[Editorial Note: Justice is an indivisible concept. We cannot, therefore, discuss contemporary Supreme Court judgments without also acknowledging the Court’s failure – at an institutional level – to do justice in the case involving sexual harassment allegations against the Chief Justice. This editorial caveat will remain in place for all future posts on this blog dealing with the Supreme Court, until there is a material change in circumstances.]
It has been more than a year since the Supreme Court’s judgment in K.S. Puttaswamy v Union of India (II) [“the Aadhaar Judgment”], which was delivered on September 26, 2019. The intervening period has seen some legislative developments – for example, resurrecting the use of the Aadhaar database by private parties, which had been struck down by the Court. It has seen the promise of fresh laws (such as the Data Protection Act, which – it is rumoured – will be placed before Parliament in the winter session). It has also seen the proposed extension of the Aadhaar programme (for example, mandatory linking of voter IDs), as well as other legislative proposals involving the collection and use of personal data (facial recognition systems, DNA profiling, and so on).
It is therefore important to revisit the Aadhaar Judgment, and determine what, precisely, the Supreme Court held in that case. While the judgment is widely known for having upheld the constitutionality of the Aadhaar programme while also limiting its scope in certain important respects, it was also the first time the Supreme Court dealt with the intersection of contemporary data collection, storage, and use practices, and fundamental rights. The principles that emerge out of that discussion, therefore, have a significance that goes beyond the specific holding in that case.
To understand clearly what is at issue, let us begin with certain conceptual distinctions. The Aadhaar Judgment involved three levels of analysis: (i) an analysis of facts involving the Aadhaar programme; (ii) an analysis of applicable legal and conceptual standards; and (iii) an application of those standards to the facts (in order to determine whether and to what extent the Aadhaar programme passed constitutional muster). On this blog, in the aftermath of the judgment, a group of us analysed (i) and (iii) in some detail, and criticised the Court on both counts. The Court’s decision to uphold the Aadhaar programme, we argued, was premised on a wrong understanding of facts, and a wrong application of legal standards to those wrongly-determined facts. In this post, I intend to bracket those two questions, and complete the analysis by examining issue (ii) in some detail: i.e., the legal standards themselves.
I will argue that if we read the Aadhaar Judgment along with the nine-judge bench decision that upheld privacy as a fundamental right in K.S. Puttaswamy v Union of India (I) [“the Privacy Judgment”], certain important principles emerge (and on these principles, both the majority and Chandrachud J.’s dissenting opinion were in broad agreement). In summary, the Supreme Court held that (i) the collection, storage, and use of data in a manner that enables profiling is unconstitutional; (ii) data minimization, purpose limitation, and limited data retention are integral to any legislation or executive act involving data collection; (iii) use by private parties of the Aadhaar database is forbidden; and (iv) in testing the constitutionality of any specific measure that infringes the right to privacy or involves data collection and processing, the proportionality standard is applicable. This standard places an evidentiary burden upon the government to justify both the rationality of the measure and its necessity (i.e., that no alternative measures that infringe rights to a lesser degree are available).
The Role of Facts and Law
To understand the holding of the Supreme Court in the Aadhaar Judgment, it is important to begin with the main grounds of challenge. As indicated above, the Aadhaar challenge involved a set of legal claims, based upon a set of factual assertions. Relevant for our purposes here were the contentions that (i) Aadhaar enabled a surveillance State by allowing the government to track individual transactions through the authentication mechanism; (ii) Aadhaar enabled profiling by allowing the merging of data silos; (iii) the data collection was excessive and breached the right to privacy; and (iv) Section 57, which allowed private parties access to the database, breached the principle of purpose limitation, and also enabled commercial surveillance.
It is of vital importance to note that the Aadhaar Judgment rejected none of the petitioners’ legal claims; rather, to the extent that the Court found against the Petitioners, it did so because it disagreed with their factual arguments, while agreeing with the legal claims (and it was those findings that we criticised last year on this blog). In other words (to take one example), the Court found that the Aadhaar programme did not allow for the merging of data silos; however, it becomes clear from a reading of the judgment that had it been the case that the merging of data silos was allowed, the Court’s conclusion would also have been different.
So: on the first contention (surveillance), the Court found on facts that, among other factors, the legal prohibitions upon the sharing and disclosure of core biometric data, sharing of e-KYC data only with user consent, no transmission of identity information back to the Requesting Entity, and the retention of authentication logs only for a short period, precluded the possibility of State surveillance. In addition, the Court found on facts that the merging of data silos was prohibited, the data collection at the time of enrollment was minimal (fingerprints and iris), and the Authority was purpose blind. Consequently, the Court specifically held that “we are of the view that it is very difficult to create profile of a person simply on the basis of biometric and demographic information stored in CIDR.”
