A student-run group at NALSAR University of Law
This post, authored by Mr. Srikanth Lakshmanan, is part of TLF’s blog series on Account Aggregators. Other posts can be found here.
Mr. Srikanth Lakshmanan is the founder of CashlessConsumer, a consumer collective working on digital payments to increase awareness, understand technology, represent consumers in digital payments ecosystem to voice perspectives, concerns with a goal of moving towards a fair cashless society with equitable rights.
On 28th June 2019, the National Crime Records Bureau (NCRB) released a Request for Proposal for an Automated Facial Recognition System (AFRS) which is to be used by the police officers in detecting potential criminals and suspects across the country.
The AFRS has potential use in areas like modernising the police force, information gathering, and identification of criminals, suspects, missing persons and personal verification.
In 2018, the Ministry of Civil Aviation launched a facial recognition system to be used for airport entry called “DigiYatra”. The AFRS system is built on similar lines but has a much wider coverage and different purpose. States in India have taken steps to introduce Facial Recognition Systems to detect potential criminals, with Telangana launching its system in August 2018.
The Automated Facial Recognition System (AFRS) will be a mobile and web application which will be hosted and managed by the National Crime Records Bureau (NCRB) data centre but will be used by all police stations across the country.
The AFRS works by comparing the image of an unidentified person captured through CCTV footage to the image which has been kept at the data centre of the NCRB. This will allow the data centre to match the images and detect potential criminals and suspects.
The system has the potential to match facial images with changes in facial expressions, angle, lightening, direction, beard, hairstyle, glasses, scars, tattoos and marks.
The NCRB has proposed to integrate AFRS with multiple existing databases: these include the Crime and Criminal Tracking Network & Systems (CCTNS) which was introduced post Mumbai attacks in 2009 as a nationwide integrated database to criminal incidents by connecting FIR registrations, investigations and chargesheets of police stations and higher offices, the Integrated Criminal Justice System (ICJS) which is a computer network which enables judicial practitioners and agencies to electronically access and share information and Khoya Paya Portal which is a portal used to detect missing children.
In September 2017, the Supreme Court in the historic judgment of K.S. Puttaswamy vs. Union of India declared the right to privacy as a fundamental right under Article 21 of the Indian Constitution. The Supreme Court asserted that the government must cautiously balance individual privacy and the legitimate concerns of the state, even if national security is at stake. The Court also asserted that any invasion of privacy must satisfy the triple test i.e. need (legitimate state concern), proportionality (least invasive manner) and legality (backed by law) to ensure that a fair and reasonable procedure is undertaken without any selective targeting and profiling.
Privacy infringement without legal sanction and through executive action would be violative of the fundamental right to privacy and would disregard the Supreme Court directive. Cyber experts are of the view that such a system could be used as a tool of government abuse and risk the privacy of the citizens and since the country lacks a data protection law, the citizens would become vulnerable to privacy abuse.
Moreover, investigating agencies in the United States like the FBI operate probably the largest facial recognition system in the world. Cyber experts and international institutions have criticised the Chinese government for using surveillance system and facial recognition to keep an eye on the Uighur community in China. However, there have been claims that this system has an accuracy of hardly 2%, which makes it unreliable and cities like London are facing calls to discontinue this system to safeguard the privacy of its citizens.
Finally, such a tracking system impinges upon human dignity by treating every person as a potential criminal or suspect. There are no clear guidelines as to where such cameras are to be placed. The cameras will put every individual under surveillance and even the innocent ones would be tracked. Such surveillance would create fear amongst the citizens which has long term implications.
A rise in the crime rate poses a daunting challenge in front of the investigating agencies and robust measures must be undertaken to counter it. However, such measures should be ably backed by law and should not impinge upon the dignity and the right to privacy of the citizens.
The Data Protection Law drafted by the Justice Srikrishna Committee should be enacted by the Parliament to give legal sanction to such surveillance. Furthermore, the AFRS should be used cautiously to prevent any violation of the fundamental right to privacy.
AFRS system has the potential to bring a paradigm shift in the criminal justice system if its use is well-intentioned and within the democratic framework which ensures right to privacy and limited state surveillance.
INTRODUCTION TO SERIES
The Personal Data Protection Bill has garnered a fair degree of attention in the last few weeks. For the uninitiated, a brief description of the Bill and its significance can be found here.
