Stephen Mathias reports on a judgment of the Supreme Court of India which held that privacy is a fundamental right
In a judgment delivered on 24 August, a nine-judge constitutional bench of the Supreme Court of India held that the right to privacy is a fundamental right under the Constitution of India. Most notably, the decision was unanimous with nine judges coming to the same conclusion through six separate judgments.
The Supreme Court has held that the right to privacy is part of the right to life and is on similar terms to the right to human dignity. The judgments have by and large held the view that the right to privacy is also part of the ‘freedom rights’ under Article 19 (right to speech, movement, etc) or under all of the fundamental rights enumerated in Part III of the Constitution.
The case relates to a constitutional challenge to the implementation of Aadhaar, the biometric identification project of the Central Government using fingerprint and iris scans. Its implementation was challenged before the Supreme Court, mostly on grounds of privacy. During the hearings, counsel for the government contended that there is no fundamental right to privacy. The historical basis for this argument arises from the fact that, while there are numerous judgments that have held that right to privacy is a fundamental right, there were two previous judgments by larger benches that held otherwise.
The two-judge bench hearing the Aadhar case decided to refer the larger question of whether there is a fundamental right to privacy to a nine-judge constitutional bench. Thereafter, the case went into cold storage with the court not finding any pressing need to hear the case. In July 2017, the Chief Justice decided to take up the case and posted it for hearing with just a few days’ notice. The Aadhaar case will now be heard in the light of this recent ruling.
Key aspects of the judgments
The court concluded that the right to privacy is a part of the right to life and liberty. Different judgments dealt with the question of the right to privacy being part of the freedom rights – while some included it within the freedom rights, others went further to state that it is covered by all of the fundamental rights under Part III of the Indian Constitution.
The main judgment by Justice DY Chandrachud traced the history of case law dealing with privacy as a fundamental right. The judgment includes an extensive review of case law and jurisprudence in foreign jurisdictions, most notably of the US, EU, Canada and South Africa. The court also noted the significance of India having ratified the International Covenant on Civil and Political Rights.
The court dealt with the issue of whether it is entitled to read into the right to life, the right to privacy or recognize only rights expressly stated in the Constitution. It stated that the court cannot freeze the content of constitutional guarantees and that many contemporary problems would not have been contemplated by the draftsman of the Constitution. As society evolves, so must constitutional doctrine. In any case, the court had in numerous cases in the past read various other rights into the right to life.
The court also confirmed that the right to privacy is not an absolute right and can be curtailed by law but such restrictions must stand the tests applicable to restrictions on fundamental rights, such as that such restrictions must be fair, just and reasonable.
Consequences of the Decision
What does this decision mean for India? The judgment probably paves the way for the enactment of comprehensive privacy legislation. Indeed, India will be one of the last remaining constitutional democracies in the world to enact a comprehensive privacy law; most of North America, Europe, Japan, and the Asean region already have comprehensive privacy regulation in place.
During the hearings, the government appointed a committee to recommend a framework for data protection and to prepare a draft enactment. It is not clear whether the government did this as a means to support its argument that privacy can be a statutory rather than a fundamental right or whether it was really serious about introducing a data privacy law. Further, the terms of reference cover only data protection and references to privacy are missing.
Since the judgment was released, the government has affirmed that it plans to move ahead with drafting a new law to deal with privacy and data protection. Justice (retd) Srikrishna, who has been appointed to head the committee, has stated that it would take a maximum of one year to finalize the draft law. He also plans to hold meetings with experts, release drafts to the public and hold public hearings.
The age of big data poses a significant challenge to the existing privacy law jurisprudence. Historically, it has been felt that one could collect and use data only in such manner as was necessary for the purpose of collection of such data. This is a difficult approach in the context of big data where the collection and use of data is itself a source of income.
Another key issue relates to consent which has been the bedrock of privacy law. Consent has been found to be less useful given that descriptions of use of personal data are often buried in difficult to understand privacy policies. Requiring simple and more direct privacy use descriptions and that the request for consent must be distinguishable from other matters make the idea of consent more meaningful. Even so, most users are likely to simply click ‘Accept’ and proceed. This does not mean that consent must be abandoned – one should not take away the right of a user to consent; it is just that consent cannot be the only standard for use of personal data.
India therefore has an opportunity to reexamine existing privacy jurisprudence and evaluate whether other concepts may strike a better balance between protecting privacy and encouraging innovation. Some concepts that the committee could consider would be whether use is reasonable or legitimate or whether different standards can be set for anonymised data. Further, compensation must be paid to users in case they suffer harm without reference to negligence standards or mens rea requirements.
Indeed, one of the key requirements of a privacy law is a technology savvy and nimble Privacy Commissioner who can move quickly to adjust regulations to deal with real-life scenarios which will play out regularly. Given the diverse ways in which personal information is used and the changing use of personal information in the age of big data, a ‘one size fits all’ regulation may not work in every situation. Specific and micro regulations that deal with specific issues may be required from time to time, including revision of the regulations as and when those regulations are challenged by new situations. Further, the privacy authority needs to co-ordinate efforts with other sector-based authorities, such as the RBI in the banking space, so that multiple regulations can be implemented harmoniously.
In India, we have miles to go before we have a developed privacy ecosystem in place, with a statute, regulations and a sophisticated regulatory authority. The judgment does however appear to have set India on the path to enacting a comprehensive data privacy law.
The full Supreme Court judgment can be found here: http://supremecourtofindia.nic.in/pdf/LU/ALL%20WP(C)%20No.494%20of%202012%20Right%20to%20Privacy.pdf
Stephen Mathias is the Resident Partner of the Bangalore office of Kochhar & Co. He also co-chairs the firm's Technology Law Practice.