Supreme Court holds that the right to privacy is a fundamental right guaranteed under the Constitution of India
The technology and privacy law team of Nishith Desai Associates is presenting this analysis of the landmark Supreme Court (“SC”) judgment of Justice K.S Puttaswamy (Retd.) v. Union of India and Ors.1 holding privacy to be a fundamental right under the Constitution of India (“Constitution”).
While the reasoning and analysis in the judgment makes for a very interesting read for its sheer depth, in this update, we have endeavored to focus on the impact of declaring privacy as a fundamental right, the impact on private entities (non-state parties) and the potential impact on the anticipated data privacy law.
The constitutional validity of the Aadhaar system (a nationwide biometric identification system) had been challenged before the SC. This issue was before a 5 judge bench of the Court (“Aadhaar Bench”). One of the key issues is whether the norms for compilation of the demographic biometric data by the government violates the right to privacy. To answer this question the SC had to first answer: whether there is a constitutionally mandated fundamental right to privacy. Due to conflicting judgments of the SC in the past, the Aadhaar Bench referred this question before a 9 judge bench of the SC (“Privacy Bench”) to finally determine whether there existed a fundamental right to privacy. To quote the Aadhaar Bench:
“During the course of the hearing today, it seems that it has become essential for us to determine whether there is any fundamental right of privacy under the Indian Constitution. The determination of this question would essentially entail whether the decision recorded by this Court in M.P. Sharma and Ors. vs. Satish Chandra, District Magistrate, Delhi and Ors2 by an eight-Judge Constitution Bench, and also, in Kharak Singh vs. The State of U.P. and Ors.3 by a six-Judge Constitution Bench, that there is no such fundamental right, is the correct expression of the constitutional position. (emphasis as per Court order)”
The Privacy Bench unanimously held that the right to privacy is fundamental right protected under the Constitution. The judges have delivered 6 judgments: Justice Chandrachud has written on behalf of himself, Chief Justice JS Khehar, Justice Agrawal and Justice Abdul Nazeer (“Lead Judgment”). Justice Chelameshwar, Justice Bobde, Justice Sapre, Justice Nariman and Justice Kaul have written separate judgments providing their own findings, conclusions and observations (referred to as “Single Judge Judgment(s)”). A consolidated order (“Order”) holds that:
The judgments in total run into 547 pages. The judgments trace the history of Indian constitution, development of jurisprudence with respect to fundamental rights through various SC cases, examine scholastic articles, foreign jurisprudence and case laws and of course international treaties.
The Lead Judgment starts by acknowledging that (i) Privacy allows each individual / person to be left alone in a core which is inviolable; (ii) this autonomy is conditioned by their relationships with the rest of society; (iii) those relationships pose questions to autonomy and free choice. The overarching presence of state and non-state entities regulates aspects of social existence which bear upon the freedom of the individual; and (iv) privacy is required to be analyzed in an interconnected world and the SC has to be sensitive to the needs of and the opportunities and dangers posed to liberty in a digital world. The Single Judge Judgments also refer to digital economy and non-state parties’ role. These observations are discussed in detail later.
Though the Lead Judgment and Single Judge Judgments reach the same conclusion, each judgment deals with arguments of the petitioner and the state separately and at times in slightly different manner. Hence, an in depth analysis may be required of different aspects to arrive at the binding ratio. Some aspects dealt with in Single Judge Judgments may not be dealt with in the Lead Judgment or may not be dealt with in equal detail. In such cases, the binding nature of such aspect will have to be analyzed further.
Further, all earlier cases that deal with the fundamental rights, its ambit and principles on which restrain may be applied to its exercise will be applicable with respect to privacy as a fundamental right. Hence, in subsequent cases when state action is challenged on the ground of privacy, in addition to the present case, such earlier cases may also come to aid.
I. What was the position of ‘privacy’ as a fundamental right earlier?
The Judgment has not created a new right to privacy as a fundamental right but has clarified the status of the right to privacy as fundamental right under the Constitution. It traced its recognition in the right to life and personal liberty under Article 21 of the Constitution of India (“Constitution”), but found that it was also footed in certain other rights, such as Article 194.
