On Day 32 of the Aadhaar Hearing, Senior Advocate Rakesh Dwivedi continued his submissions before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ on the issue of reasonable expectations of privacy.
Below are the highlights from Day 32 of the Aadhaar Hearing:
- Privacy is strongest in the inner sanctum of the mind, but shrinks as you move outside into the world. It has to be considered whether private life is protected outside your home, because people frequently give up their privacy in these conditions. the US and UK Supreme Court treat reasonable expectation of privacy as very significant, and that the Indian position is closer to this.
- Tthe only question is whether the restriction on the right to privacy is proportionate to the government purpose. Nothing else can be taken into account. Petitioners have applied the wrong standard in arguing that the restriction on rights should be least intrusive.
- In the public sphere, the right to privacy is diluted. The entire Aadhaar activity is in the relational and public sphere. He says that demographic information and facial photograph don’t have any privacy concerns. There is no reasonable expectation of privacy. At the requesting entity point, it’s all dispersed and decentralised, and so it doesn’t deserve the level of protection that the CIDR is given.
- Chandrachud, J: The point seems to be that core biometric information has higher privacy concerns. That does not mean that there is no privacy concern elsewhere.
- I agree but the reasonable expectation of privacy varies according to context. Petitioners have cited no judgments involving identity cards. 120 countries use biometric passports and nineteen European countries use biometric ID cards. The CJEU or the ECHR have never expressed any concerns with biometric ID cards.
- In the privacy judgment, it has been said that if you willingly put up your personal information on Facebook, then you may not have a right to privacy in that information.
- Safeguards can be read into Article 21. Degrees of safeguards will vary – for nuclear plants it will be one, and for CIDR is another.
- The standard must be “adequate safeguards”. The risk can never be zero.
- There must be constant vigilance. We are always improving and upgrading our safety, and after the Srikrishma Report, we will upgrade more.
- We have provided a complete bar on sharing, and what is available with the REs is totally dispersed. The extent of privacy is much more diluted. And there is consent and a bar on using for anything other than authentication. If there are breaches, then point them out to us. But petitioners don’t want to improve it, they just want to knock it off.
- The data protection draft law will be out by May.
- Chandrachud, J: One area that requires consideration is remedies for breaches.
- The IT Act provides for penalties, and penalties have been imposed on Airtel etc.
- The Court and the government should work in coordination as the two great wings of State, and not in opposition. The sword should be unsheathed only in the last resort. The Court should be like a doctor and save the patient.
- Member States have been left free to make laws.
- Chandrachud, J: That is subject to the test of proportionality
- I am not disputing that.
- EU is now contemplating a biometric ID card.
- Chandrachud, J (Jokes): Are they planning to seed it with Aadhaar?
- Dwivedi: UIDAI collects only limited technical metadata.
- Chandrachud, J: Is it necessary to retain metadata? Why do you have to retain it?
- Dwivedi: It’s important to exercise control over the RE. There is no data about location or purpose of transaction, but only about the system, and that’s required for audits.
- Sikri, J: So you’re not collecting metadata about the person but only about the machine?
- Dwivedi: Yes. We don’t know location or purpose, just device ID.
- Chandrachud, J: Your argument might be supported By Regulation 26 proviso, which bars storing the purpose of a transaction.
- Dwivedi: Yes, in any case the Aadhaar Act bars storing of purpose.
- Chandrachud, J: What is the meaning of “authentication transaction data”, which can be stored under Regulation 26?
- Dwivedi: It’s the data pertaining to a specific transaction, and there is a bar on storing purpose.
To read the highlights from the PowerPoint Presentation made by the CEO of UIDAI, click here.
To read the highlights from submissions of Senior Advocates Meenakshi Arora, Sajan Poovayya, CU Singh, Sanjay Hegde and Counsel Jayna Kothari, click here.
To read the highlights from submissions of Senior Advocates KV Viswanathan and Anand Grover, click here.