On 6th October, the European Court of Justice (ECJ/ Court) delivered its much anticipated judgments in the consolidated matter of C-623/17,Privacy International from the UK and joined cases from France, C-511/18, La Quadrature du Net and others, C-512/18, French Data Network and others, and Belgium, C-520/18,Ordre des barreaux francophones et germanophone and others (Collectively “Bulk Communications Surveillance Judgments”).
In this post, I briefly discuss the Bulk Communication Surveillance Judgments, their significance for other countries and for India.
Through these cases, the Court invalidated the disproportionate interference by Member States with the rights of their citizens, as provided by EU law, in particular the Directive on privacy and electronic communications (e-Privacy Directive) and European Union’s Charter of Fundamental Rights (EU Charter). The Court assessed the Member States’ bulk communications surveillance laws and practices relating to their access and use of telecommunications data.
The Court recognised the importance of the State’s positive obligations towards conducting surveillance, although it noted that it was essential for surveillance systems to conform with the general principles of EU law and the rights guaranteed under the EU Charter. It laid down clear principles and measures as to when and how the national authorities could access and use telecommunications data (further discussed in the sections ‘The UK Judgment’ and ‘The French and Belgian Judgment’). It carved a few exceptions as well (in the joined cases of France and Belgium) for emergency situations, but held that such measures would have to pass the threshold of being serious and genuine (further discussed in the section ‘The French and Belgian Judgment’).
The Cases in Brief
The Court delivered two separate judgments, one in the UK case and one in the joined cases of France and Belgium. Since these cases had similar sets of issues, the proceedings were adjoined. The UK application challenged the bulk acquisition and use of telecommunications data by its Security and Intelligence Agencies (SIAs) in the interest of national security (as per the UK’s Telecommunication Act of 1984). The French and Belgian applications challenged the indiscriminate data retention and access by SIAs for combating crime.
The French and Belgian applications questioned the legality of their respective data retention laws (numerous domestic surveillance laws which permitted bulk collection of telecommunication data) that imposed blanket obligations on Electronic Communications Service Providers (ECSP) to provide relevant data. The Belgian law required ECSPs to retain various kinds of traffic and location data for a period of 12 months. Whereas, the French law provided for automated analysis and real time data collection measures for preventing terrorism. The French application also raised the issue of providing a notification to the person under the surveillance.
The Member States contended that such surveillance measures enabled them to inter alia, safeguard national security, prevent terrorism, and combat serious crimes. Hence, they claimed inapplicability of the e-Privacy Directive on their surveillance laws/ activities.
The UK Judgment
The ECJ found the UK surveillance regime unlawful and inconsistent with EU law, and specifically the e-Privacy Directive. The Court analysed the scope and scheme of the e-Privacy Directive with regard to exclusion of certain State purposes such as national and public security, defence, and criminal investigation. Noting the importance of such State purposes, it held that EU Member States could adopt legislative measures that restricted the scope of rights and obligations (Article 5, 6 and 9) provided in the e-Privacy Directive. However, this was allowed only if the Member States complied with the requirements laid down by the Court in Tele2 Sverige and Watson and Others(C-203/15 and C-698/15) (Tele2)andthe e-Privacy Directive. In addition to these, the Court held that the EU Charter must be respected too. In Tele2, the ECJ held that legislative measures obligating ECSPs to retain data must be targeted and limited to what was strictly necessary. Such targeted retention had to be with regard to specific categories of persons and data for a limited time period. Also, the access to data must be subject to a prior review by an independent body.
The e-Privacy Directive ensures the confidentiality of electronic communications and the data relating to it (Article 5(1)). It allows ECSPs to retain metadata (context specific data relating to the users and subscribers, location and traffic) for various purposes such as billing, valued added services and security purposes. However, this data must be deleted or made anonymous, once the purpose is fulfilled unless a law allows for a derogation for State purposes. The e-Privacy Directive allows the Member States to derogate (Article 15(1)) from the principle of confidentiality and corresponding obligations (contained in Article 6 (traffic data) and 9 (location data other than traffic data)) for certain State purposes when it is appropriate, necessary and proportionate.
The Court clarified that measures undertaken for the purpose of national security would not make EU law inapplicable and exempt the Member States from their obligation to ensure confidentiality of communications under the e-Privacy Directive. Hence, an independent review of surveillance activities such as data retention for indefinite time periods, or further processing or sharing, must be conducted for authorising such activities. It was noted that the domestic law at present did not provide for prior review, as a limit on the above mentioned surveillance activities.
The French and Belgian Judgment
While assessing the joined cases, the Court arrived at a determination in similar terms as the UK case. It reiterated that the exception (Article 15(1) of the e-Privacy Directive) to the principle of confidentiality of communications (Article 5(1) of the e-Privacy Directive) should not become the norm. Hence, national measures that provided for general and indiscriminate data retention and access for State purposes were held to be incompatible with EU law, specifically the e-Privacy Directive.
The Court in the joined cases, unlike the UK case, allowed for specific derogations for State purposes such as safeguarding national security, combating serious crimes and preventing serious threats. It laid down certain requirements that the Member States had to comply with in case of derogations. The derogations should (1) be clear and precise to the stated objective (2) be limited to what is strictly necessary and for a limited time period (3) have a safeguards framework including substantive and procedural conditions to regulate such instances (4) include guarantees to protect the concerned individuals against abuse. They should also be subjected to an ‘effective review’ by a court or an independent body and must be in compliance of general rules and proportionality principles of EU law and the rights provided in the EU Charter.
The Court held that in establishing a minimum threshold for a safeguards framework, the EU Charter must be interpreted along with the European Convention on Human Rights (ECHR). This would ensure consistency between the rights guaranteed under the EU Charter and the corresponding rights guaranteed in the ECHR (as per Article 52(3) of the EU Charter).
The Court, in particular, allowed for general and indiscriminate data retention in cases of serious threat to national security. Such a threat should be genuine, and present or foreseeable. Real-time data collection and automated analysis were allowed in such circumstances. But the real-time data collection of persons should be limited to those suspected of terrorist activities. Moreover, it should be limited to what was strictly necessary and subject to prior review. It even allowed for general and indiscriminate data retention of IP addresses for the purpose of national security, combating serious crimes and preventing serious threats to public security. Such retention must be for a limited time period to what was strictly necessary. For such purposes, the Court also permitted ECSPs to retain data relating to the identity particulars of their customers (such as name, postal and email/account addresses and payment details) in a general and indiscriminate manner, without specifying any time limitations.
The Court allowed targeted data retention for the purpose of safeguarding national security and preventing crime, provided that it was for a limited time period and strictly necessary and was done on the basis of objective and non-discriminatory factors. It was held that such retention should be specific to certain categories of persons or geographical areas. The Court also allowed, subject to effective judicial review, expedited data retention after the initial retention period ended, to shed light on serious criminal offences or acts affecting national security. Lastly, in the context of criminal proceedings, the Court held that it was for the Member States to assess the admissibility of evidence resulting from general and indiscriminate data retention. However, the information and evidence must be excluded where it infringes on the right to a fair trial.