The judgment clarifies that a constitutional right to privacy can be defined in both negative and positive terms, i.e:
The SC’s ruling is rooted, inter alia, in the following reasoning:
II. What are the specific facets of privacy that have been referred to by the Court?
The submission of the government was that the SC cannot recognize a juristic concept which is so vague and uncertain that it fails to withstand constitutional scrutiny. The judgments rejected this argument. In the simplest form, the judgments recognize the right as “right to be let alone”. Justice Nariman categorizes the right as having three aspects: personal privacy (such as the right to move freely), informational privacy and the privacy of choice.
The SC has traced the history of recognition of various facets of the right to privacy by citing various scholastic writing, .Indian and foreign judgments and provides description of privacy right. However, the Lead Judgment succinctly concludes that:
“This Court has not embarked upon an exhaustive enumeration or a catalogue of entitlements or interests comprised in the right to privacy. The Constitution must evolve with the felt necessities of time to meet the challenges thrown up in a democratic order governed by the rule of law. The meaning of the Constitution cannot be frozen on the perspectives present when it was adopted. Technological change has given rise to concerns which were not present seven decades ago and the rapid growth of technology may render obsolescent many notions of the present. Hence the interpretation of the Constitution must be resilient and flexible to allow future generations to adapt its content bearing in mind its basic or essential features.’
Justice Bobde has stated that scope and ambit of a constitutional protection of privacy can only be revealed on a case-by-case basis.
In this context, the Lead Judgment relies on an article that represents privacy through a diagrammatic structure8 that identifies nine types of privacy:
However, it is important to examine each judgment to have an illustrative list of rights enumerated by the SC so that while framing any law or taking any action, the government has enough guidance on whether such law or action is likely to violate the right to privacy.
III. What is the impact of declaring privacy as a fundamental right? What is the impact of the judgment on non-state parties ?
The impact of recognizing privacy as a fundamental right, as opposed to a statutory or a common-law right, is that it is an inviolable right. A fundamental right provides a touchstone on which the validity of a law may be determined or a state’s action may be assessed. While a statutory right may be modified, amended, or annulled by a simple act of legislation, a constitutional right is not subject to amendment or annulment at the instance of the legislature. Any abridgment of a constitutional right, must meet the tests prescribed under Article 21, Article 19, or the specific freedom it seeks to abridge. The impact of the Order is already apparent. In a recent case Delhi High Court has raised a question whether private blackberry messenger messages can be relied upon by the state to impugn a criminal offence against the person, in view of the privacy ruling of the SC9.
To clarify, fundamental rights under Article 19 and 21 are as such enforceable only against the state or instrumentalities of the state and not against non-state parties. However, almost all the 6 judgments highlight the need for data protection law to control actions of the non-state parties as well. The horizontal application of the right to privacy will have to be tested in the view of this judgment. In fact the Lead Judgment calls upon the government to bring out a detailed data protection regime based on the broad guidelines laid down in the judgments. Most of the views are expressed in this connection – referred to as ‘informational privacy’ in the Judgment – are discussed in detail below in section VIII.
At present as against the non-state entities, privacy is recognized as a common law (as opposed to a constitutional) right. The enforcement will depend on facts and circumstances of the case. Under the Information Technology Act, 2000 and rules framed thereunder there are limited provisions with respect to protection of personal information and sensitive data and personal information.
IV. What are the reasonable restrictions on the fundamental right to privacy that have been recognized by the Court?
Since the fundamental rights are not to be read in a silo, any infringement of fundamental rights will therefore have to pass the basic tests of Articles 21 and 14 of the Constitution. These tests are10:
The judgments have recognized the below mentioned restrictions on the right to privacy
V. Can fundamental rights be waived by consent?
The state argued that privacy cannot be held to be a fundamental right, as fundamental right cannot be waived. This would lead to several complications arising with regard to the functioning of the state. This argument was made on the basis that the state would be virtually barred even from contractually collecting any information from individuals in India and this would hamper the functioning of the state as it is required to collect certain information of citizens while exercising its required functions.
