The General Data Protection Regulation and You

A cursory look at your email inbox this past month presents an intriguing trend. Multiple online services seem to have taken it upon themselves to notify changes to their Privacy Policies at the same time. The reason, simply, is that the European Union’s General Data Protection Regulation (GDPR) comes into force on May 25, 2018.

The GDPR marks a substantial overhaul of the existing data protection regime in the EU, as it replaces the earlier ‘Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.’ The Regulation was adopted by the European Parliament in 2016, with a period of almost two years to allow entities sufficient time to comply with their increased obligations.

The GDPR is an attempt to harmonize and strengthen data protection across Member States of the European Union. CCG has previously written about the Regulation and what it entails here. For one, the instrument is a ‘Regulation’, as opposed to a ‘Directive’. A Regulation is directly binding across all Member States in its entirety. A Directive simply sets out a goal that all EU countries must achieve, but allows them discretion as to how. Member States must enact national measures to transpose a Directive, and this can sometimes lead to a lack of uniformity across Member States.

The GDPR introduces, among other things, additional rights and protections for data subjects. This includes, for instance, the introduction of the right to data portability, and the codification of the controversial right to be forgotten. Our writing on these concepts can be found here, and here. Another noteworthy change is the substantial sanctions that can be imposed for violations. Entities that fall foul of the Regulation may have to pay fines up to 20 million Euros, or 4% of global annual turnover, whichever is higher.

The Regulation also has consequences for entities and users outside the EU. First, the Regulation has expansive territorial scope, and applies to non-EU entities if they offer goods and services to the EU, or monitor the behavior of EU citizens. The EU is also a significant digital market, which allows it to nudge other jurisdictions towards the standards it adopts. The Regulation (like the earlier Directive) restricts the transfer of personal data to entities outside the EU to cases where an adequate level of data protection can be ensured. This has resulted in many countries adopting regulation in compliance with EU standards. In addition, with the implementation of the GDPR, companies that operate in multiple jurisdictions might prefer to maintain parity between their data protection policies. For instance, Microsoft has announced that it will extend core GDPR protections to its users worldwide. As a consequence, many of the protections offered by the GDPR may in effect become available to users in other jurisdictions as well.

The implementation of the GDPR is also of particular significance to India, which is currently in the process of formulating its own data protection framework. The Regulation represents a recent attempt by a jurisdiction (that typically places a high premium on privacy) to address the harms caused by practices surrounding personal data. The lead-up to its adoption and implementation has generated much discourse on data protection and privacy. This can offer useful lessons as we debate the scope and ambit of our own data protection regulation.

Advertisements

Towards a Data Protection Framework (CCG Privacy Law Series)

Smitha and I are writing a series of papers on a data protection law for India, based on our research. We hope that our discussion of the options before us and their relative merits and demerits will help other engage with these difficult questions in a nuanced manner.

The first paper sets out the context for the data protection law. It discusses the
reasons and purpose for regulation and what specifically will be regulated.
It also discusses who will be regulated, since this is important while
considering the regulatory strategies to use while implementing the data
protection principles. It is available here.

Back to the Basics: Framing a New Data Protection Law for India

Over the past decade or so, the use of personal and big data has changed the way many businesses and governments operate. Regulators and legislative bodies have been struggling to keep up with the changes in technology, and increasing concerns about what it means for the privacy of individuals.

In India, we have worked with the Information Technology Act, 2000 (IT Act)[1], and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Data Protection Rules) for a few years now[2]. These rules were arguably put together as a response to claims that Indian law did not meet European data protection standard, and for the purpose of ensuring that Indian companies do not lose cross border business (with the European Union)[3]. The rules are fraught with inconsistencies, right from the scope of the rules, to the manner in which they can be enforced[4].

Barring these rules, we have had minimal regulations on the use of personal data in certain sectors[5].

