim otherwise would be to defraud the public. Since instrumentalities of the state could not defraud the citizenry, their representations as to the voluntary nature of Aadhaar must be taken to be true and s. 139AA should be struck down on this ground alone.

He went on to reference a report from today’s newspaper about new-borns being required to enrol for Aadhaar even before they were assigned a name. In his view, the insistence on tracking individuals from birth showed signs of a totalitarian state, capable of destroying any individual social or political choice.

He also assailed the Central Government’s argument that biometric authentication was secure and sophisticated. He explained how it was possible to forge fingerprints using a photograph or Fevicol.

On the contention that Aadhaar leaks by government portals were distinct from the main centralised database being compromised, he contended that from the citizen’s point of view, the lapses were made by the state. The citizens’ personal information was in public domain irrespective of where the lapse occured.

On compelled speech, he clarified that the issue was not limited to parting with biometrics or iris scans, but a compulsion to give information to a private third party, 34,000 of whom had been blacklisted. The architecture, he argued, was deeply flawed. Based on the Government’s contention that personal information was required to be supplied for purposes such as Census and registration of property, he responded that these were vastly different. These were localized, retained by one authority and for a narrowly tailored purpose. Under the Census Act, there were restrictions on sharing the information, including a prohibition on using the information in a court of law. (Author’s note – the Aadhaar Act allows information stored in the centralised database to be used for court proceedings pursuant to a judge’s orders)

He also debunked the Centre’s claim that Aadhaar was an identity for the identity-less, by citing RTI replies from UIDAI pointing out that less than 0.03% of the total number of people enrolled lacked any previous form of identification.

Finally, on legislative competence, he argued that despite wide residuary powers, there were implied limitations on the state’s power to legislate with respect to an individual’s body, barring narrowly tailored circumstances. Viewed this way, s. 139AA was not a fiscal statute, where the state enjoyed wide latitude to legislate.

The counsel for Mr. Binoy Viswam commenced arguments shortly before the court rose for the day. His arguments will continue tomorrow, after which the matter is likely to be reserved for judgment. A summary of his arguments made today and tomorrow will be collectively posted after tomorrow’s hearing.

Is Your Aadhaar Number Confidential?*

Earlier this week, an agency entrusted with enrolling individuals under the Aadhaar scheme inadvertently published Mahendra Singh Dhoni’s personal information online. When it was pointed out this amounted to a gross violation of privacy, the government released a statement confirming that such publication was illegal and that the agency had accordingly been blacklisted. Another post indicated that several databases containing individuals’ Aadhaar numbers can be obtained by a simple online search. Over the last few months, the government has made the Aadhaar number mandatory for a host of benefits, including essential schemes such as the mid-day meal scheme for school children. As Aadhaar increasingly becomes the gateway to accessing benefits, the lack of clarity about how the number can be used, displayed or stored deserves further attention.

Aadhaar was introduced in 2009 as a way to plug leakages in the welfare delivery mechanism. It proposed to do so by creating a secure authentication mechanism that is capable of accurately verifying the identity of beneficiaries. Under the regulations framed under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 (‘Aadhaar Act’), this can be done in three ways –

• Demographic authentication – requires some demographic information (such as name or address) along with one’s Aadhaar number
• One Time Password authentication – authentication through a One Time Password, sent to an individual’s registered mobile number, coupled with one’s Aadhaar number
• Biometric authentication – uses biometrics along with the Aadhaar number

However, besides authentication, the Aadhaar number, usually printed on paper card and laminated has gained wide currency as a regular identification card. It is popularly used as a proof of identity, and photocopies of it are readily submitted where identity proof is required for compliance with certain legal obligations (such as hotel reservations, use of a cyber-café etc.). The wide circulation of information printed on these cards – Aadhaar numbers as well as basic demographic information such as one’s name and address, makes it susceptible to misuse.

To illustrate, if an entity opted to authenticate its customers using the ‘demographic authentication’ model, the easy availability of such information would make it exceptionally easy to avail the service under a false identity. Even for authentication using biometrics, it has been repeatedly argued that fingerprints can easily be copied and re-created. This points to a need for more restricted use of the Aadhaar number, and stringent safeguards for its storage and sharing.

