The Supreme Court judgement on Privacy delivered today by a 9 Judge bench, has categorically made a statement that “Right to Privacy is a Fundamental Right” under Article 21 of the constitution as part of the “Right to Life and Liberty”.
The media is making a big noise as if some thing fundamental has changed in India. But actually what has come out as a Supreme Court decision today was already a presumption. The difference is that Supreme Court has now raised it from a “Presumption” to a “Clarification”.
Even after this judgement, “Privacy is a Fundamental Right” continues to be an interpretation of Article 21 and not an amendment of the Constitution itself.
The 547 page judgement needs to be analyzed in detail, but the first impression is that Supreme Court has reiterated what was already the recommended practice in India. If some of the organizations were not so far giving value to the Privacy principle, they will at least now have to take note of the provisions and cannot continue to act as if they were ignorant. This increased respect for Privacy must be considered as the benefit of this judgement.
So, from today there is no doubt that “Right to Privacy” is a fundamental right of an Indian Citizen and it is also agreed that it will be subject to “Reasonable Restrictions”.
There are two exceptions under which Privacy Rights do not apply and they are:
- Any service provider who wants to collect personal information may seek and obtain information from the subject person by a process of “Consent”.
- Personal information may also be collected without consent under the justification that it is covered by the “Reasonable Restrictions” under which exemptions are provided. One example is that it is required in the interest of security of the State .
The above exceptions continue to be available even after the judgement.
Aadhaar Information for Ticket Booking
Many experts were seen commenting that Government may now not be able to ask for Aadhaar for booking Air Ticket or for Income Tax purpose because it may not be considered as justifiable under “Reasonable Restrictions”.
I however disagree and I will try to explain why.
As a Co-passenger in a common carrier like an airplane, I am interested in knowing if all the other passengers with whom I board a plane are people who can be trusted as “Non Terrorists” or people who will not endanger my security.
I agree that it is not possible to check the antecedents of people on the fly when are booking tickets but recording their identity and later analyzing the travel pattern of different persons is part of creating deterrence and gathering intelligence for prevention of crimes.
I may not want me as another passenger to be provided with the information about the Co-passengers but I consider that my security as a passenger has to be considered as the responsibility of the nation and for that purpose collecting personal information with or without Aadhar may be considered necessary.
Hence I expect that the airline does know the identity of every passenger even if I donot. This is not only required for the Air travel, but even for a Train or Bus travel or even for the Uber Sharing.
This would be a “Process” that is introduced by the Government to discharge its duty of safeguarding the interests of the citizens.
I may also consider it my right to ask my Co-Passenger if he is coughing incessantly whether he has “Swine Flu”? and I at least expect that he commits to saying “No”, implying ” I am not a risk for you sitting next to me”. He cannot turn back and say “Privacy” is my fundamental right and I am not going to tell you whether I have swine flu or not.
That in my view is the limitation of the “Privacy Right with Reasonable Restrictions”
It is also possible that the service provider (the airline) may obtain “Consent” at the time of booking of the ticket itself stating the reasons of Co-Passenger security and National security and justify the use of Aadhaar or any other KYC process.
Debate on “Consent”
Under the “Consent” provisions, the debate could be on
a) Whether the consent has been obtained properly
b) Whether the Consent is being misused
c) Whether the information is properly secured while it is in the hands of the service provider
d) How long the information will be held before it is purged
e) Whether the data subject has the right to ask for deletion of the data and exercise what Europe calls as “Right to Forget”.
While this judgement may provide some grounds for lawyers to file cases against service providers and the Government, it is unlikely to change the legal situation much on the ground.
As regards what is the consequence of a “Privacy Breach”, there should be another law on defining the punishments associated with “Privacy Breach”. At present, ITA 2000/8 already provides both civil and criminal penalties for “Breach of a Consent Provision” related to Personal Information. There are also obligations on “Reasonable Security”, “Responsible Disclosure”. “Purposeful use” etc. under Sec 79 and 43A.
So, in respect of personal information which is the form of “electronic documents”, there is already a system in place to protect the Privacy of an individual. This will be further fortified shortly with a Data Protection Act and Health Care Data Privacy and Security Act.
Information in Non Electronic Form
What this judgement may do is to bring information which is not in “Electronic Form” also into the ambit of Privacy protection. This means that the “Oral Conversation” and “Handwritten information” could be the additional types of information that may come under Privacy regulations.
A Digitally recorded oral conversation and any written paper meant for digital processing is already considered as “Electronic Documents” and hence there is only a small part of the documents that are not in electronic form but contains personal information that may come now under the ambit of “Privacy”.
In practice this is not of much value.
Most of our transactions which are in “Non Electronic Form” are not properly regulated to be able to record a “Consent” from the information receiver. Also when a breach occurs there will be difficulty in providing evidence about the absence of consent.
Hence there will be need to define what is an “Ethical Manner” of collecting personal information in non electronic form and how the Privacy of an individual can be protected in that context.
Aadhar as a KYC instrument
As regards Aadhaar, it will be one of the means of verification of the identity of a person which any service provider like a Bank or the Income Tax department may demand.After this Supreme Court judgement, they may have to justify the need for Aadhaar and obtain a proper consent. If necessary they may have to provide for alternate KYC options for which they may also charge an extra fees.
If for example a phone operator says that KYC is required and if it is provided through Aadhaar, the SIM will cost Rs 50 . Otherwise SIM will cost Rs 250/-, then most customers would still opt for Aadhaar based KYC only.
The critical aspect of Privacy protection is not to blame Aadhaar but ensure that Aadhaar data in the hands of the users is used only subject to the Privacy principles.
This will make life of Aadhar user organizations more complicated but may not affect Aadhaar itself.
Aadhaar authorities may have to however ensure that the users of Aadhar are not allowed to store Aadhaar data under any circumstances.
To that extent Aadhaar needs to change its current practices of dumping the entire Aadhaar information to the intermediary and also change the APIs which “Programatically populate data at the user end just on production of Aadhaar number and OTP”.
In our previous article on Mobile Apps, we discussed in detail the need for regulating and monitoring “Permissions” granted to Apps.
Similarly, even in the case Aadhaar related Privacy issue, there is a need to monitor how the intermediaries handle Aadhaar data and how Aadhaar has structured the responsibilities of the intermediaries in its contract with them.
We need to focus on these solutions instead of simply challenging Aadhaar usage per-se for different services.
Naavi