The Committee of Experts (Committee), constituted by Ministry of Electronics and Information Technology (MEITY), is currently working on recommendations regarding a new legal and regulatory framework for protection of personal data in India[6]. With all signs pointing only towards an increase in not only data driven businesses, but also data driven solutions to problems in many aspects of our life, it is imperative that we get it right this time.

The constant change and development in tech over the past few decades has shown us that it may be difficult to predict the way our technology and the internet will look in 10 years. It may be even more difficult to put in place the perfect legal system that addresses such technology. However, ensuring that the basic premise of the data protection law – what / who does it aim to protect, what the scope of the law is, and what principles the law is meant to uphold – is balanced and robust, will go a long way in ensuring that we have a strong, yet flexible legal framework[7].

In my paper titled ‘Back to the Basics: Framing a New Data Protection Law for India’, I take a preliminary look at each of these three concepts, while focusing largely on some of the principles that data protection laws have traditionally relied on, and how they can be revisited in today’s context.

The paper is available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3113536

 

 

[1] Information Technology Act, 2000, available at https://indiankanoon.org/doc/1965344/ (last visited on January 30, 2018)

[2] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, available at http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf (last visited on January 30, 2018)

[3] Krishna Prasad, Smitha, (Draft) Paper on Information Technology Act, 2000 and the Data Protection Rules (December 30, 2017). Available at SSRN: https://ssrn.com/abstract=3094792 (last visited on January 30, 2018)

[4] Krishna Prasad, Smitha, (Draft) Paper on Information Technology Act, 2000 and the Data Protection Rules (December 30, 2017). Available at SSRN: https://ssrn.com/abstract=3094792 (last visited on January 30, 2018)

[5] International Comparative Legal Guide, Chapter on Data Protection in India, 2017, https://iclg.com/practice-areas/data-protection/data-protection-2017/india (last visited on January 30, 2018)

[6] http://meity.gov.in/writereaddata/files/meity_om_constitution_of_expert_committee_31072017.pdf (last visited on January 30, 2018)

[7] Krishna Prasad, Smitha, “Defining ‘personal info’ broadly key to protecting it”, January 21, 2018, available at:  http://m.deccanherald.com/?name=http://www.deccanherald.com/content/655012/defining-personal-info-broadly-key.html (last visited on January 30, 2018)

CCG’s recommendations to the TRAI Consultation Paper on Privacy, Security and Ownership of Data in the Telecom Sector – Part III

In this series of blogposts, we discuss CCG’s responses and recommendations to the TRAI (available here), in response to their Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector. We focus on the principles and concerns that should govern the framing of any new data protection regime, whether limited to the telecom sector or otherwise. 

In our previous posts, we discussed the background against which we have provided our responses and recommendations, and the need for a separate regulatory framework for data within the telecom sector, in the context of the jurisdiction and powers of the TRAI.

In this post, we look at the basic data protection principles that we recommend form the basis for any new data protection regulation. Several of these principles are also discussed in the white paper of the Committee of Experts on a Data Protection Framework for India.

Any new data protection regulation, whether applicable across industries and sectors, or applicable only to the telecom sector, should be based on sound principles of privacy and data protection. As discussed in the Consultation Paper, the Report of the Group of Experts on Privacy[1] (GOE Report) identified 9 national privacy principles to be adopted in drafting a privacy law for India. These principles are listed below[2]:

  • Notice: A data controller, which refers to any organization that determines the purposes and means of processing the personal information of users, shall give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include disclosures on what personal information is being collected; purpose for collection and its use; whether it will be disclosed to third parties; notification in case of data breach, etc.
  • Choice and consent: A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices.
  • Collection limitation: A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection.
  • Purpose limitation: Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed.
  • Access and correction: Individuals shall have access to personal information about them held by a data controller and be able to seek correction, amendments, or deletion of such information, where it is inaccurate.
  • Disclosure of Information: A data controller shall only disclose personal information to third parties after providing notice and seeking informed consent from the individual for such disclosure.
  • Security: A data controller shall secure personal information using reasonable security safeguards against loss, unauthorised access or use and destruction.
  • Openness: A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.
  • Accountability: The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies, including training and education, audits, etc.

