Pachauri defamation suit: Court rejects interim gag order plea

The Patiala House court at Delhi has rejected R. K. Pachauri’s plea for an interim gag order against NDTV, Bennett Coleman and Co., and the India Today Group. The media houses had been made defendants in a defamation suit filed by him in 2016.

In 2015, an FIR had been filed against Pachauri by a woman employee of TERI (The Energy and Resources Institute, of which he was then the Chief) accusing him of sexual harassment. Following these allegations, several other women had spoken out about similar experiences while they had worked at the organization. The allegations and ongoing proceedings had received extensive coverage in the media.

Pachauri filed for defamation against multiple parties, including the media houses, one of the women who had spoken out, as well as her lawyer. He sought a gag order against the media houses, and damages of Rs. 1 Crore from the victim and her lawyer.

We have written previously about how suits such as these are in the nature of ‘SLAPP’ suits – Strategic Lawsuits Against Public Participation. These are cases where powerful individuals and corporations use litigation as a way of intimidating or silencing their critics. The defendants are usually media houses or individuals who are then forced to muster the resources to mount a legal defense. Even if they are able to secure a victory in Court, it is at the cost of a protracted and expensive process.

The court has now refused to grant an interim injunction against the media houses, noting the right of the public to be aware of the developments. It further noted that public figures can be held to a higher degree of scrutiny by the public. However, it has also held that further reportage must also carry Pachauri’s views, and indicate that the matter is still pending before the Court. The text of the order may be found here.

Advertisements

SC Constitution Bench on Aadhaar – Final Hearing (Day X- Part II)

In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.

An interim order was passed in December of 2017, a summary of the arguments can be found here and here.

The final hearing commenced on January 17, 2017. Summaries of the arguments advanced on the first four days can be found here.

The matter is being heard in front of a constitutional bench, comprising of Chief Justice Dipak Misra, Justice Sikri, Justice Khanwilkar, Justice Chandrachud and Justice Ashok Bhushan.

Mr. Sibal began by reiterating that his primary status is that of a citizen of India and not that of an Aadhaar cardholder and that there is no difficulty in connecting identity to status. He stated that the Aadhaar architecture is defective and even if it is made perfect, it still could not be made mandatory.

He then discussed the doctrine of unconstitutional conditions upheld in The Ahmedabad St. Xaviers College Society & Anr. Etc. v. State of Gujarat & Anr. and In Re: Kerala Education Bill v. Unknown and explained that according to the doctrine a state cannot make a benefit or privilege conditional upon an individual giving up his rights. He argued that a condition that precludes one from enjoying a benefit on the basis of an unreasonable classification is void.

Justice Chandrachud asked if it’s not reasonable for government to require proof of identity if entitlement derives from it. Mr. Sibal responded that the proof has to be linked to ones status, which entitles him to a benefit. Justice Chandrachud interjected that there has to be a minimal way to prove who you are to which Mr. Sibal responded that there can be different ways to establish ones identity and reiterated that Aadhaar does not establish ones status.

Chief Justice Dipak Misra clarified if Mr. Sibal’s submission was that one could not be asked to barter or surrender any of his fundamental rights in order to have access to another and Mr. Sibal responded in the affirmative.

Justice Chandrachud asked if the argument was that constitutional violation occurs when a person’s choice of identity is restricted to one option and Mr. Sibal agreed to it. Justice Chandrachud pointed out that the argument is premised on the notion that everyone has at least one form of identity. He asked if in the event one does not have any identity proof if the government program is enabling him to have one, would that make the program constitutional. Mr. Sibal responded that even in such a scenario, the government cannot make just one identity compulsory but can only prescribe a method by which he can get an identity.

Chief Justice Dipak Misra pointed out that the whole argument boils down to choice and Mr. Sibal agreed to it. He submitted that the point of Aadhaar is not to grant identity but to authenticate it.

He agreed with Justice Chandrachud when he said that the argument put forth is that citizens must have a choice in deciding how to establish their identity through a reasonable manner prescribed by law.

Mr. Sibal, next, read out notifications that make Aadhaar mandatory for child labor welfare schemes, bonded labor rehabilitation schemes, which are meant for the most marginalized and pointed out that it is them who will be excluded and asked “if this is not a denial of fundamental rights, then what is?”. Next, he referred to Minerva Mills Ltd. & Ors. v. Union of India to emphasize that state should not achieve its goals by abrogating fundamental rights.

Mr. Sibal then mentioned that Aadhaar does not stop pilferage or leakage. Justice Sikri interjected stating that even if Aadhaar fails to take care of all kinds of fraud that in itself would not make it unconstitutional. Mr. Sibal responded that it would not but would raise questions about its proportionality and reiterated that his argument is that the scheme is disproportionate.

