Law made Easy

[Disclaimer: This note is for general information only. It is NOT to be substituted for legal advice or taken as legal advice. The publishers of the blog shall not be liable for any act or omission based on this note]

Note: This article discusses the domestic laws in EU countries which implement GDPR, and various guidelines released by data protection authorities to align the respective country’s legal regime with GDPR.


INTRODUCTION



Due to violations of privacy attributable to the misuse of data by large and even some well-known organizations, a Data Protection Law/Data Privacy Law has become imperative. This need has been felt across the globe. Concerns over loss of privacy and misuse of data led to the enactment of the General Data Protection Regulation (“GDPR”), which came into force on May 25, 2018, as plausibly one of the toughest laws governing online privacy. GDPR is considered to be a milestone and is an essential step to strengthen an individual’s rights in the digital age. It is designed to protect the personal information of individuals and to restrict organisations' use of the personal data of their consumers. The Regulation reflects a paradigm shift in the understanding of personal data and of the collection of data by controllers.

GDPR provides a number of ways to protect data, such as rectification, deletion etc., in case the data subject[1] fears misuse of its data. It has a direct effect across all EU member States and covers all EU “established” entities and certain non-EU “established” entities. Under the former, if an entity is operating in the EU through one of its establishments, and is processing the information of EU data subjects, irrespective of whether the processing is occurring in the EU or not, such entity is covered under the ambit of the GDPR. So far, around 28 countries have passed national legislation in line with GDPR.


PRINCIPLES


GDPR provides strict data protection principles that must be complied with by the Data Controller and Processor[2] while dealing with personal data. The Controller[3] must make sure that the personal data is:

  • used fairly, lawfully and transparently;
  • used for specified, explicit purposes;
  • used in a way that is adequate, relevant and limited to only what is necessary;
  • accurate and, where necessary, kept up to date;
  • kept for no longer than is necessary; and
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

DATA PROTECTION LEGISLATION IN EU MEMBER STATES


| Country | Legislation | Supervisory Authority |
|---|---|---|
| AUSTRIA | Federal Act concerning the Protection of Personal Data (DSG) | Austrian Data Protection Authority |
| CZECH REPUBLIC | Act No. 110/2019 Coll. on the Processing of Personal Data | Office of Personal Data Protection (UOOU) |
| LUXEMBOURG | Act of 1st August on the Organization of the National Data Protection Commission and General Data Protection Framework | National Data Protection Commission |
| BELGIUM | Protection of Natural Persons regarding the Processing of Personal Data | Gegevensbeschermingsautoriteit |
| CROATIA | Law on Implementation of the General Data Protection Regulation | Croatian Data Protection Personal Agency |
| FRANCE | Law n°2018-493 of June 20, 2018 | CNIL (Commission nationale de l’informatique et des libertés) |
| GERMANY | Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) | The Federal Commissioner for Data Protection and Freedom of Information |
| IRELAND | Data Protection Act 2018 | The Data Protection Commission |
| DENMARK | Danish Data Protection Act | The Danish Data Protection Agency (Datatilsynet) |
| FINLAND | Data Protection Act – ‘HE 9/2018 vp | Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) |
| ITALY | Legislative Decree No. 101/2018 | Italian Data Protection Authority (Garante per la protezione dei dati personali) |
| NETHERLANDS | Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) | Dutch Data Protection Authority (Autoriteit Persoonsgegevens) |
| POLAND | Personal Data Protection Act | President of the Office for Personal Data Protection |
| SLOVAKIA | Protection of Personal Data (Act No. 18 of 2018) | Office of Personal Data Protection |
| SPAIN | Organic Law 3/2018 of December 5 | Spanish Data Protection Agency (Agencia Española de Protección de Datos) |
| SWEDEN | Data Protection Act (2018:218) | Swedish Data Protection Authority |
| SWITZERLAND | Swiss Federal Data Protection Act | Information Commissioners Office |
| UNITED KINGDOM | Data Protection Act 2018 | Information Commissioners Office |
| ROMANIA | Law no. 190/2018 | National Supervisory Authority for Personal Data Processing |
| PORTUGAL | Law no. 58/2019, of 08 of August | National Data Protection Authority (CNPD) |


UNITED KINGDOM (“UK”)

The Data Protection Act 2018 is the implementation of the GDPR which came into effect on May 25, 2018. The Act makes the data protection laws fit for the digital age in which an ever-increasing amount of data is being processed. It also empowers people to take control of their data and supports businesses and organisations in the United Kingdom through the change.

The Information Commissioners Office (“ICO”) is the body responsible for implementing the Data Protection Act and providing further guidance to create awareness regarding rights, roles and responsibilities under the Act. Some of the important guidance released by the ICO is discussed below:

  1. Guidance on Contracts: The guidance discusses contracts and liabilities between controllers and processors. It sets out provisions that can be included in a contract between controllers and processors. It also helps processors to understand their new responsibilities and liabilities under the GDPR.
  2. Guidance on Controllers and processors: The Guide provides a ready reckoner checklist that helps controllers, processors and joint controllers to easily identify their roles. It also outlines some of the responsibilities of controllers when using a processor. In addition to its contractual obligations to the controller, a processor has some direct responsibilities under the GDPR and is liable if it fails to meet any of the obligations mentioned in the contract.
  3. Encryption: The ICO has updated its GDPR guidance in order to provide advice on the compliant use of encryption to protect personal data. This guidance helps in understanding the importance of encryption as an appropriate technical measure for protecting the personal data an organisation holds, whether as a controller or a processor. The following must be taken into consideration when implementing encryption:
  • choosing the right algorithm;
  • the right key size;
  • the right software; and
  • keeping the key secure.
  4. Passwords: The ICO has updated the guidance on the use of passwords in order to protect data. The Guidance talks about the use of passwords and the level of security which is required while choosing a password. It recommends using a suitable hashing algorithm or other mechanism offering similar protection.
  5. Exemptions: The GDPR and the Data Protection Act, 2018 (‘DPA’) set out certain exemptions from some of the rights and obligations. Whether an exemption can be relied on depends on the case at hand, and exemptions cannot be relied on routinely. The exemptions in the DPA relieve one from some obligations under the Act, such as:
  • the right to be informed;
  • the right of access;
  • dealing with other individual rights;
  • reporting personal data breaches; and
  • complying with the principles.
  6. International transfers: The guidance provides clarification regarding
  • where a transfer of personal data is considered a ‘restricted transfer’; and
  • which mechanisms can be deployed in this case to transfer personal data.
  7. Personal Data Breaches: The Guidance outlines breach notification requirements under the GDPR, including what information needs to be included in a notification, and when organizations are required to notify supervisory authorities and those affected.

BELGIUM

On September 5, 2018, the Law of 30 July 2018 on the Protection of Natural Persons regarding the Processing of Personal Data (the “Act”) entered into force and abolished the Law of 8 December 1992 on privacy protection, which regulated the processing of personal data in Belgium. The Act applies to the processing of personal data in connection with the activities of an establishment of a controller or processor on Belgian territory, whether or not the processing takes place on Belgian territory. The Act significantly broadens the scope for data processing related to criminal offences and convictions. It determines that associations and foundations for which the processing of sensitive data is necessary for the purposes of achieving their statutory objectives can make an exception for processing of such data.

The Data Protection Authority (Gegevensbeschermingsautoriteit) is the supervisory authority that monitors the protection of privacy and the use of personal data in the country.

CROATIA

The Law on Implementation of the General Data Protection Regulation (the ‘Act’) provides for the implementation of GDPR on the protection of individuals regarding the processing of personal data and on the free movement of such data. The Act is not applicable to the processing of personal data carried out by the competent authorities for preventing, investigating, detecting or prosecuting criminal offenses or carrying out criminal sanctions, including protection against public safety threats and their prevention, as well as in the area of national security and defence.

As per the Act, the processing of employees’ biometric data is permitted for recording working hours and controlling access to premises where the employees have provided their consent. The Act also restricts processing of personal data of employees through a video surveillance system and provides that it may only be carried out if the conditions laid down by the regulations governing occupational safety are met, and if the employees have been adequately informed in advance of such measure.

The Croatian Data Protection Personal Agency is responsible for carrying out administrative and professional tasks related to personal data protection.

DENMARK

The Danish Data Protection Act has been passed by the Danish parliament. The Act supplements and implements GDPR on the protection of individuals with respect to the processing of personal data and on the free exchange of such data. The law and GDPR are applicable to all processing of personal data made wholly or partly by automatic data processing and to other non-automated processing of personal data which is or will be contained in a register. According to the Act, the processing of personal data is permitted in the employment context if the data subject has consented or the processing is necessary for certain purposes.

The Danish Data Protection Agency (Datatilsynet) exercises surveillance over the processing of data to which the Act applies. The Agency primarily deals with specific cases on the basis of inquiries from public authorities or private individuals, or cases taken up by the agency on its own initiative.

FRANCE

Law n°2018-493 of June 20, 2018 on the protection of personal data was promulgated on June 20, 2018 and was published in the Official Journal on June 21, 2018.

The purpose of the Law was to adapt Law n° 78-17 of January 6, 1978 on information technology, data files and liberties (‘French Data Protection Act’) following the GDPR that entered into force on May 25, 2018 and Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties that ought to be transposed into domestic law.

The CNIL is the responsible authority for informing individuals of the rights accorded to them by the French Data Protection Act. Some of the guidance issued by CNIL in furtherance of the Data Protection Act is discussed below:

  1. CNIL Guidance on Collection and Transmission of Data to Data Brokers: Many companies that collect data directly from individuals, whether through online or paper forms, transmit this information to “commercial partners” or more generally to other organizations, so that those organizations can send commercial prospecting messages by SMS or email. This transmission must comply with a series of conditions, including those posed by the GDPR, to be valid and to allow people to maintain control over their personal data.
  2. Standards for DPO certification: In order to identify the skills and know-how of the Data Protection Officer (DPO), the CNIL adopted two standards for DPO certification:
  • a certification reference system that sets the conditions for the admissibility of applications and the list of 17 skills and know-how expected to be certified as a DPO;
  • an accreditation framework that sets out the criteria applicable to organizations wishing to be authorized by the CNIL to certify the DPO’s competencies based on the certification framework developed by the CNIL.
  3. Deliberation n° 2018-326 of 11 October 2018: CNIL adopted guidelines on data protection impact assessments (DPIAs) provided for in the GDPR.
  • The Guidelines describe three examples of processing operations requiring a DPIA provided by Article 35(3) of the GDPR. The Guidelines also list nine criteria of the Article 29 Working Party identified as useful in determining whether a processing operation requires a DPIA, if that processing does not correspond to one of the three examples provided by the GDPR;
  • The Guidelines provide that a DPIA must be conducted before the implementation of processing that presents a high risk for the rights and freedoms of the natural persons concerned; it must be reviewed regularly, in any case every three years, to ensure that the level of risk remains acceptable;
  • The Guidelines specify that data controllers may rely on the CNIL’s industry standards, compliance with a standard will allow to consider that there is no high residual risk while the processing is In the case of dismissal, it will be necessary to lead the controller concerned to, at least, question the level of residual risk that may require the mandatory consultation of the board.
FINLAND

On 13 November 2018 the Finnish Parliament approved the Data Protection Act – ‘HE 9/2018 vp (the ‘Act’). The Act supplements GDPR and repealed the old Finnish Personal Data Act (Henkilötietolaki 523/1999).

The Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) remains the national data protection authority under the GDPR, supervising data protection in Finland. However, in e-privacy matters, the Finnish Communications Regulatory Authority continues to act as the supervisory authority. The new legislation also introduces an internal advisory board in the Data Protection Ombudsman’s office. The board is given power to issue advisory statements on data protection legislation upon the Data Protection Ombudsman’s request.

GERMANY

The Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) entered into force on May 25, 2018. The Act is applicable to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system, unless such processing is conducted by natural persons during a purely personal or domestic activity.

The Federal Commissioner for Data Protection and Freedom of Information is the authority responsible for supervising Data Protection activities. Some of the guidance released by the Authority is discussed below:

  • Guidance on the privacy requirements of app developers and app providers: The orientation aid is aimed at developers and providers of mobile applications (apps). It sets out data protection and technical requirements and makes them understandable by means of striking examples.
  • Cryptographic methods: Based on the realization that absolute data security cannot be achieved in practice, the principles of “adequacy” and “necessity” have been enshrined in data protection laws. This means that appropriate security measures must be taken depending on the need for protection of the personal data concerned. The present guidance on the use of cryptographic procedures has been developed by a Working Group on Technical and Organizational Data Protection Issues of the Conference of Federal Data Protection Officers.