The legal framework does not specifically prohibit the use of Aadhaar as an identity document, but news reports indicate that the UIDAI does regard this as being problematic. In the weeks following demonetisation, the UIDAI, through its Twitter handle, had ‘advised’ people not to share their Aadhaar numbers printed on such cards. It further warned that if a photocopy was being submitted, it should be self-attested and the purpose for sharing should be clearly stated to avoid misuse. This form of advisory, without any formal action to tackle concerns regarding misuse of Aadhaar data raises several concerns.

The Aadhaar (Sharing of Information) Regulations 2016 (Regulations) require that any individual or entity that collects the Aadhaar number must –

• Not publish or publicly display it;
• Ensure its security and confidentiality;
• Ensure that numbers have been redacted before publishing any database that contains them;
• Not transfer it in an unencrypted form, except when required for correction errors or grievance redressal; and
• Not hold such data for longer than is necessary to achieve the desired purpose.

However, a blog post that has been shared widely shows that organisations including government departments have been callous in how they store Aadhaar information. Under the Regulations, this constitutes a violation of Section 29 of the Aadhaar Act. Such a lapse in storing Aadhaar information is punishable with imprisonment for a term which may extend to three years or a fine that may extend to ten thousand rupees or both (in case of a company, the fine may extend to one lakh rupees). However, it remains to be seen if the UIDAI will initiate any action against these entities.

This highlights another weakness of Aadhaar’s legal framework – it does not allow individuals to approach the court for any instance of data mismanagement. The complaint can only be initiated at the behest of the UIDAI. As a result, individuals whose data has been made public can only hope that the UIDAI will take action against erring entities. A recent report highlights that the UIDAI has only initiated criminal complaints in three out of 1390 complaints received by it so far.

Besides this major lacuna, what qualifies as adequate security for storing Aadhaar numbers remains unknown, as the regulations do not prescribe any standard. They are therefore inadequate to ensure that the Aadhaar number remains confidential.

So is the Aadhaar number confidential? The law certainly seems to suggest so, but its wide use as an identity proof indicates otherwise. It is apparent that the Aadhaar is popularly used as an identity document, contrary to its original purpose as a means for authentication or verification of identity. Despite being in contradiction with the scheme of the regulations, there has been little effort on the UIDAI’s part to initiate any course correction. It has been pointed out that one reason for this could be that it will reduce the public acceptability of Aadhaar, and public perception may take a hit. But it is extremely short-sighted to sacrifice individuals’ security and privacy in order to maintain public perception.

__________________________________________________________________

*Builds on important disclosures made by @St_Hill in a post here.

Two Takes on the Right to be Forgotten

Last month saw important developments in the discourse around the right to be forgotten. Two high courts, Gujarat and Karnataka, delivered judgments on separate pleas to have particular judgments either removed from online repositories and search engine results or have personal information redacted from them. The Gujarat High Court dismissed the petition, holding that there was no legal basis to seek removal of a judgment from the Internet. On the other hand, the Karnataka High Court ordered the Court’s Registry to redact the aggrieved person’s name before releasing the order to any entity wanting to publish it. This post examines both judgments to understand the reasoning and legal basis for denying or accepting a claim based on the right to be forgotten.

 Gujarat High Court

According to the facts reproduced in the order, the petitioner in this case had criminal charges filed against him for several offences, including murder, which ultimately resulted in an acquittal. At the appellate stage too, the petitioner’s acquittal was confirmed. The judgment was classified as ‘non reportable’ but nevertheless published on an online portal that reproduces judgments from all superior courts in India. It was also indexed by Google, making it easily accessible. Being distressed about this, the petitioner sought ‘permanent restrain of free public exhibition of the judgement…over the Internet’.

While dismissing the petition, the Court held that it was permissible for third parties to obtain copies of the judgment under the Gujarat High Court Rules 1993, provided their application was accompanied by an affidavit and stated reasons for requiring the judgment. Moreover, it held that publication on a website did not amount to a judgment being reported, as the classification of ‘reportable’ was only relevant from the point of view of law reports. In the Court’s opinion, there was no legal basis to order such removal and the presence of the judgment on the Internet did not violate the petitioner’s rights under Article 21 – from which the right to privacy emanates.