He then submitted to the court a compilation repudiating all the factual claims made by the state.

Justice Sikri raised concerns regarding people possessing multiple passports and other IDs and proposed that Aadhaar can be used to curb this problem by replacing multiple IDs. Mr. Sibal rebutted that people have multiple Aadhaars as well and stated that it is an issue that has to be dealt by law. He argued that the fact that some people are breaking the law couldn’t be cited as a ground for justifying the state’s action of making Aadhaar mandatory.

Mr. Sibal concluded by stating that this is the most important case that has been dealt by the court since independence and stated that it is more important than ADM Jabalpur v. S. S. Shukla as it dealt with a constitutional provision which had a limited expanse whereas Aadhaar has unlimited expanse as it binds everyone including the ones who are yet to be born. He stated that this judgment would decide whether we would be living in a country with choice or in a country where the state is the arbiter of choice.

Senior Counsel Gopal Subramanium commenced his arguments.

Mr. Subramanium initiated his arguments by referring to Puttuswamy v. Union of India and stated that the core of the judgment was the idea of dignity. He submitted that despite the advancements in technology, the Constitution has to be abided by. He stated that according to the privacy judgment the intrusion into the right to privacy by the state has to be as minimalistic as possible.

He stated that identification itself is a pejorative act. He also submitted that the Act strikes at the accountability of the state as it disintermediates the state.

The hearing will continue on Thursday (15/02).

 

SC Constitution Bench on Aadhaar – Final Hearing (Day X- Part I)

In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.

An interim order was passed in December of 2017, a summary of the arguments can be found here and here.

The final hearing commenced on January 17, 2017. Summaries of the arguments advanced on the first four days can be found here.

The matter is being heard in front of a constitutional bench, comprising of Chief Justice Dipak Misra, Justice Sikri, Justice Khanwilkar, Justice Chandrachud and Justice Ashok Bhushan.

Mr. Sibal commenced the proceedings by reading out the definition and purpose of biometric database from the biometric ID law of Israel. He focused on the aspect of consent in the law and pointed out the voluntary nature of the ID cards. He further pointed out that the law permits the usage of biometrics only for the purpose for which it is collected and that access to the database is also restricted for a specific purpose. He also indicated that there is no provision for collection of metadata in the Israeli law.

Next, he referred to the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act) and submitted that it is mandatory, lifelong, expansive, and that consent is illusory under it. He said that database should be used only for purposes authorized by law but also pointed out how the purpose of national security is often misused in India citing the targeting of NGOs in the name of national security as an example.

Mr. Sibal then submitted his proposition that information is power in today’s world where it is used for both commercial and non-commercial transactions. He referred to Paragraph 311 of Puttuswamy v. Union of India discussing the power of information and knowledge. Next, he read excerpts from the Harvard Business Review, which discussed the acquisition of WhatsApp by Facebook for an extremely high value and stated that these services are highly valued because of the information they provide. He then referred to the privacy judgment again, which stated that services such as Airbnb, Uber have only scattered information. He argued that information in silos is inconsequential whereas aggregated information poses a huge threat.

He stated that we cannot argue against the state insisting on national ID but we can ensure that our ID is neither in a public space nor in a centralized database. He further submitted that it is not problematic if the state asks for an ID card with biometrics as there is no metadata in it and reiterated that what is being challenged is the architecture and not the thought behind the Aadhaar. He stated that information regarding the opening of a bank account or a train journey is not relevant to public interest and there is no need for such information to be with the state. He highlighted this as the metadata problem. Referring to the incident where a woman had to deliver a baby outside the hospital for want of Aadhaar, he argued that medical information has no relevance to public interest.

He stated that his fundamental identity is that of a citizen of India and argued that how he proves his identity is his choice and the state can’t dictate how he should prove his citizenship.

Mr. Sibal, next, discussed the issue of mandatory nature of Aadhaar. He pointed out that despite the voluntary nature provided in Sec. 3 of the Aadhaar Act, it is actually mandatory. He then moved to Sec. 57 and pointed out that the section brings out the true intent of the Act to establish it as an exclusive proof of identification for purposes other than the ones stated in the object. He submitted that consent given is only for authentication. However when Aadhaar is made mandatory to get entitlements, there is no real purpose of consent.

Mr. Sibal, next, discussed the issue of concentration of information in a single entity. He stated that such concentration gives enormous powers to the entity and referred to relevant portions of the privacy judgment to highlight the issue.