IRELAND

The Data Protection Act 2018 was signed into law on 24 May 2018, to coincide with the GDPR. The Act implements derogations permitted under the GDPR and represents a major overhaul of the regulatory and enforcement framework.

The Data Protection Commission is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the GDPR, and has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations (2011) and the EU Directive. The Commission recently published information on the responsibilities that organisations must carry out under the GDPR.

  1. Responsibilities of Organisations under the General Data Protection Regulation: The Authority provided information about organisational obligations under data protection legislation and the General Data Protection Regulation, including transparency with service users and how to respond to an individual who is exercising their data protection rights. More detailed information is provided regarding:
  • your obligations under data protection;
  • how to respond to an individual exercising their rights;
  • how to make a notification to the Data Protection Commission in cases where your organisation or business has experienced a personal data breach.

ITALY

Italy adopted Legislative Decree No. 101/2018 which came into effect on September 4, 2018, concerning the provisions for the adaptation of the national legislation to the GDPR on the protection of individuals regarding the processing of personal data and rules to the free movement of such data.

The Decree sets the minority threshold in relation to the offer of information society services to 14 years. For children under that age, the processing of their data still requires parental consent. The Decree provides the specific conditions for the lawful processing of genetic data, biometric data or data concerning health. The Italian Supervisory Authority is tasked with such adoption, at least every two years. As per the Decree, existing practices in relation to the subject rights of deceased persons remain primarily unchanged. These rights can be exercised by those who have a proper interest or who act to protect the data subject or relevant family interests.

The Italian Data Protection Authority (Garante per la protezione dei dati personali) is an independent administrative authority established by Privacy Law. It is the supervisory authority responsible for monitoring application of the General Data Protection Regulation and the national legislation.

CODE OF CONDUCT:

Code of Ethics and Conduct in Processing Personal Data for Business Information Purposes: This Code of conduct sets out the adequate safeguards and arrangements to process personal data by protecting data subjects' rights that must be in place in pursuing business information purposes; this is aimed to ensure, on the one hand, certainty and transparency in business relations along with adequate knowledge and circulation of business and economic information and, on the other hand, quality, relevance, accuracy and topicality of the processed personal data.

NETHERLANDS

The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) applies in the Netherlands from 25 May 2018.

The Dutch Data Protection Authority [Autoriteit Persoonsgegevens (‘AP’)] is the independent administrative body that has been appointed by law as the supervisory authority for regulating the processing activities of personal data. Some of the publications of AP are discussed below:

  1. AP’s Recommendations for Register of Processing: On 28th November 2018, the Netherlands Authority for the Protection of Personal Data (AP) provided 5 concrete recommendations that organizations should consider when maintaining their registers of processing.
  • Organizations must state the duration and the purpose of processing personal data. Under European privacy legislation, it is not allowed to store personal data longer than necessary for the purpose for which they were collected. Organizations must also be able to state explicitly the purpose for which they collect this data.
  • Contact details of the controller must be included in the register.
  • Organizations should provide a well-organized file of all processing activities carried out in relation to personal data, thereby enabling users to easily navigate through it.
  • The location or place where personal data is stored must be stated clearly in the register. This information is relevant when people submit a request for access or deletion.
  • Organizations must specify the goal of each processing activity. A mere enumeration of the processing activities, department by department, in combination with a summary of the various purposes of the processing is not sufficient.
  2. Policy rules prioritization complaints investigation Authority Personal Data: The Dutch Data Protection Authority published policy rules regarding the prioritization of the investigation of complaints. Pursuant to the GDPR, every data subject has the right to lodge a complaint with the Dutch Data Protection Authority if the processing of their data violates their rights provided in the GDPR. It also follows from the GDPR that the Dutch Data Protection Authority must in principle investigate and respond to each complaint. The Dutch Data Protection Authority is free to make an assessment regarding the intensity of the investigation of a complaint.

POLAND

The Personal Data Protection Act entered into force on 25 May 2018 to help the implementation of the GDPR in Poland.

The President of the Office for Personal Data Protection is a competent authority for the protection of personal data on the territory of Poland, created by the Act of 10 May 2018 on the protection of personal data. Some of the guidelines adopted or released by the Authority are discussed below:

  1. Guideline 1/2018 regarding certification and determination of certification criteria in accordance with Article 42 and 43: The EU guidelines on certification have been adopted by Poland. The Guidelines explore the rationale for certification as an accountability tool; they also explain the key concepts of the certification provisions in Articles 42 and 43, the scope of what can be certified and the purpose thereof.
  2. Protection of personal data at the workplace: The Guide indicates how to process personal data both during recruitment and during the whole period of employment. It is not limited to employment based on an employment relationship. It also covers other, increasingly popular forms of employment, such as civil law contracts.
  3. Tips for data controllers – how to apply the GDPR: The Personal Data Protection Office prepared 10 tips for data controllers to help them to apply the GDPR rules on a daily basis, such as:
  • Establish the proper basis for collecting and using personal data;
  • Comply with the information obligation in accordance with the new rules;
  • Communicate in a transparent way;
  • Always respect the rights of people;
  • Remember that consent can be withdrawn at any time;
  • Data breaches should be reported to the President of the Personal Data Protection Office and when necessary, to the persons whose data have been violated;
  • Do not create unnecessary documentation;
  • You have the right to profile, but remember about limitations;
  • Invest in a professional DPO;
  • Watch out for cheaters.
SLOVAKIA

The Protection of Personal Data (Act No. 18 of 2018) regulates the protection of the rights of natural persons against wrongful interference with their private data. The Act regulates the rights, duties and liabilities in connection with personal data processing and establishment, scope of powers and organization of the Office for Personal Data Protection of the Slovak Republic.

The Office of Personal Data Protection is the supervisory authority responsible for the implementation of the Act. Some of the guidelines released by the authority are discussed below:

  1. Methodological Guideline no. 2/2018: The Office for Personal Data Protection of the Slovak Republic issued the guideline on legality of processing. The principle of legality also expresses the requirement for fair and lawful processing, which must be in accordance with the law of the Union, the law of the Member State and good morals, so as not to violate the fundamental rights and freedoms of the persons concerned.
  2. Methodological Guideline no. 3/2018: The Office for Personal Data Protection of the Slovak Republic issued the guideline on the obligations of the e-shop operator from the point of view of personal data protection. The obligations are as follows:
    • for the operator to legally process the customer’s personal data, it must have an appropriate legal basis;
    • customers have the right to be informed about the terms of processing, how applications for the exercise of the rights of the persons concerned are processed, etc.;
    • data obtained should be processed by the operator only for a specific, expressly stated and legitimate purpose; furthermore, they cannot be processed in a manner which is not compatible with such a purpose;
    • operator should process only the personal data that is necessary to achieve a specific purpose of processing;
    • operator must process correct and up-to-date personal data;
    • operator must keep personal data only for the time necessary to achieve the purpose of processing;
    • operator must guarantee the adequate security of the processed personal data; and
    • operator must be able to show compliance with the preceding principles of processing.

SPAIN

The Organic Law 3/2018 of December 5 guarantees the digital rights of citizens and employees, beyond the GDPR. The law includes some specifications about data subjects’ rights. The new rule recognises a set of “digital rights” (or rights in the context of the Internet) to every individual, starting with the net neutrality right (or the right to be granted with Internet access without being discriminated for technical and/or economic reasons) and ending with the right to a digital testament.

The Spanish Data Protection Agency (Agencia Española de Protección de Datos) (AEPD) is the public law authority overseeing compliance with the legal provisions on the protection of personal data and enjoying absolute independence from the Public Administration. The guides released or adopted by the Agency are discussed below:

  1. Practical Guide of risk analysis for the treatment of personal data: The guide is aimed at data controllers and processors whose processing of personal data may be affected by data security breaches. It provides an interpretation of the GDPR regarding the obligation to notify the competent authority through the appropriate channel. It aims to cover the wide range of Spanish businesses (small, medium and large companies of all kinds, with large or limited processing operations) and can likewise help controllers and processors in the Public Administrations who are involved in managing security breaches.
  2. Guide for the Person responsible for the processing of personal data: The guide systematically presents the main issues that organizations should consider when applying the GDPR. It is designed to help controllers and processors adapt to the new obligations during the transition period. A ready reckoner checklist is included, which organizations can use to determine whether they have taken the necessary steps to apply the GDPR correctly.
  3. Guide for the management and notification of security breaches: The guide aims to be useful for anyone who wants or needs to familiarise themselves with the issues regarding the management and notification of security breaches. It is designed for different data controllers processing personal data who could be affected by data security breaches, with the aim of enabling understanding of the GDPR regarding its requirement to notify the competent authority and, when relevant, the data subjects, so that the competent authority is notified through the correct channel, with useful and accurate information for statistical and monitoring purposes, and the new GDPR demands are met.

SWEDEN

The Data Protection Act (2018:218) entered into force on May 25, 2018. It provides for the processing of social security numbers and processing of data pertaining to criminal offences. The Act is applicable to the processing of personal data carried out within the framework of activities carried out at the premises of the personal data controller or personal data assistants in Sweden. The law is also applicable to the processing of personal data carried out by personal data controllers who are not established in Sweden, but in a place where Swedish law applies according to international law.

The Swedish government has designated the Swedish Data Protection Authority to be the supervisory authority under the GDPR.

SWITZERLAND

The Swiss Federal Data Protection Act (‘Act’) and the Data Protection Ordinance (‘Ordinance’) regulate data processing activities across the country. The Act is applicable in any of the following circumstances:

  • The data subject has its habitual residence in Switzerland, provided that the data processor can anticipate that damage may be sustained in Switzerland.
  • The data controller or processor (as the potentially infringing party) is a Swiss resident.
  • Damage resulting from a data breach is sustained in Switzerland, provided that the data processor can anticipate that damage may be sustained in Switzerland.

The Federal Data Protection and Information Commission is the Authority responsible for supervising the data protection activities. The Commission recently released a guide to technical and organisational measures, which introduces data protection risks and the measures that can be taken to ensure protection of personal data.

  1. Guide for technical and organizational measures – This guide is an introduction to the data protection risks that can arise in connection with modern IT systems. It intends to help the reader implement measures and ensure optimum and appropriate protection for personal data. The guide is primarily intended for IT systems managers and those who are directly involved in the management of personal data, whether they are technicians or not. The guide is structured around four main topics – data access, data lifecycle, data transmission and right to information.

AUSTRIA

The Federal Act concerning the Protection of Personal Data (DSG) has considerably amended the Data Protection Act 2000 in order to implement GDPR. The Act regulates processing of personal data, appointment of data protection officers, maintaining confidentiality of data, investigation or prosecution of criminal offenses and rights of data subject in order to modify, rectify or delete.

Based on Art 8 GDPR, the Act provides that children may consent to data processing in the course of information society services from the age of 14, instead of 16 as stipulated by the GDPR. Art 10 GDPR generally provides that criminal data may only be processed “under the control of official authority”, unless otherwise authorised by the Member States. The Austrian legislator closed the potential gap by providing that criminal data may also be processed based on legitimate interests pursued by the controller.[4]

CZECH REPUBLIC 

Czech Republic enacted the Act No. 110/2019 Coll. on the Processing of Personal Data incorporating the provisions of GDPR. The law came into effect on April 24, 2019. It replaces the older Personal Data Protection Law (Act No. 101/2000 Coll., as amended) and regulates personal data processing within the scope of GDPR and also processing of the data by competent authorities for preventing, searching for and detecting criminal activity, ensuring safety and public order.

The Office for Personal Data Protection published various Guidance material for the implementation of the Law. Some of them are mentioned below:

  1. Data Breach Notification Guidance[5]: The Office for Personal Data Protection (‘UOOU’), published a guidance on data breach notifications. Key features of the guidance are provided below:
    • outlines that any breach of personal data security that may result in a risk to the rights and freedoms of individuals must be reported;
    • provides examples of such incidents, including an attack on a computer in which personal data is processed which results in the leakage of personal data, as well as the loss of paper documents containing personal data that was a part of manually kept records;
    • provides that where an infringement is unlikely to result in a high risk to the rights and freedoms of data subjects, such as if it becomes impossible to trace a paper document that was or should have been part of a manually kept record, no notification must be made;
    • lists what should be included in the notification, as well as the exceptions to the obligation to report data breaches to affected individuals.
  2. DPIA Methodology[6]: The Office for Personal Data Protection (‘UOOU’) published a methodology for conducting Data Protection Impact Assessments (‘DPIAs’). Key points discussed in Methodology are:
    • contains questions and answers, information on who needs to carry out a DPIA and when this is required, and outlines the four stages of a DPIA;
    • provides that the data controller needs to ascertain whether a DPIA needs to be carried out with respect to the personal data obtained, the legal basis for processing, data retention periods, and data transfers;
    • highlights that the data controller should, when carrying out a DPIA, provide a systematic description of the intended processing activities, follow a risk assessment procedure through identifying assets, vulnerabilities, and threats related to the processing of personal data, and determine the level of risk following a DPIA;
    • includes examples of vulnerabilities such as insufficient maintenance of supporting information and communication technologies, and insufficient physical protection of personal data.