With the growth of businesses driven by big data, there is now a demand for re-thinking these principles, especially those relating to notice and consent[3].

While notice, consent and the other principles set forth in the GOE Report have formed the basis for data protection laws for many years now, additional principles have been developed in many jurisdictions across the world. In order to ensure that any new regulations in India are up to date and effective, it will be prudent to study such principles and identify the best practices that can then be incorporated into Indian law.

Graham Greenleaf has compared data protection laws across Europe and outside Europe and found that today, second and third generation ‘European Standards’ are being implemented across jurisdictions[4]. These ‘European Standards’, refer to standards that are applicable under European Union (EU) law, in addition to the original principles developed by the Organisation for Economic Co-operation and Development (OECD)[5]. The second generation European Standards that are most commonly seen outside the EU are:

  • Recourse to the courts to enforce data privacy rights (including. compensation, and appeals from decisions of DPAs)
  • Destruction or anonymisation of personal data after a period
  • Restricted data exports based on data protection provided by recipient country (‘adequate’), or alternative guarantees
  • Independent Data Protection Authority (DPA)
  • Minimum collection necessary for the purpose (not only ‘limited’)
  • General requirement of ‘fair and lawful processing’ (not only collection)
  • Additional protections for sensitive data in defined categories
  • To object to processing on compelling legitimate grounds, including to ‘opt-out’ of direct marketing uses of personal data
  • Additional restrictions on some sensitive processing systems (notification; ‘prior checking’ by DPA.)
  • Limits on automated decision-making (including right to know processing logic)

He also notes that there are several new principles put forward in the EU’s new General Data Protection Regulation[6] (GDPR) itself, and that it remains to be seen which of these will become global standards outside the EU. The most popular of these principles, which he refers to as ‘3rd General European Standards’ are[7]:

  • Data breach notifications to the DPA for serious breaches
  • Data breach notifications to the data subject (if high risk)
  • Class action suits to be allowed before DPAs or courts by public interest privacy groups
  • Direct liability for processors as well as controllers
  • DPAs to make decisions and issue administrative sanctions, including fines.
  • Opt-in requirements for marketing
  • Mandatory appointment of data protection officers in companies that process sensitive personal data.

We note that there exist other proposed frameworks that aim to regulate data protection and ease compliances required by businesses. Such additional frameworks may also be considered while formulating new data protection principles and regulations in India. However, it is recommended that the ‘European Standards’ described above, i.e. those set out in the GDPR may be adopted as the base on which any new regulations are built. This would ensure that India has greater chances of being recognised as having ‘adequate’ data protection frameworks by the EU, and improve our trade relations with the EU and other countries that adopt similar standards.

Professor Greenleaf’s studies suggest that the 2nd and 3rd General European Standards are being adopted by several countries outside the European Union. We note here that adoption of principles that are considered best practices across jurisdictions would also assist in increasing interoperability for businesses that operate across borders.

While adoption of these practices is likely to raise the cost of compliance, it is also likely to ensure that India remains a very competitive market globally for the outsourcing of services. In the long term, this will benefit Indian industry and the Indian economy. It will also safeguard the privacy rights of Indian citizens in the best possible manner.

[1] Report of the Group of Experts on Privacy, available at http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[2] Report of the Group of Experts on Privacy, Chapter 3, as summarised in the TRAI Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector, pages 7-9

[3] TRAI Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector, Page 9; and Rahul Matthan, Beyond Consent: A New Paradigm for Data Protection, available at http://takshashila.org.in/takshashila-policy-research/discussion-document-beyond-consent-new-paradigm-data-protection/ (last visited on November 5, 2017)

[4] Graham Greenleaf, European data privacy standards in laws outside Europe, Privacy Law and Business International Report, Issue 149

[5]OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm (last visited on November 5, 2017)

[6] General Data Protection Regulation, Regulation (EU) 2016/679

[7] Graham Greenleaf, Presentation on 2nd & 3rd generation data privacy standards implemented in laws outside Europe (to be published and available on request).