Next, he discussed the issue of proportionality. He pointed out that for an statute to be proportional its objective would have to be taken into consideration and if the proposed policy was the least restrictive way to achieve that objective. Mr. Sibal submitted that, in the current case there was no nexus between Aadhaar and entitlement and therefore it was violative of the proportionality doctrine. He further stated that it was a citizens status from which entitlements were to flow and the state could not deny benefits only for the want of a certain proof of identity. He further pointed out that most the entitlements flow from part III of the Constitution and therefore the denial of it for want of a particular proof of identification would be denial of those fundamental rights.

Referring to Article 21, he stated that the right to livelihood  can be denied only by just and fair procedure of law and therefore denial of it merely for want of Aadhaar is neither just nor fair.

He concluded his argument on proportionality by stating that the procedure does not meet the test of Article 14 and therefore using only Aadhaar as proof of identity is unconstitutional and that it amounts to extinguishment of fundamental rights.

 

 

Back to the Basics: Framing a New Data Protection Law for India

Over the past decade or so, the use of personal and big data has changed the way many businesses and governments operate. Regulators and legislative bodies have been struggling to keep up with the changes in technology, and increasing concerns about what it means for the privacy of individuals.

In India, we have worked with the Information Technology Act, 2000 (IT Act)[1], and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Data Protection Rules) for a few years now[2]. These rules were arguably put together as a response to claims that Indian law did not meet European data protection standard, and for the purpose of ensuring that Indian companies do not lose cross border business (with the European Union)[3]. The rules are fraught with inconsistencies, right from the scope of the rules, to the manner in which they can be enforced[4].

Barring these rules, we have had minimal regulations on the use of personal data in certain sectors[5].

The Committee of Experts (Committee), constituted by Ministry of Electronics and Information Technology (MEITY), is currently working on recommendations regarding a new legal and regulatory framework for protection of personal data in India[6]. With all signs pointing only towards an increase in not only data driven businesses, but also data driven solutions to problems in many aspects of our life, it is imperative that we get it right this time.

The constant change and development in tech over the past few decades has shown us that it may be difficult to predict the way our technology and the internet will look in 10 years. It may be even more difficult to put in place the perfect legal system that addresses such technology. However, ensuring that the basic premise of the data protection law – what / who does it aim to protect, what the scope of the law is, and what principles the law is meant to uphold – is balanced and robust, will go a long way in ensuring that we have a strong, yet flexible legal framework[7].

In my paper titled ‘Back to the Basics: Framing a New Data Protection Law for India’, I take a preliminary look at each of these three concepts, while focusing largely on some of the principles that data protection laws have traditionally relied on, and how they can be revisited in today’s context.

The paper is available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3113536

 

 

[1] Information Technology Act, 2000, available at https://indiankanoon.org/doc/1965344/ (last visited on January 30, 2018)

[2] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, available at http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf (last visited on January 30, 2018)

[3] Krishna Prasad, Smitha, (Draft) Paper on Information Technology Act, 2000 and the Data Protection Rules (December 30, 2017). Available at SSRN: https://ssrn.com/abstract=3094792 (last visited on January 30, 2018)

[4] Krishna Prasad, Smitha, (Draft) Paper on Information Technology Act, 2000 and the Data Protection Rules (December 30, 2017). Available at SSRN: https://ssrn.com/abstract=3094792 (last visited on January 30, 2018)

[5] International Comparative Legal Guide, Chapter on Data Protection in India, 2017, https://iclg.com/practice-areas/data-protection/data-protection-2017/india (last visited on January 30, 2018)

[6] http://meity.gov.in/writereaddata/files/meity_om_constitution_of_expert_committee_31072017.pdf (last visited on January 30, 2018)

[7] Krishna Prasad, Smitha, “Defining ‘personal info’ broadly key to protecting it”, January 21, 2018, available at:  http://m.deccanherald.com/?name=http://www.deccanherald.com/content/655012/defining-personal-info-broadly-key.html (last visited on January 30, 2018)

SC Constitution Bench on Aadhaar – Final Hearing (Day IV)

In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.

An interim order was passed in December of 2017, a summary of the arguments can be found here and here.

The final hearing commenced on January 17, 2017. Summaries of the arguments advanced on the first three days can be found here, here, and here.

Senior Counsel Shyam Divan continued to take the court through the relevant provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act). He started off with s.57 and pointed out that the section not only contemplates the giving of the aadhaar number by an individual but the proviso also requires it to be authenticated. Next, he moved to s.59 and argued that the text of the section only validates the actions of the central government and therefore the actions of private entities including private enrollment agencies are not protected.