Significance of the Bulk Communication Surveillance Judgments
With these cases, the ECJ decisively resolved a long-standing discord between the Member States and privacy activists in the EU. For a while now, the Court has been dealing with questions relating to surveillance programs for national security and law enforcement purposes. Though the Member States have largely considered these programs outside the ambit of EU privacy law, the Court has been expanding the scope of privacy rights.
Placing limitations and controls on State powers in democratic societies was considered necessary by the Court in its ruling in Privacy International. This decision may act as a trigger for considering surveillance reforms in many parts of the world, and more specifically for those aspiring to attain an EU adequacy status. India could benefit immensely should it choose to pay heed.
As of date, India does not have a comprehensive surveillance framework. Various provisions of the Personal Data Protection Bill, 2019 (Bill), Information Technology Act, 2000, Telegraph Act, 1885, and the Code of Criminal Procedure, 1973 provide for targeted surveillance measures. The Bill provides for wide powers to the executive (under Clause 35, 36 and 91 of the Bill) to access personal and non-personal data in the absence of proper and necessary safeguards. This may cause problems for achieving the EU adequacy status as per Article 45 of the EU General Data Protection Regulation (GDPR) that assesses the personal data management rules of third-party countries.
Recent news reports suggest that the Bill, which is under legislative consideration, is likely to undergo a significant overhaul. India could use this as an opportunity to introduce meaningful changes in the Bill as well as its surveillance regime. India’s privacy framework could be strengthened by adhering to the principles outlined in the Justice K.S. Puttaswamy v. Union of Indiajudgment and the Bulk Communications Surveillance Judgments.
The Personal Data Protection Bill, 2019 (PDP Bill/ Bill) was introduced in the Lok Sabha on December 11, 2019 , and was immediately referred to a joint committee of the Parliament. The joint committee published a press communique on February 4, 2020 inviting comments on the Bill from the public.
The Bill is the successor to the Draft Personal Data Protection Bill 2018 (Draft Bill 2018), recommended by a government appointed expert committee chaired by Justice B.N. Srikrishna. In August 2018, shortly after the recommendations and publication of the draft Bill, the Ministry of Electronics and Information Technology (MeitY) invited comments on the Draft Bill 2018 from the public. (Our comments are available here.)
In this post we undertake a preliminary examination of:
The scope and applicability of the PDP Bill
The application of general data protection principles
The rights afforded to data subjects
The exemptions provided to the application of the law
In future posts in the series we will examine the Bill and look at the:
The restrictions on cross border transfer of personal data
The structure and functions of the regulatory authority
The enforcement mechanism and the penalties under the PDP Bill
Scope and Applicability
The Bill identifies four different categories of data. These are personal data, sensitive personal data, critical personal data and non-personal data
Personal data is defined as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling”. (emphasis added)
The addition of inferred data in the definition realm of personal data is an interesting reflection of the way the conversation around data protection has evolved in the past few months, and requires further analysis.
Sensitive personal data is defined as data that may reveal, be related to or constitute a number of different categories of personal data, including financial data, health data, official identifiers, sex life, sexual orientation, genetic data, transgender status, intersex status, caste or tribe, and religious and political affiliations / beliefs. In addition, under clause 15 of the Bill the Central Government can notify other categories of personal data as sensitive personal data in consultation with the Data Protection Authority and the relevant sectoral regulator.
Similar to the 2018 Bill, the current bill does not define critical personal data and clause 33 provides the Central Government the power to notify what is included under critical personal data. However, in its report accompanying the 2018 Bill, the Srikrishna committee had referred to some examples of critical personal data that relate to critical state interest like Aadhaar number, genetic data, biometric data, health data, etc.
The Bill retains the terminology introduced in the 2018 Draft Bill, referring to data controllers as ‘data fiduciaries’ and data subjects ‘data principals’. The new terminology was introduced with the purpose of reflecting the fiduciary nature of the relationship between the data controllers and subjects. However, whether the use of the specific terminology has more impact on the protection and enforcement of the rights of the data subjects still needs to be seen.
Application of PDP Bill 2019
The Bill is applicable to (i) the processing of any personal data, which has been collected, disclosed, shared or otherwise processed in India; (ii) the processing of personal data by the Indian government, any Indian company, citizen, or person/ body of persons incorporated or created under Indian law; and (iii) the processing of personal data in relation to any individuals in India, by any persons outside of India.
The scope of the 2019 Bill, is largely similar in this context to that of the 2018 Draft Bill. However, one key difference is seen in relation to anonymised data. While the 2018 Draft Bill completely exempted anonymised data from its scope, the 2019 Bill does not apply to anonymised data, except under clause 91 which gives the government powers to mandate the use and processing of non-personal data or anonymised personal data under policies to promote the digital economy. There are a few concerns that arise in context of this change in treatment of anonymised personal data. First, there are concerns on the concept of anonymisation of personal data itself. While the Bill provides that the Data Protection Authority (DPA) will specify appropriate standards of irreversibility for the process of anonymisation, it is not clear that a truly irreversible form of anonymisation is possible at all. In this case, we need more clarity on what safeguards will be applicable for the use of anonymised personal data.
Second, is the Bill’s focus on the promotion of the digital economy. We have previously discussed some of the concerns regarding focus on the promotion of digital economy in a rights based legislation inour comments to the Draft Bill 2018.
These issues continue to be of concern, and are perhaps heightened with the introduction of a specific provision on the subject in the 2019 Bill (especially without adequate clarity on what services or policy making efforts in this direction, are to be informed by the use of anonymised personal data). Many of these issues are also still under discussion by thecommittee of experts set up to deliberate on data governance framework (non-personal data). The mandate of this committee includes the study of various issues relating to non-personal data, and to make specific suggestions for consideration of the central government on regulation of non-personal data.
The formation of the non-personal data committee was in pursuance of a recommendation by the Justice Srikrishna Committee to frame a legal framework for the protection of community data, where the community is identifiable. The mandate of the expert committee will overlap with the application of clause 91(2) of the Bill.
Data Fiduciaries, Social Media Intermediaries and Consent Managers
As discussed above the Bill categorises data controllers as data fiduciaries and significant data fiduciaries. Any person that determines the purpose and means of processing of personal data, (including the State, companies, juristic entities or individuals) is considered a data fiduciary. Some data fiduciaries may be notified as ‘significant data fiduciaries’, on the basis of factors such as the volume and sensitivity of personal data processed, the risks of harm etc. Significant data fiduciaries are held to higher standards of data protection. Under clauses 27-30, significant data fiduciaries are required to carry out data protection impact assessments, maintain accurate records, audit policy and the conduct of its processing of personal data and appoint a data protection officer.