LUXEMBOURG

On 16 August 2018, the Luxembourg Government adopted and published the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and implementation of GDPR and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The Law repeals the law of 2 August 2002 on the protection of persons regarding the processing of personal data.

ROMANIA

The Parliament of Romania adopted Law No. 190/2018 implementing the General Data Protection Regulation. The Law regulates special rules for the processing of certain categories of personal data, derogations from the GDPR, provisions regarding data protection officers (‘DPO’) and certification bodies, as well as provisions on the applicable sanctions for public and private entities. 


Conclusion: Critique of GDPR


As is evident from the EU countries’ domestic laws, GDPR is a privacy legislation that serves as a guideline for the upcoming laws on data privacy. GDPR strengthens individual privacy rights and increases the obligations of companies towards personal data. It also has uncurbed power; that is to say, like most of its counterparts, it is not toothless, since it not only imposes obligations on organisations but also provides for heavy penalties for breach of any of those obligations.

The largest sanctions under privacy laws have been imposed by CNIL, whose restricted committee imposed a heavy financial penalty of around €50 million[7] against the company GOOGLE LLC for lack of transparency, inadequate information and lack of valid consent regarding the personalization of ads. The decision by the CNIL came as a warning that tough enforcement actions are not just theoretical and that organizations must therefore take the privacy laws seriously.

Recently, some of the major fines were imposed in the year 2020, such as:

  • In April 2020, the Dutch Data Protection Authority imposed its largest fine to date, €725,000 (US$ 821,600 million), on an unknown company for illegally using employees’ fingerprint scans for its attendance records over a period of 10 months. As per the GDPR, biometric data is classified as sensitive information and subject to stringent protections.[8]
  • On December 07, 2020, the French Data Protection Authority issued two fines totalling €100 million against Google LLC, Google Ireland Limited and Amazon for cookie violations. In an audit, it was revealed that cookies, many of which were used for marketing purposes, were automatically placed on user equipment without affirmative action.[9]
  • On December 07, 2020, the Norwegian Data Protection Authority (‘Datatilsynet’) sent a notice of infringement to the Norwegian Sports Confederation (‘NIF’) and imposed a fine amounting to NOK 2.5 million (approx. €236,000) following the disclosure of the personal data of 3.2 million Norwegians after an error that took place when testing a cloud solution.[10]

Also, since the digital environment across the world has granted access to private data at a single click, privacy laws have become the talk of the town, and their breach could mean heavy penalties for data controllers and processors. The borderless nature of the Internet raises several jurisdictional issues in data protection; therefore, gradually, even non-EU members are bringing in supplementing laws in line with GDPR to protect the personal data of consumers. India and China have introduced Data Privacy Bills, and China has also included data privacy principles in the China Civil Code.

The emergent necessity of all the organizations to review their privacy policies and make them in compliance with the national legislation of their respective countries and GDPR, only reflects on the growing acceptance of GDPR, transcending beyond the EU.


† Consultant at Ernst and Young | Data Privacy and Occupational Health and Safety Compliance Professional

[1] Data subjects as “identified or identifiable natural person[s].” In other words, data subjects are just people—human beings from whom or about whom you collect information in connection with your business and its operations.

[2] Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

[3] According to Article 4 of the EU GDPR, a data controller is the entity (person, organization, etc.) that determines the why and the how for processing personal data. A data processor, on the other hand, is the entity that actually performs the data processing on the controller’s behalf.

[4] https://www.dorda.at/en/publications/new-austrian-data-protection-act-implementing-gdpr-passed-austrian-parliament Last accessed on December 11, 2020.

[5] https://www.uoou.cz/vismo/zobraz_dok.asp?id_org=200144&id_ktg=5020&n=poruseni-zabezpeceni

[6] https://www.uoou.cz/vismo/dokumenty2.asp?id_org=200144&id=46497

[7] Deliberation of the restricted formation n° SAN-2019-001 of January 21st, 2019 pronouncing a financial penalty against the company GOOGLE LLC

[8] https://cisomag.eccouncil.org/four-biggest-gdpr-fines-of-2020/ Last accessed on December 11, 2020.

[9] https://www.cnil.fr/en/cookies-financial-penalties-60-million-euros-against-company-google-llc-and-40-million-euros-google-ireland Last accessed on December 14, 2020.

[10] https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-overtredelsesgebyr-til-norges-idrettsforbund/

Case Briefs | International Courts

European Court of Justice (Grand Chamber): Striking a blow on companies dependent upon the transfer of data between Europe and the US via the Privacy Shield Decision, the Court held that Privacy Shield Decision does not provide adequate data protection of European citizens from US surveillance activities. It was further observed that the Privacy Shield Decision is incompatible with Art. 45(1) of the General Data Protection Regulation (GDPR) read in the light of Arts. 7, 8 and 47 of the Charter of Fundamental Rights of the European Union and is therefore invalid. Further examining the European Commission Decision 2010/87/EU dated 05-02-2010 on ‘standard contractual clauses’ (SCCs) for the transfer of personal data to processors established in third countries, the Court agreed with the Opinion delivered on the instant matter by the CJEU Advocate General on 19-12-2019 wherein it was stated that the SCCs offer adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights as required by Art. 26(2) of Directive 95/46/EC of the European Parliament and the Council. 

As per the facts, any person residing in the European Union who wishes to use Facebook is required to conclude, at the time of registration, a contract with Facebook Ireland, a subsidiary of Facebook Inc., established in the United States. Some or all of the personal data of Facebook Ireland’s users residing in the European Union is transferred to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing. Max Schrems, an Austrian Facebook user since 2008, filed a complaint with the Commissioner whereby he requested that Facebook Ireland be prohibited from transferring his personal data to the United States, on the ground that the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities in which the public authorities were engaged. Mr Schrems claimed, inter alia, that United States law requires Facebook Inc. to make the personal data transferred to it available to certain United States authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).

Perusing the background of the case, the Court compared the legal mechanism of data protection vis-à-vis surveillance as prevalent in the US and the European Union. It was found that the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States, as assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law by Art. 52(1) of the Charter of Fundamental Rights of the European Union. It was further observed that the US Government accepted that Presidential Policy Directive-28 (which imposes a number of limitations for “signals intelligence” operations, has binding force for U.S. intelligence authorities, and is of particular relevance for EU data subjects) does not grant data subjects actionable rights before the courts against the US authorities. Therefore, the Privacy Shield Decision cannot ensure a level of protection essentially equivalent to that arising from the Charter of Fundamental Rights of the European Union, contrary to the requirement in Art. 45(2)(a) of the GDPR that a finding of equivalence depends, inter alia, on whether data subjects whose personal data are being transferred to the third country in question have effective and enforceable rights. [Data Protection Commissioner v. Facebook, Ireland Ltd., C-311/18, decided on 16-07-2020]

Call For Papers | Law School News

The Personal Data Protection Bill, set to be tabled in the Indian parliament in its recent winter session, is based on similar lines as most of the Data Protection laws. Therefore, through the instant blog a comparative analysis of various Data protection legislation is sought.

Sub-Themes

  1. EU, India, USA and China: A comparative analysis of Data Protection Rules/Regulations
  2. GDPR and its effect on Global Trade
  3. Data Protection Impact Assessment
  4. Non-Consensual Data Processing under Data Protection Laws
  5. The Data Protection Authority under GDPR vis-à-vis authority under PDP Bill 2018 (India)
  6. Ramifications of GDPR on Social Networking Sites
  7. Transfer of Data under GDPR and PDP Bill 2018
  8. Jurisdictional Challenges inherent in Data Protection Laws
  9. Standard Clauses for Data-Protection: Right to be Forgotten, Right to Portability, Data Localization, Notice-Consent and Data Minimization.
  10. Need for Data Protection.

The submissions are, however, not restricted to the aforesaid sub-themes, provided they fall within the ambit of the main theme.

Instructions for Authors

  1. All submissions must be in Garamond, font size 12, spacing 1.5.
  2. All endnotes should be in Garamond 10, single-spaced.
  3. Margins: Left 1.5 Inch, Right 1 Inch, Top 1 Inch and Bottom 1 Inch.
  4. Word Limit for each post is a maximum of 1500 words (Exclusive of endnotes).
  5. Please ensure inclusion of endnotes instead of footnotes. A uniform style of Citation is necessary for acceptance.
  6. All entries should be submitted in .doc or .docx format.

Submission Guidelines and Procedure

  1. The manuscript should be accompanied by a cover letter specifying the author’s name, designation, institute, contact number, and e-mail for future reference.
  2. All entries should be submitted in .doc or .docx format.
  3. The manuscripts must be e-mailed to submissionsrslr@rgnul.ac.in
  4. The subject should be titled “Submission for RSRR Blog Series Issue”.
  5. All selected entries shall be published on the RSRR Blog Series.
  6. An E-Certificate will be awarded to each author whose submission will qualify to be published as a blog.
  7. Co-authorship of maximum of 2 is permitted.
  8. The author(s) bear sole responsibility for the accuracy of facts, opinions or views stated in the submitted Manuscript.
  9. In the case of gross plagiarism found in the contents of submitted manuscript, the manuscript shall be subject to rejection.
  10. Copyright of all blog posts shall remain with RSRR. All Moral Rights shall vest with the author.

Deadline

The last date of submission is 15 December 2018.

Contact

In the case of any query, contact at submissionsrslr@rgnul.ac.in.

Or contact: Managing Editor - Yavanika Shah (9872466478)

Executive Editors - Aryan Babele (9926041054); Shrey Nautiyal (7988767598)

Legislation Updates

The borderless nature of the Internet raises several jurisdictional issues in data protection. A single act of processing of personal data could very easily occur across multiple jurisdictions. Traditional principles of sovereignty and territorial jurisdiction have evolved in circumstances where such cross-border actions were uncommon. As such, it is not easy to determine the kind of application clause that a data protection legislation must have.

1. Context-Setting: Several jurisdictions have deliberated on the applicability of a data protection law to individuals as well as corporate entities/juristic persons. For instance, the EU General Data Protection Regulation (GDPR) applies to ‘natural persons’, as the definition of ‘personal data’ is specifically linked to individuals and not legal/juristic persons. Data related to juristic persons such as confidential business information and corporate strategies should be protected against various types of processing activities on such data. Further, such data should be subject to data security safeguards in order to ensure that the legitimate interests of juristic persons are protected.

Most key principles of data protection such as lawful processing and individual participation are intrinsically derived from the object of protecting the autonomy and dignity of the individual. It would be difficult to extend these principles to data relating to a juristic entity.

2. Nature of Personal data: This distinction between data and information in its ordinary usage is perhaps not determinative in data protection. As the object of the law is to demarcate the sphere of information relevant to the protection of the identity of an individual, the choice of the term “data” or “information” may not matter as these terms would not be used in their ordinary sense. The definition will have to cover both data and information if it bears a connection to the identity of the individual.

This is reflected in international practice as well. It further deals with identified or identifiable individual, pseudonymisation and anonymisation, personal data and new technologies.

3. Several Exemptions: There are some activities which cannot be brought under the purview of a data protection law. In other words, a data controller can be exempted from certain obligations of a data protection law based on the nature and purpose of the processing activity. For instance, if a law enforcement officer wants to collect or use personal information for the purpose of an investigation, seeking the consent of the data subjects or allowing them to access or rectify their data would delay the process and may even defeat its purpose. Specific exemptions include personal or household purpose, journalistic/artistic/literary purposes, research/historical and statistical purposes, investigation and detection of crime, national security or security of State and other similar grounds.

4. Cross-Border Flow of Data: With the advent of the Internet, huge quantities of personal data relating to employees and customers are being transferred internationally. Such data transfers often occur between and among units of the same corporate enterprise that are located in different countries as many of these global enterprises have customer databases and storage facilities in a number of regional locations. Cross-border flow of data is vital to accessing valuable digital services.

There are two tests identified for the formation of laws related to cross-border data flow – the adequacy test and the comparable level of protection test, for personal data. In order to implement the adequacy test, there needs to be clarity as to which countries provide for an adequate level of protection for personal data. The data protection authority should be given the power to determine this. The adequacy test is particularly beneficial because it will ensure a smooth two-way flow of information, critical to a digital economy.