Justice Sikri stated that during the pre-statute regime also, the appointment of the enrollment agency was made by the Unique Identification Authority of India (UIDAI). However Mr. Divan responded arguing that there was neither a statutory framework nor privity of contract prior to the Act. He also indicated that the even if the enrollment agency was appointed by the Registrar, the later was still not the central government and therefore the protection of s.59 does not extend to private enrollment agencies.

Justice Sikri, however, stated that as the central government appointed the UIDAI, all the actions performed by it should be protected by s.59. Mr. Divan responded that what may be protected is the central government’s action of entering into a memorandum of understanding (MoU) with the UIDAI but not the actions of the Registrar.

Justice Chandrachud pointed out that the Registrar would not have been appointed in the absence of the MoU and therefore his actions are also protected. Mr. Divan, however, stated that there was no legislative or contractual framework for the appointment of the Registrar and his actions cannot be attributed to the central government. He also stated that enrollment agencies are not covered under the MoU and therefore the enrollments prior to the Act are not saved by s.59.

Mr. Divan further argued that even if the provision was assumed to have retrospective effect, it would still not be able to cure breach of fundamental rights that have already occurred, as the violation is complete.

Justice Chandrachud asked whether Aadhaar was used by private entities before the Act and pointed out that such action would not be validated by s.59. Mr. Divan replied that he will gather the specific factual details on it. Justice Chandrachud further mentioned that s.59 attempts to provide a basis in law, as was said to be required in Puttaswamy vs. Union of India, through a legal fiction. He asked Mr. Divan to consider how to deal with data breaches prior to the Act.

Mr. Divan also pointed out that there is a requirement of informed consent that is to be satisfied and mentioned that there can be no retrospective validation by stating that there was always consent. He concluded the discussion on the provision by submitting that even if the provision is upheld, it should be accorded the narrowest reasonable construction.

He then submitted the main heads of challenges to the Act:

  1. Surveillance: The architecture of Aadhaar enables pervasive surveillance.
  2. Violation of privacy: Prior to the Act, there was no law authorizing the violation of the right to privacy. Even after the enactment of the Act, violation of informational privacy continues when the private entities are allowed to collect information. Mandatory authentication for availing subsidies, depriving individuals the choice to submit alternate modes of identification also results in violation of informational privacy.Mr. Divan also submitted that there is a violation of individual autonomy and dignity, when individuals are compelled to part with demographic or biometric information. He stated that in a digital society, individuals have the right to control dissemination of their personal information and highlighted that information in silos, when aggregated, can enable the government to create an entire profile of the individual, resulting in the violation of their right to privacy.
  3. Limited government authority: The Constitution is not about the power of the state but about the limits to that power. The Aadhaar programme if allowed, would result in a totalitarian state wherein all basic activities of the citizens will be known to the state.Here, Mr. Divan reiterated that state has the power to cause civil death by disabling an individual’s Aadhaar. He also said that implementation of the Aadhaar programme would result in a pervasive state where citizens are forced to be transparent to the state instead of the state being transparent to the citizens.
  4. Money Bill: Mr. Divan reiterated that the Act was not a money bill and stated that Mr. Sibal and Mr. Datar will address this in detail.
  5. Violation of Ar.14 and Ar.21: Procedure under the Act violates Ar.14 and Ar.21 as there is no informed consent. The individuals are not informed about the commercial value of the data or that it could be used in criminal proceedings pursuant to court order. Furthermore, there is no opt-out option. Also, most of the process is performed by private entities with no government oversight. Moreover the data collected and stored lacks integrity, as it is self-certified. Here, Mr. Divan indicated how the verification processes of the banks are now being replaced merely with the Aadhaar, a process that lacks adequate oversight. He also stated that UIDAI has no control over the use or misuse of the data; at the most it can blacklist the agencies.
  6. Unreliability of biometrics: Biometrics are probabilistic. Mr. Divan stated that if biometrics does not match, then an individual ceases to exist.

Mr. Divan, next, moved to the Act to establish its unconstitutionality, section by section. He submitted that when s.2(c) on “authentication” and s.2(d) on “authentication record” are read with s.32, they facilitate real time surveillance which is unconstitutional. He also submitted that the notion of a central database is unconstitutional as it enables an authoritarian or police state. He stated that it will also compromise national sovereignty, if the database is operated by foreign agents.

Justice Chandrachud asked who maintains the Central Identities Data Repository (CIDR) and if the source code is with the UIDAI. Mr. Divan responded that there are agreements with foreign entities as they developed the technology and as far as the source code is concerned, it is proprietary technology which belongs neither to the UIDAI nor to the Indian government.