Data Protection and Privacy: Principles of Data Minimisation, Purpose Limitation, and Safeguards
On the issue of data protection and privacy, the Court specifically observed that “the crucial requirements, which are indicative of the principles for data protection that India adheres to, inter alia include… information collected shall be used for the purpose for which it has been collected [“purpose limitation”]… Body corporate or any person on its behalf shall, prior to the collection of information, including sensitive personal data or information, provide an option to the provider of the information to not to provide the data or information sought to be collected … Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation.” (paragraph 166)
In this context, the Court’s discussion of case law from the European Union was particularly illuminating. The Court discussed judgments such as Marper, where the storage of DNA profiles had been struck down because of their “blanket and indiscriminate nature” (paragraph 178) (in particular, failing to distinguish between suspects and convicts); Digital Ireland, where an EU Directive that enabled profiling without any temporal or spatial limits was struck down; and Tele2, where metadata collection was struck down because it violated the data protection principles referred to above (again, it was indiscriminate in nature, and affected individuals without any probable cause of suspicion). The Court concluded by noting that “it is evident from various case laws cited above, that data collection, usage and storage (including biometric data) in Europe requires adherence to the principles of consent, purpose and storage limitation, data differentiation, data exception, data minimization, substantive and procedural fairness and safeguards, transparency, data protection and security. Only by such strict observance of the above principles can the State successfully discharge the burden of proportionality while affecting the privacy rights of its citizens.” (paragraph 187) It will be noted that these are the exact principles that the Court held operated in India as well; European case-law, thus, is heavily persuasive authority on this issue.
The Court then went on to specifically analyse the provisions of the Aadhaar Act on the touchstone of these principles. It held that “data minimization” was satisfied because the information collected was minimal, and the nature of the transaction or the individual’s location was not revealed during authentication; at the same time, the Court invalidated the storage of any form of metadata other than “process metadata”, in order to meet the requirements of data minimization; it also held that “purpose limitation” was satisfied because certain definitional provisions had been read down – and – critically – Section 57, which allowed private parties to use the database under cover of any “law or contract” had been struck down (as would be done later in the judgment); on data retention, the Court restricted the time period for which the data could be stored to six months.
On both counts, the petitioners made a specific argument that there were insufficient safeguards under the framework of the Act with respect to data sharing, as – in particular – the police could gain access to the database. The Court answered this by holding that these concerns were assuaged by (a) reducing the period of data retention to six months; (b) requiring that, if any individual’s information was to be shared through a judicial order, that person would have to be given a hearing (under S. 33 of the Act); in particular, and crucially, the Court noted that “there is a reasonable presumption that the said court shall take into consideration relevant law including Article 20(3) of the Constitution as well as privacy rights or other rights of that person before passing such an order”; (c) holding that sharing of information that did not go through a judicial process (such as in cases of national security under S. 33(2)) was invalid, and that a judicial member would have to be added to the decision-making authority; and by the fact that Section 57 had been struck down (paragraph 220).
Thirdly, on the aspect of the integration of data silos, the Aadhaar Judgment noted that in the Privacy Judgment, it had clearly been held that isolated information silos, when aggregated, could enable profiling (paragraph 232); as indicated above, the Court found that as a matter of law the silos remained isolated, and were not permitted to be aggregated.
As an overall point, the Court held additionally – while addressing the privacy claim – that as part of the balancing process, the expectation of privacy in biometrics and irises was relatively low (as opposed to, for example, medical data); thus, overall, data collection remained “minimal”, and that this helped tip the balance of rights in favour of Aadhaar. (paragraphs 295 – 297, 308)
Fourthly, moving on to specific challenges beyond the Aadhaar Act, the Court upheld the mandatory linking of Aadhaar with PAN, but struck down linking with bank accounts and SIM cards. In each case, the Court’s rationale was founded on the question of whether the government had managed to discharge its evidentiary burden under the proportionality standard (i.e., demonstrating a legitimate State aim, a rational connection between the measure and the aim, that the measure was the least restrictive with respect to fundamental rights as compared to all other alternatives, and finally, that on balance, it was proportionate). On the issue of PAN Cards, it held that the government had demonstrated with “empirical data” that as Aadhaar was a unique identifier, it could deal with the problem of bogus or duplicate PAN cards (paragraphs 421, 423); on the other hand, as far as bank accounts were concerned, the Court specifically held “that it does not meet the test of proportionality and is also violative of right to privacy of a person which extends to banking details.” (paragraph 429); importantly: “under the garb of prevention of money laundering or black money, there cannot be such a sweeping provision which targets every resident of the country as a suspicious person. Presumption of criminality is treated as disproportionate and arbitrary.”
The Court went on to hold that the State had not even demonstrated how mandatory linking would solve the problem of black money, and why alternative methods of KYC were insufficient; mere “ritual incantation” of black money would not suffice under the proportionality standard (paragraph 434), in a world in which maintaining a bank account had become “almost a necessity” (paragraph 435); rather, “there should have been a proper study about the methods adopted by persons who indulge in money laundering, kinds of bank accounts which such persons maintain and target those bank accounts for the purpose of Aadhaar. It has not been done.”