5. Data Localization & related Issues: Data localization requires companies to store and process data on servers physically located within national borders. Governments across the globe driven by concerns over privacy, security, surveillance and law enforcement have been enacting legislation that necessitates localization of data. A nation has the prerogative to take measures to protect its interests and its sovereignty, but it must carefully evaluate the advantages and dangers of locally storing data before taking a firm decision on an issue that has the potential to cause a major ripple effect across a number of industries. Issues such as protecting rights of data subjects, preventing foreign surveillance, easy access of data in support of law enforcement and national security, IT-BPO/BPM industrial growth, digitisation of product and service offerings, India as a capital of analytics services, cloud services brokerage, global in-house centers (GICs), etc. have been dealt with in the report.

6. Grounds of Processing, Obligation on Entities and Individual Rights (Informational Privacy): The report deals with grounds of processing, the obligation on entities and individual rights. Consent forms the foundation of data protection law in many jurisdictions. There is great value in using consent as a validating mechanism for data processing. It satisfies two needs. First, consent is intuitively considered the most appropriate method to ensure the protection of an individual’s autonomy. Allowing an individual to have autonomy over her personal information allows her to enjoy “informational privacy”. Informational privacy may be broadly understood as the individual’s ability to exercise control over the manner in which her information may be collected and used. Second, consent provides a “morally transformative” value as it justifies conduct, which might otherwise be considered wrongful.

The report also deals with the concept of ‘Child consent’.

7. Consent: The report further throws light on the idea of ‘consent’ as is operationalised through the mechanism of “notice and choice”. The underlying philosophy is that consent through notice puts the individual in charge of the collection and subsequent use of her personal information. Notice purports to respect the basic autonomy of the individual by arming her with relevant information and placing in her hands the ultimate decision of whether or not her personal information is to be used.

8. Other grounds of Processing: Lawfulness of processing is a core principle under data protection law. The Organisation for Economic Cooperation and Development (OECD) Guidelines recognise lawfulness of processing under the collection limitation principle, which provides that collection of personal data must be limited, and any such collection should be done only by lawful and fair means, and where appropriate, with the consent of the concerned individual. Issues such as ‘requirement to have additional grounds of processing, along with consent’ and ‘lack of clarity with respect to certain grounds of processing, such as “public interest”, “vital interest” and “legitimate interest”’ have been dealt with.

9. Purpose specification and Use Limitation: An entire chapter deals with the Purpose Specification and Use Limitation. Purpose Specification is an essential first step in applying data protection laws and designing safeguards for the collection, use and disclosure of personal data.

10. Sensitive Personal Data: The definition of “sensitive data” is as per the Sensitive Personal Data Rules, 2011. The need to further examine the rationale behind certain categories of personal data and the difficulty in determining the context of use which could make data sensitive have been covered in the report.

11. Individual Participation rights: Two specific chapters deal with individual participation rights such as the right to confirmation, right to access, right to rectification, right to object to processing, right to object to processing for the purpose of direct marketing, right to not be subject to a decision based solely on automated processing, right to data portability, and right to restrict processing. Following these two, there is another chapter that deals entirely with the ‘right to be forgotten’.

12. Enforcement Models: Part IV of the work deals with enforcement models. The enforcement of data protection norms is complicated primarily by two factors: first, the application of the norms across different fields, sectors, industries and contexts and, second, the rapid pace of development and change in data processing technologies. These factors produce unique enforcement problems not found in other regulatory fields. Model types such as command and control regulation, self-regulation, co-regulation are explained in brief.

13. Data Protection: Central to accountability are the concepts of ‘privacy by design’ and ‘privacy by default’ which oblige businesses to consider data privacy at the initial design stages of a project as well as throughout the life cycle of the relevant data processing. In this sense, accountability does not redefine data protection, nor does it replace existing law or regulation, since accountable organisations must comply with existing applicable law. Instead, accountability shifts the focus of privacy governance to an organisation’s ability to demonstrate its capacity to achieve specified privacy objectives.

14. The last part of the report throws light on Personal Data Breach notification, categorisation of data-controllers, Data Protection Authority.

15. Penalties: The last chapter deals with the provision of penalties. In the context of a data protection law, civil penalties may be calculated in a manner to ensure that the quantum of civil penalty imposed not only acts as a sanction but also acts as a deterrence to data controllers, which have violated their obligations under a data protection law.

Hot Off The Press | News

Supreme Court: The Bench comprising CJ Dipak Misra and AM Khanwilkar, Dr DY Chandrachud and Ashok Bhushan JJ., in an order, refused to take on record the Srikrishna Committee report on data privacy and protection.

Attorney General K K Venugopal stated that the Srikrishna committee report is in the public domain and that, if the court wanted, the Centre would place the same on record. But the CJI, in consultation with the other judges on the bench, declined to do so.

The Srikrishna Committee laid down the measures that could be adopted in order to protect the personal information of the citizens, the role and duties of the data processors and rights of Individuals along with the penalties for violation of the data protection measures.

[Source: The Pioneer]

Case Briefs | International Courts

European Court of Justice: The ECJ recently held that the data protection authority of the Member State in which the administrator has its seat may, under Directive 95/46/EC of the European Parliament and of the Council of 24-10-1995 on data protection (OJ 1995 L 281, p. 31), act both against the administrator and against the Facebook subsidiary established in that Member State.

In this case, a German company operated in the field of education and offered educational services inter alia by means of a fan page hosted on Facebook. Administrators of fan pages could obtain anonymous statistical data on visitors to the fan pages via a function called ‘Facebook Insights’ which Facebook made available to them free of charge under non-negotiable conditions of use.

By decision of 3-11-2011, the Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany, as supervisory authority (the authority) within the meaning of Directive 95/46 on data protection, ordered one of the administrators to deactivate its fan page. According to the authority, neither the administrator nor Facebook informed visitors to the fan page that Facebook, by means of cookies, collected and processed personal data concerning them. The administrator brought an action against that decision before the Federal Administrative Court, Germany, which asked the ECJ to interpret Directive 95/46. The administrator argued that the processing of personal data by Facebook could not be attributed to it and that it had not commissioned Facebook for that purpose.

The ECJ started by observing that it was not disputed that the American company Facebook and, for the EU, Facebook Ireland must be regarded as ‘controllers’ responsible for processing the personal data of Facebook users and persons visiting the fan pages. Next, the Court found that an administrator must be regarded as a controller jointly responsible with Facebook Ireland for the processing of that data. The Court observed that the administrator takes part, by its definition of parameters (depending in particular on its target audience and the objectives of managing or promoting its own activities), in the determination of the purposes and means of processing the personal data of the visitors to its fan page. The administrator of the fan page can ask for demographic data and request its processing, including in terms of age, sex, relationships and occupations, as well as information on the lifestyles and centres of interest of the target audience, telling the fan page administrator where to make special offers and organise events and more generally enabling it to best target the information it offers. So, an administrator who makes use of and benefits from the associated services of Facebook cannot be exempted from compliance with its obligations concerning the protection of personal data.

In addition, the Court found that the authority was competent, for the purpose of ensuring compliance in German territory with the rules on the protection of personal data, to exercise with respect not only to administrators but also to Facebook Ireland all the powers conferred on it under the national provision transposing Article 28(3) of Directive 95/46. The same provision further entitles it to exercise those powers with respect to Facebook Germany even though it was not responsible for collecting and processing personal data due to division of work. [Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, Case C-210/16, order dated 05.06.2018]

Hot Off The Press | News

After hearing the much-debated Aadhaar matter for 38 days, the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ has reserved the judgment. The hearing had begun on January 17, 2018.

Below are the highlights from the arguments advanced on the last day of the Aadhaar Hearing:

  • Senior Advocate Gopal Subramanium: 
    • Is Aadhaar really affirmative action? Is the act an enabler or is it in the guise of enabler? The act is not an instrumentality to deliver services. It is only a means of identification. We have to read the true purpose of law and whether the law seeks to achieve that purpose. Dignity and autonomy is not preserved by section 7 of the Aadhaar Act.
    • Aadhaar Act does not have a proper purpose. A claim to a proper purpose is not proper purpose. Authentication is at the heart of the Act. Failure of authentication is a ground for denial of services.
  • Chandrachud, J: An act like Aadhaar needs a regulator which is absent.
  • Gopal Subramanium: The state seeks to take away our data without the backing of a strong data protection framework. Words like “grant of subsidies, benefits and services” are expressions of condescension in Section 7. They are not treated like an entitlement. The burden is on the people to authenticate and establish their identity. Should the State logically be the holder of such information?
  • Chandrachud, J: Is “subsidy” a benefit or a right, that has to be decided.
  • Gopal Subramanium: 
    • Private players have access to Aadhaar data. There is no regime of protection. There is no vertical protection.
    • Section 7 has been interpreted to be mandatory. Can’t make citizens subservient under section 7 and call rights, benefits.
    • The Act is to be struck down completely as it fails all three tests laid down in Puttaswamy. There’s no legitimate state aim as the real aim is different from the purported aim. There was no law when Aadhaar was implemented and there’s no proportionality.
    • This Court consciously overruled ADM Jabalpur. The doctrine of possibility of misuse does not apply here because there is actual denial of rights in the case of Aadhaar.
    • Aadhaar Act should be completely struck down and the architecture and database must be destroyed.

_________________________________

  • Senior Advocate Arvind P. Datar:
    • Aadhaar cannot be a money bill. At most, it can be a financial bill of category 3 under Article 117(3) of the Constitution.
    • Doctrine of severability will not apply to Aadhaar, since the doctrine is only applicable to validly enacted laws.
    • Mohd. Saeed Siddiqui and Yogendra Jaiswal should be overruled. Finality of speaker’s decision doesn’t mean that the bill cannot be subject to judicial review.
    • Under PMLA, Aadhaar is not just confined to banks but has gone beyond its scope. Aadhaar is needed for mutual funds, insurance policies and credit cards as well, among other things.
    • Only magic words like black money, national security and terrorism are being thrown around by the State. The justification of a law for proportionality cannot be a ritualistic exercise. Aadhaar is not justified under Article 300A of the Constitution.
    • Linking Aadhaar will never solve problems of money laundering and black money because the source of such money is different. This is colorable exercise of power. Black money and money laundering is being used as a ruse to collect people’s biometrics.
    • Section 57 should go completely. Anything outside Section 7 is completely violative of the Puttaswamy judgement. S.139AA of the income tax act is inconsistent with the Aadhaar Act.
    • There should be an option of opting out of Aadhaar.

_________________________________

  • Senior Advocate P. Chidambaram:
    • AG’s reading of the word “only” in Article 110(g) is erroneous. There is no need to tamper the language of the Article.
    • Section 57 travels beyond Article 110 of the Constitution. Clause (g) of 110 (1) must be read very restrictively. The provision has to be incidental to (a) to (f) to come under (g). Clause (g) is not a substantive provision.
    • The implications of passing a non money bill as a money bill are very serious: One half of the parliament is virtually disabled from making any amendments. It denudes the highest constitutional authority of the country, the President of India.
    • There is no provision in the Constitution which gives the court the power of severability in case of an invalidly enacted legislation. The Australian constitution has such a provision.
    • The bill was passed without the effective participation of the Rajya Sabha and without assent from the President. The court cannot save a legislation that is fundamentally unconstitutional.
    • Pith and Substance doctrine cannot be applied in cases where the applicability of Article 110 is being interpreted. Only limited to entries of legislative lists.
    • The Court must strike down the Aadhaar Act as it is not a money bill. It is a mockery of Article 110.

_________________________________

  • Senior Advocate K.V Vishwanathan: 
    • Respondents’ argument that the least intrusive method is not a facet of proportionality is completely erroneous. You can’t balance your own bundle of rights. Balancing Right to food and right to privacy is wrong.
    • Section 59 doesn’t protect Aadhaar during the time it was not an Act. It’s a wrong submission made by the state. To rely on the exception handling mechanism is ultra vires the Act.
    • If it’s my rights and their duty, then they cannot discharge their duty by subjecting the poor and downtrodden of this country to a technological menace.
    • There can be no data collection and digitalization of records. The underpinning of the Aadhaar Act is authentication of individuals.
    • Harmonization of rights is being mis-applied by the respondents.


Source: twitter.com/SFLCin


On the penultimate day of the Aadhaar hearing, Senior Advocate Shyam Divan continued with his rejoinder before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ.