Social Media Intermediaries
The Bill introduces a distinct category of intermediaries called social media intermediaries. Under clause 26(4) a social media intermediary is ‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services’. Intermediaries that primarily enable commercial or business-oriented transactions, provide access to the Internet, or provide storage services are not to be considered social media intermediaries.
Social media intermediaries may be notified to be significant data fiduciaries, if they have a minimum number of users, and their actions have or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India.
Under clause 28 social media intermediaries that have been notified as a significant data fiduciaries will be required to provide for voluntary verification of users to be accompanied with a demonstrable and visible mark of verification.
The Bill also introduces the idea of a ‘consent manager’ i.e. a (third party) data fiduciary which provides for management of consent through an ‘accessible, transparent and interoperable platform’. The Bill does not contain any details on how consent management will be operationalised, and only states that these details will be specified by regulations under the Bill.
Data Protection Principles and Obligations of Data Fiduciaries
Consent and grounds for processing
The Bill recognises consent as well as a number of other grounds for the processing of personal data.
Clause 11 provides that personal data shall only be processed if consent is provided by the data principal at the commencement of processing. This provision, similar to the consent provision in the 2018 Draft Bill, draws from various principles including those under the Indian Contract Act, 1872 to inform the concept of valid consent under the PDP Bill. The clause requires that the consent should be free, informed, specific, clear and capable of being withdrawn.
Moreover, explicit consent is required for the processing of sensitive personal data. The current Bill appears to be silent on issues such as incremental consent which were highlighted in our comments in the context of the Draft Bill 2018.
The Bill provides for additional grounds for processing of personal data, consisting of very broad (and much criticised) provisions for the State to collect personal data without obtaining consent. In addition, personal data may be processed without consent if required in the context of employment of an individual, as well as a number of other ‘reasonable purposes’. Some of the reasonable purposes, which were listed in the Draft Bill 2018 as well, have also been a cause for concern given that they appear to serve mostly commercial purposes, without regard for the potential impact on the privacy of the data principal.
In a notable change from the Draft Bill 2018, the PDP Bill, appears to be silent on whether these other grounds for processing will be applicable in relation to sensitive personal data (with the exception of processing in the context of employment which is explicitly barred).
The Bill also incorporates a number of traditional data protection principles in the chapter outlining the obligations of data fiduciaries. Personal data can only be processed for a specific, clear and lawful purpose. Processing must be undertaken in a fair and reasonable manner and must ensure the privacy of the data principal – a clear mandatory requirement, as opposed to a ‘duty’ owed by the data fiduciary to the data principal in the Draft Bill 2018 (this change appears to be in line with recommendations made in multiple comments to the Draft Bill 2018 by various academics, including our own).
Purpose and collection limitation principles are mandated, along with a detailed description of the kind of notice to be provided to the data principal, either at the time of collection, or as soon as possible if the data is obtained from a third party. The data fiduciary is also required to ensure that data quality is maintained.
A few changes in the application of data protection principles, as compared to the Draft Bill 2018, can be seen in the data retention and accountability provisions.
On data retention, clause 9 of the Bill provides that personal data shall not be retained beyond the period ‘necessary’ for the purpose of data processing, and must be deleted after such processing, ostensibly a higher standard as compared to ‘reasonably necessary’ in the Draft Bill 2018. Personal data may only be retained for a longer period if explicit consent of the data principal is obtained, or if retention is required to comply with law. In the face of the many difficulties in ensuring meaningful consent in today’s digital world, this may not be a win for the data principal.
Clause 10 on accountability continues to provide that the data fiduciary will be responsible for compliance in relation to any processing undertaken by the data fiduciary or on its behalf. However, the data fiduciary is no longer required to demonstrate such compliance.
Rights of Data Principals
Chapter V of the PDP Bill 2019 outlines the Rights of Data Principals, including the rights to access, confirmation, correction, erasure, data portability and the right to be forgotten.
Right to Access and Confirmation
The PDP Bill 2019 makes some amendments to the right to confirmation and access, included in clause 17 of the bill. The right has been expanded in scope by the inclusion of sub-clause (3). Clause 17(3) requires data fiduciaries to provide data principals information about the identities of any other data fiduciaries with whom their personal data has been shared, along with details about the kind of data that has been shared.
This allows the data principal to exert greater control over their personal data and its use. The rights to confirmation and access are important rights that inform and enable a data principal to exercise other rights under the data protection law. As recognized in the Srikrishna Committee Report, these are ‘gateway rights’, which must be given a broad scope.
Right to Erasure
The right to correction (Clause 18) has been expanded to include the right to erasure. This allows data principals to request erasure of personal data which is not necessary for processing. While data fiduciaries may be allowed to refuse correction or erasure, they would be required to produce a justification in writing for doing so, and if there is a continued dispute, indicate alongside the personal data that such data is disputed.
The addition of a right to erasure, is an expansion of rights from the 2018 Bill. While the right to be forgotten only restricts or discontinues disclosure of personal data, the right to erasure goes a step ahead and empowers the data principal to demand complete removal of data from the system of the data fiduciary.
Many of the concerns expressed in the context of the Draft Bill 2018, in terms of the procedural conditions for the exercise of the rights of data principals, as well as the right to data portability specifically, continue to persist in the PDP Bill 2019.
Exceptions and Exemptions
While the PDP Bill ostensibly enables individuals to exercise their right to privacy against the State and the private sector, there are several exemptions available, which raise several concerns.
The Bill grants broad exceptions to the State. In some cases, it is in the context of specific obligations such as the requirement for individuals’ consent. In other cases, State action is almost entirely exempted from obligations under the law. Some of these exemptions from data protection obligations are available to the private sector as well, on grounds like journalistic purposes, research purposes and in the interests of innovation.
The most concerning of these provisions, are the exemptions granted to intelligence and law enforcement agencies under the Bill. The Draft Bill 2018, also provided exemptions to intelligence and law enforcement agencies, so far as the privacy invasive actions of these agencies were permitted under law, and met procedural standards, as well as legal standards of necessity and proportionality. We have previously discussed some of the concerns with this approach here.
The exemptions provided to these agencies under the PDP Bill, seem to exacerbate these issues.
Under the Bill, the Central Government can exempt an agency of the government from the application of this Act by passing an order with reasons recorded in writing if it is of the opinion that the exemption is necessary or expedient in the interest of sovereignty and integrity, security of the state, friendly relations with foreign states, public order; or for preventing incitement to the commission of any cognizable offence relating to the aforementioned grounds. Not only have the grounds on which government agencies can be exempted been worded in an expansive manner, the procedure of granting these exemptions also is bereft of any safeguards.