CCG’s recommendations to the TRAI Consultation Paper on Privacy, Security and Ownership of Data in the Telecom Sector – Part II

In this series of blogposts, we discuss CCG’s responses and recommendations to the TRAI (available here), in response to their Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector. We focus on the principles and concerns that should govern the framing of any new data protection regime, whether limited to the telecom sector or otherwise.

In our previous blogpost, the first of the series, we discussed the background against which we have provided our responses and recommendations. In this post, we look at whether there is a need for a separate regulatory framework for data within the telecom sector, and the jurisdiction and powers of the TRAI.

We note that the Consultation Paper makes several references to stakeholders / players in the digital / telecommunications eco-system that are not traditional telecommunication service providers. These include online content / application service providers, device manufacturers, and providers of online communication services, operating systems, browsers. The Consultation Paper poses several questions about the regulation of data use and processing by such stakeholders.

In this context, we have examined the role and responsibilities of the TRAI beyond the regulation of traditional telecommunication service providers.

The preamble to the Telecom Regulatory Authority of India Act, 1997 (TRAI Act) states that the law is meant to “provide for the establishment of the Telecom Regulatory Authority of India and the Telecom Disputes Settlement and Appellate Tribunal to regulate the telecommunication services, adjudicate disputes, dispose of appeals and to protect the interests of service providers and consumers of the telecom sector, to promote and ensure orderly growth of the telecom sector and for matters connected therewith or incidental thereto”.

Telecommunication services have been defined to mean “service of any description (including electronic mail, voice mail, data services, audio tax services, video tax services, radio paging and cellular mobile telephone services) which is made available to users by means of any transmission or reception of signs, signals, writing, images and sounds or intelligence of any nature, by wire, radio, visual or other electromagnetic means”[1]. Broadcasting services have been excluded from the definition of telecommunication services[2].

Service providers means either the government as a service provider, or a licensee[3] – which refers to any person licensed to provide telecommunication services under the Indian Telegraph Act, 1885[4].

Section 11 of the TRAI Act describes the functions of the TRAI. These functions are divided into two broad areas: (i) making recommendations of certain matters, and (ii) regulatory functions. The regulatory functions largely deal with monitoring compliance with the telecom licenses, and other functions of service providers.

The TRAI’s powers to make recommendations extend to the following matters:

  • need and timing for introduction of new service provider;
  • terms and conditions of licence to a service provider;
  • revocation of licence for non-compliance of terms and conditions of licence;
  • measures to facilitate competition and promote efficiency in the operation of telecommunication services so as to facilitate growth in such services;
  • technological improvements in the services provided by the service providers;
  • type of equipment to be used by the service providers after inspection of equipment used in the network;
  • measures for the development of telecommunication technology and any other matter relatable to telecommunication industry in general;
  • efficient management of available spectrum

We note that most of the above matters deal specifically with functions of service providers. However, as mentioned above, telecommunication services do include some services beyond those provided by traditional telecommunication service providers – such as electronic mail and voice mail among others.

In this context, we would argue that the functions and powers of the TRAI would not extend to making recommendations regarding, or regulating online content and application providers, device manufacturers or other businesses that do not provide communication services.

At best, the TRAI may derive powers to make recommendations regarding based on questions posed in the Consultation Paper, under sub-section (iv) which provides the TRAI with the authority to make recommendations on improving efficiency of telecommunication services.