Below are the highlights from the arguments advanced on Day 37 of the Aadhaar Hearing:

  • Shyam Divan:
    • We’re linking individuals’ Aadhaar with their bank accounts and mobile numbers without their permission. It’s called inorganic seeding. Without statutory backing UIDAI collected biometrics of hundred crore people which is the entire population of Europe and North America.
    • From the citizen’s perspective, there’s authentication tower and enrollment tower. IP address, ID, date, time and purpose of authentication can be known because of the architecture of Aadhaar. Source code of the Aadhaar software belongs to foreign companies. It is impossible to live in contemporary India without Aadhaar.
    • Aadhaar linking is not a one time thing. It’s a continuous process.
    • ID4D 2015 report was relied on by the Attorney General KK Venugopal. World bank had partnered with Accenture to write this report. Therefore the report is not impartial.
    • Collecting biometrics was ultra vires the 2009 notification. Assuming the notification was an act of parliament, even then it would’ve been ultra vires for collecting something as intrusive as biometrics. Also there was no informed consent and penalties that time.
    • UIDAI has been flouting the interim orders of the SC. Aadhaar schemes under section 7 should not involve children, merit education. Exclude schemes for rehabilitation and involve stigma like bonded labourers, exclude food and nutrition, matters related to health.
    • There cannot be retrogression of human rights.
    • Sarva Shiksha Abhiyan and mid day meal schemes require children to furnish Aadhaar to avail benefits of these schemes. This should be completely excluded from section 7. There should be no conditions placed on children to avail these benefits.
    • Aadhaar was even required to participate in essay competition. This is way beyond any reasonable limit of proportionality.
    • Highly vulnerable groups should not be mandated to provide Aadhaar. Even Ujjwala scheme for women rescued from trafficking requires Aadhaar.
  • Sikri, J: The problem is that wrong beneficiaries receive such benefits.
  • Shyam Divan:
    • Even tuberculosis patients were mandated to disclose Aadhaar numbers. 
    • Please don’t consider Section 7 by itself but the overall impact of the Act. This is an over extension of the coercive powers of the State. Section 7 beneficiaries are demoted to the status of second class citizens. Aadhaar authentication is a violation of personal autonomy.
    • Also, Aadhaar is probabilistic. Non retrogression of rights is an important principle of human rights law.
    • This act has a huge impact on human rights. Constitution has an intricate scheme to defend part III with the final defence lying with the SC. Cannot bypass wisdom of Rajya Sabha and Article 111 to pass Aadhaar as a money bill.
    • Demographic information in many situations is also important and should not be trivialised. People must have the choice to preserve and protect it.
    • The architecture of Aadhaar with full traceability enables mass surveillance, and profiling. There are a lot of lawyers who are doing this pro bono because they believe this is a huge constitutional matter. There’s no commercial interest.
    • The Aadhaar Act will not survive the first five words of the preamble, “We the people of India”.

____________________________________

  • Senior Advocate Gopal Subramanium:
    • State functionaries have a continuing constitutional obligation. If the obligation is not met, it cannot be reversed and the burden of proof cannot be on Individuals to establish their identity.
    • Do children want fake mid day meals? Do poor disabled people want to fake their identity?
    • Section 33 will allow sharing of authentication records. Footprints of one’s activities are known by the State. Is there any nexus between such knowledge of the State and delivery of services?
    • You need all the other identity documents like ration cards, along with Aadhaar number. A person can ping the authentication machine three times and get rejected and then get accepted on the fourth ping. How can we subject citizens to this?
    • Is Aadhaar really for the oppressed? Because everyone is now supposed to link it with banks, telecom etc. What exactly is the compelling state interest that has been demonstrated?
    • Admissions to schools is denied for lack of Aadhaar. The legislation is not an enabler, and not used for empowerment. Therefore, it falls on all grounds that is Articles 14, 19 and 21.
    • Data of citizens can be used for political exercise. Aadhaar’s preponderant nature is likely to invade. Aadhaar alters the symbiotic nature between state and citizen.
    • This law is a fetter on self actualization. However noble your intentions may be, if you step out of the boundaries of the Constitution, then there’s no saving such legislation.


Source: twitter.com/SFLCin


On Day 36 of the Aadhaar Hearing, Attorney General KK Venugopal concluded his arguments on the issue of Aadhaar Act, 2016 being introduced as Money Bill before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ. It also marked the end of the submissions of the State and the petitioners began rejoinder post lunch.

Below are the highlights from the arguments advanced on Day 36 of the Aadhaar Hearing:

  • Attorney General KK Venugopal: Article 110(1)(g) is a standalone provision. There can be a bill that does not relate to 110(1)(a)-(g) but is still covered independently under 110(1)(g). Therefore, the Aadhaar bill did not have to be passed by the Rajya Sabha. RS could only make recommendations.
  • CJI: Section 57 is an enabling provision that allows state legislature to introduce Aadhaar for various services. The state legislature may or may not introduce it as a money bill. Its nature will then be examined if it’s challenged in a court of law.
  • AG (On Aadhaar SIM linking):
    • Aadhaar is not mandatory to obtain a new connection, but there will be no chance of forgery and fraud if Aadhaar is linked to SIM card.
    • Aadhaar was made optional as per the direction of the Supreme Court but it will only remain optional till the final disposal of the matter. (SC had denied a few days ago that it had issued any direction to make Aadhaar mandatory for SIM in the Lokniti case)
    • We are recognizing the interim order passed in the Lokniti Foundation case, and hence making Aadhaar optional for the time being.
    • No core biometrics data is shared under the Aadhaar Act.
    • The State takes offense to the fact that words such as “electronic leash” and “concentration camps” were used.

________________________________________

  • Senior Advocate Shyam Divan (Rejoinder): 
    • First time in a democracy, something like CIDR has been implemented. SC is at the vanguard of balancing human rights and new technologies.
    • Cannot have a surveillance state in this democracy. Identity of the person, date and time, and location are the three elements of surveillance.
    • On March 9, 2018, state filed an affidavit appending an expert report by Manindra Agarwal of IIT Kanpur who is also a member of technology and architecture review board of Aadhaar along with the security review board.
    • UIDAI’s presentation report says that biometrics database is accessible by third party vendors like Morpho, Accenture, identity solutions and one more. Breach of verification log leaks location of places where an individual did authentication.
    • The report admits that tracking of location of a person is possible. Prof. Agarwal has admitted that last five years location data can be accessed with the verification log. Even without the verification log, current location can be tracked. UIDAI knows the location of an individual. Third parties can access the approximate location if the verification log is breached.
    • Experts on both sides now agree that surveillance is possible. It’s not just a privacy issue, it’s a limited government issue. How far does the coercive power of the state extend? Cannot extend to creating an infrastructure that is capable of tracking people.
    • Can we have a law or system that sets up an authority that does not comport with our democracy? I’m speaking about a rudimentary level of surveillance. I’m not even talking about commercial surveillance.
    • State has created a structure of not just CIDR but AUAs and KUAs where all information is being tracked including location. In terms of power and control, the existence of a body like UIDAI is beyond my wildest imagination.
    • The Manindra Agarwal affidavit is a tipping point in this case. He’s careful and says that there are laws to protect us. SC cannot permit something so deeply flawed to function in our country.
    • Is this a case of the emperor who had no clothes? On the point of balancing, I would submit that this is an impairment of Part III of the Constitution. This is a moment in time to take a firm stance.
  • Chandrachud, J: There’s an inexorable march of technology. What are the kind of safeguards that we should take while balancing these rights is something we have to consider. Not like there’s quantitative lack of food in our country. The problem is that people can’t access that food. It is the duty of the State to look into this aspect also.
  • Shyam Divan:
    • Choice and option is important in a democracy. (Jokingly says that Mr. Zoheb Hossain also does not have an Aadhaar.)
    • UIDAI in their answer have said that they do not take responsibility for correct/incorrect identification. They only provide a matching system. It’s a self certification/ declaration system. Please consider this in the context of opening and operating bank account.
    • UIDAI takes no responsibility for correct name, address, date of birth. Please consider if this meets minimum standard of rationality. UIDAI hasn’t answered how many authentication rejections have taken place. If you’re successful in performing five authentications in a year, it’s considered hundred percent successful.
    • UIDAI was asked if they verify if illegal immigrants are given Aadhaar. As a 2013 SC order said that illegal immigrants should not get Aadhaar.


Source: twitter.com/SFLCin


On Day 35 of the Aadhaar Hearing, Advocate Zoheb Hossain, appearing for the State of Maharashtra and UIDAI, resumed his submissions before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ. Attorney General KK Venugopal made submissions on Aadhaar Act, 2016 being passed as a Money Bill.

Below are the highlights from the arguments advanced on Day 35 of the Aadhaar Hearing:

  • Advocate Zoheb Hossain:
    • Data protection law is a positive obligation of the State. All rights give rise to a variety of duties. Aadhaar is a project to ensure socio economic rights of the people.
    • All human rights are equally important, indivisible and are interconnected. Socio economic rights are as important as civil and political rights.
    • A UN General Assembly resolution says that ideal of freedom can only be achieved if conditions are created so that everyone can enjoy socio economic and civil political rights.
    • To judge proportionality, reasonableness of the measure/restrictions have to be shown from the point of view of the general public and not from the PoV of one affected party.
    • Right to privacy is an individual right which can be highly subjective or objective and the state can’t be held to be vicariously liable for it. No petitioner has claimed infringement of right to privacy. (Questions the fact that right to Privacy violation is being heard as a PIL.)
    • A person may use her aadhaar for obtaining SIM, opening bank account and getting PDS. Her telecom company will not have details of the bank/PDS. Similarly, her bank will not have info on her telecom and PDS. UIDAI won’t have any of the three details.
    • Aadhaar act provides adequate safety to identity and authentication records.
    • A party cannot expect strict adherence to the principles of natural justice during times of emergency.
    • Section 47 has been of challenge for not providing a right to complain. Purpose is discernible under the scheme of the act. A complaint can be filed to UIDAI therefore a person is not left remedy-less.
    • Aadhaar is technical and it’s best if UIDAI is given the power to complain as they best understand the matters. Similar provision in Industrial Disputes Act was upheld. UIDAI may authorize a person to make a complaint if they feel it’s genuine.
    • There are provisions under the IT act for offences such as Identity theft, violation of privacy etc.
    • The purpose of Aadhaar including section 139AA is to promote redistributive justice and ensure substantial equality along with furthering the dignity of the individual. Aadhaar act and Income tax act are standalone acts and it cannot be said that parliament in its wisdom cannot make Aadhaar mandatory by way of an amendment.
    • This argument has already been examined and decided in Binoy Viswam. If the objects of the two statutes are different then they are said to run parallelly and not intersect. There’s no conflict.
    • Having Aadhaar for individuals also cures the evil vis-a-vis companies. Companies and individuals are treated differently in the income tax Act. That cannot be called unreasonable classification.
    • Section 165 of companies Act allows a person to be the director of twenty companies. If Aadhaar is linked with PAN, it can be checked whether a genuine person is the director of more than one company. The genuineness of the company can also be verified.
    • Problem of dummy directors and fake companies will be solved by linking Aadhaar with PAN.

______________________________________________

  • Attorney General KK Venugopal on the issue of Money Bill:
    • The term “targeted delivery of subsidies” contemplates expenditure of funds. The expenditure has to go into thousands of crores from the consolidated fund of India. This itself brings it into the ambit of money bill under Article 110 of the Constitution.
    • Even though the law has ancillary provisions, the main objective of the Act is delivery of services and benefits.
    • Sections 7, 24 and 25 along with the preamble of the Act brings it totally within the ambit of Article 110. Not a single provision in the act is unnecessary or unrelated to the main purpose/pith and substance of the act which is giving subsidies.
  • Chandrachud, J: Section 57 snaps the link with consolidated fund of India.
  • AG: When the contract is placed before your Lordships, then it has to be examined. We may not know today what color or aspect the contract under Section 57 would take.
  • Sikri, J: There’s no distribution of benefits and subsidies under section 57.
  • AG: Section 57 will be saved by Article 110(1)(g).
  • Chandrachud, J: You may be rewriting the Constitution!


Source: twitter.com/SFLCin


Advocate Gopal Sankarnarayanan, who had begun his submissions on Day 33 of the Aadhaar hearing, continued with his submissions before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ on Day 34 of the Aadhaar Hearing.