The executive functioning in India suffers from problems of opacity and unfettered discretion at times, which requires a robust system of checks and balances to avoid abuse. The Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act) enable government surveillance of communications made over telephones and the internet. For drawing comparison here, we primarily refer to the Telegraph Act as it allows the government to intercept phone calls on similar grounds as mentioned in clause 35 of the Bill by an order in writing. However, the Telegraph Act limits the use of this power to two scenarios – occurrence of a public emergency or in the interest of public safety. The government cannot intercept communications made over telephones in the absence of these two preconditions. The Supreme Court in People’s Union for Civil Liberties v. Union of India, (1997) introduced guidelines to check abuse of surveillance powers under the Telegraph Act which were later incorporated in Rule 419A of the Indian Telegraph Rules, 1951. A prominent safeguard included in Rule 419A requires that surveillance and monitoring orders be issued only after considering ‘other reasonable means’ for acquiring the required information. The court had further limited the scope of interpretation of ‘public emergency’ and ‘public safety’ to mean “the prevalence of a sudden condition or state of affairs affecting the people at large and calling for immediate action”, and “the state or condition of freedom from danger or risk at large” respectively. In spite of the introduction of these safeguards, the procedure of intercepting telephone communications under the Telegraph Act is criticised for lack of transparency and improper implementation. For instance, a 2014 report revealed that around 7500 – 9000 phone interception orders were issued by the Central Government every month. The application of procedural safeguards, in each case would have been physically impossible given the sheer numbers. Thus, legislative and judicial oversight becomes a necessity in such cases.
The constitutionality of India’s surveillance apparatus inclduing section 69 of the IT Act which allows for surveillance on broader grounds on the basis of necessity and expediency and not ‘public emergency’ and ‘public safety’, has been challenged before the Supreme Court and is currently pending. Clause 35 of the Bill also mentions necessity and expediency as prerequisites for the government to exercise its power to grant exemption, which appear to be vague and open-ended as they are not defined. The test of necessity, implies resorting to the least intrusive method of encroachment up on privacy to achieve the legitimate state aim. This test is typically one among several factors applied in deciding on whether a particular intrusion on a right is tenable or not, under human rights law. In his concurring opinion in Puttaswamy (I) J. Kaul had included ‘necessity’ in the proportionality test. (However, this test is not otherwise well developed in Indian jurisprudence). Expediency, on the other hand, is not a specific legal basis used for determining the validity of an intrusion on human rights. It has also not been referred to in Puttaswamy (I) as a basis of assessing a privacy violation. The use of the term ‘expediency’ in the Bill is deeply worrying as it seems to bring down the threshold for allowing surveillance which is a regressive step in the context of cases like PUCL and Puttaswamy (I). A valid law along with the principles of proportionality and necessity are essential to put in place an effective system of checks and balances on the powers of the executive to provide exemptions. It seems unlikely that the clause will pass the test of proportionality (sanction of law, legitimate aim, proportionate to the need of interference, and procedural guarantees against abuse) as laid down by the Supreme Court in Puttaswamy (I).
The Srikrishna Committee report had recommended that surveillance should not only be conducted under law (and not executive order), but also be subject to oversight, and transparency requirements. The Committee had argued that the tests of lawfulness, necessity and proportionality provided for under clauses 42 and 43 (of the Draft Bill 2018) were sufficient to meet the standards set out under the Puttaswamy judgment. Since the PDP Bill completely does away with all these safeguards and leaves the decision to executive discretion, the law is unconstitutional. After the Bill was introduced in the Lok Sabha, J. Srikrishna had criticised it for granting expansive exemptions in the absence of judicial oversight. He warned that the consequences could be disastrous from the point of view of safeguarding the right to privacy and could turn the country into an “Orwellian State”. He has also opined on the need for a separate legislation to govern the terms under which the government can resort to surveillance.
Clause 36 of the Bill deals with exemption of some provisions for certain processing of personal data. It combines four different clauses on exemption which were listed in the Draft Bill 2018 (clauses 43, 44, 46 and 47). These include processing of personal data in the interests of prevention, detection, investigation and prosecution of contraventions of law; for the purpose of legal proceedings; personal or domestic purposes; and journalistic purposes. The Draft Bill 2018 had detailed provisions on the need for a law passed by Parliament or the State Legislature which is necessary and proportionate, for processing of personal data in the interests of prevention, detection, investigation and prosecution of contraventions of law. Clause 36 of the Bill does not enumerate the need for a law to process personal data under these exemptions. We hadargued that these exemptions granted by the Draft Bill 2018 (clauses 43, 44, 46 and 47) were wide, vague and needed clarifications, but the exemptions under clause 36 of the Bill are even more ambiguous as they merely enlist the exemptions without any specificities or procedural safeguards in place.
In the Draft Bill 2018, the Authority could not give exemption from the obligation of fair and reasonable processing, measures of security safeguards and data protection impact assessment for research, archiving or statistical purposes As per the current Bill, the Authority can provide exemption from any of the provisions of the Act for research, archiving or statistical purposes.
The last addition to this chapter of exemptions is that of creating a sandbox for encouraging innovation. This newly added clause 40 is aimed at encouraging innovation in artificial intelligence, machine-learning or any other emerging technology in public interest. The details of what the sandbox entails other than exemption from some of the obligations of Chapter II might need further clarity. Additionally, to be considered an eligible applicant, a data fiduciary has to necessarily obtain certification of its privacy by design policy from the DPA, as mentioned in clause 40(4) read with clause 22.
Though well appreciated for its intent, this provision requires clarification on grounds of selection and details of what the sandbox might entail.
 At the time of introduction of the PDP Bill 2019, the Minister for Law and Justice of India, Mr. Ravi Shankar Prasad suggested that over 2000 inputs were received on the Draft Bill 2018, based on which changes have been made in the PDP Bill 2019. However, these comments and inputs have not been published by MeitY, and only a handful of comments have been published, by the stakeholders submitting these comments themselves.
The deadline to link PAN cards with Aadhaar was extended to December 31 this week; the Election Commission ruled that voting rights of those excluded in the NRC process remain unaffected; the Home Minister proposed a digital census with multipurpose ID cards for 2021; and 27 nations including the US, UK and Canada issued joint statement urging for a rules-based order in cyberspace – presenting this week’s most important developments in law, technology and national security.
Aadhaar and Digital IDs
[Sep 23] Home Minister announces
digital census in 2021, proposed multipurpose ID card, Entrackr report; Business Today report.
[Sep 24] NRIs can now apply for
Aadhaar on arrival without 182-day wait, The Economic Times report.
[Sep 24] Aadhaar will be linked
to driving license to avoid forgery: Ravi Shankar Prasad, The Indian Express report.
[Sep 24] One nation, one card?
Amit Shah floats idea of all-in-one ID; here are all the problems with that
idea, Medianama report; Money Control report.
[Sep 24] Explained: Is India
likely to have a multipurpose national ID card? The Indian Express report.