In our next posts in this series, we will discuss principles that we believe any data protection regulation, irrespective of the sector it applies to, should address. We also note that as Indian businesses grow and adopt new technology, they are increasingly beginning to function across sectors. In this context, we recommend that a basic data protection law that is applicable horizontally across sectors and regions, to cope with these cross-sectoral business models.  Where required, additional regulations may be made applicable to collection and processing of sector specific sensitive personal data.

[1] Section 2(1)(k) of the Telecom Regulatory Authority of India Act, 1997

[2] Section 2(1)(k) of the Telecom Regulatory Authority of India Act, 1997

[3] Section 2(1)(j) of the Telecom Regulatory Authority of India Act, 1997

[4] Section 2(1)(e) of the Telecom Regulatory Authority of India Act, 1997

CCG on the Privacy Judgment

Written by the Civil Liberties team at CCG

A 9 judge bench of the Supreme Court of India passed a landmark judgment two weeks ago, which unanimously recognized the right to privacy as a fundamental right under the Constitution of India. The Court found the right to privacy to be a part of the freedoms guaranteed across fundamental rights, and an intrinsic aspect of dignity, autonomy and liberty.

In 2012, a petition was filed before the Supreme Court by Justice K. S. Puttuswamy (Retd.), challenging the validity of Aadhaar. During the course of the hearings, the Attorney General argued that the Supreme Court in M.P. Sharma v. Satish Chandra (1954) and Kharak Singh v. State of U.P. (1962) had found that there was no fundamental right to privacy in India, because of which its position in the Indian Constitution was debatable. As a consequence, the Court in its order on August 11, 2015 referred the question to a Constitution bench of the Supreme Court. Last month, the Constitution bench decided to refer the matter to a 9 judge bench, in view of M.P. Sharma and Kharak Singh being decided by an 8 judge bench, and a 6 judge bench respectively. A timeline of events, from the filing of the petition, to the constitution of the 9 judge bench, may be found here.

During the proceedings, the petitioners broadly argued that M.P. Sharma, and Kharak Singh were no longer good law; that privacy was an essential component of liberty, dignity and other core aspects of the Constitution; and the fundamental right to privacy could be located in a combined reading of the rights under Part III of the Constitution. Further, they argued that India’s international obligations presented an imperative to recognize the right. The respondents argued, among other things, that privacy was a vague concept, of which only certain aspects could be elevated to the status of a fundamental right, if at all. They argued that the right could be protected through the common law, or by statute, and did not need the protection of a fundamental right. Further, that the right to life, and the concomitant duty of the state to provide welfare, must trump privacy. An index of our posts reporting the arguments is also available below.

The petition and reference posed some critical questions for the Court. The Court had to evaluate whether privacy, as argued, was just an alien, elitist construct unsuitable to India, or a necessary protection in a digital age. It was further tasked with defining its safeguards and contours in a way that would not invalidate the right. Chinmayi Arun’s piece specifically addresses these concerns here.

Fortunately, the Supreme Court also has an illustrious history of recognizing and upholding the right to privacy. The Centre for Communication Governance recently published an infographic, illustrating the Court’s jurisprudence on the right to privacy across 63 years.

The Court eventually decided on an expansive articulation of the fundamental right to privacy. However, the judgment raises a few crucial implications. We at the Centre for Communication Governance have presented our analysis of the judgment in various news media publications. Chinmayi Arun, our Research Director, has presented her views on the judgment as part of a panel of experts here, and in an interview, here. She also argues that the Court seems to have left a significant leeway, presumably for intrusion by the state. Smitha presents a detailed assessment of the implications of the right to privacy here. The judgment has also been lauded for its critique of the Suresh Kumar Koushal v. NAZ Foundation, which recriminalized consensual same-sex intercourse. As Arpita writes here, a strong formulation of the right to privacy, with its close connection to bodily integrity, can forge a more progressive expression of the rights of women and sexual minorities.

