Almost two years after a Supreme Court bench decided that challenges to Aadhaar should be heard by a Constitutional bench, the bench was finally constituted and began hearing the case. One of the main questions before the Constitutional bench is whether making Aadhaar compulsory violates citizens’ right to privacy.
But before the five-judge bench can decide either way on that question, a larger nine-judge bench of the SC first has to decide an even more fundamental question – does the Indian Constitution guarantee citizens a fundamental right to privacy?
The history of that question goes all the way back to 1954, when an eight-judge bench declared that privacy was not a fundamental right enshrined in the Constitution, and could not be brought in through a “strained construction”. Despite this verdict, however, since the 1970s various verdicts – starting from the case of Govind v Madhya Pradesh in 1975 – have recognised the right to privacy as a fundamental right. These verdicts have done so by reading privacy as a component of the right to life secured in Article 21 of the Constitution.
In 2015, the then Attorney General Mukul Rohatgi went back to the 1954 verdict to argue against a fundamental right to privacy. The SC decided to refer this question to a nine-judge bench, because this bench’s judgement would supersede the judgement of the eight judges in that earlier case.
Why is privacy law important?
While privacy concerns have been a part of legal debates for many years now, the growth of the internet and the smartphone revolution have fundamentally changed the contours of this debate. We now live in an eco-system where multiple apps monitor our every online move. And with the growth of technologies like GPS and smart wearables, even our offline activity is growing more monitored by the second.
In all of this, there are only piecemeal rules and legal provisions governing crucial questions such as who has the right to collect personal data from an individual, how can this data be collected and for how long can they store the data, what they are allowed to do with that data and so on. In fact, the current privacy provisions under the IT Act cover only corporate bodies involved in commercial or professional activities, and entirely leave out governments and non-profit bodies from their ambit. They also cover a very narrow range of personal information, leaving vast amounts of other kinds of data completely unregulated.
With cases like the October 2016 data breach involving 3.2 million debit cards in the country, we’ve begun to wake up to the dangers of lax protection of financial data. But there’s plenty of other information ranging from personal habits to shopping behaviour to even sensitive medical information, that doesn’t yet have the kind of privacy protection needed.
While the most obvious use of such information would be for targeted advertising and marketing campaigns, privacy advocates fear that such information can also be mined for discriminatory uses such as tailoring insurance premiums without giving patients any control of the process.
Where Aadhaar comes in to the privacy debate
There are two major concerns with the Aadhaar project. Firstly, Aadhaar is dependent on biometric information such as fingerprints and iris scans. The problem with such a system is that these identifying markers are permanent. Unlike a document like a passport or a smart card, which can be revoked, fingerprints and iris scans cannot be exchanged for a new set.
And while the UIDAI is insistent that biometric information stored on its systems is secure, there have been cases that prove such information can be duplicated in other ways for the purposes of fraud and identity theft. Fingerprints, for instance, which are often used without supporting iris scans, can be duplicated from just about any object one touches. Even students in a Mumbai college figured out how to duplicate fingerprints to commit attendance fraud.
Privacy advocates complain that such biometric systems are being made mandatory for the entire population, even before the various security concerns associated with it are completely addressed.
The second major problem privacy advocates find with Aadhaar is the manner in which the current government is rushing to make it the master identification document for accessing any benefit or service provided by the government or other parties. With Aadhaar being linked to even basic mandatory processes like filing taxes, the voluntary nature of Aadhaar has completely disappeared, and citizens now have no choice but to surrender their biometric information to the government.
And Aadhaar information, except for the biometrics, is actively being seeded across nearly every single government department, and with public and private sector entities such as banks and mobile phone companies.
The current legal framework does not have adequate standards for how such data can be stored and shared, and what oversight such processes will be subjected to. And let alone robust data protection measures, many government departments have wilfully leaked much of this Aadhaar-linked information on their websites. Such easily available and comprehensive data, available through a single identification key like Aadhaar, can be mined to leave us completely naked to the eyes of the government and private corporations.
While some of the problems identified with Aadhaar require improvements in technology, others can only be properly tackled with comprehensive legal measures for individual information privacy. It remains to be seen, however, whether the Supreme Court takes proper account of this need for a comprehensive legal framework.
(Views expressed in the article are personal.)