Interestingly, the Lead Judgement does not deal with this argument of the government. It merely refers to SC judgment “Behram Khurshed Pesikaka v. State of Bombay”12 and concurred with the view that “Part III of the Constitution is a part of the wider notion of securing the vision of justice of and, as a matter of doctrine, the rights guaranteed were held not to be capable of being waived”13.
In this regard Justice Nariman in his judgment has observed14 as follows:
Thus, the threshold for state collecting the data from the citizens and the purpose for which it will be used is stringent. The same threshold in our view however should not apply when the non-state parties collect and use data.
A question may be raised about, when the state acts in a commercial capacity, whether fundamental rights may still be enforced against the state and whether the same threshold for consent as discussed above will apply in relation to such commercial activity. In this connection, several earlier case laws have clarified that executive action (as stated below), will have to satisfy the test of Article 14 of the Constitution, irrespective of whether the function being exercised by the state in its capacity as a sovereign or in a commercial capacity or in any other capacity. This viewpoint was upheld by the Court in Air India Ltd. vs. Cochin International Airport Ltd15 and Ramana Dayaram Shetty vs. International Airport Authority of India and Ors.16.
In light of the above, it may be argued that there is a duty imposed on the state to act reasonably while obtaining consent from individuals for the collection of information which falls under the protections envisaged under the right to privacy, without regard to under what capacity function is being exercised by the state.
VI. What is the potential impact of the judgement on Aadhaar and what references have been made in the judgement which may have an impact on the Aadhaar judgement?
While the judgment itself does not seek to (and was not intended) to answer the constitutional challenge to The Aadhaar (Targeted Delivery of Financial And Other Subsidies, Benefits And Services) Act, 2016 (“Aadhaar Act”), the judgments will have bearing on Aadhaar ruling. The Aadhaar Act will have to satisfy the three pronged test as discussed above, since under the Aadhaar Act personal information such as biometric information is collected and processed by the government. Other than Aadhaar Act itself, the manner in which the use of Aadhaar Card is being mandated by the government for various purposes, will also need to be tested on the basis of the privacy judgment.
In the context of this evaluation, it is imperative to note that the Aadhaar scheme which was first introduced as a means of targeted distribution of subsidies, is today being implemented towards a variety of purposes, including the fight against black money, transaction authentication, and ‘know your customer’ requirements for banks and telecom companies. Aspects of Aadhaar Act, such as (i) security of the Aadhaar system, (ii) the inability of the individual to file complaints (for violation under the Aadhaar Act) relating to theft or misuse of their data17, and (iii) the inability to withdraw / delete one’s data once registered with the UIDAI, will also likely come under scrutiny.
The following observations of the court in the judgment throw light on some of the questions surrounding the Aadhaar challenge. First, while the court rejected the argument that furtherance of welfare objectives should take precedence over right to privacy18, it has indicated that the fulfillment of welfare objectives would be a legitimate aim towards which the right to privacy could be infringed (provided the other conditions of a reasonable restriction are met).19 Secondly, the primacy of individual consent (in relation to one’s data / information) as highlighted by the Court20, provides possible context to the discussion on the mandatory and permanent nature of the Aadhaar.
We will soon publish our detailed analysis on the Aadhaar Act and Aadhaar scheme in the light of this judgment.
VII. What would be the reasonable expectation of privacy, especially in a public place?
The Lead Judgment in its conclusion summarizes this aspect21 as follows:
“While the legitimate expectation of privacy may vary from the intimate zone to the private zone and from the private to the public arenas, it is important to underscore that privacy is not lost or surrendered merely because the individual is in a public place. Privacy attaches to the person since it is an essential facet of the dignity of the human being.”