While the judgment is a step forward, its effect and implementation are yet to be seen. Recently, in the ongoing matter of Karmanya Singh v. Union of India (WhatsApp data sharing case), the Puttaswamy judgment was visited. Following from the judgment, the petitioners argued that the state should protect an individual’s right to privacy even when it is being infringed by a non-state actor.

 Reports of arguments made before the Supreme Court:

SC 9 Judge Bench on the Constitutional Right to Privacy – Day VI (Part II)

Yesterday, a nine-judge bench continued to hear arguments on whether a fundamental right to privacy exists. Our posts discussing yesterday’s hearings can be found here. Today, the hearing concluded with arguments advanced on behalf of the states of Rajasthan and Haryana along with the Centre for Civil Society and the TRAI and with a rejoinder from the petitioners. Today’s hearings have been divided into two posts, the first post can be found here.

Counsel Gopal Shankarnarayan appeared for the Centre for Civil Society.

Mr. Shankarnarayan commenced his arguments by stating that the judgments of M.P. Sharma and Kharak Singh were correct and that there is no fundamental right to privacy.

He stated that following from the petitioner’s arguments, Cooper’s overruling of Gopalan would be erroneous. He also stated that 96 judgments between 1950 and 1970 had not used that parameter.

He then discussed the consequences of allowing for a fundamental right to privacy. He started by asking how such a right would be tested, stating that there would be a different test in each Article.

He then remarked upon the fact that ‘persons’ were protected under Article 19 and ‘citizens’ were protected under Article 14. He stated that if one was to blindly accept the standard in Maneka Gandhi case, that all rights flow freely into each other, then the position of non-citizens would be unsure. He also stated that there was a necessity to understand the difference between persons and citizens in the context of the Gopalan and Maneka judgments.

He discussed a case, Munn vs. Illinois and then stated that the right to privacy was flowing from Article 21. He also stated that life and personal liberty could be subject to expansive interpretation.

He then stated that the argument that MP Sharma and Kharak Singh do not deal with privacy, and could be sustained.  He also stated that only certain aspects of privacy could be elevated to the level of a fundamental right.

Mr. Shankarnarayan stated that privacy could be conceptualized as being broader than what was being argued.

He then went on to discuss medical privacy. Referring to pre-natal sex determination, he stated that privacy could not be claimed if there was a competing issue with the PNDT Act, for instance. He also discussed the ‘right to refuse care’ in this context.

He stated that large aspects of privacy had already been covered by statutory provisions. He mentioned the DNA profiling bill and the CrPC.

Referring back to the consequences of a fundamental right, he stated that such a right could not be waived under any circumstances. He stated that the doctrine of waiver could not be introduced in the Indian Constitution. He substantiated this claim by referring to the case of Basheshar Nath vs. CIT.

At this point, Justice Bobde asked if there were fundamental rights that could be waived, to which Mr. Shankaranarayan responded in the negative.

Mr. Shankaranarayanan then stated that the assumption was that if a separate right to privacy did not exist, there would only be statutory protections. He said that this wasn’t the case as privacy would still be provisionally recognized.

Referring back to the respondent’s arguments about pitting the right to life of others vs. the right to privacy, he stated that the majoritarian view of the ‘elite’ could not take over. Relying on the NAZ foundation judgment, he stated that the ‘miniscule minority’s rights could not be given precedence:

While reading down Section 377 IPC, the Division Bench of the High Court overlooked that a miniscule fraction of the country’s population constitutes lesbians, gays, bisexuals or transgenders and in last more than 150 years less than 200 persons have been prosecuted (as per the reported orders) for committing offence under Section 377 IPC and this cannot be made sound basis for declaring that section ultra vires the provisions of Articles 14, 15 and 21 of the Constitution.

Arguments then turned towards discussing the import of provisions from the UDHR, he stated that not all basic principles are found in Part III of the constitution.

Mr. Shankaranarayanan concluded his arguments and Mr. Arghya Sengupta, appearing for the State of Haryana and the TRAI, commenced his arguments.