The purpose of this series is to analyze the bare text of the Data Principal Rights espoused in the Bill (Chapter VI), namely the Right to Confirmation and Access, Right to Correction, Right to Data Portability and the Right to be Forgotten, in light of the text used in the European legislations to espouse the same values. Each post will deal with each of the above rights.
Part I of the series can be accessed here.
INTRODUCTION TO POST
Over the course of the ensuing section, I shall contrast the text of the Confirmation and Access provisions of the (PDPB) Personal Data Protection Bill (India) (S. 24) with the corresponding provisions of the (GDPR) General Data Protection Regulation (European Union) (Art. 15).
For the purposes of convenience, I have reproduced the relevant provisions below. (Emphasis supplied)
Personal Data Protection Bill (India)
“24. Right to confirmation and access. —
(1) The data principal shall have the right to obtain from the data fiduciary—
(a) confirmation whether the data fiduciary is processing or has processed personal data of the data principal;
(b) a brief summary of the personal data of the data principal being processed or that has been processed by the data fiduciary;
(c) a brief summary of processing activities undertaken by the data fiduciary with respect to the personal data of the data principal, including any information provided in the notice under section 8 in relation to such processing activities.
(2) The data fiduciary shall provide the information as required under this section to the data principal in a clear and concise manner that is easily comprehensible to a reasonable person.…
General Data Protection Regulation (European Union)
“Article 15
Right of access by the data subject
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
ANALYSIS
The right provides “data subjects”/ “data principals” (varying terms used by the GDPR and PDPB respectively for referring to natural persons to whom the data relates to) with the authority to demand from “controllers”/ “data fiduciaries” (varying terms used by the GDPR and PDPB respectively for referring to entities which determine the purpose and means of processing of data), dealing with the data subject’s personal data, certain information pertaining to the personal data. The right ensures that there exists lesser information asymmetry between those to whom the personal data pertains and those who are processing or controlling said data. Refer here for a summary.
At first glance, the Indian draft-legislation’s provision “Right to Confirmation and Access” (S. 24) might seem to be rather abstract and vague in comparison to its European counterpart, but closer inspection reveals that both are quite similar. While the GDPR provides guidelines within a mostly self-contained provision, the PDPB’s S. 24 cross-references S. 8, which contains the list of necessary information disclosure obligations placed on the “data fiduciary”.
Though there exists considerable degree of similarity, in text, between both the jurisdictions, certain distinctions in orientations are quite evident from the language of the provisions.
The Indian Bill, admirably, places explicit emphasis on the accessibility of disclosures. S. 24 (2) mandates that the disclosures be “easily comprehensible”. Wherever there exists a power imbalance, those with access to expertise and other resources are better placed to abuse the system through indulging in complex legalities. Such statutory protections reduce the likelihood of resource-rich (access to expertise & infrastructure) “fiduciaries” utilizing complexity to overwhelm citizens incapable of processing technical information.
Furthermore, the Indian draft-legislation requires a “brief summary” (necessarily disclosing the statutorily prescribed information), as opposed to its European counterpart, which doesn’t place any such requirement. The legislative intent behind the same seems to be consistent with the logic of accessibility (prevent provision of information that cannot be processed meaningfully) mentioned above.
Listing the specific data that needs to be disclosed could enable “fiduciaries” to utilize the provision as an avenue to avoid disclosure of other unlisted, but relevant information. I submit that an additional sub-section requiring disclosure of all relevant information over and above the statutorily mandated disclosures (a general overarching clause, in addition to the prescribed disclosure requirements) would have tilted the balance favourably towards data privacy.
Additionally, the Indian Bill doesn’t seem to be placing as much significance on profiling (processing of personal data for analyzing or predicting data subject’s behavior, characteristics, location, etc.; the GDPR’s Art. 4(4) and PDPB’s S 2 (33) define the term in varying detail but essentially, the definitions are of similar import) as its European counterpart. Though the PDPB refers to profiling and allied restrictions across the Bill, it lacks mention in Chapter VI (Data Principal Rights). Even upon analyzing the entirety of the documents, the EU legislation tends to be placing greater restrictions on profiling than PDPB. The Indian Bill, has instead, preferred allowing profiling subject to an assessment (S. 33: “Data Protection Impact Assessment”) carried out by the Data Protection Authority of India (established under Chapter X of the Bill).
