One Year From Puttaswamy : Data Protection On The Touchstone Of SC Judgment

'The Data Protection Bill may be considered as one step in achieving the objective of optimal protection of privacy'

Privacy has been given many definitions and connotations over the ages. In the Indian context, the momentous judgement of the Supreme Court in Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors[1] is a remarkably concrete touchstone upon which developments that deals with privacy may be examined. The judgement affirms that privacy in India is a right that protects interests ‘pertaining to the physical realm and interests pertaining to the mind^[2]’. Particularly, on the occasion of the first anniversary of the judgement, an analysis of the Personal Data Protection Bill, 2018, as proposed by the Justice Srikrishna Committee, seems to be relevant.

Puttaswamy Judgment & Different Facets Of Privacy

Once we recognize privacy as a constitutional value^[3] and the ultimate expression of the sanctity of the individual^[4], the need for an effective legislation for data protection becomes imperative. The fact of contemporary life is that data relating to ‘food habits, language, health, hobbies, sexual preferences, friendships, ways of dress and political affiliation[5]’, along with services such as internet banking, trading, communications as well as others, together occupy those facets that dwell within the zones of privacy of any individual, and which together enables any analyst of such data to have a clear virtual biography of such individual. As the judgement says, “to put it mildly, privacy concerns are seriously an issue in the age of information[6].”

In such a context, unmitigated and unwarranted use of personal data has to be thwarted, where excessive, and harmonized, where permissible, not only against the State but also other entities.

Nine Judges' SC Bench of Privacy Judgment

The opinion penned by Chandrachud J.^[7], similar to the opinion by Bobde J., articulates a dual classification of the role to be played by the State -positive as well as negative- in terms of privacy as a fundamental right. The negative aspect prevents the State from unnecessary interventions into the rights of its people whereas the positive role enjoins the State to dynamically adopt measures to check and prevent such interferences by other entities. Bobde J. additionally speaks about the duty of the State to endow its people with conditions for the development and dignity of individuals.

Chandrachud J., speaking for 4 judges including himself, views privacy as a human right, the protection of which is within the international obligations of the State. The opinion clarifies that what is protected under the right to privacy is “people, not places”^[8]. In today’s age of ‘ubiquitous dataveillance^[9]’, the state has also become an ‘Informational State^[10]’ and together with the evolving and ever-advancing technologies of data mining and data aggregation, the concerns that privacy faces today has been realistically portrayed[11].

As per the plurality opinion, ‘legitimate state interests’ may be considered as limitations on the right to privacy, if and only if they satisfy three sine-qua-nons, namely an existing law, a need or a legitimate aim and proportionality of such state aim with the measure seeking to restrict/limit privacy^[12]. Examples of such state aims provided here include national security concerns, prevention and investigation of crime and protection of the revenue, similar to the foreign judgements quoted therein. Very interestingly the judgement places the allocation of ‘scarce public resources to ‘legitimate beneficiaries’ at par with the above concerns as constituting a vital state interest that may justify an exception to privacy of the individuals. Even so, the court points out that ‘the data which the state has collected has to be utilised for legitimate purposes of the state and ought not to be utilised unauthorizedly for extraneous purposes’, thus placing any unauthorized secondary use of the data so collected, otherwise than for the stipulated purpose, as a clear encroachment into the right of privacy.

As per Chelameswar J., the test of judicial review in privacy matters should encompass ‘Article 14 type reasonableness enquiry; limitation as per the express provisions of Article 19; a just, fair and reasonable basis (that is, substantive due process) for limitation per Article 21; and finally, a just, fair and reasonable standard per Article 21 plus the amorphous standard of ‘compelling state interest^[13]’. The last must also reflect the benchmark of ‘highest standard of scrutiny’. This test is a highly evolved one, which mandates that the right of privacy is not to be interfered with by the State except for extraordinary circumstances which truly and legitimately warrant such interference, and without which some critical and vital State function may not be performed adequately or competently.

Further, Nariman J. opines that the test of review to be applied depends on the particular situation and case, from which the privacy claim arises^[14]. As per this analysis, depending on the specific right which is being claimed as infringed, review by the court will be fashioned accordingly^[15]. Sapre J. considers that the right to privacy is subject to ‘social, moral and compelling public interest, which the State is entitled to impose by law^[16]’.Sapre J. concurs with the opinion by Nariman J. that the exact scope and test of privacy is subject to a case-by-case development.

