This is in continuation of our earlier article on this topic.
The judgement of the three judges made a significant observation which may leave a significant impact on the PDPA 2018.
While answering the question “Whether the Aadhaar Act violates right to privacy and is unconstitutional on this ground?”, the judges observed as follows:
“…it is held that all matters pertaining to an individual do not qualify as being an inherent part of right to privacy. Only those matters over which there would be a reasonable expectation of privacy are protected by Article 21”
Article 21 is the Article under which Privacy has been held as a fundamental right. When the earlier Puttaswamy judgement was pronounced there was some ambiguity about what rights are protected under “Privacy”. Though some of the judges in the bench correctly identified that Privacy is a “Mental State” that cannot be properly defined and that we can only protect “Information Privacy”, there was at least one Judge who went off at a tangent to say that anything can come under “Privacy”: what you eat, where you go, etc. are all part of Privacy.
The current judgement however is more sober and it recognizes that anything and everything connected to a person cannot be considered as a matter of privacy.
In other words, when we identify what is “Personal Information” which is subject to “Privacy Protection” we need to identify only “those matters over which there would be a reasonable expectation of privacy” as part of the personal information.
For an individual, will his father’s name be considered as private? Will his grandfather’s name or mother’s name be considered as private? Will the mobile number or e-mail address or IP address or meta data associated with a message be considered as “expected to be held private”? These are issues that need to be considered.
In other words, the definition of “Personal Information” cannot be omnibus and include “any information that can directly or indirectly be used to identify a person”, which was the prevailing opinion after the GDPR and even in the draft of PDPA 2018.
Now there is a need to tone down the rhetoric of “Any information about a person” being held as “Personal Information” and check if there was a “Reasonable Expectation by the individual that the information had to be held private”.
This is a significant opinion that also conflicts with that part of the judgement which prohibits collection of meta data such as time or location of a transaction, IP address etc. Can we say that the user of an Aadhaar authentication has a reasonable expectation that UIDAI should not know such information about the transaction? In most cases there is no such expectation.
On the contrary, the Aadhaar users would have a reasonable expectation that such records would be kept by Aadhaar and tomorrow if there is any crime or dispute, the user can call for help from Aadhaar for the information.
For example, if I make a payment of Rs 10000/- through PayTM to another person and later he disputes that he has received the payment, we expect PayTM to stand as witness and confirm that the payment was made from such and such account to such and such account at such and such time etc. A similar expectation about Aadhaar is also reasonable.
Hence the view that meta data should not be collected, and that if some transaction authentication data is recorded it is to be discarded within 6 months, becomes a contradiction to the view that “All matters pertaining to an individual do not qualify as being inherent part of the right to privacy”.
I welcome this clarification which can be cemented in the PDPA 2018 by the Government.
Section 3(29) of PDPA 2018 should therefore be redefined as follows:
“3 (29) “Personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information; subject to the data principal having a reasonable expectation that such data would be protected under Article 21 of the Indian Constitution.”
Naavi
Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.