Below are the highlights from Day 34 of the Aadhaar Hearing:

  • Chandrachud, J: Aadhaar section 7 seeks to identify the beneficiaries that require subsidies. It doesn’t take away other forms of identity.
  • Sankarnarayanan:
    • Aadhaar is a number which helps identify people who need subsidies. Many don’t need that identity.
    • I support Aadhaar for the control, security and safeguards it provides but Section 139AA of the Income Tax Act takes away those. “Individual Income tax PAN holders (non corporates)” are targeted by the State via Aadhaar. With respect to financial scams, the problem was dummy companies, not individuals. Yet companies are not targeted.
    • For the purposes of Income tax, Aadhaar is mandatory, there’s no informed consent, and it is not related to Consolidated fund of India. Therefore proportionality test fails.
    • If the aim was curbing black money and preventing money laundering, then linking PAN with individual Aadhaar holders doesn’t achieve that purpose. Therefore there’s no proportionality.
    • Indian law journal: users guide to privacy says Obfuscation is a technique by which privacy can be kept intact. It gives up on trust between individual and states though. Petitioners have a valid ground of lack of trust.
    • “Identification of targeted beneficiaries” is key. Aadhaar is voluntary. It can be used as “proof of identity” for someone who doesn’t need subsidies.
    • Section 5 enjoins UIDAI to take special measures for vulnerable groups. It proves there is an element of discharge of obligation by the State.
    • The constitution lays down that any penny from the CFI has to go to the person for whom it was earmarked. It is an onerous obligation on the state. Aadhaar attempts to ensure, with the use of biometric authentication, that this obligation is dispersed.
    • If Aadhaar becomes the universal identity card replacing all other identity documents which were initially required to get an Aadhaar, then it is a concern.
    • Aadhaar identification is as secure and foolproof as one of the eighteen proof of identities taken at the time of enrollment because of the voluntary nature of section 7, there is balance in Aadhaar act, unlike Section 139aa wherein there’s no balance.
  • Chandrachud, J: Section 7 is not voluntary. Someone who wants subsidies will have to have Aadhaar.
  • Sankarnarayanan:
    • Aadhaar Act subserves articles 253 and 266(3) of the Constitution along with fundamental rights.
    • We don’t need the least restrictive test to show proportionality. Trust CIDR with my data.
    • Safeguards, balances and limitations provided under the Aadhaar Act makes it proportional.
    • National informatics centre runs both Supreme court website and UIDAI. SC website was hacked a few days ago.
    • UIDAI needs to plug the holes in the Aadhaar system before rushing with it. Aadhaar is not being able to keep up with technology.
    • Aadhaar has protection under the Aadhaar act and Section 43A of the IT Act, along with SPDI rules.

___________________________________

  • Senior Advocate Neeraj Kishan Kaul:
    • If Aadhaar is a reliable, speedy tool for identification and authentication, then there’s no reason to hold it invalid.
    • Aadhaar authentication has made life easier for women in villages, migrants, etc.
    • Microfinance institutions will have a larger reach by virtue of Aadhaar and predatory financing will reduce.
    • Private players are also governed by the Act. Give private players the choice to use Aadhaar if they want since section 57 is an enabling provision under the Aadhaar Act.
  • Chandrachud, J: The need for verification should not be decided by private players.
  • Kaul:
    • The bench can make Privacy and data security regulations as stringent as possible. But as long as the private player and customer have consensus on using Aadhaar, it shouldn’t be disallowed as Aadhaar is the most effective and powerful tool for verification.
    • Aadhaar is based on matching algorithms, not learning ones like Google and Facebook.
    • I request the bench to not exclude AUAs and KUAs from using Aadhaar for their businesses. Merely because there’s a scope of misuse, a statute cannot be struck down.
    • Location of AUA and KUA is not revealed, so there’s no question of surveillance.

___________________________________

  • Advocate Zoheb Hossain:
    • Socio economic rights are justiciable rights, the SC has held in the past. Article 56 of UN charter talks about inter-relation between socio economic and civil political rights. Positive obligations of the State like food, shelter etc are embedded in Article 21.
    • In this case, the bench is balancing interference with the right to Privacy which is the numerator and denominator is the socio economic rights of the people. It is not just a case where part IV requirements are being read.

____________________________________________________________________________________________________________________________

To read the highlights from the submissions of Senior Advocate Rakesh Dwivedi, click here , here , here , here and here.

To read the highlights from the submissions by ASG Tushar Mehta, click here and here.

To read the highlights from the submissions by the Attorney General, click here, here , here and here.

To read the highlights from the PowerPoint Presentation made by the CEO of UIDAI, click here.

To read the highlights from submissions of Senior Advocates Meenakshi Arora, Sajan Poovayya, CU Singh, Sanjay Hegde and Counsel Jayna Kothari, click here.

To read the highlights from submissions of Senior Advocates KV Viswanathan and Anand Grover, click here.

To read the highlights from Senior Advocate Arvind Datar’s submissions, click here, here and here.

To read the highlights from Senior Advocate Gopal Subramanium’s submissions, click herehere and here.

To read the highlights from Senior Advocate Kapil Sibal’s arguments, click here, here and here.

Looking for the detailed submissions of Senior Advocate Shyam Divan? Read the highlights from Day 1, Day 2, Day 3, Day 4, Day 5, Day 6 and Day 7 of the hearing.

Source: twitter.com/SFLCin

On Day 33 of the Aadhaar Hearing that has been going on since January 17, 2018, Senior Advocate Rakesh Dwivedi concluded his submissions and made way for other counsels to present their arguments before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ.

Below are the highlights from Day 33 of the Aadhaar Hearing:

  • Dwivedi: UIDAI’s control over RE is a fair and reasonable safeguard under Article 21. Data under REs is segregated. There’s no way to aggregate that data as there are over 300 REs.
  • Sikri, J: What about an individual RE collecting data?
  • Dwivedi:
    • Let’s take the example of Vodafone. What will Vodafone do with the authentication data? They can’t track any individual. Vodafone can do targeted advertising using the data which is already happening without Aadhaar. Vodafone has far more demographic data about an individual than UIDAI has. In the case of UIDAI, there are so many regulations and penal consequences that don’t apply to Vodafone.
    • Nobody is questioning what banks and telecoms are collecting. The single target is Aadhaar. (shows a credit card statement to the bench to show that banks have a record of all transactions made by an individual including the place of transaction.)
    • It’s not difficult to collect data about someone from Google. How much senior advocates charged for particular cases is also available online. We need to have big data, processing power and statistical know how to do big data analysis as Google is doing. Google and Facebook process tremendous data on a daily basis. UIDAI does not have that kind of algorithms.
    • It is doubtful that an RE that collects data and transfers that data without any other data has any value. Also REs do not have authentication records. We are still conscious about providing as much security as possible because we want to gain the trust of the people.
    • Explaining the control of RE:
      • RE buys fingerprint device from a vendor. We control the vendor with respect to the hardware and software of the device.
      • We also put a key in the device so that the data is encrypted and sent to CIDR. Machine is then taken to STQC and that Dept looks into the device to see whether it meets all the requirements. Device preparation and certification happens without the knowledge of RE.
      • Information systems operator then conducts an audit of the RE and the report is submitted to UIDAI. If it is approved then the RE gets a license from UIDAI in order to operate as an RE.
      • Meta data is important for validation that the data is coming from a particular RE with which UIDAI has an agreement. Meta data is required for fraud management and verification.
      • REs have a data vault as well. It is controlled by trusted people. Apart from this there are two more audits conducted: annual audit and random audits by UIDAI. Even ASAs are audited likewise. Relevant regulations are 19(1)(g) and 21.
      • Nature of information is such that it is not of any commercial value. All REs are already possessed of this information and much more. UIDAI has device control which happens before the device is purchased. There are double pairs of keys. Encryption is immediate and time stamped.
      • Transmission requires digital signature with a private key. There’s a data vault. There’s complete prohibition of storing PID block. Even demographic info is prohibited from transfer. Three level auditing by information system auditor.
      • There are penal consequences if any provision of the Aadhaar Act or regulation is violated.
      • Central government has no access to UIDAI’s data as UIDAI is an autonomous body. Hence, no surveillance is possible.
    • While examining the problem of smart cards, even the EU has said that having a centralized database is important. Decentralization leads to fakes and duplicates.
    • Aadhaar SIM linking helps in ensuring that SIM card is given to the person who’s applying for it. This is a legitimate state interest. The measure to verify your SIM card one time is not excessive at all. Therefore it’s proportional to the object sought to be achieved.
  • Chandrachud, J: SC never directed in LokNiti foundation order to carry out e-KYC of mobile nos. using Aadhaar. The DoT notification says that Aadhaar SIM linking is being done on the direction of the SC while the SC had not issued any such direction.
  • Dwivedi:
    • No, it was done on the recommendation of TRAI before the Lok Niti order had even come out. My submission is that the government had a legal basis to link Aadhaar with SIM by virtue of section 4 of the telegraph act. Also, the measure is reasonable in the interest of national security.
    • There’s no possibility of surveillance via CIDR. CIDR is absolutely necessary to avoid fakes. The entire architecture is such that there’s no aggregation of data and therefore no surveillance. That’s why there’s a mix of public and private players.
    • The system stands the test of article 21 on its own and there’s no infringement of right to privacy. This project has the support of two governments because Congress had started this and Mr. Sibal was part of the cabinet that time.

_______________________

  • ASG Tushar Mehta: Does Aadhaar pass the muster of Article 300A? “Authority of law” phrase in 300A gives the power to the legislature to link Aadhaar with bank account under PMLA. The PMLA rules have the backing of the PMLA. A statutory rule is akin to law under Article 300A of the Constitution. The parliament cannot every time amend the law (PMLA) for example in respect of money laundering. Therefore a wide statutory network is provided and power is given to the rule making authority.

_______________________

  • Senior Advocate VV Giri: I want to appear on behalf of State of Kerala in order to argue on legislative competence.
  • Bench: States cannot challenge a central govt statute. You can submit bullet points on what you want to argue and then the bench will decide if you can be allowed.

_______________________

  • Senior Advocate Jayant Bhushan:
    • RBI has issued the master circular by virtue of its power under Banking Regulation Act. PMLA Rule 9(4) provides that Aadhaar has to be submitted to reporting entity.
    • Rule 9(14) provides that the regulator (RBI in this case) shall provide guidelines incorporating the requirements of sub-rules (1) to (13) above and may prescribe enhanced or simplified measures to verify identity.
    • Requirements under Rule 9(1)-(13) are made mandatory by Rule 9(14). The master circular is now in conformity with PMLA rules. RBI has no option but to amend the master circular.

_______________________

  • Advocate Gopal Sankarnarayanan:
    • Aadhaar Act is valid subject to three specific provisions that have to be read down or struck down.
    • Right to identity is an absolute fundamental right. Aadhaar provides one kind of proof for identification. It arises from recognition of an individual.

____________________________________________________________________________________________________________________________

Source: twitter.com/SFLCin

On Day 32 of the Aadhaar Hearing, Senior Advocate Rakesh Dwivedi continued his submissions before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ on the issue of reasonable expectations of privacy.

Below are the highlights from Day 32 of the Aadhaar Hearing:

  • Dwivedi:
    • Privacy is strongest in the inner sanctum of the mind, but shrinks as you move outside into the world. It has to be considered whether private life is protected outside your home, because people frequently give up their privacy in these conditions. The US and UK Supreme Courts treat reasonable expectation of privacy as very significant, and the Indian position is closer to this.
    • The only question is whether the restriction on the right to privacy is proportionate to the government purpose. Nothing else can be taken into account. Petitioners have applied the wrong standard in arguing that the restriction on rights should be least intrusive.
    • In the public sphere, the right to privacy is diluted. The entire Aadhaar activity is in the relational and public sphere. He says that demographic information and facial photograph don’t have any privacy concerns. There is no reasonable expectation of privacy. At the requesting entity point, it’s all dispersed and decentralised, and so it doesn’t deserve the level of protection that the CIDR is given.
  • Chandrachud, J: The point seems to be that core biometric information has higher privacy concerns. That does not mean that there is no privacy concern elsewhere.
  • Dwivedi:
    • I agree but the reasonable expectation of privacy varies according to context. Petitioners have cited no judgments involving identity cards. 120 countries use biometric passports and nineteen European countries use biometric ID cards. The CJEU or the ECHR have never expressed any concerns with biometric ID cards.
    • In the privacy judgment, it has been said that if you willingly put up your personal information on Facebook, then you may not have a right to privacy in that information.
    • Safeguards can be read into Article 21. Degrees of safeguards will vary – for nuclear plants it will be one, and for CIDR is another.
    • The standard must be “adequate safeguards”. The risk can never be zero.
    • There must be constant vigilance. We are always improving and upgrading our safety, and after the Srikrishna Report, we will upgrade more.
    • We have provided a complete bar on sharing, and what is available with the REs is totally dispersed. The extent of privacy is much more diluted. And there is consent and a bar on using for anything other than authentication. If there are breaches, then point them out to us. But petitioners don’t want to improve it, they just want to knock it off.
    • The data protection draft law will be out by May.
  • Chandrachud, J: One area that requires consideration is remedies for breaches.
  • Dwivedi:
    • The IT Act provides for penalties, and penalties have been imposed on Airtel etc.
    • The Court and the government should work in coordination as the two great wings of State, and not in opposition. The sword should be unsheathed only in the last resort. The Court should be like a doctor and save the patient.
    • Member States have been left free to make laws.
  • Chandrachud, J: That is subject to the test of proportionality.
  • Dwivedi:
    • I am not disputing that.
    • EU is now contemplating a biometric ID card.
  • Chandrachud, J (Jokes): Are they planning to seed it with Aadhaar?
  • Dwivedi: UIDAI collects only limited technical metadata.
  • Chandrachud, J: Is it necessary to retain metadata? Why do you have to retain it?
  • Dwivedi: It’s important to exercise control over the RE. There is no data about location or purpose of transaction, but only about the system, and that’s required for audits.
  • Sikri, J: So you’re not collecting metadata about the person but only about the machine?
  • Dwivedi: Yes. We don’t know location or purpose, just device ID.
  • Chandrachud, J: Your argument might be supported by Regulation 26 proviso, which bars storing the purpose of a transaction.
  • Dwivedi: Yes, in any case the Aadhaar Act bars storing of purpose.
  • Chandrachud, J: What is the meaning of “authentication transaction data”, which can be stored under Regulation 26?
  • Dwivedi: It’s the data pertaining to a specific transaction, and there is a bar on storing purpose.