New Age Privacy Threats Identified By Justice Kaul's Judgment.

Kaul J. indicates that in the current era privacy has to be safeguarded keeping in view the scope for potential interferences, particularly on account of evolving technological advancements. He asserts that privacy may be protected against State as well as non-State actors (through legislative interventions), which is also along the dichotomous nature of the role played by the State in terms of the right to privacy. While mentioning changes in the post-Snowden world of surveillance and escalating avenues of profiling as well as data collection and processing by the State, he also outlines the possible repercussions of such profiling-discrimination from a negative angle and furthering of public interest and benefits of national security from a positive vantage.

The most pertinent aspect of this judgement by Kaul J., in the context of analysis of data protection, is that it recognizes and acknowledges that both active and passive generation of primary and secondary data have the potential to affect privacy. Concerns related to big data, data mining and the possibility of raising associations and patterns from the analysis of digital footprints and interactions with the internet service providers are highlighted. He particularly underlines the right to informational privacy i.e. the right of an individual to control the dissemination of personal and commercial information, so that they can define their boundaries in an information-driven and information-centred society.

While clarifying that in some instances, even if privacy is violated, such violation may still be legal, Kaul J. points out the possible repressive effects of State-sponsored data processing and interpretation on the quality of any given democracy. This gives the background for the caution in favour of ‘regulating the regulators’ in the matter of protection of the right to privacy. In the context of data protection, perhaps the most effective summing up of his position would be this statement- “In today’s world, privacy is a limit on the government’s power as well as the power of private sector entities”.

In the words of Kaul J., ‘informational privacy, as a part of the larger right of privacy, has to be balanced against other fundamental rights like the freedom of expression, or freedom of media, fundamental to a democratic society.’ He lays down the Principle of Proportionality and Legitimacy to determine the boundaries that may be imposed on the right to privacy as follows:-

(i) The action must be sanctioned by law;

(ii) The proposed action must be necessary in a democratic society for a legitimate aim;

(iii) The extent of such interference must be proportionate to the need for such interference;

(iv) There must be procedural guarantees against abuse of such interference.

According to Kaul J., national security, prevention investigation, prosecution of criminal offences, applicable provisos to the different fundamental rights, public interest, use of anonymized or pseudonymized data, limited data relevant to financial transactions e.g. tax, are illustrations of such limitations on the right to privacy, to be applied with due deference to the principle of proportionality. An outstanding facet of this judgement is that it appreciates that even when the threat of violation of privacy is to a minuscule minority within the population, the threat needs to be responsibly and effectively addressed if the social connotations and relevance of the right to privacy are to be respected and observed. In so far as this factor is concerned, the social value that inheres in the protection of individual privacy stands acknowledged.

The Significance of the Puttaswamy Judgement: When can Privacy be Limited?

Control over data is power. That entity which controls the flow and ebb of data is one with great power. Hence, any entity in a position to (legitimately) access the data generated in any given State is an extremely powerful being indeed. As the Facebook– Cambridge Analytica example has shown us, a wrong or improperly supervised use of collective data can be a tool for social manipulation with great ramifications, apart from effects on individual rights.

 Hence, any data protection law must seek to ensure that no one, not even the State, can use data in such a way as to control, manipulate or fashion opinion and thereby commandeer minds, values, reactions and ultimately the people themselves using such power.

In Puttaswamy, 5 out of the 9 judges have concurred that proportionality is a yardstick by which State intervention in matters of privacy is to be judged as legal[17]. This means that even if all other tests pertaining to ‘just, fair and reasonable’ legal standards are substantially and procedurally observed, the particular State action must be one which causes such limitation to privacy as is proportionate to the legitimate state aim sought to be achieved. While Chandrachud J. in his judgement speaks about legitimate state aim, Kaul J. goes a step further in mandating that the state aim must not only be seen to be legitimate, it must also be a ‘necessary’ one, if a state action that countermands privacy is to be countenanced as legal.