[Sep 24] UIDAI nod to ‘voluntary’
use of Aadhaar for National Population Register rollout, The Economic Times report.
[Sep 24] Govt must decide on
Aadhaar-social media linkage:SC, Deccan Herald report.
[Sep 25] New law needed for
Aadhaar-social media linkage: UIDAI, The Economic Times report; Inc42 report.
[Sep 26] NPR process to include
passport, voter ID, Aadhaar and other details, Business Standard report.
[Sep 27] Gang involved in making
fake Aadhaar cards busted, The Tribune report.
[Sep 27] What will happen if you
don’t link your PAN card with Aadhaar by Sep 20, The Quint report.
[Sep 27] Explained: The National
Population Register, and the controversy around it, The Indian Express report.
[Sep 27] Aadhaar to weed out
bogus social security beneficiaries in Karnataka, Deccan Herald report.
[Sep 29] Bajrang Dal wants
Aadhaar mandatory at dandiya to keep ‘non-Hindus’ out, The Hindustan Times report; The Wire report.
[Sep 30] Kerala urges Centre to
extend deadline to link ration cards with Aadhaar, The News Minute report.
[Sep 30] PAN-Aadhaar linking
deadline extended to December 31, The Economic Times report.
[Sep 25] India’s regulatory
approach should focus on the regulation of the ‘core’: IAMAI, Livemint report.
[Sep 27] India may have to offer
sops to boost electronic manufacturing, ET Tech report; Inc42 report.
[Sep 27] Digital India, start-ups
are priorities for $5 trillion economy: PM Modi, Medianama report.
[Sep 29] Tech giants aim to skill
Indian govt officials in AI, cloud, ET CIO report.
[Sep 29] India’s share in IT,
R&D biz up in 2 years: report, The Economic Times report.
[Sep 24] Supreme Court to MeitY:
What’s the status of intermediary guidelines? Tell us by Oct 15, Medianama report.
[Sep 26] Will not be ‘excessive’
with social media rules, ay Govt officials, Inc42 report.
[Sep 26] Government trying to
balance privacy and security in draft IT intermediary norms, The Economic Times
[Sep 27] Citizens, tech companies
served better with some regulation: Facebook India MD Ajit Mohan, ET Tech report; Inc42 report.
[Sep 27] Balance benefits of
internet, data security: Google CEO Sundar Pichai, ET Tech report; Business Today report.
[Sep 25] Jadavpur University
calls upon ‘stakeholders’ to ensure free speech on campus, The New Indian
[Sep 28] RSS raises objections to
uncensored content of Maoj Bajpayee’s “The Family Man”, The Hindu report; Outlook report.
Privacy and Data Protection
[Sep 23] A landmark decision on
Tuesday could radically reshape how Google’s search results work, Business
[Sep 23] Google tightens its
voice assistant rules amidst privacy backlash, Wired report.
[Sep 24] Dell rolls out new data
protection storage appliances and capabilities, ZDNet report.
[Sep 24] ‘Right to be forgotten’
privacy rule is limited by Europe’s top court, The New York Times report; Live Law report.
[Sep 27] Nigeria launches
investigation into Truecaller for potential breach of privacy, Medianama report.
[Sep 29] Right to be forgotten
will be arduous as India frames data protection law, Business Standard report.
[Sep 30] FPIs move against data
bill, seek exemption, ET Telecom report; Entrackr report.
[Sep 26] Reconsider imposition of
data localisation: IAMAI report, The Economic Times report.
[Sep 27] Why data is not oil:
Here’s how India’s data localisation norms will hurt the economy, Inc42 report.
Digital Payments and Fintech
[Sep 23] RBI rider on credit
bureau data access has Fintech in a quandary, ET Tech report.
this was not the end of the conversation on the right to privacy, the recent
decision of the Supreme Court in the case of Amber
Tickoo vs Government of NCT of Delhi reignited the debate which
surrounds the right to privacy, specifically the right to privacy of minors.
The Amber Tickoo Case
September 2017, following the murder of a 4-year-old at Ryan
International School, Delhi education minister Manish Sisodiya made
to install CCTV cameras in every Delhi government school. These cameras
would cover not only the hallways and the common areas but also the classrooms.
Further, in December of the same year it was decided that the feed from these
cameras would be made available online for the parents to access.
In July 2019, a Delhi government school in
Lajpat Nagar became the first school fully equipped with CCTV cameras in all
classrooms. According to the government the next step would be to provide the
parents access to the live feed through a mobile app which they can access
using a password.
decisions of the Delhi government were challenged before the Supreme Court
though a public interest litigation in the Amber Tickoo case. The petitioners
argued that the installation of these cameras would result in an
infringement of the right to privacy ensured in the Puttaswamy judgement. They
also argued that making the live feed of students available online would
jeopardize the safety and security of the students.
the petition without granting any interim relief, and disposed
of the case. Consequently, the implementation of the programme will
see almost 1000 schools across Delhi equipped with CCTV camera’s by November.
Right to Privacy in Public
Puttaswamy judgement while broadly dealing with the issue of the right to
privacy, extended the right to privacy of individuals to the public space.
“If the reason for protecting privacy is the dignity of the individual,
the rationale for its existence does not cease merely because the individual
has to interact with others in the public arena. The extent to which an
individual expects privacy in a public street may be different from that which
she expects in the sanctity of the home. Yet if dignity is the underlying feature,
the basis of recognising the right to privacy is not denuded in public
spaces… Privacy attaches to the person and not to the place where it is
thus acknowledges that acts done by individuals in public spaces are not necessarily
public in nature, and that individuals would still be guaranteed the right to
privacy in such situations.
However, in this case, the right is not being extended to minors. In his interview, Akshay Marathe, a member of Delhi government’s Dialogue & Development Commission Task force on school education argues that classrooms cannot be considered to be private by ‘any stretch of imagination’. Following the principle laid down in the Puttaswamy judgement, despite classrooms being a public space, children still possess a right to privacy, since the right is attached to their person and not the space, they are in. The installation of CCTV cameras in classrooms would thus ignore these rights and appears to imply that minors do not possess the same right to privacy as adults.
