Last Updated on by Admin LB
This article is written by Melvin John Joseph, and the title is The enduring impact of the ‘Right to Privacy Judgement’: An analysis of the current and prospective Data protection regimes in India.
The Personal Data Protection Bill of 2021 is projected to be passed by the parliament in its upcoming session. A proper understanding of the prospective impact of said legislation may be contingent upon a direct analysis of the Supreme Court judgement that induced the drafting of the bill, as well as an audit of the legislative, administrative and societal repercussions of the same.
In the case of Justice K.S Puttaswamy (Retd.) v. Union of India and Ors (2017), the Supreme Court addressed the question of whether the constitution guaranteed the fundamental right to privacy. The same was to determine whether the norms and methods utilized in the compilation of demographically-focused biometric data, required for the Aadhaar database, were adherent to the provisions of the constitution. The Court proceeded to determine that the ‘right to privacy’ is a fundamental right. It was held as an intrinsic component of ‘the right to life and personal liberty’, as protected under Article 21, as well as the freedoms enumerated within Part III of the Constitution.
The SC rejected the argument that the advancement of welfare objectives had explicit precedence over the right to privacy, but it also indicated that the fulfillment of welfare objectives could be considered as legitimate reasoning for the controlled infringement of the right to privacy, provided that reasonable restriction are met.
The inhibition and/or limiting of interference into the private lives of citizens’ from both state and non-state entities, was a prospect that was examined on the basis of both the specific autonomy that the right bestowed upon the individual, as well as the legislative, administrative, contractual and socio-economical determinants, that could potentially impede the proper exercise of the same.
Direct implications of the aforementioned judgement (upon the Aadhar systems)
The judgment was a peripheral address of the constitutional challenge brought against The Aadhaar (Targeted Delivery of Financial And Other Subsidies, Benefits And Services) Act, 2016, specifically whether the collection of personal information such as biometric information, by the government, satisfied the basic tests of Article 14 and 21. The government-mandated manner of utilization of the Aadhaar Card was also scrutinized under the privacy judgment.
The RBI’S Know Your Customer Direction of 2016 required entities regulated by the RBI to conduct a customer identification process, while processing virtual transactions. Section 57 of the Aadhaar Act, allowed private companies to utilize Aadhaar numbers for the identification of customers, for an unspecified range of commercial purposes, pursuant to a signed contract. Provided compliance to the relevant regulations, these entities could also commercially circulate the e-KYC data of their customers.
The Supreme Court adjudged the section as being violative of the fundamental right to privacy, and partially dismantledthe same. The authority made available to private entities under the provision was regarded as disproportional to the objective sought, as it substantially elevated the potential for commercial exploitation of customers.
Additional legislative and judicial implications
After the analysis of different definitions of privacy, based on both scholastic writings, as well as Indian and foreign judgments, the court specified principal elements of the same, namely, personal privacy (bodily, special, associational and behavioural privacy), informational privacy, decisional privacy and the privacy of movement. Such stratification was considered to be potentially helpful to lawmakers in being especially mindful of the fundamental right, in the framing of prospective legislation.
Privacy has been established as inviolable, and therefore cannot be considered as being subject to amendment or annulment, based on the immediate determination of the legislature. That is, an abridgement of the same is to fulfil a higher standard of qualification, as evidenced in the 2019 case of Vineet Kumar vs. Central Bureau of Investigations and Ors, where it was held that the state only possessed highly limited (and non-intrusive) authority to surveil its citizens (under the provisions of Section 5(2) of the IT Act, provided that the matter was not prescient for ensuring public interest of public safety.
As far as legitimate restrictions upon the Right to privacy are concerned, infringement may be based on the provisions of a legislation that satisfies the test of permissibility, as applicable to the ‘right to personal liberty’, the same was specifically iterated in the Menaka Gandhi case. Judicial Warrants may also be issued for intrusive search and seizure procedures, provided that the same is adjudged as being necessary for the protection of state interests. Depending on the case, executive or administrative actions may also facilitate the placement of a degree of restriction upon the exercise of the right
The Judgment directly dealt with informational privacy, even though it substantially focused the discussion upon the manner in which the government intends to utilize the same. The commercial exploitation of an individual’s identity and private information, especially in the contexts of online transactions, both monetary and informational, was addressed by the court. A certain level of command over the matter being assigned to the citizen was considered as being imperative. That is, the right to privacy allows people to prevent the commercial use of their digital imprint, such as their image or any other private information, or the dissemination of the same, without their consent.
While the government’s encroachment upon privacy are to be regulated by constitutional tests, that monitor the presence of a legitimate state aim (article 14), statutory validity of the state-action, as well as the situational proportionality of the same, the regime proposed by the court would not impose similar standards upon non-state entities. Such a distinction,made specifically to facilitate innovational and market freedom, was still underlined by an assertive endorsement for the creation of a new data protection law
The cataloguing and analysis of internet-user data by companies, for commercial designs such as targeted marketing, was also discussed. The judgement emphasized the necessity for regulations in regards to the collection, and subsequent use of ‘big data’ by non-state entities, as well as the need for safeguards guarding such information from unsecured access by the state.
In pursuance of the same, MeitY introduced The Personal Data protection Bill in 2019. The bill drafted by a committeeunder the chairmanship of Justice B N Srikrishna, advanced proposals that included the introduction of a National Data protection authority, as well as the placement of increased priority upon procedures and regulations, that would restrict the data collection, while promoting data localisation, and explicit consent requirements.
The bill was refered to a Joint Parliamentary Committee, which reviewed the same and submitted the Data Protection Bill of 2021 to the Parliament. The proposed legislation deviates from the original bill as it places considerable focus upon non-personal data, and also imposes restrictions upon the data collection practices of social media companies.
In the context of the aforementioned bill, which is projected to be passed by the parliament in its upcoming session, considerable strides can be potentially made in regards to data protection, as far as corporate overreach is concerned, and while there are legitimate concerns in regards to governmental obtrusion, the bill does introduce necessary regulations governing non-state in the matter
But as far as state intrusion is concerned, the restrictions established by the privacy judgement in regards to government surveillance, both targeted and large scale, have most probably contributed in the state recently passing such programmes, exclusively under the official grounds of ‘maintenance of national security and/or public safety’. The actual necessity, proportionality and functionality of these measures have widely varied. Since the judgement, several government proposals and preliminary authorizations have been advanced, for the establishment or development of systems or initiatives that are either broadly intrusive or directly violative of the right to privacy.
The instances of the same include, the separate propositions extended by the Ministry of Information Broadcasting and UIDAI for the institution of a National Social Media Monitoring authority, and the 2019 notification from the Ministry of Home Affairs that afforded the blanket authority to several intelligence agencies for the access and monitoring of digitized information, as they saw fit. The income tax department’s ‘project insight’ programme also falls under the above classification. Collection of private data has also been conducted on similar principles, as evidenced by the emphatic state-support behind the Vaahan database, and the commendation its data-monetisation scheme received from the National Economic Survey.
Therefore, the proper imposition of the stipulation espoused within the judgement, may be contingents on the passing of data protection legislation, specifically designed for the protection of individual rights, which in addition to the previously proposed regulations, also comprises comprehensive reformatory provisions in regards to mass surveillance, while also installing a judicial-oversight mechanism for targeted surveillance.