Personal Data Protection Bill, 2018: Applying the tests evolved in Puttaswamy

The focal feature that emerges from an examination of the Bill is that it assumes that the protection of personal data is primarily an individual concern. While that may be so from a straightforward standpoint, the fact is that where personal data is not properly contained or safeguarded, instead of the projected benefits to be garnered from harnessing the data, the repercussions are likely to be astronomically toxic and deleterious[18]. When the data collected from the people of one of the most populous countries in the world is stored in databases to which their biometric information as well as bank records, financial statements, income tax returns, phone numbers, subsidy schemes, public distribution systems and even enrolment to competitive examinations are linked, the security and safety of such a gargantuan database is a colossal concern in itself. Referred by some as ‘the most massive honeypot of sensitive biometrics ever compiled on the planet[19]’, the privacy concerns that surround the data protection ambits of Aadhaar[20] are also proportionately grave. This gives additional impetus to the argument that the right to personal data protection is not only operative against the State, but its enforceability is an undeniable State duty.

While it is possible to analyze the provisions of the Bill from various angles, this work attempts purely to ascertain whether the provisions are sturdily constructed in a manner facilitative and  propitious to the privacy paradigms laid down in Puttaswamy. Hence, the provisions to which attention is directed here are provisions that highlight the aspect of privacy and tests to be applied to the same.

Provision 12 clarifies that consent, free as per the standards of the Contract Act, 1872, is to be collected from the data principal by the fiduciary, and must be informed, specific, and clear.

Provisions 13 to 16 deal with processing of personal data, and provisions 19 to 22 relate to processing of sensitive personal data, without the consent of the data principal. Provision 13 deals with processing of personal data for the exercise of any function of the State authorised by law for provision of any service or benefit to the data principal from the State or the issuance of any certification, license or permit for any action or activity of the data principal by the State functions of the State. Identically, provision 19 stipulates the same conditions in the case of sensitive personal data, if it is ‘strictly necessary’ for certain functions of the State. It is to be noted that sensitive personal data may be processed usually on the basis of explicit consent, which shall be clear, specific and informed^[21].

Provision 17 is perhaps one of the most interesting provisions of this Bill- it states that additional to earlier provisions, personal data may also be processed if it is necessary for such reasonable purposes as may be specified after taking into consideration—

(a) the interest of the data fiduciary in processing for that purpose;

(b) whether the data fiduciary can reasonably be expected to obtain the consent of the data principal;

(c) any public interest in processing for that purpose;

(d) the effect of the processing activity on the rights of the data principal; and

(e) the reasonable expectations of the data principal having regard to the context of the processing.

 Such reasonable purpose is to be determined by the Authority, along with safeguards ‘as may be appropriate to ensure the protection of the rights of data principals’, and also whether the option of notice, if exercised in favour of the individual/entity concerned would prejudicially affect  such ‘reasonable purpose’. Such tremendous power and discretion vested in a single authority, which can create not only classes and classifications, but also dictate all the parameters in connection with the same, is mind-boggling. While the judgement in Puttaswamy spoke of a case-by-case determination of the exact scope of privacy, it is submitted that the exercise of such overarching powers by a single authority seems to be contrary to the Puttaswamy edict.

Further, Provision 22 provides that further categories of personal data as may be specified by the Authority shall be sensitive personal data. The Authority may also specify any further grounds on which such specified categories of personal data may be processed and includes:-

a) the risk of significant harm that may be caused to the data principal by the processing of such category of personal data;

(b) the expectation of confidentiality attached to such category of personal data;

(c) whether a significantly discernible class of data principals may suffer significant harm from the processing of such category of personal data; and

(d) the adequacy of protection afforded by ordinary provisions applicable to personal data.

As per this provision, the Authority can not only prescribe categories of personal data which require additional safeguards or restrictions where repeated, continuous or systematic collection for the purposes of profiling takes place, but also safeguards to be applied in such cases. Such power, while wide and extensive, may be necessary in order to accomplish the objectives of the legislation, yet the fact that combined with other powers under other parts of the Bill, resulting in an accumulation of discretionary capacity, is disturbing.

In such an authority, conferred with such vast and expansive powers, independence of functioning and operation is of essence.  While the appointment of the functionaries in the authority is appropriate and practically sound,[22] the removal of the members is the prerogative of the Central Government[23].  In such an authority, which is to balance exceedingly vital and possibly conflicting interests between the individuals and the State, a greater degree of impartiality and independence is desirable. Possibly the most problematic provision, from the point of view of independence is Provision 98, which enables the Central Government to issue directions in certain circumstances. While it provides that the Central Government has the power to issue to the Authority such directions as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, in such times as it deems necessary, the interesting aspect is that in exercise of its powers or performance of its functions under this Act, the Authority shall be bound by such directions on questions of policy as provided by the Central Government. In view of the possibility of involvement of the Authority in such matters, Provision 98(3) provides that as far as practicable, such direction issued by the Central Government shall be given after providing an opportunity to the Authority to express its views in this regard. However, Provision 98(4) categorically provides that ‘the decision of the Central Government on whether a question is one of policy or not, shall be final.’ This provision, keeping in view the vast and varied powers of the Authority, seems to tilt the balance in favour of the State as against the individual in matters of protection of personal data, and is contrary to the spirit of privacy of an individual as an inalienable right, subject only to the restrictions discussed above with reference to Puttaswamy judgement.