CCTV cameras in Schools
government has supported its decision to install security cameras inside
classrooms for many reasons. The decision was made in response to incidents of
violence in schools such as the assault of a 4-year-old
girl . However, in
addition to assuaging safety concerns, the government also states
that having access to the live feeds from these cameras would bring down
delinquency and truancy complaints for children. This measure is also meant to
bolster the confidence of parents in the quality of education being imparted to
the students as they would personally be able to judge the performance of the
teachers via the live feed.
experiment with CCTV cameras in school is not a novel concept. Several other
jurisdictions have already implemented similar strategies in schools from
equipping teachers with two-way radios, to installing CCTV cameras in schools,
even in changing rooms. Almost 90%
of secondary schools in the UK are now equipped with security
cameras, and this constant surveillance has been criticized by many, including
the teachers. Research
suggests that pupils in UK are monitored as frequently as inmates in prisons
and customers at an airport.
conducted on CCTV surveillance of primary school children in Israel also
concludes that the cameras lead to a growing fear in the children that they
were constantly being recorded everywhere. The study also revealed a tension between
the normalisation of school surveillance, but increased resistance to other
surveillance among children which could eventually cause behavioural problems
in the children outside of school.
to the previous problems faced in the implementation of CCTV systems in
schools, the Delhi government also faces
increased concerns about the responsibility of the government
towards the children, as there are no laws which govern the use of CCTV cameras
in schools in India. The question of parental access to feeds is also in
question as the present digital infrastructure may not be able to support this
venture, and the government has given no answers on how it intends to validate
the identity of the parents on the smartphone app.
Rights of Minors
of minors differ in aspect and scope from the rights provided to adult citizens
of a state. As a vulnerable group of society, the state has chosen to
prioritise security concerns over the right to privacy of children. While the
installation of CCTV cameras in Delhi government schools is in the limelight
now, this is by no means the only policy of such a nature to be implemented in
the country. A bench at the Madras High Court recently directed
the Tamil Nadu transport commissioner to issue orders mandating the
installation of CCTV cameras and GPS in all school buses. Schools in Gurugram
are now also set to follow in the footsteps of the Delhi model where
the district education officer has called for all government schools to install
CCTV cameras. They also allow schools with a paucity of funds to seek
additional grants for the installation of these cameras.
installation of the cameras has generated
mixed reviews with parents being generally happy with the news and
teachers apprehensive about the same, the move has ignored some large concerns
relating to the scrutiny of minors. The livestreaming of the classroom feeds is
one such issue, due to the enormous scale of the process, it will be impossible
to ensure the safety of this feed. The feed can be accessed though a mobile app
and a password, which makes it vulnerable to leaks. There has also been no
research done to investigate the effect of such constant scrutiny on children
To sum up,
the right to privacy of children is often considered subjugated to other
concerns, this can most accurately be seen in the statement by CM Kejriwal which
states that “There will be no privacy breach, children go to school
for education, to learn discipline and become good citizens of the country…
they do not go there for anything private”. It also fully ignores the question
of illegal access to these live-feeds by unauthorized parties arguing
that “Hypothetically even if one does get access, he will only see
40 kids studying. Nothing more can be obtained out of it.”
decision to install CCTV cameras in schools ultimately
made to benefit students and bolster the security in schools
following recent events. However, the move to live-stream feeds from these
classrooms has come under considerable scrutiny, with the Government School
Teachers Association protesting
the same. Following the refusal of the Supreme Court to intervene on the
matter, Delhi schools are set to implement the policy, with other places
With the G20 Summit in Osaka easing trade tensions between the US and China, India has seen a week of developing policy positions on data localisation, tech startups and the fate of telecom providers — presenting this week’s most important developments in law and tech.
[June 24] New Aadhaar regulations by Government to bring it back
in full force, will be voluntary, India Today report.
[June 24] Aadhaar bill introduced amid opposition protests, The
Live Mint report.
[June 25] Bill on Aadhaar tabled, ‘doesn’t violate privacy’, The
[June 29] One nation, One ration card’
scheme from July 1, 2020, The Hindu report.
[June 28] Myanmar: Internet Shutdown Risks Lives, Human Rights
[June 27] Modi Government stops advertising in The Times Group,
The Hindu and The Telegraph news paper, PGurus report;
[June 28] Modi Government
freezes ads placed in Times of India, The Hindu and The Telegraph, The Wire report;
The Deccan Herald report.
[June 24] UAE data protection law, similar to GDPR, likely landing
this year, Tech Radar report.
[June 27] Home, IT Ministries discuss
data protection bill, The Hindu report.
[June 27] National Centre being planned
to hold and manage all public data, The Economic Times report;
The Quint report.
[June 26] Data storage rules out of e-commerce policy, Live Mint report;
CNBC TV18 report;
[June 26] Government to decide if data issues need to be out of
e-commerce policy, The Economic Times report.
[June 27] Personal data storage:
Government not in a mood to dilute data localisation rule, Financial Express report.
[June 28] India stands by data
localisation at G-20 summit, US opposes it, ETtech report.
[June 28] Data Localisation: What India
can dictate, and what she can’t, Business Today report.
[June 29] India surrenders to US
pressure on ‘data localisation’: Piyush Goyal and RBI send out confusing
signals, National Herald report.
[June 26] Not ready for global e-tail rules, India to tell G-20,
ET Tech report.
[June 26] India to come out with national e-comm policy within 12
months: Piyush Goyal, ETtech report.
[June 27] The E-Commerce disaster that
never was, The Economic Times report.
[June 30] Draft e-comm policy, data
protection may figure at India-EU meet in Brussels on July 4, Your Story report.
[June 26] Digital literacy drive needs more funds: MeitY, The
Hindu Business Line report.
[June 27] RBI Committee recommends setting up Universal Enterprise
ID, linkage across individual and enterprise PAN, Medianama report.
[June 27] MeitY expenditure under
Digital India at Rs. 3,328 cr in 2018-19: Ravi Shankar Prasad, The Economic
[June 27] SEBI approves DVRs for tech startups, ETtech report.
[June 28] Indian startups cheer differential voting rights, ETtech
[June 28] Nitin Gadkari proposed Alibaba like platform for MSME
sector, Entrackr report.
[June 30] India’s OTT market will grow
at 21.8% CAGR, PwC report says, ET Telecom report.
[June 25] Digital India’s response readiness against cyber attacks
is frail, lack of online security awareness biggest weakness, Firstpost report.
[June 27] To avoid Huawei like situation, India plans desi
WhatsApp for official communication ET Telecom report;
[June 28] Infosys cyber security unit sees rising demand as
threats mount, ET Tech report.
[June 29] US FDA warns of cybersecurity
risk to certain Medtronic insulin pumps. Live Mint report.
[June 29] Indian manufacturing industry
at high cyber risk, The Asian Age report.
[June 29] Average DNS attack cost rises
by 19% to $814,150 in APAC, ET Telecom report.
[July 1] As cyber attacks increase,
Indian IT clients seek stricter contracts, more audits, ET Tech report.
[July 1] China increases cybersecurity
industry development, Global Times report.
[June 24] DoT may move SC against Airtel, Tata Tele merger, The Economic Times report.
[June 26] Broadband forum seeks lower 5G spectrum prices, change in auction design, ET Telecom report.
[June 26] Government gets 6 proposals for 5G trials, including Huawei, The Economic Times report.
[June 27] Lack of 4G, staff costs slow down BSNL, MTNL, ET Telecom report.
[June 27] DoT, MeitY eye EU ‘toolbox’ to address 5G-related concerns, The Economic Times report.