The SC has not however, gone on to examine or analyze the extent or scope of the legitimate expectation of privacy of an individual in a public place as such an examination / determination would differ based on the facts of each matter at hand. The aforementioned determination is additionally relevant in light of several instances wherein certain actions have been question to be in violation of the right to privacy of individuals in public such as the installation of CCTV cameras by the government in public areas. It may be argued that now the installation of the CCTV cameras by the government needs to satisfy the test of reasonable restriction as discussed above.
Justice Bobde has negated the argument of State of Gujarat that only those privacy claims which involve a ‘reasonable expectation of privacy’ be recognized as protected by the fundamental right. He goes on to explain
Such a formulation would exclude three recurring red herrings in the Respondents’ arguments before us. Firstly, it would not admit of arguments that privacy is limited to property or places. So, for example, taking one or more persons aside to converse at a whisper even in a public place would clearly signal a claim to privacy, just as broadcasting one’s words by a loudspeaker would signal the opposite intent. Secondly, this formulation would not reduce privacy to solitude. Reserving the rights to admission at a large gathering place, such as a cinema hall or club, would signal a claim to privacy. Finally, neither would such a formulation require us to hold that private information must be information that is inaccessible to all others.
Justice Nariman has also discussed the state’s argument on the “reasonable expectation of privacy test”, which provides that, ”if information is voluntarily parted with by an individual, no right to privacy exists”, as was laid down in Katz v. United States22 . Justice Nariman has rejected the state’s argument that the Court should follow the “reasonable expectation of privacy test”, while determining the contours of the right to privacy by referring to the judgment of the SC in District Registrar and Collector, Hyderabad & Anr. v. Canara Bank, etc.23, and thereby holding that that the “reasonable expectation of privacy test” has no plausible foundation under Article’s 14, 19, 20 and 21 of the Constitution of India.
VIII. Data protection or ‘Informational Privacy’
The Judgments at several places deal with informational privacy (especially in the context of inter-connected digital world), both in the hands of state and non-state entities.
The Lead Judgment specifically deals with informational privacy but substantial part of the discussion is on the handling of information by the State. The Lead Judgment contemplates a robust regime (as per requirements of Article 21) satisfying the tests below:
The Lead Judgment relied upon SC judgment in the matter of District Registrar and Collector, Hyderabad v Canara Bank24 in relation to the informational privacy in the hands of the nationalized Bank. Some Judgments also refer to the recommendations made by the Expert Group’s Report set up earlier by the government in 2012, proposing a framework for the protection of privacy concerns in India25. However, no binding observations have been made by the SC with respect to the recommendations made by the Expert Group.26
In the conclusion of the Lead Judgment the SC acknowledges that the government has set up committee under Justice B N Srikrishna (“MeiTy Committee”) for suggesting appropriate data protection law in India and directs that the matter shall be dealt with appropriately by the Union government having due regard to what has been set out in its judgment.27
Some judgments have alluded to different facets of data protection regime. Most of them appear more as discussion points rather than binding ratio. The Lead Judgment refers to non-discriminatory treatment on the basis of data collected. Justice Kaul has alluded to the need for “right to be forgotten”. He has also suggested that EU law may be a useful guidance.
Justice Kaul suggests that profiling of individuals by the State that leads to discrimination is not acceptable however, such profiling can be used for public interest and protection of national security. He deals with the right to control information in some detail and observes as follows. The following observations are not specifically distinguished as whether they apply in relation to state and/or non-state.
The impact of abovementioned observations in relation to right of celebrities will need to be examined in detail
Justice Kaul further discusses the right to control and correct information on the world wide web and alludes to right to be forgotten as essential ingredient subject to some limitations.
The three tests specified above that apply in relation to a fundamental right, should not necessarily apply in relation to handling of the data by non-state parties. If the same three tests were to be made applicable to non-State then the data protection regime will be very restrictive and will thwart innovation and efficient delivery of goods and services. Therefore, the proposed data protection regime ought to make distinction between the handling of the data by the State and Non-State parties.