Lastly, the European legislation (Art. 20(4)) clarifies that the request for information as a matter of right cannot be in abrogation of other’s “rights and freedoms”. Though S. 27(2) of the PDPB refers to balancing of rights in the context of “Right to Be Forgotten”, S. 24 doesn’t refer to any form of weighing of rights. Given that there could be numerous varied instances of legitimate conflicting rights, allowing the judiciary to decide on a case by case basis seems to point towards prudence.
Image taken from here.
Unlocking Novel Frontiers of Digital Control: The Potential Emergence of Social Credit Systems in India
Development of technology has begun to tread the fine line between liberation and oppression of society. In other words, the ever-evolving digital sphere has led us to face the paradox of having means to achieve new levels of inclusivity (liberation) while running an exponentially large risk of highly intrusive surveillance (oppression).
This dilemma was addressed in Charlie Brooker’s dystopian series Black Mirror. In an episode “Nosedive”[1], Brooker depicted a society in which every member possessed a personal score ranging anywhere between 0 to 5. These personal scores were determined based on rankings from people who viewed the member’s profile and rated their posts. Further, a change in this score could result in significant socioeconomic consequences.
Given the importance of the score to the quality of life of an individual in society, every human interaction was transformed into an exercise of disingenuous camaraderie, for fear that a stray remark would result in a poor rating, creating a world where everybody strived to be trustworthy and respectful towards one another, creating a perfect Eden.
This perfect Eden could be a reality for China by 2020. The Communist Party, with the aim of building a socialist utopia under its able guidance, has been developing a social credit system in which it intends to inculcate a culture of “trustworthiness” and “sincerity” into its society.
This system of social credit would involve the government monitoring every digitally traceable action of an individual, making it a powerful force that collects copious amounts of sensitive information on nearly every interaction made by an individual. The system would consequently assign each individual a numerical score that acts as a direct indicator of one’s “trustworthiness”.
One of the most prominent state-approved pilot projects currently in place is run by Zhima Credit (Sesame Credit), the subsidiary financial wing of the world’s biggest online shopping platform, Alibaba. Users of the Alibaba mobile app may voluntarily request to be provided with a social credit score based on not only their credit history, but their behaviour as well.
The need for such a social credit system arises out of the lack of a traditional functioning credit system that is generally built based on mortgage and credit card bill payment patterns of individuals. In China however, consumers primarily use cash and the country’s central banking regulator (The People’s Bank of China) doesn’t maintain adequate financial records of their consumers either. Since adhering to the traditional mode of credit scoring is not a viable option for the citizens of China, they decided to opt for other means of determining their credit risk. The Zhima system thus has a large number of citizens volunteering to avail the social credit facility provided by Alibaba. A poor Zhima score cannot get a citizen blacklisted, given that the government concluded that it would not be permissible to allow a private corporation to have control over such sensitive areas.
China, in addition to the eight firms authorized to conduct such alternative credit score programmes, has a local government approved social credit score regime in place as well. Although the government contends that the regime has been designed to be “objective” in nature, it ultimately draws a parallel to the understanding of what constitutes “good” and “bad” behaviour according to the government. Further, the scores in this regime operate on a 1000-point scale and can have an impact on the socioeconomic benefits available to a person, their implications ranging from an individual’s opportunity to apply for a government job, to sending their children to an elite private school.[2] The scores are therefore an omnipotent, omnipresent and omniscient force to be reckoned with.
As stated in a high-level policy document released in September, the overriding principle that this social credit regime aims to follow at its core is: “If trust is broken in one place, restrictions are imposed everywhere.”[3]
Some elements of the social credit system appear to be making its way to India with the Income Tax department reportedly chalking out a new policy where “honest” and consistent taxpayers will be rewarded. As per the proposal by the Central Board of Direct Taxes, honest taxpayers are to receive priority treatment in accessing public services at places such as airports or railway stations. According to the Press Trust of India, “honest” taxpayers could be issued special identification numbers or be flagged as a special part of the maiden taxpayer facilitation proposal in their permanent account number (PAN).
Evidently, apart from creating a metric to determine one’s credit score, the primary vision of the implementation of a social credit system is to strive to achieve a utopian future for society. The question is, at what cost are we willing to adopt to this process of Eden-ification? Just as the Aadhar has previously been labelled as a mass surveillance tool, a social credit system would involve the collection and storage of highly sensitive personal information which could indeed become a target for hackers as previously demonstrated by various flaws and reported hacks within the Aadhar database itself.
