The Supreme Court’s Right to Privacy Judgment – IV: Privacy, Informational Self-Determination, and the Idea of Consent

In our discussion of the Supreme Court’s judgment in Puttaswamy, so far, one common thread is emerging: the individual is at the heart of the Court’s understanding of the right to privacy. We saw this in the Court’s refusal to frame privacy in spatial or relational terms, in the plurality’s acknowledgment of the feminist critique of privacy, and in the judgment’s resurrection of Justice Subba Rao’s dissenting opinion in Kharak Singh in its discussion of privacy and the human body. In this essay, I shall focus on the second aspect of privacy outlined in Puttaswamy – privacy as informational self-determination – and examine how the judgment’s overarching concern with the individual translates into how the separate opinions frame and understand the right to informational self-determination.

In Puttaswamy, informational self-determination was discussed in the judgments of Nariman and Kaul JJ, and in the plurality opinion of Chandrachud J. Nariman J. held that “informational privacy… does not deal with a person’s body but deals with a person’s mind, and therefore recognizes that an individual may have control over the dissemination of material that is personal to him. Unauthorised use of such information may, therefore lead to infringement of this right.” (para 81) Kaul J. observed that “an aspect of privacy [is] the right to control dissemination of personal information. The boundaries that people establish from others in society are not only physical but also informational. There are different kinds of boundaries in respect to different relations. It is but essential that the individual knows as to what the data is being used for with the ability to correct and amend it.” (para 53) And in the plurality, Justice Chandrachud noted that “informational control empowers the individual to use privacy as a shield to retain personal control over information pertaining to the person.” (para 142) Later in his judgment, he discussed the issues raised by aggregation of data from separate silos, that, when combined, provided observers with a 360-degree view of an individual’s life (paras 173 and 174), and also observed that “apart from safeguarding privacy, data protection regimes seek to protect the autonomy of the individual. This is evident from the emphasis in the European data protection regime on the centrality of consent. Related to the issue of consent is the requirement of transparency which requires a disclosure by the data recipient of information pertaining to data transfer and use.” (para 177)

The issue of informational self-determination – and the allied issue of data protection – will undoubtedly have a crucial impact on the adjudication of the Aadhaar challenge, from which the Puttaswamy reference arose. Towards the end of his judgment, Justice Chandrachud acknowledged that the issue of data protection was presently before the government-appointed Shrikrishna Committee, which had been tasked with drafting an appropriate bill. In the days to come, there will undoubtedly be rigorous debate on the Committee’s work, and the issue of informational self-determination will be at the fore when the Aadhaar challenge is heard in November. Consequently, in this essay, my intention is not to go too deep into the mechanics of these issues. What constitutes “personal data”, what kind of information does an individual have the right to control and to what extent,and  does an individual have a stronger right to control some aspects of her personal data and a weaker right over others – all of this remains to be litigated in concrete factual situations. It was not for this nine-judge bench, sitting in referral, to address these questions in the abstract – as indeed it has not.

What I do want to focus on here, however, is the consensus between all the judgments on one basic principle: that what is central to informational self-determination is the principle of informed consent. Justice Nariman framed it as a question of “unauthorised” use of personal information. Justice Kaul insisted that a person “know” what his data is being used for, and be able to “correct and amend” that use. Justice Chandrachud explicitly referred to European principles of data protection, formulating it as a question of protecting individual “autonomy” (as we have seen, autonomy is one of the foundational concepts underlying the plurality judgment). Importantly, “transparency” – that is, disclosure and transparency about the use of personal data, which is a question of accountability – appeared in the Justice Chandrachud’s plurality opinion as a “related issue”, after an express observation about the centrality of consent. In other words, principles of transparency, disclosure and accountability cannot substitute the basic principle of informed consent, although they can supplement it. The point was put in simple, straightforward and explicit terms by Justice Kaul, who stated the principle in so many words:

“The State must ensure that information is not used without the consent of users and that it is used for the purpose and to the extent it was disclosed.” (para 70)

Readers will note that while in the first part of the sentence, Justice Kaul focuses on consent, in the second part – related to specific use – he uses the word “disclosed”. This might create some momentary doubt about whether, in the second part of the sentence, there is some slight dilution of the principle of informed consent.

This, however, would be a mistaken reading of Kaul J.’s opinion – and it is here that the operative order of the Court once again assumes crucial relevance. Recall that in the operative order, all nine judges held that “decisions subsequent to Kharak Singh which have enunciated the position in (iii) [that is, that privacy is a fundamental right] above lay down the correct position in law.” One of these decisions was a 2005 judgment of a three-judge bench of the Supreme Court called District Registrar vs Canara Bank.

In Canara Bank, Section 73 of the Stamp Act, that allowed – inter alia – the Collector to access private records that would normally be subject to the confidentiality relationship between banker and customer, was challenged. Responding to the contention that once one had voluntarily given over one’s bank records to a third party, there was no privacy interest remaining in them (as held in the much-critcised American case of US v Miller), the Supreme Court held that:

 “… the right to privacy deals with ‘persons and not places’, the documents or copies of documents of the customer which are in Bank, must continue to remain confidential vis-`-vis the person, even if they are no longer at the customer’s house and have been voluntarily sent to a Bank.”

