Editor's Note: This copy was published on 25 April, 2018. It is being republished in light of the Supreme Court's verdict on the constitutionality of Aadhaar likely being pronounced tomorrow.
On Day 32 of the Aadhaar hearings, senior counsel Rakesh Dwivedi continued his arguments on behalf of the state. First, he argued that the reasonable expectation of privacy, in terms of permissible invasions of the right to privacy, was not subject to the standard of the least intrusive invasion, as argued by the petitioners. Instead, the standard was whether the invasion was proportional to the state's purpose for which it (the invasion) was being made.
He further disputed the applicability of many of the foreign judgments cited by the petitioners in support of their arguments. Lastly, the issue of metadata was discussed, where he argued that the metadata collected was in relation to the machine, and not the person.
No reasonable expectation of privacy in the public sphere
Dwivedi commenced his arguments for the day with a discussion on the reasonable expectation of privacy. He first quoted a judgment from the Constitutional Court of South Africa, which found that privacy is the strongest in the inner sanctum of the mind, but shrinks as you move outside into the world. Based on this, he questioned if private life is entitled to protection outside the home, since there, people often give up their privacy. He further argued that in Europe, the concept of a reasonable expectation of privacy was not considered by the Courts, making US and UK laws and judgments more relevant in the Indian context.
Next, it was argued that in India there is a need for innovation and development of knowledge, along with the right to privacy. The correct test, he argued, was therefore not whether the invasion of privacy was least intrusive, but whether it was proportional to the purpose sought to be achieved. To emphasise the purpose sought to be achieved through Aadhaar, he quoted from the Puttaswamy judgment, arguing that ensuring that welfare benefits are not dissipated is a vital state interest.
Expectation of privacy varies according to the context
Next, he argued that in the public sphere, the right to privacy is diluted. The entire Aadhaar project, he argued, is in the public sphere. Privacy concerns or reasonable expectation of privacy, further, could not be attached to information collected via Aadhaar, like demographic information and photographs. He further argued that since at the requesting entity level, the entities and the information in them are dispersed and decentralised, these don’t deserve the same level of protection as the CIDR storing centralised information.
The Bench, here, observed that core biometric information has higher privacy concerns, but this does not imply that there are no concerns with other information. Dwivedi agreed, stating that his point was that the reasonable expectation of privacy varies according to context.
Applicability of EU and US judgments
Next, he argued that 120 countries use biometric information, and nineteen European countries use biometric ID cards. Neither the Court of Justice of the European Union nor the European Court of Human Rights ever expressed any issue with such biometric cards.
Further, he argued that there was no need to refer to European laws for tests on proportionality for an invasion of privacy since this had already been developed by the Indian Supreme Court in the case of State of Madras v. VG Row. The Supreme Court, he argued, has never accepted the proposition that a restriction of fundamental rights must be the least intrusive one.
He also cited the US judgment of Ohio v. Akron, which dealt with disclosure requirements to authorities in relation to abortions, and Doe v. Reed, which dealt with the disclosure of signatures on a referendum campaign. Further, he cited the UK judgment of Wood v. Commissioner of Police, which held that taking of photographs in itself does not violate privacy.
Marper case supports the case for the State
Further, Dwivedi also argued that the ECHR’s judgment in S and Marper v. UK, which had been quoted extensively by the petitioners, was actually in support of the State’s arguments. He argued that in Marper, it was held that whether retention of data raises privacy concerns depends on the context. He further argued that Marper had been decided in a very specific context, which was different from Aadhaar.
First, a difference had been drawn out between collection of fingerprints and the collection of DNA. DNA collection was held to be an issue because it contained non-neutral information. Fingerprint collection was also held to be non-neutral when collected in the context of crime. Aadhaar, it was argued, does not deal with the collection and retention of data in the context of crime, and also does not involve the collection of DNA. Further, he argued that Marper discussed appropriate safeguards, not 100 percent safeguards.
He also argued that most of the cases cited by the petitioners were, similarly, in the context of crime or about censuses, and therefore inapplicable in the context of Aadhaar.
Aadhaar only collects limited technical metadata
Dwivedi next turned to the issue of metadata. He argued that the cases cited by the petitioners, such as the Digital Rights Ireland case, involved the large-scale storage of metadata which bore no relation to any State purpose, unlike the metadata collected via Aadhaar. The metadata being collected in the cases cited, he argued, was a lot more intrusive. The U.S. v. Jones case, additionally, dealt with GPS systems, which are not used in Aadhaar.
He argued that Aadhaar, instead, only involved the collection of limited technical data. He argued that the need for the collection of metadata arose due to the need to exercise control over the REs. Further, no data was collected on the location or purpose of a transaction, but merely on the system. The Bench observed that the metadata collection was of the machine, but not of the person.
Adequate safeguards and data collection
Considering that surveillance and similar concerns with privacy invasions were cited by the petitioners with respect to the metadata collection in Aadhaar, he then cited the Supreme Court’s judgment in G. Sundarrajan v. Union of India. This case dealt with the setting up of a nuclear power plant in Kudankulam. He argued that here, the Court held that apprehensions of a Fukushima-like incident should not prevent the setting up of the power plant. The Court found that the power plant would help guarantee the right to life and that there were adequate safety measures in place.
Based on this, he argued that this case establishes that safeguards can be read into Article 21. Further, with respect to the CIDR, this case establishes that the standard to be applied to the safety measures must be of ‘adequate’ safety measures, and not of zero risk. Further, constant vigilance will be required to ensure safety. In the case of Aadhaar, he argued, the UIDAI was constantly improving and upgrading its safety measures.
He further argued that a similar position had been adopted by the US Supreme Court in NASA v. Nelson. The US, he argued, had discarded the standard of the least restrictive invasion. He further argued that as per this case, the possibility of a data breach was not a ground to strike down the collection of data.
Aadhaar completely bars the sharing of data
To emphasise the protection of data in the case of Aadhaar, he argued, there is a bar on the sharing of data, and the data with the REs is completely dispersed. He argued that in Aadhaar, further, there was consent for the data collection, and also a bar on using the data for anything other than authentication. He argued that if there are data breaches, they should be pointed to the UIDAI.
Next, he pointed out that the data protection law will be in place by May. The Court, here, pointed out that an area that requires consideration is remedies for data breaches. The counsel pointed to the Information Technology Act and Section 43A of the Act as remedies, and to the actions taken against Airtel, etc. The EU’s General Data Protection Regulation, he argued, dealt with balancing the free flow of data with data protection, while Aadhaar dealt not with free flow, but with no flow of data.
The arguments will continue on 25 April.
The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.