The Court’s dismissal of the argument that a non-reportable judgment is on an equal footing with a reportable judgment is problematic, but hardly surprising. In a 2008 decision, while describing the functions of a law reporter that was a party before it, the Supreme Court observed that “the [law report] publishes all reportable judgments along with non-reportable judgments of the Supreme Court of India” The distinction between reportable and non-reportable judgments was not in issue, but it does call for some introspection on the legal basis and rationale for classification of judgments. In an article on the evolution of law reporting in India, the constitutional expert M.P Jain explains that law reports were created as a response to Indian courts adopting the doctrine of precedent. This is the doctrine that binds lower courts to decisions of the higher courts. Precedent is created when a court lays down a new principle of law or changes or clarifies existing law. Consequently, the decision to make a ruling reportable (ideally) depends on whether it sets a precedent or not. Presumably then, there is a lesser public interest in having access to non-reportable judgments as compared to reportable ones.

While there is a clear distinction between publication in a law report and publication of the transcript of the judgment, the lack of a public interest element could have been taken into account by the High Court while deciding the petition. Moreover, it is unclear how reliance on the High Court Rules helped the Court decide against the petitioner. Third parties may be entitled to obtain a copy of a judgment, but the motivation behind a right to be forgotten is to only make information less accessible, when it is determined that there is no countervailing interest in its publication. At its root, the right is intended to enable citizens to exercise greater control over their personal information, allowing them to live without the fear that a single Google search could jeopardise their professional or personal prospects.

Karnataka High Court

Less than three weeks after the Gujarat High Court’s decision, the Karnataka High Court ordered its Registry to redact the name of the petitioner’s daughter from the cause title as well as the body of an order before handing out copies of it to any ‘service provider’. It accepted the petitioner’s contention that a name-wise search on a search engine might throw up the order, adversely affecting his daughter’s reputation and relationship with her husband. The Court clarified that the name need not be redacted from the order published on the Court’s official website.

Towards the end, it remarked that such an action was ‘in line with the trend in Western countries’ where the right to be forgotten exists as a rule in ‘sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned’.

This statement is problematic. The right to be forgotten emanates from the right to privacy and data protection, which are both regarded as fundamental rights in Europe. Basing the right on ideas of honour and modesty [of women] creates some cause for concern. Further, an important distinction between this case and the one before the Gujarat High Court is that neither Google nor any website publishing court judgments were made parties to it. The claim was based on redaction of information from the source, rather than de-listing it from search engine results or deleting it from a website. This is interesting, because it allows us to think of the right to be forgotten as a comprehensive concept, instead of a singular right to de-list information from search engine results. It provides courts with a choice, allowing them to opt for the least restrictive means to secure an individual’s right to online privacy.

However, the lack of a clear legal basis to allow or deny such claims raises cause for concern. As is already apparent, different high courts are likely to take divergent views on the right to be forgotten in the absence of an overarching data protection framework that grants such rights and prescribes limits to them. In several cases, the right to be forgotten will trigger a corresponding right to freedom of expression and the right to know. The criteria to balance these important but competing claims should be in place for courts to be able to decide such requests in a just manner.

Supreme Court considers installation of CCTV units in courts – but will it regulate what happens next?

Earlier this month, the Supreme Court heard a petition seeking directions to ensure audio-visual recording of the proceedings in trial courts. The reasoning behind the request was that recording proceedings would enhance the fairness of trials. The Supreme Court decided to limit the question to whether CCTV (video only) cameras may be installed at various locations in the courts, in order to better serve security and administrative needs.

This is not the first time the Supreme Court has discussed the use of CCTV cameras for security and other purposes. However, there is also no comprehensive law that deals with the use of CCTV cameras and related security and privacy issues.