A reading of the Bill reveals that targeted advertising seems to be an accepted practice, provided it falls within the prescribed parameters of the Act, and the only prohibition applicable is when the advertisement is targeted at children and is likely to cause ‘significant harm’ to them[24]. While the legality of such business practices is still not clear even in more advanced jurisdictions[25], the Act is silent about the same. Also, security of the State, prevention, detection, investigation and prosecution of contraventions of law, processing for the purpose of legal proceedings, research, archiving or statistical purposes, personal or domestic purposes, journalistic purposes, manual processing by small entities are provided as exemptions, though many of these exceptions fall outside the scope of the ‘necessity’ weighing scales of proportionality standards prescribed in Puttaswamy.

While many jurisdictions express doubt about the continued and secondary use of data collected for one purpose, the Bill provides that personal data processed shall not be retained ‘once the purpose of prevention, detection, investigation or prosecution of any offence or other contravention of law is complete except where such personal data is necessary for the maintenance of any record or database which constitutes a proportionate measure to prevent, detect or investigate or prosecute any offence or class of offences in future’. Here again, the proportionality of the measure has to be fixed in such a manner as to prevent unwarranted intrusion to individual privacy. Further, the significance of exemption granted to manual processing by small entities[26], identity of which is fixed on the basis of annual turnover, is unclear. The scope and content of privacy cannot be limited on the basis of such considerations, which seems extraneous to the purpose of protection of privacy.

On a positive note, many of the standards and practices that are present in the Bill are adopted from more experienced jurisdictions, and hence cater to international standards of data protection.  Also, the provision relating to maintenance of records[27] shall apply to the Central and State Government, departments of the Central and State Government, and any agency instrumentality or authority which is “the State” under Article 12 of the Constitution[28].

Strong and responsible data protection is the only way to ensure such privacy, and the prototype of Personal Data protection adopted is very crucial to defining the evolution of the Indian population as a people in the coming days. As is clear from the analysis above, which though by no means complete, yet underscores the challenges before us- the loopholes are many, and the deficiencies substantial. It is submitted that the Bill may be considered as one step in achieving the objective of optimal protection of privacy by means of a robust and comprehensive data protection framework. Such an endeavour can become meaningful only when the boundaries of State intervention are kept within strict, lucid and rational confines, thus maximising the space and scope for maximization of human potential for a life complete with true dignity and liberty.

Dr Athira P S is the Director, Centre for Intellectual Property Rights, National University of Advanced Legal Studies(NUALS), Cochin. The author may be reached at athiraps@nuals.ac.in 

[The opinions expressed in this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of LiveLaw and LiveLaw does not assume any responsibility or liability for the same]

[1] Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors, (2017) 10 SCC 1, available at https://www.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf

[2] Page 404 of the judgment, supra n. 1 -As per Nariman J.,  the right to privacy is stated as having ‘travelled far from the mere right to be let alone to recognition of a large number of privacy interests, which apart from privacy of one’s home and protection from unreasonable searches and seizures have been extended to protecting an individual’s interests in making vital personal choices such as the right to abort a fetus; rights of same sex couples- including the right to marry; rights as to procreation, contraception, general family relationships, child rearing, education, data protection, etc.’

[3] Page 245, supra n. 1 - “It is a constitutional value which straddles across the spectrum of fundamental rights and protects for the individual a zone of choice and self-determination.”

[4] Id.

[5] Page 247, supra n. 1

[6] Page 248, supra n. 1

[7] Dr. Justice D Y Chandrachud wrote the plurality opinion for himself as well as judges Chief Justice J. Jagdish Singh Khehar , Justice R K Agrawal and Justice S Abdul Nazeer. Justice J Chelameswar, Justice S A Bobde, Justice Abhay Manohar Sapre, Justice Rohinton Fali Nariman and Justice Sanjay Kishan Kaul delivered separate judgments.