[June 28] Telcos’ health needs to be vetted before 5G pricing, ET Tech report.
[June 28] Modi, Trump discuss India-US collaboration in 5G tech, ET Tech report.
[June 30] DoT will move cabinet with BSNL, MTNL package: Ravi Shankar Prasad, ET Telecom report.
[July 1] Ericsson, Nokia assure telcos of speedy 5G rollout, ET Telecom report.
More on Huawei
[June 24] Huawei offers to sign ‘no-backdoor’ pact with India
govt, telcos to underline security commitment: CEO, The Economic Times report.
[June 24] UK’s approach to Huawei is flawed warns Ericsson’s US
boss, Financial Times report.
[June 26] Nokia warns UK over using rival Huawei’s 5G kit, BBC report.
[June 26] Huawei claims 50 commercial 5G deals globally amid
uncertainty in India, ET Telecom report.
[June 26] US-China trade war in 10 dates, ET Telecom report.
[June 26], Huawei’s telecom equipment is
more likely to have flaws than rivals’ claims report by US cybersecurity
company Finite State, Tech Radar report.
[June 26] India, US to discuss Huawei’s role in 5G trials, The Economic
[June 26] India may let Huawei conduct 5G trials defying trump
ban, International Business Times report.
[June 27] Tech companies find legal ways around Huawei blacklist,
ET Telecom report.
[June 27] Medianama’s Huawei roundup:
Promise of ‘no backdoor’ pact, 5G trial proposal and more.
[June 27] Huawei personnel worked with China’s military on
research projects, The Economic Times report.
[June 28] How the Huawei issue affects
India, The Economic Times report.
[June 28] Nokia’s CTO slams Huawei after
‘potential backdoors’ found in 55% of its devices, Forbes report.
[June 29] Nokia distances itself from
CTO comments about Huawei, Tech Radar report.
[June 28] As Trump and Xi talk trade.
Huawei will loom large, The New York Times report.
[June 29] Trump surprises G20 with Huawei concession: US companies
can sell to Huawei, Forbes report;
Live Mint report.
[June 30] Huawei lifeline shows Trump
prefers business deals over cold war, Live Mint report.
[July 1] Google gets nod to license
Android for Huawei, ET Telecom report.
[June 26] Google accused of working to prevent Trump return in 2020, ET Tech report.
[June 26] Next Google Chrome browser extension to increase data protection, Mediapost report; Forbes report, Medianama report.
[June 26] Google and University of Chicago sued over data sharing, The New York Times report.
[June 28] Italy stings Facebook with $1.1 million fine for Cambridge Analytica data misuse, TechCrunch report.
[June 29] Google may have leveraged Android unfairly, says CCI, Inc42 report.
[June 30] Spotify leaking use data with music labels: Report, ET Telecom report.
Emerging Tech/ AI
[June 22] White House updated national artificial intelligence
strategy, Defense One report.
[June 24] Tech Mahindra unveils AI-based Humanoid HR for its Noida
facility, Business Standard report.
[June 25] IT firms are buying niche firms to grow in emerging
areas like IOT, ET Tech report.
[June 27] Commission-appointed panel publishes recommendations for
artificial intelligence research. Science business report.
[Read the full report of the High Level Expert Group appointed by the European
Data exchange flowing from the EU (specifically the European Economic Area) to the US currently has no legal framework regulating it. Does it mean that any data transfer from EU to US is illegal? In my previous post on the issue I mentioned that the old agreement regulating the data transfer had been struck down at the Court of Justice of the European Union (CJEU). National data protection authorities in the EU have taken a pragmatic step by holding back on attacking all data transfer, until a new agreement is reached to replace the old Safe Harbour Agreement.
A breakthrough in this respect came about a couple of weeks back, with the European Commission announcing that they have agreed on a new framework to protect the rights of individuals who give data to US companies that process the data in their local servers. The agreement once finalised will replace the Safe Harbour principles in order to legalise the data transfer. This new framework, called the US-EU Privacy Shield, has three sets of strong obligations: data handling, transparency, and redress mechanisms.
The first major obligation is on US companies to make and publish commitments on data protection and individual rights. These commitments hold them accountable to US Federal Trade Commission (FTC), as well as the diktats of the European Data Protection Authorities (DPAs). The second consists of restrictions on surveillance practices by US state authorities. Any kind of surveillance will now be subject to clear limitations, safeguards and oversight mechanisms, and the methods will be only those that are necessary and proportionate. Mass surveillance has been completely ruled out, and meetings to review these practices have also been planned for future follow-up. The third part of this arrangement consists of a redress mechanism. European DPAs can refer cases to the US Department of Commerce and the FTC, and the option of alternate dispute resolution is also provided.
The parties are now working towards the measures required to put the new agreement in place, specifically the US, who will try to formalise the commitments made in the agreement. The European Commission on the other hand is preparing a draft for an ‘adequacy decision’ that member states can adopt to formalise the process on the EU side. The full text of the agreement is expected to be made available in the coming weeks.
The agreement has also come under criticism from privacy experts, who claim that the agreement suffers from the same weaknesses of the Safe Harbour agreement. They argue that this agreement is a mere political compromise that does not help protect the rights and data of users. This would require amendments to the national laws in both locations. Controversial provisions in US law that continue to authorise infringements on users’ rights are still effective, like Section 702, which allows for surveillance of data relating to non-US persons to be carried out in the US. Executive Order 12333, which deals with surveillance outside of the US, has no legal oversight mechanism whatsoever. It is these laws that will need amendments in order to make surveillance subject to conditions of necessity and proportionality.
The other persistent problems which have remained include the provision for self-certification, which provides inadequate protection against ensuring enforcement of privacy standards. A recent amendment to a Bill which would provide redress mechanisms for EU users to enforce rights over their personal data, also adds to the problems which plague the possible effectiveness of the new agreement. The long term solution to this situation does not look like it will arise from a single event or set of negotiations, and we now await the release of the full text of the agreement to see where we can go from here.
The post originally appeared in The Hindu on 31st July 2015.
The Attorney General’s argument questioning the right of Indians to privacy is wrong on two counts. But worse, it goes against the interests of the people on every count.
“While opinions may vary about Aadhar, the government is expected to act in the best interests of the people.” Picture shows biometric particulars being collected in Tamil Nadu. Photo: K. Ananthan
The last ten days have spelt dark times for the right to privacy. On one hand, the DNA Profiling Bill, which may result in a database of sensitive personal data with little to prevent its misuse, is being tabled in Parliament. On the other hand, the Attorney General took a shocking position in the Supreme Court of disputing the very existence of the right to privacy in the Aadhar case.
Undermining decades of evolution of this right through Supreme Court judgments, Mukul Rohatgi argued that it is necessary to put together a constitutional bench to determine whether the citizens of India have a right to privacy.