And the Court returned a similar finding on the issue of SIM cards, noting that “for the misuse of such SIM cards by a handful of persons, the entire population cannot be subjected to intrusion into their private lives. It also impinges upon the voluntary nature of the Aadhaar scheme. We find it to be disproportionate and unreasonable state compulsion.” (paragraph 442)
The Legal Standards
In summary, therefore, the Aadhaar judgment proceeded in this way: the Supreme Court accepted the Petitioners’ constitutional tests for adjudicating the validity of the Aadhaar programme. It found that parts of the Aadhaar programme were compliant with these tests, and parts of it were not. At some places, the Court found that compliance was possible if certain provisions were read down, or interpreted narrowly. At other places, it found that it was not possible – and those provisions were struck down. When we read this holistically, and in view of the Privacy Judgment, the following principles (as indicated above) emerge:
- Profiling is unconstitutional. Consequently, aggregation of data silos that enables profiling is also unconstitutional. The “360 degree view” of citizens that certain states and police departments have proclaimed as a matter of pride, is not permitted under law.
- As a corollary, collection and storage of metadata that enables profiling is also unconstitutional.
- Purpose limitation is mandatory for data collection. In other words, if a law enables data collection for purpose X, the data cannot then be stored or used for any purpose other than X.
- Two important corollaries follow from (a) and (b). First, the Aadhaar database cannot be accessed by other bodies (for example, the police). Not only would this breach both (a) and (b), it would also – in this specific case – breach the right against self-incrimination (it is for this precise reason that the Court insisted that sharing of information could only be done through a specific and individual judicial order, or an order involving a judicial member).
- Secondly, laws for data collection cannot be framed in generic or open-ended terms. They must categorically specify the purpose for which data is collected (and will be stored and used), and their constitutionality will be judged on that count.
- Private parties are not authorised to access the Aadhaar database. This becomes important in light of the fact that after the judgment, an ordinance – and then a law – was passed just to allow this. This law is unconstitutional. It may be argued that there are parts of the judgment that suggest that the only part struck down in Section 57 was the part that allowed access even through a “contract.” This argument cannot succeed. The Aadhaar Judgment is clear on more than one occasion that the part involving body corporates is the one that is struck down – law or contract notwithstanding. There are three further reasons why this interpretation is correct: first, the fact that the database clearly should not be made accessible purely through a contract was not the only reason why the Court found Section 57 unconstitutional. Section 57 was also struck down because it violated purpose limitation – and the distinction between law and contract is irrelevant in that regard; secondly, the Court upheld the Aadhaar Act as a money bill on the basis (inter alia) that it had already struck down Section 57 (and that the rest of the Act was substantially a money bill). Obviously, this could not have been the case if only a part of Section 57 had been struck down – the procedural flaw would have remained in that case; and thirdly, the Court struck down Section 57 because it enabled commercial surveillance – another point that does not turn on the difference between law and contract.
- Any law requiring data collection must satisfy the principle of proportionality. This principle requires the government to demonstrate the necessity of the collection, through concrete evidence (for example, if the government wants to mandatorily link Aadhaar with Voter IDs, it must demonstrate the factual necessity for it, and also that alternative methods of “de-duplication” are insufficient). Crucially, data collection cannot be blanket – that is, if the goal is to identify a specific instance of wrong-doing or prevent crime (in policing), the State cannot achieve that by blanket and indiscriminate data collection that fails to distinguish between those against whom there is probable cause of suspicion and those against whom there is not. In other words, data collection statutes must be specific and targeted.
- The period of data retention also speaks to the proportionality of the measure. Retaining data for an excessive period renders the measure disproportionate.
- The greater the reasonable expectation of privacy in the data in question, the higher the burden of justification upon the State. In the Aadhaar Judgment, the Court held that the expectation of privacy in biometric details and iris scans was low. However, for any other species of data, (for example, DNA), the analysis will have to be undertaken afresh.
As we pointed out at the time of the judgment, there are some serious doubts over the Court’s analysis of facts, and application of law to the facts, throughout the course of the verdict. Those doubts remain. However, while issues of that kind are specific to the judgment – and to the constitutionality of Aadhaar – the interface between technology and fundamental rights obviously is not. It is here that the legal standards evolved by the Court in the Aadhaar Judgment are important, because it is they – and not the concrete, fact-specific holding on the constitutionality of Aadhaar – that will provide the constitutional framework within which future disputes will be litigated. In this post, I have attempted to show that on that question, the Supreme Court articulated – and accepted – a rigorous and privacy-protective set of legal standards. A correct application of those standards would invalidate – or at least, throw into serious doubt – the government’s plans for open-ended data collection (under the guise of anodyne terms such as “data is the new oil”), facial recognition tenders, and indiscriminate DNA profiling; most importantly, these standards provide a crucial yardstick against which to judge the adequacy of the Data Protection Act that is eventually passed by Parliament. Any such legislation – it hardly needs reminding – must comply with these standards, as they are grounded within the Constitution. In other words, the soon-to-come statutory landscape of data protection in India must adhere to the constitutional framework that has been traced out above.