By Stephen Mathias
A nine judge constitutional bench of the Supreme Court of India has held the right to privacy is a fundamental right under the Constitution of India. Most notably, the decision was unanimous with 9 judges coming to the same conclusion through six separate judgments. Justice DY Chandrachud wrote the main judgment for himself and three other judges.
The court has held the right to privacy is part of the right to life and is on similar terms with the right to human dignity. The judgments have by and large held the view the right to privacy is also part of the “freedom rights” under Article 19 (right to speech, movement, etc) or under all of the fundamental rights enumerated in Part III of the Constitution. In arriving at this conclusion, the court examined past case law in India dealing with the right to privacy, as well as court decisions and jurisprudence in numerous other countries, including the US, EU, Canada and South Africa.
What does this decision portend for India? For a start, it will result in a paradigm shift in the way the government deals with personal information. Up till recently, not only has there been little protection of personal information but the government has largely practiced a “no privacy” policy. Large amounts of citizen data are freely available on government databases on the internet. In this digital age, this is becoming increasingly dangerous as it makes it easy for individuals to become victims of identity theft.
The judgment probably paves the way for the enactment of a comprehensive privacy legislation. Indeed, India will be one of the last remaining democracies in the world to enact a privacy law; most of North America, Europe, Japan, and the ASEAN region already have comprehensive privacy regulation in place. The government recently appointed a committee to recommend a framework for data protection and to prepare a draft enactment. So perhaps we are going down the right path already.
For supporters and opponents of Aadhaar, their euphoria and disappointment over the judgment is somewhat misplaced. Those who support Aadhaar have argued the social and economic benefits of Aadhaar far outweigh privacy concerns. It is more important to feed a poor man than worry about his privacy, so goes the argument. Opponents of Aadhaar believe its implementation is now in doubt and may collapse under constitutional challenge before the Supreme Court.
There is however a middle path, one I have been advocating for some time. The problem with Aadhaar is not so much with the biometric and other basic information that the UIDAI collects. That is undoubtedly important and needs to be protected, but some protection is already available under the Aadhaar Act.
The key concern with Aadhaar relates to information about individuals which is touched by the Aadhaar number. As Aadhaar is used for more and more government and quazi-government services, more and more databases will have your Aadhaar number in them. Once these databases are connected, a government official can, with a click of a mouse and some reasonably simple data analytics tools, engage in very extensive profiling. Indeed, such a profiling has never before been done in the history of the world and the consequences are nothing short of frightening.
With this ruling, the Government will be forced to frame rules that guide when an individual’s personal information can be accessed and in what manner it can be used. Thereafter, Aadhaar can continue to be implemented and indeed, made mandatory for more services. As for those who wish to live without Aadhaar, this ruling is unlikely to help them. The right to privacy cannot result in an unfettered right to be left alone. Indeed, the judgments reiterate that government actions can limit the right to privacy provided it is done in a manner that meets the standards already laid down by the court to test infractions of fundamental rights.
A privacy law will have many other benefits, such as promoting greater reliability for India as a destination for offshoring or for the Government to deal with real privacy threats resulting from the increasingly digital world that we live in. The argument has been made that Aadhaar is no different from individuals divulging their personal information on social media sites. While there are significant differences between Aadhaar and such conduct and that should be debated separately, a privacy law will give the Government the framework to deal with these kinds of issues as well.
In enacting a privacy law, we need to be circumspect, drawing on the experiences of other countries. Privacy law is a fairly complex field; this is because personal information exists in so many different sectors – education, healthcare, banking, telecom, to mention just a few. Regulations need to take into account all sorts of different scenarios.
Indeed, one of the key requirements of a privacy law is a technology savvy and nimble Information Commissioner who can move quickly to adjust regulations to deal with real life scenarios which will play out regularly during the initial years. Further, the privacy authority needs to co-ordinate efforts with other sector based authorities, such as for example, the RBI in the banking space, so that multiple regulations can be implemented harmoniously.
We have every reason to celebrate, to be proud of our Supreme Court. This moves the country forward. But we have miles to go before we have a developed privacy ecosystem in place, with a statute, regulations and a sophisticated regulatory authority.
Stephen Mathias is a technology lawyer with law firm Kochhar & Co. with a specialisation in privacy law.