[8] Page 164, supra n. 1. It includes ‘conscience, education, personal information, communications and conversations, sexuality, marriage, procreation, contraception, individual beliefs, thoughts and emotions, political and other social groups’.

[9] Page 250, supra n. 1

[10] Id.

[11] The nine principles as laid down by the Group of Experts on Privacy appointed by the Union Government has been noted - (i) Notice(ii) Choice and Consent (iii) Collection Limitation (iv) Purpose Limitation (v) Access and Correction (vi) Disclosure of Information (vii) Security (viii) Openness (ix) Accountability

[12] Page 308, supra n. 1

[13] Id.

[14] Page 414, supra n. 1 - Every State intrusion into privacy interests which deals with the physical body or the dissemination of information personal to an individual or personal choices relating to the individual would be subjected to the balancing test prescribed under the fundamental right that it infringes depending upon where the privacy interest claimed is founded.

[15] Page 456, supra n. 1 - “Each of the tests evolved by this Court, qua legislation or executive action, under Article 21 read with Article 14; or Article 21 read with Article 19(1)(a) in the aforesaid examples must be met in order that State action pass muster.”

[16] Page 488, supra n. 1

[17] The four judges for whom Chandrachud J. penned the judgment, as well as Kaul J. See supra n. 7 for details

[18] See generally Taylor L. The ethics of big data as a public good: which public? Whose good? Philosophical transactions Series A, Mathematical, physical, and engineering sciences. 2016;374(2083).

[19] https://www.firstpost.com/tech/news-analysis/aadhaar-privacy-issues-extend-beyond-the-security-of-its-biometric-database-4848791.html

[20] Many reports indicate that such breach may already be a reality- See https://www.tribuneindia.com/news/nation/trai-chairman-dares-aadhaar-details-leaked/628574.html, https://timesofindia.indiatimes.com/india/editors-guild-condemns-fir-against-tribune-reporter-who-exposed-aadhaar-leaks/articleshow/62403264.cms, https://thewire.in/featured/data-breach-aadhaar-details-grabs-just-rs-500, etc.

[21] Section 18, Personal Data Protection Bill, 2018

[22] Section 50 (2), Personal Data Protection Bill, 2018- The chairperson and the members of the Authority shall be appointed by the Central Government on the recommendation made by a selection committee consisting of—

 (a) the Chief Justice of India or a judge of the Supreme Court of India nominated by the Chief Justice of India, who shall be the chairperson of the selection committee;

(b) the Cabinet Secretary; and

(c) one expert of repute as mentioned in sub-section (6), to be nominated by the Chief Justice of India or a judge of the Supreme Court of India nominated by the Chief Justice of India, in consultation with the Cabinet Secretary.

The persons who are members shall be ‘persons of ability, integrity and standing, and must have specialised knowledge of, and not less than ten years professional experience in the field of data protection, information technology, data management, data science, data security, cyber and internet laws, and related subjects’.

[23] Section 52- (1) The Central Government may remove from office, the chairperson or any member who—

(a) has been adjudged an insolvent;

(b) has become physically or mentally incapable of acting as a chairperson or member;

(c) has been convicted of an offence, which in the opinion of the Central Government, involves moral turpitude;

(d) has so abused her position as to render her continuation in office detrimental to the public interest; or

(e) has acquired such financial or other interest as is likely to affect prejudicially her functions as a chairperson or a member.

[24] Section 23, Personal Data Protection Bill, 2018 deals with the processing of personal data and sensitive personal data of children.

[25] Emerging use of technologies and techniques such as Browser Fingerprinting, Deep Packet Inspection and History Sniffing as well as Big data analysis are still largely not cleared on their legal ramifications. See Damian Clifford, EU Data Protection Law and Targeted Advertising: Consent and the Cookie Monster - Tracking the crumbs of online user behaviour 5 (2014) JIPITEC 194, para 1.

[26] Section 48, Personal Data Protection Bill, 2018

[27] Section 34(1), Personal Data Protection Bill, 2018- The data fiduciary shall maintain accurate and up-to-date records of the following—

(a) important operations in the data life-cycle including collection, transfers, and erasure of personal data to demonstrate compliance as required under section 11;

(b) periodic review of security safeguards under section 31;

(c) dataprotection impact assessments under section 33; and

(d) any other aspect of processing as may be specified by the Authority.

[28] Section 34(3), Personal Data Protection Bill, 2018.