____________________________________________________________________________________________________________________________

Source: twitter.com/gautambhatia88

“Development requires the removal of major sources of unfreedom: poverty as well as tyranny, poor economic opportunities as well as systemic social deprivation, neglect of public facilities as well as intolerance or overactivity of repressive states.” – Amartya Sen

On Day 31 of the Aadhaar Hearing, the discussion between Senior Advocate Rakesh Dwivedi and the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ began with the former quoting the abovementioned lines.

Below are the highlights from Day 31 of the Aadhaar Hearing:

  • CJI: Liberating people from un-freedom (poverty) is at one end of the spectrum and right to privacy is on the other.
  • Chandrachud, J: Aadhaar is a means for identification according to you. The only caveat to that is that there should be no exclusion.
  • Dwivedi: The point of Aadhaar is to bring the provider of benefit face to face with the beneficiary.
  • Chandrachud, J: I’m not sure if that’s the best model. The individual should not be a supplicant. The State should go to him and give him benefits.
  • Dwivedi:
    • Various judgments of the Supreme Court on economic and social welfare culminated into the Parliament framing the Aadhaar Act.
    • What is being done under section 7 of the Aadhaar Act covers human rights of a lot of people of our country. This court should act as a sentinel to ensure that right to privacy is balanced with all the other rights under Article 21 that Aadhaar covers.
    • Privacy is a small price to pay for ensuring life itself and also the rights under Article 21 of the Constitution.
    • Aadhaar Act draws distinction between demographic info, optional demographic info (mobile no.), core biometric information, and biometric information like photograph. Idea of reasonable expectation of privacy varies from one set of data to another.
    • Reasonable expectation of privacy in case of demographic info and photo will be very low as such information is publicly available. We are concerned only about real and general apprehension or fear of the public with respect to Aadhaar. Fear is subjective.
  • CJI: Some fears are misconceived.

____________________________________________________________________________________________________________________________

Source:  twitter.com/SFLCin

On Day 30 of the Aadhaar Hearing, Senior Advocate Rakesh Dwivedi continued with his argument on the probabilistic method that he had begun on Day 29 of the hearing before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ.

Below are the highlights from Day 30 of the Aadhaar Hearing:

  • Dwivedi: The algorithms which are probabilistic are not all identical. Parliament was conscious of the exclusion that could happen. It was also aware of the digital divide. Hence, provided three alternatives under section 7 of the Aadhaar Act, 2016. There can’t be denial of service. Option to furnish proof of possession of Aadhaar number under section 7 if authentication can’t be done.
  • Chandrachud, J: Does proviso to section 7 apply to third alternative?
  • Dwivedi:
    • Yes, it is applicable in case an individual has applied but has not been assigned Aadhaar number.
    • There is no question of denial. Denial is something that should not happen, ought not to happen. Though some more actions would be required to ensure this.
    • For limited purpose, ration cards are also included. If for some reason, one member of the family is unable to authenticate, any other member of family can come for authentication.
  • Chandrachud, J: Is there any isolated pocket in country where Aadhaar services have not been able to reach?
  • Dwivedi:
    • In such a case, alternative methods will apply.
    • As of now, pending the judgment, even if someone has not enrolled for Aadhaar, there’s no compulsion under section 7. There’s still time. The third alternative under S. 7 can apply only if the enrolment process has begun.
    • In case of PDS scheme, the central govt. is competent to replace the identification card with which benefit is to be obtained if it thinks that the latter is more reliable. Thus, it can replace the ration card with Aadhaar card.
    • Every institution will have some kind of identification procedures and we will have to follow them. These are regulatory processes.
    • When you identify, it is a matter of dignity. Because you are recognised. We all strive to get recognised. It is a matter of pride.
    • No right is absolute. Regulations are permissible.
  • Chandrachud, J: There should be a choice of identity. If the choice is not there, it is not proportional.
  • Dwivedi: If you have to get benefits from an institution, you should comply with the requirements prescribed by it. Aadhaar is unique and universally applicable. No language barrier like other ID cards.
  • Chandrachud, J: If my biometrics are attached to every transaction I undertake, it ceases to be just an identification mark.
  • Dwivedi: Only one finger or one iris is used for authentication. It discloses no information.
  • Chandrachud, J: Fingerprint by itself doesn’t disclose any info. But, when it attaches with all the other information, it forms a wealth of information. There comes the need of data protection.
  • Dwivedi: Data is disaggregated between different REs.
  • Chandrachud, J: In such a case, aggregation of data is all the more possible.
  • Dwivedi: In most cases, authentication is done only once. Eg. PAN. It is for lifetime. For sim cards, it is done only at the time of obtaining it. So, where is this multiplication of authentication from morning to evening coming from? Realistically speaking, there’s no trail of authentication from morning to evening. No real time tracking is done.
  • Shyam Divan interjects: The demo of withdrawing Rs 100 using a thumbprint was shown in the court. That’s tracking.
  • Dwivedi: Where is it provided in law that you need to give thumbprint every time you transact? You only have to link it with your bank account.
  • Shyam Divan: I am asked for my thumb impressions every time I need to open a Fixed Deposit.
  • Dwivedi: Not everybody is capable of opening FD everyday. It is done only once or twice in a year generally.
  • Dwivedi (On dignity): There are two parts of preamble.
    • “To secure to all its citizens…” and
    • “to promote among them all…”
    • Securing justice is a part of the basic feature of the Constitution. Minimum requirements to enable a man to survive to live is a positive duty of the State. And it is for these minimum requirements that the Acts like NFSA, etc. are there.
  • Chandrachud, J: Constitution protects dignity in all its forms.
  • Sikri, J: Food is a part of dignity and so is privacy. When there’s a conflict between the two, it has to be considered which should prevail. But, why can’t we say that there’s no conflict. Both are to be ensured.
  • CJI: The point is when you take fingerprints for Aadhaar, it gets stored in Aadhaar. This is an invasion of right to privacy.
  • Dwivedi: Any system which involves biometrics will require storage of biometrics- either at single point or multiple.
  • CJI: Minimal intrusion with legitimate interests have to be ensured.
  • Dwivedi: Providing services and benefits is to ensure dignity and liberty of individuals. Which is a legitimate interest.

____________________________________________________________________________________________________________________________

Source:  twitter.com/SFLCin

Senior Advocate Rakesh Dwivedi continued with his arguments before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ on Day 29 of the Aadhaar Hearing.

Below are the highlights from Day 29 of the Aadhaar Hearing:

  • Dwivedi: It’s better to tighten the nuts and bolts of Aadhaar rather than demolishing it completely. Information is strictly confined to the purpose of authentication. Interplay of section 8 and 29 of the Aadhaar Act, 2016 say that core biometrics are not shared. Data shared under section 29 is non biometric data.
  • Chandrachud, J: Section 8(3) combined with section 29(3) means that the requesting entity will know the purpose of the authentication.
  • Dwivedi: If the bench is unsure whether requesting agencies collect information that they are not supposed to then the bench should read down sections 8(3) and 29(3) to make sure that REs do not know the purpose of the authentication or collect any information.
  • Chandrachud, J: A hospital may have data on an individual based on the number of times the individual has requested authentication. This can be helpful information for pharmaceutical or insurance companies.
  • Dwivedi: GDPR provides no curative measures. Aadhaar Act provides enough data protection to citizens. No data protection law can provide hundred percent protection. The test should be “reasonable, fair and just” protection. Aggregation, analysis or transfer of data is not allowed by the Aadhaar Act.
  • Chandrachud, J: What use the REs are making of the data, we don’t know right now.
  • Dwivedi: We can only tackle real apprehensions.
  • Chandrachud, J: Real apprehension is that elections are swayed using data analytics. These problems are symptomatic of the world we live in.
  • Dwivedi: Can’t compare this to Cambridge Analytica. We don’t have algorithms that Google has.
  • Chandrachud, J: We can’t have a blinkered view of reality.
  • Dwivedi: UIDAI does not have learning algorithms. Aadhaar Act does not authorize it. We have simple matching algorithms. The Bench should not give in to the hyper phobia that the petitioners have created. We have a powerful media and competitive interests to check any misuse of data.
  • Chandrachud, J: Interface of Aadhaar with the world outside is the area of concern.
  • Dwivedi: Examine the design of the Act. We don’t want any scare mongering. We want people of India to trust us. Section 28 of the Act also provides protection of information. The information will be in the control of UIDAI and will be kept secure in CIDR. Section 57 does not allow just anyone to become a requesting entity. It’s a limited exercise. UIDAI will not approve anyone to become an RE unless it is satisfied that the particular entity needs to use the facility of authentication.
  • Chandrachud, J: Why are words “body corporate or any person” used in section 57? That breaks the nexus of the Act with the consolidated fund of India. What is the point of involving private parties in the Aadhaar infrastructure?
  • Dwivedi: Private players are not exempt from constitutional norms. And the divide between public and private sector is narrowing.
  • Chandrachud, J: Section 3 says Aadhaar is an entitlement. How did it become mandatory?
  • Dwivedi: It was made mandatory by other Acts. Aadhaar Act has nothing to do with other linkages of Aadhaar except Section 7. UIDAI is mandate-neutral. The government is making it mandatory under other Acts. The bench can look at these Acts separately. Under the Aadhaar act, obtaining Aadhaar is voluntary.
  • Chandrachud, J: Aadhaar can be made mandatory under a law or through a contract under section 57.
  • Dwivedi: Object of section 57 is not to expand but to limit. Backing of contract is needed. Any paanwalla or chaiwalla cannot become a requesting entity. It has to be pursuant to a contract. UIDAI may still refuse an entity from becoming a requesting entity.
  • Chandrachud, J: How is need for authentication decided? For e.g a taxi service or software app.
  • Dwivedi: There has to be a prior contract and then UIDAI is approached for request.
  • Sikri, J: Where is the guideline for what will be considered a “need” for authentication and what won’t be?
  • Khanwilkar, J: Prior contract comes before permission from UIDAI is taken. Schedule A of the Act that outlines who all can be REs is very wide.
  • Dwivedi:
    • The rules of IT Act 2000 and the punitive provisions of the Act are also applicable to Aadhaar data under Section 30 of the Aadhaar Act. This is further security. Anyone who attempts to gain unauthorized access to CIDR will be imprisoned for ten years. CIDR comes under critical information infrastructure.
    • Aadhaar is not just an exercise to provide benefits and weed out fakes but also to bring the service providers face to face with the beneficiaries. That’s the revolutionary aspect of Aadhaar.
    • None of the other identification cards are universally held in the country. These cards are only for initial identity and address proof. Nobody will give their wrong name or address when biometrics are involved.
    • Aadhaar is not the panacea for all evils but the problems that were occurring on account of fake identity documents will be solved.
    • Petitioners were arguing that there’s no legal mandate to store information in CIDR. RD quotes section 10 in this regard.
    • Petitioners argued that we have hired foreign suppliers. Only software is used by UIDAI as licensee. The hard disks and servers belong to UIDAI. Even technicians are given access to CIDR only when there’s a problem in the process of UIDAI officials.
    • Another argument that was raised was that Aadhaar is probabilistic. It is not probabilistic, but deterministic.
  • Sikri, J: You have to give a proper response to that. Argument was from the exclusion angle.
  • Dwivedi: Probability governs us everywhere. Nothing is certain. Just because it is probabilistic, it cannot be discarded.
  • Chandrachud, J: If the probability leads to deprivation of fundamental rights, then there should be safeguards in place to ensure that this deprivation doesn’t happen. There should be an administrative machinery in place to ensure no genuine beneficiary is deprived.
  • Dwivedi: I agree that nobody should be denied benefits due to authentication failure. Our submission is inclusion. Section 7 itself provides a fall back mechanism if authentication failure happens. We have to look at effective implementation.