In the present case, the Court initially noted that multiple courts, including the courts in Gurgaon have undertaken such efforts in the past. The Court then requested the additional solicitor general and a senior advocate present in the court as amicus to visit the courts in Gurgaon, and report on the matter within four weeks. It stated that once the report is received, it will consider directing installation of CCTV (video only) cameras at district courts in various states. It has also indicated that any recordings made by these CCTV cameras will not be available to the public, and will be retained for specified periods of time only.

The Court has considered the use of CCTV cameras in public places in previous cases. In Deputy Inspector General of Police and Anr. v. S. Samuthiram, a case regarding eve-teasing / sexual harassment, the Court took cognizance of such cases and the need for prevention mechanisms. Amongst other things, it directed all states and union territories to install CCTV cameras in public places. The CCTV cameras were to be positioned such that they act as a deterrent to potential offenders, and if an offence was committed, the offenders would be caught / identified.

In Dilip K. Basu v. State of West Bengal and Ors, the Court considered the request of the amicus, and directed state governments to: (a) take steps to install CCTV cameras in all the prisons in their respective states, within a period of one year from the date of the order (but not later than two years), and (b) consider installation of CCTV cameras in police stations in a phased manner depending upon the incidents of human rights violation reported in such stations.

State governments have also, in various instances, directed the installation of CCTV cameras in public places. In Tamil Nadu, the state government has directed that CCTV cameras must be installed in every public building. The cameras must be installed in accordance with the recommendations of the local police officers. Such recommendations may be made for purposes such as ensuring public order or controlling crimes and the reasons for the recommendation must be recorded in writing.

In Chandigarh, the local government released a set of draft rules meant to regulate mobile app-based transport aggregators (such as Uber and Ola). Among other things, these draft rules require that every taxi must install a CCTV unit to monitor activities inside the taxi in real time. The rules suggest that the video feed from the CCTV cameras should be linked to a control room established by the aggregator.

The above are some examples of courts and government bodies providing for installation and use of CCTV cameras and video recordings. There is a common trend among them – the orders and rules only deal with when and where the units are to be installed, and used. They do not, however, provide a procedural / regulatory mechanism to ensure proper, lawful use of such cameras and associated video recordings.

Maintenance of law and order, security, deterrence of criminal activity, and identification of offenders, are all important issues, and appropriate means should be adopted to provide for the same. At the same time, there needs to be a balance between such means, and individual rights, such as the right to privacy. These laws and orders largely deal with installation and use of CCTV cameras in public places, where some may argue that an individual does not have a reasonable expectation of privacy. However, reports suggest there is misuse of CCTV cameras, especially where installed in customer heavy locations such as retail outlets.

Such misuse could be dealt with under some existing provisions of laws such as the Information Technology Act, 2000 – for example under the provision which criminalizes capturing of images or videos of an individual’s private parts, or the data protection rules. However, these laws are of limited applicability, and deal mostly with sensitive personal information, and images or videos of a private / sexual nature. We do not currently have a comprehensive law that deals with  surveillance equipment and its use in public spaces. Although some states such as Tamil Nadu provide that CCTV cameras must be installed based on police recommendations, there is no general prohibition or restriction on their installation and use. Further, there are no specific restrictions on the collection, use, retention, or transfer of any video recordings, or information that is derived from such recordings. There is no mechanism put in place to deal with a situation where an individual’s data is shared without authorization.

Certain authorities within the country appear to have recognized this gap, and taken some steps towards addressing these issues. In Maharashtra, the local municipal corporation in Navi Mumbai has implemented a CCTV surveillance system to help the local police maintain law and order. The corporation has issued a ‘voluntary code of conduct’ in relation to all surveillance camera systems in public and private places. This document attempts to “provide a framework to all the stakeholders so that there is proportionality and transparency in their use of surveillance”. Among other things, it provides that (i) the use of a surveillance system must always be for a legitimate and specified purpose; (ii) establishments must be transparent about the use of CCTV cameras on their premises; and (iii) access to the video feed will be limited and subject to clearly defined rules on persons who can gain access and purposes for which access may be gained.

Even a limited framework such as this, goes a long way towards ensuring transparency and protection of individual rights and freedoms. Perhaps the Supreme Court will provide more nuanced directions, not only on the installation of CCTV cameras, but also on the use of associated video recordings when the matter is next brought up.