Apart from the surveillance and privacy concerns, there is also the possibility that this system would imbibe a sense of disingenuity in its users. The best course of action inevitably involves understanding the “objective” system and using it to your advantage. This results in a number game of sorts where everyone is after a higher score instead of genuinely striving to become a better person out of one’s own volition.
Finally, the standards set in a social credit system cannot be “objective” given that the quality being standardised is trustworthiness. There is no objective panel from society or democratic process being utilised to set the standards of “trustworthiness” or “socially acceptable behaviour” in society. This is obviously a wrongful imposition of power. Further, those involved in the actual creation of these “objective” standards have an unfair advantage in earning a higher score due to their proximity to the programme itself.
In conclusion, it is not wrong to strive to build a perfect Eden for ourselves. The issue lies with the highly problematic and abuse-prone means by which we intend to reach our goal of doing so.
References –
[1] Joe Wright, (Director). (2016, October 21). Nosedive [Television series episode], In Laurie Borg (Producer), Black Mirror. Netflix.
[2] Alice Vincent, Black Mirror is coming true in China, where your “rating” affects your home, transport and social circle, The Telegraph, Dec. 15, 2017, https://www.telegraph.co.uk/on-demand/2017/12/15/black-mirror-coming-true-china-rating-affects-home-transport/ (last visited Nov 21, 2018)
[3] China’s plan to organize its society relies on ‘big data’ to rate everyone – The Washington Post, https://www.washingtonpost.com/world/asia_pacific/chinas-plan-to-organize-its-whole-society-around-big-data-a-rating-for-everyone/2016/10/20/1cd0dd9c-9516-11e6-ae9d-0030ac1899cd_story.html?utm_term=.76106c42e93e (last visited Nov 21, 2018)
The first post in the series can be found here. Keep watching this space for more posts in the series!]
With the Supreme Court upholding the constitutional validity of the Aadhaar Act and scheme on the 27th of September, 2018, a significant impact will be felt by the Data Protection Bill. If one looks at the larger aim of a Bill like the Data Protection Bill, it is to recognize that an individual’s data and their rights over it are of utmost importance. With the Apex Court upholding the validity of Aadhaar albeit certain caveats, a thorn is created in the larger realization of the Bill’s goal. Principally, the limitation of the role of Aadhaar by the judgment would secure rights in terms of who uses available data and the interference of private parties. However, the fact that biometric data collection is still a valid process creates doubts regarding the conflicting nature of the aims of data protection and Aadhaar.
The sheer amount of private and confidential data amassed in one singular database has given rise to concerns over data security and its privacy. Many critics have pointed out that the use of biometric data instead of smart cards is a mechanism of choosing surveillance over the use of e-governance technologies.
1. Consent, AADHAR and Data Protection
The idea of consent does not present itself when a data subject is mandatorily required to register themselves with the Aadhaar programme. The Supreme Court held that Aadhaar is essential for filing Income Tax Returns (ITR) and to obtain a new PAN Card. Accountants in Nottingham exclaimed that the recent judgment makes linking of Aadhaar to PAN also mandatory which again takes away the idea of choice in giving out information that concerns personal data. Thus while in theory the programme remains voluntary, in practice it simply is not, as most services are linked to the PAN Card, including crucially opening a bank account.
Especially with reference to the provision of subsidies and benefits, Aadhaar has become ‘the’ identification metric. Failure of Aadhaar authentication has resulted in the loss of the subsidy or the benefit. The government has refused to use in other forms of identification as an alternative for the same. Therefore, the idea of consent embodied under Section 12 of the Draft Bill is violated. Even if on a central level Aadhaar is made non-mandatory for the provision of certain services, there are many State-level provisions that are necessarily linked to solely the Aadhaar – most painfully sometimes in denying education to students.
2. The AADHAR infrastructure and purpose of limitation
Section 5 of the Data Protection Bill is the ‘purpose limitation’ clause. Section 5(1) states that ‘personal data shall be processed only for purposes that are clear, specific and unlawful’. A very obvious counter to this is presented in the form of Aadhaar. The nexus that the Government draws upon to justify Aadhaar is the linking of it to subsidy and welfare benefit schemes. While Aadhaar has become mandatory for the same, there is no limitation as to what extent the purpose can be determined until which it is legitimate for making Aadhaar mandatory. The creation of an Aadhaar number associated with an individual is itself the individual giving up on certain rights that concern their biometric data and physical markings. Even if the Aadhaar is made for the singular purpose of accruing social welfare benefits, the fact that every new scheme may seek the same makes the idea of purpose determination difficult if not impossible. The scope available to the Government for drawing out information under the guise of the Aadhaar is notably expanded.
