
Privacy Tracker | The Indian Supreme Court's Aadhaar judgment — A privacy analysis


The Supreme Court of India recently, by a 4 to 1 majority, upheld the constitutional validity of the Aadhaar project, after some minor tweaks and suggestions. This 1148-page judgment was delivered after a 38-day hearing, the second longest hearing in the history of the court. This post only concerns itself with the challenge that the project was violative of the right to privacy, which was given fundamental-right status under Articles 14, 19 and 21 of the Constitution of India in a landmark privacy judgment.

The Aadhaar project

The goal of the project was to issue a unique identification number to all Indian residents that would be robust enough to eliminate duplication and could be verified easily. The main purpose is to ensure targeted delivery of benefits, services and subsidies by the government through digital identification.

In order to get the Aadhaar card, individuals are required to submit their demographic and biometric information. They are also required to undergo biometric authentication each time they want to establish their identity.

Main arguments and privacy question

The main privacy arguments of the petitioners were that this project forces the individual to part with biometric information (fingerprints and iris scan), and the authentication process is susceptible to misuse. Further, the information relating to different transactions across the life of the individual is connected to a central database which may enable the state to profile citizens, track movements, assess their habits and influence behavior. It was thus contended that the Aadhaar Act strikes at the fundamental right to privacy of the individual. The question before the court was whether the act is unconstitutional for this reason.

Prelude to tests to determine constitutionality

Before delving into the findings of the court, it would be helpful to understand the main rights and activities (with some overlapping) that decided the fate of the project:

Rights/activities favoring the project

  • Welfare activities (right to life and liberty). Aadhaar is considered to be an enabler to the deserving sections of the society, thus allowing them to exercise their right to life and liberty. This, to a large extent, is universally recognized — even by the petitioner and the dissenting judgment.
  • Right to dignity. The court said that by giving individuals a unique identity and by enabling them to avail fruits of the welfare schemes, the project also ensures right to dignity for them. I refer to these as “part 1.”

Rights/activities favoring privacy

  • Right to dignity. There is another form of dignity, which is a facet of the right to privacy of the beneficiaries. I refer to these as “part 2.” The court, however, did not allow the petitioner to use this right to their advantage. The reasoning provided, in not so clear terms, was that the right to receive the benefits of welfare schemes under Aadhaar, has itself attained the status of fundamental right which the petitioners are relying upon and that the “Constitution does not exist for a few or minority of the people of India, but We the people.” In essence, it means that the court regards the right to dignity — part 1 as more valuable than the right to dignity — part 2.
  • Right to privacy. The court created a separate inferior class of privacy rights of the beneficiaries here. It set the tone for this by saying that only those matters over which there is “reasonable expectation of privacy,” get protection under the fundamental right to life and liberty. It then projected the right to privacy of the beneficiaries as such an inferior right to privacy. The suggestion of the court here was that if the “data collected is minimal,” there are “sufficient safe guard measures” and the possibility of profiling is ruled out (the court however also used the term “very difficult” elsewhere), then the “inroads into the privacy rights where these individuals are made to part with their biometric information, is minimal.” I refer to these as “inferior rights to privacy.”

Throughout the judgment, the court further strengthens the points favoring Aadhaar and diminishes the points favoring privacy, as if to ensure that when it tests the issue of constitutionality, the former turn out to be the winner.

Some presumptions by the court

It must be pointed out that the majority made some significant presumptions here and that their judgment essentially rests on these. Based on specific facts, it considered parting of biometric information as “minimal” and presumed that no profiling is possible in the present case. In the absence of these presumptions, it would have been extremely difficult for it to come to its final conclusion.

Three-part test to judge the reasonableness of the invasion to privacy

The landmark privacy judgment held that when a state action is challenged on the ground that it is violative of the right to privacy, then in order to determine the permissible limits of the invasion and the validity of the legislation, it has to be judged based on a three-part test comprising the doctrine of proportionality. The court thus tested the project as such and found that it satisfied this test (except for some minor deviations which are not covered in this post).

The test conducted by the court has been classified as such:

  1. There must be a law, i.e., the action must be sanctioned by law.
  2. The action must serve a legitimate state aim.
  3. There must be proportionality, i.e., the extent of interference by such action should be proportionate to the need for such action. This part is then further sub-classified as under:
    • (a) Legitimate goal stage: The measure restricting a right must have a legitimate goal.
    • (b) Suitability or rational connection stage: The measure must be a suitable means of furthering such goal.
    • (c) Necessity stage: There should be no other alternative which is less restrictive but equally effective.
    • (d) Balancing stage: The action should not have a disproportionate impact on the holder of the right. This is also the stage which dominated the legal analyses by the court.