He also raised the concern that private enrollment agencies cannot be entrusted with the task of ensuring informed consent. He also reiterated that the definition of “resident” is problematic as it neither requires proof nor has a verification mechanism in place. He pointed out that the security of the country is compromised when the Aadhaar is issued without rigorous verification process. Furthermore, he submitted that s.7 is unconstitutional, as it compels an individual to give up her constitutional rights to enjoy certain subsidies, benefits to which she is entitled.

Next, he moved to Chapter IV of the Act and stated that the right to individual freedom also entails the right to be alone. He then moved to s.33, which allows the information to be used for police investigation. He submitted that this would amount to self-incrimination and also highlighted that there is no opportunity for hearing, which is contrary to natural justice.

Mr. Divan then submitted to the bench a compilation of the various circumstances in which a society considers the collection of biometric information reasonable. He took the court to s.15 of the Census Act, 1948 to demonstrate the nature of protection accorded to census data. The section prevented any court from summoning the information gathered except for an offence under the Census Act. Next, he moved to s.7 of the Identification of Prisoners Act, 1920, which even in the pre-constitutional era accorded protection to bodily information by requiring the destruction of personal data if the prisoner is released without charge. Next, he moved to s.32A of the Registration Act, 1908. He pointed out that the section prescribed the collection of information-photograph and finger print- for a very narrow purpose and that it is collected only once and is maintained with one registry. He cited this as an example of a law satisfying the legitimate purpose and proportionality requirements. Finally, he took the court to s.6 of the Bombay Habitual Offenders Act, 1959 which allowed palm impressions of the offenders to be taken. However s.9 of this Act provides that the registration of a habitual offender would come to an end after five years.

Mr. Divan stated that all these acts are narrowly tailored unlike the Aadhaar Act.

Next, he elaborated his argument on surveillance. He began by explaining how the architecture of the Act enables surveillance. He reiterated that state can aggregate data collected over a period of time to acquire the profile of an individual, a community, or a segment of society. However the constitution does not permit a surveillance state.

Mr. Divan then discussed in detail the technical aspect of the programme. He stated that every electronic device linked to CIDR is assigned a unique number. This will help in recognizing the device from which the transmission of information emanates. A unique electronic path attaches to each transmission enabling the identification of the links through which the transmission takes place. Based on this, Mr. Divan submitted that every transaction can be tracked and the broad nature of the transaction can also be identified. He also submitted that the technology enables tracking of the location of the device in real time. He further stated that s.57 of the Act, will further deepen the extent and the scope of this surveillance over time.

Mr. Divan submitted affidavits of technical experts to demonstrate how the programme would enable surveillance by the state. Mr. D’Souza in his affidavit mentioned that he had demonstrated to the UIDAI officials the ease with which fingerprints can be replicated and duplicated. He also highlighted that fingerprint machines are not manufactured indigenously and therefore the machine code and source code are unknown to the UIDAI. This could result in having a backdoor feature that could be used for data mining without UIDAI’s knowledge, which could pose as a serious threat to national security.

Justice Chandrachud asked to what extent the court can look into technical evidence. He also asked if this would result in second guessing the decision of the executive government.

Mr. Divan stated that the affidavits confirm that the technology enables a complete mapping of the electronic path in real time, thereby allowing the tracking of the location. He pointed out that such a system is not in place anywhere else.

Justice Chandrachud stated that government is subject to Ar.14 and therefore the manner in which it uses the information is also subjected to the Constitution. He questioned if we are comfortable with Google maps and other private entities tracking us. Mr. Divan responded that when such surveillance is performed by the state it would make the state a police state, which is not permitted by the Constitution. He further stated that the Constitution couldn’t even be amended to permit it, as it would deprive individuals their liberty to live in a democratic state. He also mentioned that Google, although powerful, is not as powerful as the state.

Justice Chandrachud questioned what is the problem with collection of data if its use is limited to its purpose. He said that we are living in times of terrorism, money laundering and therefore we need to balance it with our concerns of privacy. He stated that surveillance is about how the data is used and not about the collection of data.

Mr. Sibal responded that the problem lies in handing over such extensive information to the state. He said that the state may use such information without the individual’s knowledge. Mr. Divan agreed to this statement and stated that the whole point is to prevent surveillance by the state. He said that it would be extremely perilous to ignore the affidavits of the technical experts. He mentioned that tracking by Google is a separate issue but what is of concern here is whether state can perform such pervasive surveillance.