The Aadhaar Act will have to be amended in order to ensure the autonomy of the UIDAI.
The Aadhaar project engages in a balancing exercise between the individual’s right to privacy and the state’s right to intrude upon that privacy but ultimately comes out heavily in favor of the latter. While the idea of a data protection Act appears to be based upon ensuring a fair and meaningful exercise of the right to privacy, this cannot be achieved unless the unjustifiable privacy incursions of Aadhaar are adequately dealt with. The Bill includes several exceptions to the requirement of consent for the processing of data, some of which pertain, inter alia, to the provision of welfare benefits and not merely state security exemptions (Section 42) or prosecution of offenses. This would bolster the functioning of Aadhaar to such an extent as to abrogate a (vulnerable) data subject’s expectation of privacy.
Sections 13 and 19 of the draft Bill are particularly relevant in this regard. While Section 13 allows for the processing of personal data even without consent for the exercise of “any function, for the delivery of services or benefits or issuance of certificates”, Section 19(b) in a similar vein allows for the processing of sensitive personal data (which includes biometric data) if it is “strictly necessary for… any function of the State authorized by law for the provision. The use of such broad and sweeping terms is reminiscent of the broad and sweeping ideals of any service or benefit to the data principal”. Similarly, Section 17 allows the Data Protection Authority (DPA) to process data for “reasonable purposes”, which as per the accompanying illustrative list includes such uses as credit scoring and debt recovery which could be easily taken from the Aadhaar database which, even after the judgment, intrude into multiple areas of everyday life. Hence, it is always advisable to know what must you must know before filing for bankruptcy as it can help you to overcome from being an insolvent. These are some of the things out of what should I know about bankruptcy. This merely strengthens a DPA that is already tasked with far too excessive levels of powers. By providing this increased scope for data interference and exceptions from being governed from the personal right to privacy, there is an increased scope of arbitrary action. Even in the presence of remedies to the same, there will still inevitably be a number of data privacy casualties as a product of this nearly unlimited power.
The key question to be answered in this regard is whether Aadhaar is, in practice, necessary to carry out the function of the State, and this remains extremely contentious (particularly in light of the purpose limitations laid out in Section 5 of the draft Bill). In light of the fact that notifications of breach of data are to be made only in the likelihood of ‘harm’ being caused to the data principal as under Section 32, this is even more troubling.
The draft Bill also states that personal and sensitive personal data can be processed if in accordance with an explicitly mandated Indian law, and this clearly justifies the Aadhaar in its entirety now that the court has validated its existence. Alarmingly, Section 45 does not discuss the requirement of consent when it comes to the large-scale use of data for research or archival purposes (seen to be a ‘national treasure’), which clearly gives further credence to the idea of a project premised upon mandatory collection of personal data.
These exceptions provide greater scope for surveillance, an issue the Bill remained silent on with regards to the Aadhaar.
The draft Bill appears to have strengthened the status of the UIDAI particularly in relation to matters of dispute settlement, by placing the burden upon the data fiduciary i.e. the UIDAI to approach the courts. While the Committee report recognizes the need to ensure the autonomy of the UIDAI, adjudicatory power has been proposed to be granted to the UIDAI (in addition to the power of other Adjudicatory Officers) and at the same time, the exclusivity of allowing the UIDAI to file complaints has been maintained. This only strengthens the legitimacy of privacy incursions by the UIDAI by allowing it to effectively have discretion over claims of data breaches.
The next post can be found here.
First Define ‘Privacy’
The problem with the nine-judge ruling is that after proclaiming privacy as a fundamental right, it has not defined what is privacy. It is now left to all adjudicators to give multiple interpretations in order to understand the term, writes Shailesh Gandhi.
The judgment of the nine-judge bench of the Supreme Court on privacy has been hailed with much enthusiasm. The right to privacy question was referred to this bench after a clutch of petitions challenging the Aadhaar Act came up before a five-judge bench. This article is an attempt to look at the consequences of the privacy ruling.
All laws and institutions in India are expected to be guided by the Constitution. To ensure that the Constitution can take changing circumstances into account Parliament has been given the authority to amend it in Article 368. The constituent assembly in its initial drafts had considered making the right to privacy a fundamental right. However, after extensive discussion, a conscious decision was taken not to do so.
