India: Privacy Judgment

September 3, 2017

In a judgment delivered on 24 August, a
nine-judge constitutional bench of the Supreme Court of India held that the
right to privacy is a fundamental right under the Constitution of India. Most
notably, the decision was unanimous with nine judges coming to the same
conclusion through six separate judgments.

The Supreme Court has held that the right
to privacy is part of the right to life and is on similar terms to the right to
human dignity. The judgments have by and large held the view that the right to
privacy is also part of the ‘freedom rights’ under Article 19 (right to speech,
movement, etc) or under all of the fundamental rights enumerated in Part III of
the Constitution.


The case relates to a constitutional
challenge to the implementation of Aadhaar, the biometric identification
project of the Central Government using fingerprint and iris scans. Its
implementation was challenged before the Supreme Court, mostly on grounds of
privacy. During the hearings, counsel for the government contended that there
is no fundamental right to privacy. The historical basis for this argument arises
from the fact that, while there are numerous judgments that have held that
right to privacy is a fundamental right, there were two previous judgments by
larger benches that held otherwise.

The two-judge bench hearing the Aadhar case
decided to refer the larger question of whether there is a fundamental right to
privacy to a nine-judge constitutional bench. Thereafter, the case went into
cold storage with the court not finding any pressing need to hear the case. In
July 2017, the Chief Justice decided to take up the case and posted it for
hearing with just a few days’ notice. The Aadhaar case will now be heard in the
light of this recent ruling.

Key aspects of the judgments

The court concluded that the right to
privacy is a part of the right to life and liberty. Different judgments dealt
with the question of the right to privacy being part of the freedom rights –
while some included it within the freedom rights, others went further to state
that it is covered by all of the fundamental rights under Part III of the
Indian Constitution.

The main judgment by Justice DY Chandrachud
traced the history of case law dealing with privacy as a fundamental right. The
judgment includes an extensive review of case law and jurisprudence in foreign
jurisdictions, most notably of the US, EU, Canada and South Africa. The court
also noted the significance of India having ratified the International Covenant
on Civil and Political Rights.

The court dealt with the issue of whether
it is entitled to read into the right to life, the right to privacy or
recognize only rights expressly stated in the Constitution. It stated that the
court cannot freeze the content of constitutional guarantees and that many contemporary
problems would not have been contemplated by the draftsman of the Constitution.
As society evolves, so must constitutional doctrine. In any case, the court had
in numerous cases in the past read various other rights into the right to life.

The court also confirmed that the right to
privacy is not an absolute right and can be curtailed by law but such
restrictions must stand the tests applicable to restrictions on fundamental
rights, such as that such restrictions must be fair, just and reasonable.

Consequences of the Decision

What does this decision mean for India? The
judgment probably paves the way for the enactment of comprehensive privacy
legislation. Indeed, India will be one of the last remaining constitutional democracies
in the world to enact a comprehensive privacy law; most of North America,
Europe, Japan, and the Asean region already have comprehensive privacy
regulation in place.

During the hearings, the government
appointed a committee to recommend a framework for data protection and to
prepare a draft enactment. It is not clear whether the government did this as a
means to support its argument that privacy can be a statutory rather than a
fundamental right or whether it was really serious about introducing a data
privacy law. Further, the terms of reference cover only data protection and
references to privacy are missing.

Since the judgment was released, the government
has affirmed that it plans to move ahead with drafting a new law to deal with
privacy and data protection. Justice (retd) Srikrishna, who has been appointed
to head the committee, has stated that it would take a maximum of one year to
finalize the draft law. He also plans to hold meetings with experts, release
drafts to the public and hold public hearings.

The age of big data poses a significant
challenge to the existing privacy law jurisprudence. Historically, it has been
felt that one could collect and use data only in such manner as was necessary
for the purpose of collection of such data. This is a difficult approach in the
context of big data where the collection and use of data is itself a source of

Another key issue relates to consent which has
been the bedrock of privacy law. Consent has been found to be less useful given
that descriptions of use of personal data are often buried in difficult to
understand privacy policies. Requiring simple and more direct privacy use
descriptions and that the request for consent must be distinguishable from
other matters make the idea of consent more meaningful. Even so, most users are
likely to simply click ‘Accept’ and proceed. This does not mean that consent
must be abandoned – one should not take away the right of a user to consent; it
is just that consent cannot be the only standard for use of personal data.

India therefore has an opportunity to
reexamine existing privacy jurisprudence and evaluate whether other concepts
may strike a better balance between protecting privacy and encouraging
innovation. Some concepts that the committee could consider would be whether
use is reasonable or legitimate or whether different standards can be set for
anonymised data. Further, compensation must be paid to users in case they
suffer harm without reference to negligence standards or mens rea requirements.

Indeed, one of the key requirements of a
privacy law is a technology savvy and nimble Privacy Commissioner who can move
quickly to adjust regulations to deal with real-life scenarios which will play
out regularly. Given the diverse ways in which personal information is used and
the changing use of personal information in the age of big data, a ‘one size
fits all’ regulation may not work in every situation. Specific and micro
regulations that deal with specific issues may be required from time to time, including
revision of the regulations as and when those regulations are challenged by new
situations. Further, the privacy authority needs to co-ordinate efforts with
other sector-based authorities, such as the RBI in the banking space, so that
multiple regulations can be implemented harmoniously.


In India, we have miles to go before we
have a developed privacy ecosystem in place, with a statute, regulations and a
sophisticated regulatory authority. The judgment does however appear to have
set India on the path to enacting a comprehensive data privacy law.

The full Supreme Court judgment can be
found here:

Stephen Mathias is the Resident Partner of the
Bangalore office of Kochhar & Co. He also co-chairs the firm’s Technology
Law Practice.