Mr.Divan then took the court to Justice Subba Rao’s dissenting opinion in Kharak Singh v. The State of UP & Ors., which was endorsed as the correct position in Puttaswamy vs. Union of India. He read the part that discuses how surveillance constricts the right to life and liberty. Next, he highlighted the District Collector v. Canara Bank judgment wherein it was stated that “we are not living in a police raj”. He said this is exactly the point in the present case. Next, he moved to Justice Sotomayor’s opinion in US v. Jones wherein it was held that physical violations are no longer required to infringe privacy. Next, he moved to the judgment of the European Court of Human Rights in Zakharov v. Russia.

The hearing will continue on 30th January, 2018.

SC Constitution Bench on Aadhaar- Final Hearing (Day III)

In October 2015, a 3-judge bench of the Supreme Court of India referred challenges to the Aadhaar program to a constitution bench. One of the primary concerns of this petition was to decide on the existence of a fundamental right to privacy, which has since been upheld. Other similar petitions, concerned with the legitimacy of Aadhaar had been tagged with this petition. While the existence of the fundamental right to privacy has been upheld, challenges against the Aadhaar programme and linking services to this programme were yet to be adjudicated upon.

An interim order was passed in December of 2017, a summary of the arguments can be found here and here.

The final hearing commenced on January 17, 2017. Summaries of the arguments advanced on the first two days can be found here and here.

Senior Counsel Shyam Divan started off by referring to the relevant portions of the Supreme Court’s judgment on the right to privacy (Puttaswamy vs. Union of India) to highlight how the implementation of the aadhaar programme pose a serious threat to the right to privacy of the citizens. He concluded by stating that privacy has always been a fundamental right and the correct position has been established in decisions subsequent to Kharak Singh v. The State of U.P. & Ors.

He summarized the crucial elements of the privacy judgment in two pages, which he submitted to the court. Following are the takeaways that he submitted:

  1. Privacy is a natural right and is therefore alienable. It is a condition precedent to the enjoyment of any other fundamental rights and it includes the right to control the dissemination of information regarding ones identity.
  2. Privacy is a postulate of human dignity.
  3. Privacy is integral to the enjoyment of liberty and freedom. It is a foundational right and not derivative and it cannot be lost or surrendered merely because the person is in a public space.
  4. Privacy has both negative and positive components. The negative component protects individuals from state whereas the positive component casts a duty upon the state to protect individuals from the infringement of their right by private actors.
  5. Privacy is not an elitist concept.
  6. Integration of different sets of data can pose a threat to freedom.
  7. Privacy can only be curtailed by a law which satisfies the proportionality and legitimate purpose requirements.
  8. Rule of law has to protect the rights.

Mr. Divan then took the court to the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act / Act). He read out the statement of objects, preamble and the short title. Then he moved to the definitions clause. He stressed on the definitions of “authentication” and “authentication record” and pointed out that both the time of authentication and identity of the requesting entities are required to maintain an authentication record.

Next he moved to the definition of “benefit” and highlighted that it does not necessarily have to be from the government. He also pointed out the open-ended nature of the definitions of “biometric information” and “core biometric information”.

Then he moved to the clause defining “enrolling agency” and indicated that the system remains privatized even after the enactment of the Act. He restated the risk of the privatization scheme by pointing out that close to 40,000 operators were blacklisted in 2017. He then directed the court’s attention to the definition of “registrar” and pointed out that similar to the pre-statute regime, the registrar need not be a government body. He also indicated that “requesting entity”, mentioned in s.2(d) and defined in s.2(u), need not necessarily be a government entity or department thereby enabling even private agencies to submit demographic and biometric information to Central Identities Data Repository (CIDR) for verification. He also discussed the definition of “resident” and the statutory form that is to be submitted by a resident and identified that it is a self-declaratory form with no verification to ensure that the applicant is actually a resident. He raised this as the first flaw of the statute. He also pointed out the open-ended nature of the definitions of “service” and subsidy”.

Mr. Divan next took the court to s.3 of the Act on enrollment and pointed out that the words used are “shall be entitled to obtain”. He argued that this indicates that it is the right of the resident to obtain an aadhaar number and not an obligation. He further stated that the entire regime under s.3(2) was established post 2016 and therefore there was no requirement of counseling for all the aadhaar number issued prior to that. He also argued that the concept of informed consent, reflected in the counseling requirement, would become completely illusory if Aadhaar is held to be mandatory. He also reiterated the probabilistic nature of the authentication process.

