The court’s judgment implies that the state will have to be cautious of its activities even before it begins implementing them. Projects or initiatives that involve collection of personal data would have to take into account explicit limitations on how such information can be used.
The recognition of a right to informational privacy cannot be understated in current times. Credit: Reuters
In a landmark decision on Thursday, a nine-judge bench of the Supreme Court unanimously held that privacy is a fundamental right. The recognition of privacy as an inherent facet of dignity, personal liberty and individual autonomy has anchored this highly contested right firmly within our constitutional scheme. The vigour with which the court has defended the right, and the clarity of its reasoning is likely to impact judicial decision making for a long time.
Beyond the meaningful addition to the right to choose and the right of self-determination of sexual minorities, the recognition of a right to informational privacy cannot be understated in current times. In an age where ‘data is the new oil’ has now become a cliché, it’s useful to see how Thursday’s judgment bolsters our right to informational privacy. Importantly, the court’s treatment of limitations or legitimate interference of the right to privacy must also be scrutinised to understand the judgment’s true impact.
While there has been an unbroken line of decisions recognising the right to privacy over the last forty years, the court’s jurisprudence on informational privacy has been somewhat limited. Up until now, any articulation privacy as an aspect of personal information was limited to the ‘offline’ world. Mass surveillance, which has been made possible by leaps in technology, has never been adjudicated before the court. In other cases where the role of Internet based platforms has been in issue, the court’s interim decisions have been somewhat disappointing. Thursday’s decision is in stark contrast as far as the court’s understanding of technology related issues is concerned. The judgment displays remarkable clarity in outlining contemporary threats to privacy and the importance of a rights based approach to protect it.
It is important to recall that this case arose in the backdrop of the challenge to Aadhaar. The reference was limited to the issue of deciding the correctness of two early Supreme Court decisions and whether the subsequent line of cases on privacy was good law.
However, the court displayed a keen interest in understanding the nuances of informational privacy, data protection and surveillance by corporations during the course of the hearing. It was feared that since there were no real dispute before the court, it might inadvertently prejudge these issues based on its limited understanding. However, the judgment shows restraint as it acknowledges that the contours of privacy may have to be redefined in light of newer and unforeseen threats.
With respect to Aadhaar, barring the opinion penned by Justice D.Y Chandrachud, the court categorically refused to consider any aspect of the project or its impact on privacy. However that said, the status of the fundamental right to privacy and where it lies in the constitution has definitely been made clearer, if not elevated, making it harder for the state to justify its biometric coercion. At a general level, harms associated with data mining, profiling and aggregation of information have also been noted, which would also make it difficult to implement Aadhaar as an all-purpose, ubiquitous ‘identity platform’.
But the judgment’s impact is not necessarily limited to Aadhaar, or other intrusions by the state. While a fundamental right traditionally only applies against the state, this decision has paved the way for the right to be extended to non-state actors in a fit case. This is based on the court’s reasoning that there is a positive obligation on the state to protect the privacy rights of individuals. In the face of a privacy violation by a non-state actor (such as a corporation), the state may be asked to provide an adequate remedy or effective redressal. In the absence of any privacy or data protection law, the implications of the court’s decision cannot be emphasised enough.
Over five hundred pages, six judges have outlined several contemporary threats to privacy. There is hope that just an acceptance of these troubling realities would trickle down, enabling lower courts to treat them as legitimate concerns. Last year, while disposing off the petition challenging WhatsApp’s updated privacy policy, the Delhi high court largely reduced the privacy concerns in the case to an issue of contractual rights. Admittedly, the privacy case was pending then, but it can be argued that the court might have at least taken a more serious view of the concerns raised.
In a well-researched judgment, Justice Chandrachud sets out how important information can be gleaned from metadata, leading to the creation of detailed profiles of an individual. The issue of metadata is somewhat central to the case challenging sharing of data between WhatsApp and Facebook. One can hope that a judicial recognition of these privacy harms would enable subsequent benches of the court to develop the right in a more meaningful manner.
Similarly, in a separate opinion, Justice Kaul highlights how personal information online can cause discrimination by throwing up old, irrelevant and decontextualised information about individuals. This is one of rationales for a ‘right to be forgotten’, an issue that has come up before several high courts, and is currently pending before the Delhi high court. Importantly, he also clarifies that a balance would have to be struck between competing rights such as freedom of expression. Seen this way, this judgment can pave the way for nuanced privacy adjudication in India.
However, the judgment is careful to state that informational (or any other) privacy cannot be absolute. It highlights that there may be important countervailing interests resulting in legitimate intrusions of privacy. These could range from national security to tackling public health epidemics. These are well known ‘exceptions’ to privacy, and jurisdictions across the globe are trying to find the correct balance between these contesting claims. Importantly, the judgment does not set any limits to these intrusions or narrow down their scope in any way. Arguably, this creates a slippery slope – with the state considering itself entitled to deploy surveillance, both online and offline. However, any attempt at unfettered or even disproportionate surveillance would be a gross misreading of the judgment, which is now the law of the land.
I would argue that the court’s emphasis on privacy as a natural and inalienable right implies that the state would have to be cautious of its activities even before it begins implementing them. Projects or initiatives that involve collection of personal data would have to take into account explicit limitations on how such information can be used. The judgment endorses privacy principles such as express notice, consent from the individual and an obligation to use personal information only for that purpose for which it was collected. A recognition of these principles by the highest court of the land would imply that the state would have to adopt a rights-based approach to data protection, rather than mere technological frameworks.
Of course, much would boil down to the actual application of this judgment in subsequent cases. But at the very least, this judgment gives vigour and vitality to the struggle against the state’s intrusion into our private lives.
Kritika Bhardwaj is a lawyer. She assisted the petitioners’ counsel in the right to privacy case.