He is in the wrong for two reasons. The first is technical: he is mistaken in his assertion that M.P. Sharma v Satish Chandra and Kharak Singh v. the State of U.P. created legal doctrine that is no constitutional right to privacy. The second reason is political. A lawyer holding the Attorney General’s office should consider the appropriateness of using that office and public resources when denying that Indian citizens have privacy rights, which are universally recognised human rights. This is all quite apart from the fact that India has ratified the International Covenant on Civil and Political Rights, which unequivocally supports the existence of the right to privacy. The United Nations has gone so far as to create a Special Rapporteur on the right to privacy this year. In the context of US surveillance of its citizens, the Indian government has acknowledged the existence of the right to privacy.
In the Constitution
The two decisions that Mr. Rohatgi references did not raise questions about the right to privacy as a whole. Both confined themselves to the limited question of whether principles mirroring the US Fourth Amendment may be read into the Indian Constitution, which is only one element of the right to privacy. The M.P. Sharma case did this while ascertaining if there are any constitutional limitations to the government’s search and seizure of people’s homes, persons and effects; and the Kharak Singh case did this in the context of physical surveillance of ‘history sheeters’.
In M.P. Sharma, the judgment states, “When the Constitution makers have thought fit not to subject such regulation to Constitutional limitations by recognition of afundamental right to privacy, analogous to the American Fourth Amendment, we have no justification to import it into a totally different fundamental right by some process of strained construction” (emphasis added). This makes it clear that it is not the right to privacy as a whole that is being referred to. The American Fourth Amendment pertains to the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures”, not to the right of privacy in its entirety.
The M.P. Sharma judgment goes further to say, “It is to be remembered that searches of the kind we are concerned with are under the authority of a Magistrate… When such judicial function is interposed between the individual and the officer’s authority for search, no circumvention thereby of the fundamental right is to be assumed.” This makes it evident that the court desisted from intervening because it saw the requirement of a Magistrate’s order as safeguard enough.
Similarly, although the judgment in Kharak Singh contains the sentence with the ominous beginning “as already pointed out, the right of privacy is not a guaranteed right under our Constitution”, this sentence cannot be taken out of context. The ‘already pointed out’ refers to an earlier portion of the same judgment in which the court quotes the U.S. Fourth Amendment, and then declares that our Constitution does not confer any ‘like constitutional guarantee’. This makes it clear that it is the Fourth Amendment text specifically that the court was referring to.
The court also belied its own position by finding that unauthorised intrusion into a person’s home violates the common law principle of “every man’s house is his castle”. The judgment explicitly takes the position that Article 21 is a repository for residual personal liberty rights, leaving it open for future reading of such rights into Article 21.
It is apparent that the two cases do not rule out a broad constitutional right to privacy. It is almost impossible to consider the right to privacy in its entirety in a single case since it is a bundle of rights including everything from safeguards against unauthorised collection of personal data to restrictions on intrusion into private spaces. The cases that have emerged from the Supreme Court over the years make this apparent.
Different elements of privacy rights have been read into our right to life and our right to free expression. We have a right against untrammelled interception of our communication, and against doctors divulging personal medical information. Long before the Constitution or the Constituent Assembly came into being, the right to privacy of women in purdah was acknowledged by common law, which forbade the building of balconies above their quarters. We do, therefore, have a rich history of enforcing the right. Like many other nations, we called it by different names and have found it within legal and cultural norms unique to India.
It is common for lawyers to use every strategy they can to win cases but the Attorney General is no ordinary lawyer. S/he is a constitutional authority. It is inappropriate for someone of that stature to argue that the people of India do not have a right to privacy. Former Attorney General Niren De was criticised sharply for telling the Supreme Court that it could be helped if the right to life was violated during Emergency. Mr. Rohatgi’s argument is comparable.
This is a democracy, and while opinions may vary about Aadhar, the government is expected to act in the best interests of the people. Here, we have the Attorney General stepping away from arguing that the government’s actions are in the interests of the people to say that the people do not have rights in the first place.
It is not a case of the government’s lawyer arguing for the prevalence of the wider community’s interests over individual rights, or disputing what is in the interests of the majority of citizens. Mr. Rohatgi, on behalf of the Indian government, is making an argument that is blatantly against the rights and interests of all citizens of India.
Interestingly, the argument runs contrary also to the Minister of Communications and Information Technology’s statements recognising citizens’ right to privacy in the context of both US and Indian surveillance.
Time to clarify
This incident is about more than an argument made in court. It is a serious problem if the Union government makes statements that respect privacy and then takes actions that attempt to destroy it. It is also inconsistent for the government to argue internationally that the U.S. has violated Indian citizens’ right to privacy and then to argue before the Supreme Court that Indian citizens do not have the right to privacy.
Under the circumstances, it is necessary for the government to issue a statement clarifying its stand, which I hope will consist of some form of support for citizens’ privacy rights. Once this is clear, perhaps the Attorney General could continue the arguments that take his client’s wishes into account.
A clear statement from the Prime Minister’s office might also enable other ministries to ensure that they embed this right in their policies. This, for example, might have gone a long way in ensuring that cast-iron privacy safeguards were added to the DNA Profiling Bill.
Ignoring the right to privacy will not only affect India’s ‘global image’ more than any critical documentary does, it will also complicate international commercial relations. Who would send their information or employees to a country that disregards its residents’ right to privacy?
In a writ petition challenging the Indian government’s tacit insistence on citizens using Aadhar cards for public services, the Supreme Court passed an interim order on Monday asking the government to make sure that no citizen is denied services for not possessing an Aadhar card.
A bench comprising justices B. S. Chauhan and S. A. Bobde directed the union government to ensure that “no person should suffer for not getting the Adhaar card inspite of the fact that some authority had issued a circular making it mandatory”.
The court also asked the government to make sure that Aadhar cards are not being given to illegal immigrants: “it may be checked whether that person is entitled for it under the law and it should not be given to any illegal immigrant.”
In the instant case, a retired judge of the Karnataka High Court was told that he would not be paid his salary and dues, unless he got himself an Aadhar card. Unwilling to accept this, he filed a petition in the Bombay High Court.
An excerpt from a Press Trust of India report carried by Business Standard:
During the brief hearing, the bench of justices B S Chauhan and S A Bobde was told that despite the fact that the Aadhar card is “voluntary” in nature, an order has been issued by the Registrar of the Bombay High Court in pursuance of an order of the state government that it would be necessary for disbursal of salary of judges and staff also.
“The scheme is complete infraction of Fundamental Rights under Articles 14 (right to equality) and 21 (right to life and liberty). The government claims that the scheme is voluntary but it is not so.
“Aadhar is being made mandatory for purposes like registration of marriages and others. Maharashtra government has recently said no marriage will be registered if parties don’t have Aadhar cards,” senior advocate Anil Divan, arguing for Justice (retd) K S Puttaswamy, former judge of Karnataka High Court, said.