He then moved to s.4 and argued that the whole enrollment process is compromised. He further stated 49,000 enrolments were cancelled which questions the integrity of the whole process. He also indicated that s.4(3) enables an aadhaar number to be used as a proof of identity for “any” purpose. He also argued that the whole idea of uniqueness of the data on which the whole process is based is compromised by the fact that biometric information changes over time. Next, he discussed s.7, which effectively allows aadhaar to be made mandatory for receipt of certain benefits and services and stated that this deprives an individual of her right to identify herself in a reasonable alternative manner.

Mr. Divan then moved to Chapter IV of the Act and discussed the vast powers that have been granted to the Unique Identification Authority of India (UIDAI). He stated that the power of the UIDAI to contract out the security of the database raises a lot of security concerns. He also raised concerns with the UIDAI’s power to deactivate an aadhaar number which would effectively deprive an individual of her civil rights. He also pointed to s.23(3) which allows UIDAI to enter into agreements with both public and private entities to perform any of its functions.

Mr. Divan then moved to Chapter VI of the Act, which deals with protection of information. He stated that all the information that the Act requires to be kept secure has already been shared.

Justice Chandrachud asked how the breach of a statutory provision affects the constitutionality of the statute itself. Mr. Divan responded that the Aadhaar programme is unconstitutional due to its invasive nature and that it cannot reconcile with free and open democratic society. Therefore, he stated, an Act that supports such a programme is also unconstitutional. He said that this argument will be developed further.

Justice Chandrachud said that there are two possible claims. First, the programme itself is unconstitutional. Second, there have been breaches. He asked if Mr. Divan will argue on both the points. Mr. Divan responded that democracy entails choices and trust and therefore the key question is whether an individual is entitled to protect herself by making a choice about which method is to be used to identify herself. He stated that the breaches will help to substantiate this claim regarding choice. He also mentioned that if the system in its current form is upheld, it will result in a complete surveillance state as the architecture of the whole system enables it.

Justice Chandrachud raised the point that even in the absence of aadhaar, currently we are living in an extremely networked society where we are already sharing information with private entities. He asked what effective change would the interpolation of an aadhaar number bring about in the present situation. Mr. Divan responded that he will address it in detail.

The Chief Justice formulated a set of propositions on which the case is based and Mr. Divan agreed that it is mostly accurate.

Mr. Kapil Sibal raised concerns regarding the extent to which the state should be allowed to seek information under one umbrella and also the extent to which information is shared with private entities.

Mr. Divan resumed to go through the statute. He indicated how under s.47 an individual has no locus to make a complaint. He then moved to s.48 which enables the government to take control over the entire record in light of a public emergency and cited this as a cause of concern.

Justice Sikri asked what the harm would be in giving just the aadhaar number without any biometric information. Mr. Divan responded that the number when combined with other information publicly available could be compromising.

Justice Chandrachud pointed out that biometric information remains only with the CIDR. Mr. Divan responded that it is not correct and cited examples of mobile network operators collecting fingerprint while issuing SIM cards. He said that he will address it in detail in the next hearing.

The hearing will continue on 24th January, 2018.

NATO: From Defensive to Offensive

To keep pace with the rapidly developing landscape of military technologies, the North Atlantic Treaty Organization (NATO) is reportedly changing its approach to cyber warfare. NATO, a primarily defensive alliance so far, is considering the adoption of offensive cyber warfare strategies to confront hacking attacks from its opponents. Member states including United States, Germany, Spain, Britain, Netherlands, and Norway are already actively developing offensive cyber warfare strategies and are hoping to solidify their agreement by 2019. The agreement would enable the alliance to combat cyber attacks that undermine governments and steal their intelligence information and military technologies.[1] This post will briefly examine the prospect of NATO adopting the proposed offensive cyber warfare strategy within the current framework of international law.

NATO’s Current Cyber Strategy

At present, NATO has a strong cyber defense policy in place. It aims to protect its own networks, and provides assistance to its members to develop their own cyber defense capabilities.[2] Following the denial of service (DoS) attacks against Estonia, NATO adopted a new cyber defense policy at the 2008 Bucharest Summit, which then led to the establishment of the Cyber Defense Management Authority. It was subsequently replaced with Cyber Defence Management Board, which is the nodal agency responsible for “technical, political, and information sharing between allies” and for directing and coordinating between existing cyber defence entities.[3]

In the following years, NATO made substantive progress towards integrating cyber defense into its exercises. At the 2014 Wales summit, cyber defense was established as an integral component of NATO’s core mission of collective defense, triggering the application of collective defense under Article 5 of the NATO Treaty. Under Article 5, all member states are required to come together to aid a member state if it is subjected to an armed attack. With the adoption of the cyber defence policy, an armed attack was defined to also include a cyber attack. However the threshold that is to be satisfied by the cyber attack to trigger collective defense was not disclosed so that it would remain as a deterrent for potential attackers.[4] This was followed by an official recognition of cyber as a domain of warfare in 2016.