An eight-judge bench of the Supreme Court had clearly come to the conclusion that the right to privacy is not a fundamental right (M P Sharma vs Satish Chandra) DM Delhi)2 in 1954. At that time, most of the members of the constituent assembly were also around, and there does not appear to have been any significant dissent with this decision. Thus it appears that the clear and conscious decision of the Constitution makers and all the Supreme Court judges (since that bench comprised all of them) was that privacy was not a fundamental right. The Supreme Court has the authority to interpret the Constitution and the law, but the authority to amend both clearly lies only with Parliament. It is worth contemplating whether a bench with about 33% strength should consider superseding an earlier judgment given by one of 100% strength. Besides, the 1954 judgment appears to be in consonance with the deliberations of the constituent assembly.
In the current judgment the apex court has recorded on page 204 at para 144:
On 17 March 1947, K M Munshi submitted Draft articles on the fundamental rights and duties of citizens to the Sub-committee on fundamental rights. Among the rights of freedom proposed in clause 5 were the following
…(f) the right to the inviolability of his home
(g) the right to the secrecy of his correspondence,
(h) the right to maintain his person secure by the law of the Union from exploitation in any manner contrary to law or public authority…”.
At para 148 on page 207 the apex court comes to the conclusion that
This discussion would indicate that there was a debate during the course of the drafting of the Constitution on the proposal to guarantee to every citizen the right to secrecy of correspondence in clause 9(d) and the protection to be secure against unreasonable searches and seizures in their persons houses, papers and assets. The objection to clause 9(d) was set out in the note of dissent of Sir Alladi Krishnaswamy Iyer and it was his view that the guarantee of secrecy of correspondence may lead to every private correspondence becoming a state paper……. The clause protecting the secrecy of correspondence was thus dropped on the ground that it would a serious impediment in prosecutions while the protection against unreasonable searches and seizures constitute was deleted on the ground that there were provisions in the Code of Criminal Procedure, 1898 covering the area. The debates of the Constituent Assembly indicate that the proposed inclusion (which was eventually dropped) was in two specific areas namely correspondence and searches and seizures. From this, it cannot be concluded that the Constituent Assembly had expressly resolved to reject the notion of the right to privacy as an integral element of the liberty and freedoms guaranteed by the fundamental rights.
I am not able to see this conclusion flowing from Munshi’s draft which has been recorded at para144. The draft which has been quoted appears to prove that the constituent assembly took a conscious decision not to accord privacy the status of a fundamental right, and this was confirmed by the Supreme Court bench in 1954.
It is true that the Constitution has to evolve with changes in the world, international covenants and changing realities and expectations of the people. But it has clearly defined the roles of the three estates, and the legislative function has been given to Parliament, which draws its legitimacy directly from the citizens who elect its members. Just as a percentage of members is specified for a constitutional amendment in Parliament, should not a percentage of judges of the Supreme Court be required to overturn an earlier ruling of this nature? There may be serious implications in future of such a transfer of powers.
What is Privacy?
It is evident that privacy is built into the common law in various ways. The real problem with the nine judge judgment is that after proclaiming privacy as a fundamental right, it has not defined what is privacy. It is now left to all adjudicators to give multiple interpretations to understand the term. Earlier in R Rajagopal vs State of TN3 the Supreme Court had given a broad definition of privacy and its domain where it stated that:
The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a “right to be let alone”.
A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, child-bearing and education among other matters. The Court could have defined this in a more precise way and then allowed some matters to be adjudicated. It must be appreciated that the right to privacy has a certain tension with Article 19 (1) (a) of the Constitution which guarantees that “All citizens shall have the right to freedom of speech and expression.”
From this is drawn the freedom to publish and the right to information (RTI). What can be published in matters relating to citizens in the media is the same as information from public records which can be given in the right to information. The reasonable restrictions on the exercise of this are given in Article 19 (2) and can only be “in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence.” Which of these will apply to privacy? In most cases restrictions in the interest of “decency and morality” would have to be invoked for restricting publication or information in RTI in matters relating to privacy. The RTI Act also bars such information from being given under Section 8 (1) ( j) which exempts information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: Provided that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.”