Justice Kaul has specifically dealt with privacy concerns against non-state parties, and some of the key observations are below:
One way to view the question of how the fundamental right to privacy affects non-state parties is to see the judgment as requiring (or, at the least, suggesting) that the State create a data protection law.28 This is to preserve citizens’ informational privacy (or per Justice Nariman, their privacy interest of “data protection”)29 against non-State parties. In the past, similarly, the SC observed the need for a law against sexual harassment in the workplace, and directed the government to frame such a law in the interest of protecting fundamental rights (Vishaka v. State of Rajasthan)30.
IX. Way forward
Justice Kaul has stated in Para 70 of his opinion that:
“The State must ensure that information is not used without the consent of users and that it is used for the purpose and to the extent it was disclosed”
This assertion has been supported by an observation by Justice Chandrachud in Para 177 of the Lead Judgement31. Read together, it appears that the need for ‘consent’ in the data protection regime will be one that is constitutionally mandated as part of the right to privacy.
Considering the observation in the Lead Judgment and by Justice Kaul with respect to consent and the discussion regarding the AP Shah Committee, it is likely that the data protection law will contain the following broad aspects:
1 WP (C) 494 of 2012
2 1950 SCR 1077
3 1962 (1) SCR 332
4 Article 19 of Constitution of India: Protection of certain rights regarding freedom of speech etc.
5 Article 51 of the Constitution, which forms part of the Directive Principles mandates that India foster respect for international law and its treaty obligations
6 Article 17 of the ICCPR states: 1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation 2. Everyone has the right to the protection of the law against such interference or attacks.
7 Article 12, Universal Declaration of Human Rights
8 Paragraph 141, Part L of the Lead Judgment
10 Paragraph 180 of the Lead Judgment and Paragraph 3(H) of the Lead Judgment’s conclusion
11 1978 SCR (2) 621
12 (1955) 1 SCR 613
13 Paragraph 112 of the Lead Judgment
14 Paragraph 60 of Justice Nariman’s judgment
15 (2000) 2 SCC 617
16 (1979) 3 SCC 489
17 See Section 47, the Aadhaar Act;
18 Paragraph 154-155 of the Lead Judgment, Paragraph 45 of Justice Nariman’s judgment
19 Paragraph 154-155 of the Lead Judgment..
20 .Paragraph 176 of the Lead Judgment.
21 Paragraph 3 (F) of the Conclusion of the Lead Judgment.
22 389 U.S. 347 (1967)
23 (2005) 1 SCC 496
24 (2005) 1 SCC 496
25 The framework was based on five salient features (i) technological neutrality and interoperability with international standards; (ii) multi-dimensional privacy; (iii) horizontal applicability to state and non-state entities; (iv)conformity with privacy principles; and (v) a co-regulatory enforcement regime. The Expert Committee proposed nine privacy principles, namely notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security and openness, and accountability.
26 Report of the Expert Group available at: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf
27 The Ministry for Electronics and Information Technology (“MeitY”) has constituted a committee of experts, in July, 2017, under the chairmanship of Justice B.N Srikrishna, in order to identify key data protection issues in India, recommend methods of addressing such issues and to prepare a draft data protection bill.
28 E.g., Paragraph 5 of the conclusion of the Lead Judgement.
29 Paragraph 46 of Justice Nariman’s opinion.
30 (1997) 6 SCC 241
31 “The sphere of privacy stretches at one end to those intimate matters to which a reasonable expectation of privacy may attach. It expresses a right to be left alone. A broader connotation which has emerged in academic literature of a comparatively recent origin is related to the protection of one’s identity. Data protection relates closely with the latter sphere. Data such as medical information would be a category to which a reasonable expectation of privacy attaches. There may be other data which falls outside the reasonable expectation paradigm. Apart from safeguarding privacy, data protection regimes seek to protect the autonomy of the individual. This is evident from the emphasis in the European data protection regime on the centrality of consent. Related to the issue of consent is the requirement of transparency which requires a disclosure by the data recipient of information pertaining to data transfer and use”