Should NATO Adopt An Offensive Cyber Warfare Strategy?

The cyber threat landscape is rapidly undergoing dramatic changes; it is becoming increasingly sophisticated and diverse. A war in cyber space is not a distant possibility. In response to these current developments, it might be appropriate for NATO to adopt a more proactive approach to counter the threats posed by the proliferation of cyber weapons by its adversaries and to ensure global security. An offensive cyber warfare strategy, as considered by NATO could be a solution. Embedding offensive cyber operations into NATO’s military operations may serve as a deterrent for potential attackers.[5]

However the use of offensive cyber strategies should be governed by the principles of international law. Even though the UN Charter prohibits the use of force, Article 51 of the Charter recognizes the inherent right of states to act in self-defence. Therefore an offensive cyber strategy should be employed only if it amounts to an act of self-defence. In the cyber context, as per the unanimous opinion of the Group of Experts that prepared the Tallinn Manual, only cyber attacks with kinetic consequences are tantamount to an armed attack, legitimizing the use of force in self-defence. There are limited circumstances in which an act of offensive warfare can be considered an act of self-defence, which is legitimate in international law.

 International Law and Offence as Defence

Currently, there are two possible types of self-defence- anticipatory and pre-emptive- that could be claimed by a state if it exercises use of force against another prior to getting attacked. However there is an ongoing debate on their legitimacy under international law. Over the course of time, anticipatory self-defence has gained international consensus with the support of significant state practice[6] and is considered legitimate if an imminent threat of attack clearly exists and the response is proportional to the threat.[7] However pre-emptive self-defence involves preventive action by a state against a non-imminent threat, and is more controversial.

Even though the ICJ has in the past ruled a claim of pre-emptive self-defence invalid in Democratic Republic of the Congo v. Uganda stating that it is not in consonance with the language of the UN Charter, the claim is being increasingly reaffirmed by many countries including Australia, UK, China and the US.[8] But if imminence is not a pre-requisite, where do we draw the line between legitimate and illegitimate pre-emptive self-defence attacks? The international community is yet to establish a criteria for determination of the same.

In light of the profound political consequences attached to an offensive attack, it is ideal for NATO to resort to offensive strategies only if either a member state is subjected to cyber attack or if there is an imminent threat. It is also imperative that the response remains proportional. However in case of cyber attacks, key questions remain in relation to the determination of proportionality and imminence. This confusion is exacerbated by the uncertain nature of law in this field, with a lack of consensus on even basic questions such as what amounts to a cyber attack.

Conclusion

As cyber attacks are increasingly integrated into the conventional military technologies of states and non-state actors, NATO is facing an array of complex threats. An offensive strategy has both its advantages and disadvantages. However, considering the complexities surrounding the determination of what amounts to cyber attacks and what is legitimate self-defence, now might not be the ideal time for NATO to adopt an offensive cyber warfare strategy.

[1] Robin Emmott, Reuters, NATO mulls ‘offensive defense’ with cyber warfare (Nov.30, 2017), available at http://mobile.reuters.com/article/amp/idUSKBN1DU1G4.

[2] Neil Robinson, NATO: changing gear on cyber defense, NATO Review, available at https://www.nato.int/docu/review/2016/Also-in-2016/cyber-defense-nato-security-role/EN/index.htm.

[3] Vincent Joubart, Five years after Estonia’s cyber attacks: Lessons learned for NATO?, NATO (2012); Szentgali Gergely, The NATO Policy on Cyber Defense, AARMS 1, 4 (2012)

[4] Warwick Ashford, ComputerWeekly.com, NATO to adopt new cyber defense policy (Sept.03, 2014), available at http://www.computerweekly.com/news/2240228071/Nato-to-adopt-new-cyber-defence-policy.

[5] James A. Lewis, The Role of Offensive Cyber Operations in NATO’S Collective Defense, Tallinn Paper No.8 (2015).

[6] Anthony Clark Arend, International Law and the Preemptive Use of Military Force, The Washington Quarterly (2003).

[7] Commonly referred to as the Caroline Test, formulation of Customary International Law upheld by the Nuremberg Tribunal; Patrick Kelly, Preemptive Self-Defence, Customary International Law and the Congolese Wars (Sept.3, 2016).

[8] Patrick Kelly, Preemptive Self-Defence, Customary International Law and the Congolese Wars (Sept.3, 2016).