Parliament had laid down a simple acid test to determine which personal information should be denied under the RTI. If such information would assault “decency or morality” it would violate privacy and should not be given to Parliament also. Thus the R Rajagopal judgement and the RTI Act both are in consonance with Article 19 (2) of the Constitution. It would have been good if the Supreme Court had reiterated this or expanded it. Presently some of the information that is often denied under the RTI under Section 8 (1) (j) is as follows:
iii) Educational, caste, income certificates of people: There are instances where RTI has uncovered fake education certificates even of doctors working in government hospitals.
vii) Income Tax returns: It is a fact that the affidavits of politicians who stand for elections are never verified with their IT returns. These are not given in RTI also.
Misinterpretation of RTI
In some instances when such information has been disclosed it has led to the exposure of corruption. One of the objectives of the RTI (stated in its preamble) is to curb corruption. Because of the varied positions taken by the public information officers (PIO), information commissioners and Courts, the law is grossly misinterpreted. In fact, many state governments have issued directives to all the PIOs not to disclose information about public servants. With this decision of declaring privacy as a fundamental right without making any attempt to judicially define it, many wrong deeds will thus get protection. We must also understand that the same constraints will apply to the freedom to publish. If giving information about some matters is intrusion into privacy, then publication of it also cannot be permitted.
There are many more cases in which personal information is disclosed by some PIOs and denied by others on the basis of it being an invasion of privacy. All personal information does not constitute privacy. One of the most favourite exemptions to deny information is Section 8 (1) (j). In most cases the legal requirement of deciding whether it would be denied to Parliament is not applied. The right to privacy ends where the RTI and the right to publish starts. It is unfortunate that the nine member bench of the Supreme Court decided to proclaim privacy as a fundamental right, but did not take the responsibility of defining its domain. The PIOs, information commissioners and judges are now left to do this job on a “case to case” basis. There should be an attempt to make law as definitive as possible. It is evident that matters relating to a person’s body, home, sexual preferences, religious or political beliefs, should generally be considered as issues relating to privacy. These could be justified by Article 19 (2) which permits reasonable restrictions on the basis of “decency or morality.” However, with respect to a person’s body there have been some divergent opinions. The most easily identifiable part of a person’s body is the face. Can we now argue that taking a person’s photo and disclosing it or publishing it is an invasion of privacy?
Aadhar and Privacy
One of the primary causes for this entire controversy regarding privacy has been the Aadhar card and the requirement for linking it with all other interactions with government. Most of those who read this article are likely to be in favour of the domain and importance of privacy being extended. The personal details taken for Aadhar, which may not be given in many other government records,- are the biometric identification in terms of fingerprints and iris scans. Everyone going out of the country (and a large percentage of readers of this article) give their biometric identity at the emigration counter. Universal requirement of the Aadhar card is likely to reduce benami transactions and ghost names of beneficiaries.
The argument was made before the Supreme Court that privacy is an elitist concern. The Supreme Court disagreed. Citizens have said that all their transactions may be connected with Aadhar. The fact that corruption is one of our major concerns cannot be denied. I guess we must also admit that our governments are unable to really curb this. We have a number of people having multiple PAN cards, floating shell companies, and taking illegal benefit of various welfare schemes and so on. A large number of private companies are registered at the residences of public servants. These actually snatch morsels from the mouths of the disadvantaged. There may be some inconvenience for some people and perhaps some embarrassment. Calling the house a castle and saying privacy is an essential part for a dignified life sounds really good. If this were possible without reducing the scope of the RTI and the freedom to publish it would be fine. There is a possibility that the right to privacy will be at the cost of the right to information. Sometime in the future the freedom to publish may also be curbed.
There are perhaps two competing issues in thinking of the desirability of Aadhar: Concern for privacy and the need to curb corruption and leakages in welfare schemes. Going by the talisman of Gandhiji one should consider which step is likely to benefit the poor. It appears evident to me that having an Aadhar card linked to most government transactions will benefit the poorest in at least getting basic amenities.
Conclusions
It appears that Supreme Court, has, in claiming to interpret the Constitution, read it to claim that a concept discarded by the constituent assembly was meant to be included. In this decision the Supreme Court should have defined privacy and its contours. When deciding on the definition of privacy Article 19 (2) must be kept in mind and the RTI and the freedom to publish must not be curbed beyond what the Constitution permits.
The greater good is likely to be served by having an Aadhar card.