He started by referring to the doctrine of ‘purposive limitation’, which was a cardinal principle of data protection.

He then stated that the actual implementation of these principles was difficult, since the structure of these contracts allowed them to share information with other connected bodies.

Referring to Justice Chandrachud’s ‘zones of privacy’, he stated that the nature of the right was different in each zone and not just state involvement. He then stated that the Bench should not read in general fundamental rights like the petitioners were asking.

Mr. Sengupta then stated that according to his submission, privacy was the right to be left alone and denotes that ‘everyone else would have to stay off’. He concluded by stating that privacy was just the formal construct of liberty.

Referring to the case X vs. Hospital Z, he stated that the patient had the liberty to disclose or not disclose certain information and that dignity was upheld in this case.

He stated that privacy was a liberty claim and that to determine whether there was a right to privacy, there would have to be a case by case determination of whether there was a personal liberty or any other liberty and not just a claim to privacy.

He laid down a three fold test, where one would have to determine if there was a liberty interest, if this interest lied under personal liberty or any other liberty like freedom of religion and what the restrictions would be.

He discussed the right to privacy and how it could not be a ground to test legislations. Referring to the case Planned Parenthood vs. Casey, He then stated that privacy is not all prevalent and can only be found in liberty. He stated that the right to not disclose had no right of its own.

Referring to the Hohfeldian construct of jural opposites, he asked what the nature of the right would be, stating, ‘the right to do what?’. He mentioned that liberty would be a privilege and there would be a corresponding right to stay off.

He then briefly discussed the Auto Shankar case in the context of reasonable restrictions.

The arguments then turned towards discussing the nature of a right to privacy  and how it would be overbroad and could therefore not be introduced.

Justice Bobde clarified that under Hohfeld’s structure, it would be the power to stay off, not the right.

Lastly, Mr. Sengupta stated that data protection was a horizontal issue and vastly complex, and was not the same as a privacy concern. Mr. Sengupta concluded his arguments and the petitioners commenced their rebuttal, starting with Senior Counsel Gopal Subramaniam.

The senior counsel stated that as per Keshavnanda Bharati vs Union of India, the social good and welfare argument was rejected. He stated that the minority opinion infused meaning.

He then stated that constitutional words were not restrictive, and there had to be a sense of fullness while interpreting them. Mr. Subramaniam went on to state that life and liberty came from Descartes, Mill and Rousseau and not merely from the Magna Carta as mentioned by the respondents.

He also referred to the incidents that took place after the Second World War, stating that nothing could be done by which liberty would be diminished.

On the Gopalan principle, he stated that it was followed by Justice Ray in Keshavnanda Bharati and was also followed in Kharak Singh. He also remarked upon its use in the Indira Gandhi case. He then referred to Justice Khanna’s opinion on inalienable rights and that the right to courts could never be taken away.

He also discussed the Maneka Gandhi and Minerva Mills judgment, remarking on the nature of inalienable rights in them.

On the matter of privacy, he stated that ‘private choices’ had been discussed in the Maneka Gandhi judgment and ‘dignity’ was used in the Keshavnanda Bharati judgment.

He then discussed to the status of privacy in other jurisdictions, referring to the standard in South Africa where privacy, dignity and liberty were held to be intertwined.

The senior counsel lastly mentioned a passage from Keshavnanda Bharati, referring to Chief Justice Sikri’s opinion on the republic also importing Article 14, and concluded by stating that the state was the custodian and would have to protect these rights.

Next, Senior Counsel Kapil Sibal commenced his arguments.

He started off by remarking on the unique persona of individuals and how ‘each person has moments of solitude’. He questioned where the ‘right to a private moment’ could arise from.

At this point, Justice Chandrachud questioned whether privacy was a subset of liberty. To this Mr. Sibal responded stating that it was a golden thread that ran through liberty. Justice Chandrachud asked if there was a difference. Mr. Sibal stated that privacy was more fundamental than liberty.