Levels 1 and 2 were deemed satisfied on the premise that the project is backed by a statute, which serves a legitimate state aim to ensure that social benefit schemes reach the deserving (although the court added a caveat that it is necessary to ensure security).

For 3(a), the court had already, in the above point, said that the act serves a “legitimate state aim.” The court also added that the various orders pronounced by the court earlier, pertaining to various welfare measures under the project, further complement this. For 3(b), it said that the measures taken are rationally connected to the objectives contained in the act. For 3(c), it said that there is no alternative measure with a lesser degree of limitation which can achieve the same purpose.

Level 3(d), the balancing stage, was examined by the court at two levels. First, it examined whether the social interest and the reasonableness of the restrictions (imposed on the right to privacy) outweigh the right to privacy in this case. Secondly, it examined the two competing fundamental rights — right to food, shelter and employment on the one hand (right to dignity — part 1) and right to privacy on the other (comprising the inferior right to privacy and right to dignity — part 2).

For the first level, all that the court was required to do was to weigh the welfare activities here, together with the reasonableness of restrictions imposed on right to privacy, against the inferior privacy rights. This is what the court did, but not so clearly in the operative part. It finally said that “information collected at the time of enrollment as well as authentication is minimal, balancing at the first level is met.”

The principal issue at the second level was that the two facets of the same right of the same person — human dignity “in the form of autonomy (informational privacy)” (right to dignity — part 1) and dignity “in the form of assuring better living standards” (right to dignity — part 2), were in conflict with each other. The question thus was, whether the sacrifice of the right to privacy by the beneficiary, so that they get the benefits they're entitled to, is so invasive that an imbalance is created.

For this level, the court pitted the right to dignity — part 1, against the inferior privacy rights and the non-existent right to dignity — part 2. Because of the earlier efforts of the court, this was an easy contest, and right to dignity — part 1 was regarded as more dominant.

Project not to be shelved — remedy is "plug the loopholes"

Finally, the court said that the project should not be shelved because otherwise, a large percentage of beneficiaries would suffer. It opined that the remedy is not to take down the whole project, because of privacy concerns, but to plug the loopholes in the system.

Converting percentage to numbers 

At this stage, it would be helpful to convert some percentage figures to actual numbers. The respondent claimed that the biometric failure rate is only about 0.232 percent (although it also maintained that this is remediable) and this low figure was one important reason for the court to conclude that the project should not be shelved. But the Aadhaar card has been issued to about 1.17 billion of the total population of about 1.31 billion. So an error of 0.232 percent would mean approximately 2.7 million Indian citizens.

The dissenting judgment — advice for the future

Chandrachud, J, was the only dissenting judge here. Incidentally, he is the same judge who also authored the majority judgment (on behalf of three other judges) in the landmark privacy judgment. On many issues, the dissent is in clear contrast to the majority view — both on law and facts.

The dissent rejected the current Aadhaar framework and said that, in its current form, this framework does not satisfy the privacy concerns. It further clarifies that the biometric technology is problematic and has led to authentication failures. It then hits upon the foundation of the majority view by pointing out that the data collected by the authority cannot be termed as “minimal data.” Emphasizing the uniqueness feature of the biometric data, it says that, “Once a biometric system is compromised, it is compromised forever.”

Unlike the majority, instead of being dismissive of the failure rates, the dissent goes on to say that “No failure rate in the provision of social welfare benefits can be regarded as acceptable.”

Regarding the balancing stage of the proportionality test, the dissent notes that “a program like Aadhaar, which infringes on the justifiable expectations of privacy of citizens flowing from the Constitution, is completely disproportionate to the objective sought to be achieved by the State.” 

To the “plug the loopholes” suggestion of the majority, the dissent had this to say — “you cannot be ironing out the glitches when Articles 14 and 21 are at stake.”

The dissent gains particular importance also in view of the upcoming data privacy law in India. It recommends several modern privacy principles to be followed in reference to Aadhaar and emphasizes that creating strong privacy protection laws and instilling safeguards may also address the concerns associated with the project.

Conclusion

The Aadhaar project has survived, but the right to privacy and choice of the beneficiaries has suffered. The facts were not to the liking of the majority and they failed the proportionality test determined by the majority judgment. Paradoxically though, the dissent gives a choice to both the government and the legislature. The government may either feel vindicated and be content by fixing the glitches that the majority judgment pointed out, or it may rise to the occasion and look at the issue afresh from the dissent’s perspective. The legislature also has a choice to either come up with a data privacy law based on the lower standards of privacy protection set up by the majority or to follow the dissent and use it as the foundation of the upcoming data privacy law.