In doing so, the Court specifically rejected something called “the third party doctrine”, which was a staple feature of American privacy law. The doctrine originated with the judgment in  United States vs Miller, where the question was whether a person had a privacy interest in personal records held by a bank. The Court held he did not, since:

The depositor takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to the Government. This Court has held repeatedly that the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.”

This is known as the third-party doctrine. Speaking for four members of the Court in dissent, Justice Brennan rejected it, reasoning that:

[A] depositor reveals many aspects of his personal affairs, opinions, habits, associations. Indeed, the totality of bank records provides a virtual current biography. . . . Development of photocopying machines, electronic computers and other sophisticated instruments have accelerated the ability of government to intrude into areas which a person normally chooses to exclude from prying eyes and inquisitive minds.”

Three years later, in Smith vs Maryland, the question arose whether a pen register (that is, an electronic device that records all numbers called from a particular telephone line), installed on the telephone’s company’s property, infringed upon a legitimate expectation of privacy. The US Supreme Court held that it did not, because:

Telephone users, in sum, typically know that they must convey numerical information to the phone company; that the phone company has facilities for recording this information; and that the phone company does in fact record this information for a variety of legitimate business purposes. Although subjective expectations cannot be scientifically gauged, it is too much to believe that telephone subscribers, under these circumstances, harbor any general expectation that the numbers they dial will remain secret.”

Smith vs Maryland is essentially the third-party doctrine applied to telephone records. Records in question are knowingly and voluntarily passed on to a third party (the telephone company), the customers being aware that the third party is storing and recording them. Consequently, there is no reasonable expectation of privacy – or so held the US Supreme Court.

In rejecting US vs Miller, did the Indian Supreme Court, in Canara Bank, reject the third-party doctrine as well? In my view it did so, because the Court observed, at para 54, that:

Once we have accepted in Govind and in latter cases that the right to privacy deals with ‘persons and not places’, the documents or copies of documents of the customer which are in Bank, must continue to remain confidential vis-a’-vis the person, even if they are no longer at the customer’s house and have been voluntarily sent to a Bank.”

In other words, even if we voluntarily had over private information to a third party, we continue to retain our right to privacy in that information. And in Puttaswamy, Justice Nariman’s separate opinion examined Canara Bank in great detail (paragraph 47 and 59), and noted as well that Miller had itself been overturned in the United States through congressional legislation.

Now, when we combine the principle of informed consent, which was affirmed by multiple judgments in Puttaswamy, with the principle that individuals retain privacy rights even over information voluntarily handed over to third parties (the holding in Canara Bank, affirmed by the operative order in Puttaswamy), we get the following proposition: for the purposes of the fundamental right to privacy, consent is not a one-time waiver of your right to control your personal information, but must extend to each and every distinct and specific use of that information, even after you have consented to the State collecting it from you. In other words, voluntarily handing over personal information to the State does not give it a carte blanche to use for whatever purposes it deems fit – but rather, the State is constitutionally bound to take the individual’s informed, meaningful consent at every stage that it wants to use that individual’s information. This, I would suggest, is the correct reading of Justice Kaul’s opinion: the first part of the sentence – that “the State must ensure that information is not used without the consent of users” – refers to separate, discrete and individual instances of use, while the second part of the sentence tags on disclosure and accountability as a supplementary principle.

In the beginning of this essay, I had observed that the centrality of the individual is the golden thread that runs through the six separate opinions in Puttaswamy. In the last essay, I argued that in the first of the three aspects of privacy that the judgment outlined, it accorded paramount importance to the individual, human body, and its relationship with the State. In this essay, I have argued that in developing informational self-determination as the second aspect of privacy, the Court placed the principle of informed, meaningful consent at the heart of its conception of what it meant to have the right to control your personal information. And in the next essay, we shall see how the individual, once again, features at the core of the Court’s vision of decisional autonomy.

Advertisements

5 Comments

Filed under Bodily Privacy/Integrity, Privacy

5 responses to “The Supreme Court’s Right to Privacy Judgment – IV: Privacy, Informational Self-Determination, and the Idea of Consent

  1. Pingback: The Supreme Court’s Right to Privacy Judgment – VI: Limitations | Indian Constitutional Law and Philosophy

  2. N S

    Aren’t they in essence upholding the principles of affirmative consent?

  3. Pingback: What to read on Privacy: Cross border data sharing, surveillance, consent, nutritions labels, AI - MediaNama

  4. Pingback: The Supreme Court’s Right to Privacy Judgment – VII: Privacy and the Freedom of Speech | Indian Constitutional Law and Philosophy

  5. Pingback: The Supreme Court’s Right to Privacy Judgment: Round-up | Indian Constitutional Law and Philosophy

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s