He then remarked on the changing nature of the state and the need for changes. Justice Chandrachud responded stating that the state’s actions will be in the protection of absolute liberty.

The senior counsel concluded his arguments and Senior Counsel Shyam Divan commenced his arguments.

The senior counsel stated that privacy encompassed many other aspects, like creativity and psychological well-being. He referred to a quote from John L. Mills on privacy being the last right.

He referred to privacy as a bundle of rights, and went on to distinguish 4 areas of privacy. These included personal information, value autonomy, physical space and the interface of property. He stated that the interaction and overlap of these factors should make way for a general protection.

He referred to provisions from the Census Act, specifically Section 15, stating that recorded/tabulated information could not even be summoned by the Court of Law.

He also that privacy as a right was concerned with more than just data protection, but was also concerned with surveillance, bodily integrity and self-determination.

The senior counsel concluded his arguments and senior counsel Anand Grover commenced his arguments.

The senior counsel started off by discussing Kharak Singh and the notion of liberty. He remarked on the discussion of privacy being a common law right, stating that it could not be accepted in India. He also mentioned that elevating a common law right or a statutory right to a fundamental right could be possible.

He mentioned the right to health and how it was now progressively realizable.

Remarking on the status of privacy in other jurisdictions, he stated that American jurisprudence was considered lacking in this regard and that jurisdictions like Canada should be paid attention to. He discussed the notions of liberty and security in Canada, which also read in privacy, stating that there was a reasonable expectation of privacy. He also remarked on the European Court devising their own tests for privacy and the recognition of the right by the Inter-American Court.

He then discussed the landmark judgment, Loving vs. Virginia, by which inter-racial marriages were recognized in the United States, stating that the concepts of choice and privacy were integral to this judgment.

Lastly, he discussed the movie ‘Aligarh’, and the judgment the story was based on. He stated that the Allahabad High Court recognized a right to privacy in this regard.

The senior counsel concluded his arguments, and senior counsel PV Sundaresan commenced his arguments.

He remarked on the private nature of thoughts and feelings, stating that a person had a right to be privy to them. He stated that liberty was not limited to physical liberty and mentioned that the allegedly vague nature of privacy was not concrete enough to be a ground for denial.

Mr. Sundaresan concluded his arguments and Senior Counsel Meenakshi Arora commenced her arguments.

The senior counsel stated that under Article 372 all laws shall continue to be protected. She also stated that protection under Article 21 were always present, even before the Constitution was realized.

Referring to Articles 528-531, she remarked upon Justice Khanna’s reading of the Brandeis judgment.

She then remarked upon the nature of fundamental rights, stating that there was no fixed content and that generations must pour their content into the rights.

She also stated that privacy was a multi-faceted right and that it was not open to the state to say that it was an elitist measure. She also stated that fundamental rights could not be pitted against each other to the extent that the right to life of others could only be upheld if privacy is given away. She remarked upon the nature of state as parens patriae and how all rights needed to be protected.

Senior counsel Meenakshi Arora concluded her arguments, and senior counsel Sajjan Poovayya commenced his arguments.

He discussed the collection of data and 26 statutes where privacy was recognized and the mechanism in place to protect the rights.

He remarked upon the respondent’s arguments, stating that they argued that there was a right but not a fundamental right, which seemed merely like a matter of nomenclature.

He concluded his arguments and lastly, Senior Counsel Arvind Datar commenced his arguments.

He stated that Part III of the Constitution was concerned with fundamental rights and if privacy was seen as a sub-set to a fundamental right, then by virtue of being a subset to a larger set, it would also be a fundamental right.

He also remarked upon the respondent’s arguments about privacy being vague, stating that the correct postulation would be to say that it was incapable of precision or a precise definition, and not merely vague. Lastly, he remarked upon the danger of omitting a right like privacy in 2017.

The hearing has concluded and the judgment is reserved.