If any proof was required that the RTI Act is seriously threatening the arbitrary and corrupt actions of those who are powerful, the proposed Data Protection Bill provides it. The Supreme Court of India in various decisions before the advent of the RTI Act acknowledged that the Right to Information and Right to publish are fundamental rights of citizens under Article 19 (1) (a) of the constitution which guarantees freedom of speech and expression. Any constriction of this right can be based only on what the constitution permits. Article 19 (2) permits reasonable restrictions on the exercise of this right only “in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence.”
Section 8(1) of the RTI Act lists the types of information which may be denied to a citizen. Section 8 (1) (j) covers denial of personal information thus: “information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:
Provided that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.”
The law intends to deny information which is not related to any public activity or which would be an unwarranted invasion of an individual’s privacy. Since it does not define privacy, it must be read with Article 19 (2). The two words which could cover privacy are ‘decency or morality’. To make it easier to implement this clause it made a special proviso that when denying information the person denying it should make his subjective assessment whether he would deny it to parliament. Information which would invade privacy of an individual,-violating ‘decency or morality’-should not be given to parliament also. Details of ghost beneficiaries of government schemes, Adarsh Scam, False certificates and affidavits, foreign visits, lack of action against tainted officers and many other illegalities have been unearthed by a citizens using the Right to Information Act. Some of the actions, which RTI act can bring to light are:
Since this law is highly unpopular with most people in power, governments had initiated four attempts so far to amend the RTI Act to weaken its impact. These had to be withdrawn because of strong opposition from citizens to defend their RTI. Citizens have realized that this law gives them an opportunity to monitor accountability, keep corruption in check and convert India into a true , participatory democracy. Most statutory bodies commissioned to do this are not able to deliver in any significant manner. The citizens working individually have been fairly effective in this endeavor with the help of the RTI Act. It is also a fact that no great harm has been reported due to disclosure of information.
Now comes a fresh and dangerous attack in the proposed “Personal Data Protection Bill” which suggests amending RTI. This is being done by asking for an amendment to the citizen’s Right to Information! In the garb of protecting personal data and privacy, it asks for an amendment to Section 8 (1) (j). It is worth mentioning that a Group of Experts on Privacy under Justice AP Shah which was asked for inputs for a Privacy Bill had recognized the importance of ceding to the RTI Act and said: “The Privacy Act should clarify that publication of personal data for artistic and journalistic purposes in public interest, use of personal information for household purposes, and disclosure of information as required by the Right to Information Act should not constitute an infringement of Privacy.” Unfortunately, this wisdom has not been displayed by the proposed “Data Protection” bill.
The bill suggests changing the exemption for Section 8 (1) (j) to:
“ information which relates to personal data which is likely to cause harm to a data principal, where such harm outweighs the public interest in accessing such information having due regard to the common good of promoting transparency and accountability in the functioning of the public authority;”
Thus any information with the name of a person can be denied! It is unlikely that various officers will be able to determine whether any claimed harm to a person is greater or there is a larger public interest. The bill is confused about Article 19 (1) (a). It seeks to exempt ‘journalistic purposes’ from most of the restraints on data sharing but curbs citizen’s RTI. This is not in consonance with the constitution and many earlier judgments of the Supreme Court given before the advent of the RTI Act. The right to publish arises from the citizen’s right to information.
Citizens need to defend the RTI Act from such continuous attacks on their fundamental right by those with power. How often will we battle for this? The Expert Committee under Justice A.P.Shah had shown due to respect to the citizen’s right. Citizens must now reach out to political parties and elected representatives and demand that they give a commitment not to make any amendments to the RTI Act. If they want our vote, let them promise our fundamental right.
Ed. Note.: This post, by Benjamin Vanlalvena, is a part of the NALSAR Tech Law Forum Editorial Test 2016.
A background of the issue
Ed. Note.: This 101, by Vishal Rakhecha, is a part of the NALSAR Tech Law Forum Editorial Test 2016.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 or simply the Aadhaar Act passed in the Lok Sabha to facilitate the transfer of benefits and services to the individuals. This is done by giving them Unique Identification Numbers. At first glance Aadhaar seems like a brilliant scheme to ensure that the tax payer’s money does not end in the wrong hands. But the provisions in the Act raise some serious concerns about the way it can be used by the state to encroach upon the right to privacy of individuals. Apart from this the centrally maintained system to save the data in the Central Identities Data Repository makes it vulnerable to cyber-attacks. The huge uproar against the government is also because of the way Aadhaar was passed, as a money bill, despite the fact that it does not qualify for the same.