____________________________________________________________________________________________________________________________

Source:  twitter.com/SFLCin


Additional Solicitor General Tushar Mehta concluded his arguments before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ on Day 28 of the Aadhaar Hearing. He was then followed by Senior Advocate Rakesh Dwivedi.

Below are the highlights from Day 28 of the Aadhaar Hearing:

  • ASG: Prevention of Money Laundering Act (PMLA) amendment was made considering the larger public interest. The PMLA Rules are not ultra vires the Aadhaar act or RBI circular. There’s no challenge with respect to the PMLA rules being ultra vires the PMLA.
  • Sikri, J: Rule 9(4) is challenged on the ground of proportionality. What is the need to make Aadhaar compulsory when there are other officially valid docs available?
  • ASG: It is to prevent impersonation.
  • Chandrachud, J: What about Arvind Datar’s submission that PMLA Rules are ultra vires the Act; there is no provision under PMLA to render a validly opened account non operational; why is Aadhaar linking extended to mutual funds and insurance policies as well?
  • Sikri, J: Anyone can become a reporting entity under the PMLA, not just banks. How is this proportional?
  • ASG: We follow zero tolerance policy when it comes to money laundering. Public interest is interest of the nation here.
  • CJI & Bhushan, J: How is blocking accounts if Aadhaar is not provided not in violation of Article 300A of the Constitution?
  • ASG: It’s a reasonable restriction.
  • Chandrachud, J: Is the penal consequence authorized by the Act or rules itself? The Act only talks about verification of bank accounts.
  • ASG: The rules are part of the Act. Penal consequence is just an ancillary provision and can be provided by the rules. (Chandrachud, J doesn’t agree) That only plenary law is considered with respect to “procedure established by law” is wrong. The rules can also be considered. Freezing of bank account is not a penalty but just a consequence.
  • Sikri, J: It is a penalty. You’re depriving someone of their property.
  • ASG: The point of such a consequence (freezing of bank accounts) is so that money launderers render their account non operational.
  • CJI: Our only question is whether the consequence is mandated under law or is it an overreach.
  • ASG:
    • Terror financing destroys the root of our democracy and threatens our national security. There are huge cross border implications. Both in and outside India this kind of menace happens. Therefore it’s important to link bank account with Aadhaar.
    • Scheme of PMLA is three fold:
      • Zero tolerance to money laundering
      • Curbing black money
      • Reaching beneficiaries.
    • There will be minor inconvenience to some citizens but it is in the interest of the nation.  Public interest and “perceived Privacy” should be weighed before taking a decision.
  • Rakesh Dwivedi: People have voluntarily signed up for Aadhaar. GOI has ample means to surveil. No need of Aadhaar.
  • Chandrachud, J: Technology is a very powerful enabler of mass surveillance. Elections of countries are being swayed with the use of data and technology.
  • Dwivedi: We can’t compare Google and Facebook’s algorithms with UIDAI’s technology.
  • Chandrachud, J: The Act does not preclude UIDAI to acquire that kind of tech.
  • Dwivedi: It’s an offence under section 33. The only purpose of Aadhaar is authentication and nothing else. There is no power provided under the Act to analyze data.  Meta data is also limited. The meta data is of authentication records and it does not reveal anything about an individual.  Meta data consists of authentication request, result of authentication and the time of authentication only.
  • Sikri, J: That is enough to reveal a lot about an individual.
  • Dwivedi: The authentication request will show from where the authentication request came (for example from Apollo hospital) but there’s no way to know the location from where it came. Also the identity of the person who requested authentication is not revealed.
  • Chandrachud, J: The requesting entity can store the data, considering there is not even a robust data protection law. Commercial information about an individual is also a gold mine. Surveillance doesn’t have to be interpreted in the traditional sense.
  • Dwivedi: Millions like me do not care about privacy.
  • Chandrachud, J: Giving fingerprints for a limited particular purpose is okay. Under Aadhaar, fingerprints are means for storing data in a central database for the purpose of authentication. That’s a problem.
  • Dwivedi: The biometrics are encrypted. Also the data is not shared with anyone. Even EU data protection law does not have the kind of protection that Aadhaar Act has. There is no reasonable expectation of privacy with respect to demographic information. I understand if people have a problem with the implementation and enforcement of the Aadhaar Act. But there’s no problem with the law and the technology.
  • Chandrachud, J: Section 29(b) allows sharing of data with third parties by requesting entities.
  • Dwivedi: Section 29(1) bars sharing of core biometrics completely. Section 29(b) has to be read in the context of section 29(1).
  • Chandrachud, J:  This Act has gone beyond section 7 benefits and that is our major concern. Section 29(3) uses the word “identity information” which seems to suggest biometrics can also be transferred.

____________________________________________________________________________________________________________________________


Source:  twitter.com/SFLCin


On Day 27 of the Aadhaar hearing, ASG Tushar Mehta continued with his submissions before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ.

Below are the highlights from Day 27 of the Aadhaar Hearing:

  • ASG:
    • The argument that the Aadhaar act was made in violation of interim orders of the SC has already been refuted in the case Binoy Viswam (Aadhaar PAN linking judgment). Only the challenge to article 21 is open with respect to Aadhaar. All the other aspects have already been dealt with in Binoy Viswam. It has already been proved that Aadhaar linking with PAN will help curb money laundering and black money, and prevent tax evasion. This question is not open to challenge anymore as it has already been decided by this court.
    • Biometrics will help curb the growth of shell companies. This is again a facet of reasonableness and proportionality.
    • Balancing of interests is also a facet of proportionality, which was propounded in the judgment of Modern Dental College.
    • Aadhaar will help law enforcement curb terrorism.
    • There’s no random scrutiny of people in the name of Aadhaar. The exercise of linking Aadhaar with bank, phone etc is only done to weed out fake or duplicates.
    • IT Dept uses third party information to identify cases of defaulters. Rule 114b requires quoting of PAN to file returns. A person can easily say that they don’t have PAN and then evade taxes. PAN-Aadhaar linkage will prevent this kind of tax evasion.
    • A statutory measure should not be excessive with respect to the object it seeks to achieve and the court will not look into the legislature’s wisdom till it’s shockingly disproportionate.
    • If there’s a competition between right to privacy and the right to information of a citizen, the former has to be subordinated to the latter for the sake of larger public interest. The fair needs of the society and the nature of social control have to be kept in mind when enforcing reasonable restrictions.
    • Legitimate state interest is enough. No need to prove compelling state interest. The word ‘necessary’ is not synonymous with ‘indispensable’. It only has to be proved that it’s necessary for larger public interest. If there’s an overwhelming public interest then there’s no need to apply the “least intrusive” test.
    • Menace of hawala transactions and money laundering is a global concern.
  • Sikri, J: There’s no doubt that money laundering is a problem. The only question that needs to be answered is how Aadhaar will prevent money laundering.
  • ASG: Prevention of Money Laundering Act is not a toothless law anymore. The formation of rules flows from section 12(c) of the Act.

____________________________________________________________________________________________________________________________


Source:  twitter.com/SFLCin


On Day 26 of the Aadhaar Hearing, Attorney General KK Venugopal completed his submissions before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ. Additional Solicitor General Tushar Mehta began his arguments before the Bench.

Below are the highlights from Day 26 of the Aadhaar Hearing:

  • AG: Section 59 of the Aadhaar Act, 2016 provides retrospective effect. (Cites cases to show that a particular action can be validated by a subsequent Act, as it happened in the case of Aadhaar. Reads out the third version of the Aadhaar enrollment form. Reads out the content and says it’s free and voluntary and has provisions for taking informed consent.)
  • Chandrachud, J: The first two forms did not have any reference to biometrics. It was only inserted in the third form.
  • AG: The CBI had gone to Bombay High Court to obtain biometrics in connection with a rape, since UIDAI had refused to provide them as biometric data cannot be shared without the individual’s consent. The state has no interest in collection of biometrics except for the benefit of the individual himself. Emphasizes that invasion is privacy. When there was no right to privacy, the government acted in a bona fide manner when they enacted Aadhaar. Therefore that action cannot be said to be void by retrospective action.
  • Chandrachud, J: The question of privacy was irrelevant in MP Sharma. Only the first part of Kharak Singh affirmed that there’s a right to privacy. The subsequent judgments that affirmed privacy relied on the first part of Kharak Singh.
  • AG completes his submissions.
  • ASG Tushar Mehta:
    • The challenge to section 139aa was examined by this court. Apart from right to privacy, all other aspects were considered.
    • In Privacy Judgment, all nine judges have affirmed that right to privacy is not absolute.
    • J. Chandrachud laid down the three tests under which privacy can be invaded in particular cases. Five out of nine judges have upheld the principles of legitimate state interests and proportionality.
    • A legislation has to pass all four tests to be valid. Three laid down in Privacy Judgment and also the test of manifest arbitrariness.
    • All these tests were examined in Binoy Viswam although in the context of Article 19.
    • Another test will be the test of larger public interest.
    • All the demographic information that is required under Aadhaar was already being taken since 1989 under section 139a of the income tax (for obtaining PAN).
    • Left hand thumb impression was also taken for people who can’t sign. Bench says there’s no collection of biometrics and there’s no authentication taking place.
    • Those who have already taken PAN do not have any legitimate interest in withholding information that they have already provided for obtaining PAN.
    • 1.3 lakh cases of duplicate PAN were found. Says that PAN can be misused for the purpose of tax evasion, black money, setting up shell companies etc. Aadhaar will ensure that one person has one PAN by interconnecting the PAN-Aadhaar database.
    • Even companies need PAN cards. And the documents used for obtaining PAN can be easily forged. Therefore, Aadhaar with the use of biometrics will prevent that.
    • Fake PAN cards are used to create shell companies abroad and Aadhaar can make sure that this does not happen.
    • Uniqueness of PAN is important. Deduplication test needs to be conducted. Demographic way of verifying deduplication is not foolproof. Hundred percent verification is possible with Aadhaar as biometrics and iris scans will be used.
    • There’s a huge gap between the no. of PAN holders and the entire tax base.
    • Finance minister has described financial frauds in his Feb speech. Also our tax collection is very low in our GDP ratio. We are a largely tax non compliant country and the burden of people who evade taxes falls on honest tax paying citizens.
    • 17.4 cr out of 36 cr tax payers have already linked their Aadhaar with PAN. Even transgenders are included without having to disclose their gender.
  • Bhushan, J: You’ll have to prove there’s no violation of privacy. In substance Puttaswamy and Shayara Bano retrospectively ratify what was held in Binoy Viswam.

____________________________________________________________________________________________________________________________


Source:  twitter.com/SFLCin


On Day 25 of the Aadhaar Hearing, Attorney General KK Venugopal continued arguing before the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, AM Khanwilkar, Dr. DY Chandrachud and Ashok Bhushan, JJ on the safety aspect of biometrics.

Below are the highlights from Day 25 of the Aadhaar Hearing:

  • AG:  Finger imaging technology is 99.9% accurate. Biometrics is a very safe and accurate technology and can solve problems such as money laundering, bank frauds, income tax evasion etc.
  • Sikri, J: Bank frauds weren’t caused because of multiple identities.
  • Chandrachud, J: Aadhaar will not prevent an individual from operating layers of commercial transactions. It won’t prevent bank frauds either. Can only help in providing benefits under section 7 of Aadhaar Act, 2016 at most. Mere legitimate state interest does not ensure proportionality. Your submission lacks this nuance.
  • AG: Aadhaar will help in income disparity and eliminating poverty.
  • Sikri, J: The gap is widening. More than 70% wealth is in the hands of 1%.
  • Chandrachud, J: Proportionality is key. How far can the state cast the net of Aadhaar. Only section 7 seems to be understandable.
  • Sikri, J: You cannot assume that the entire population consists of defaulters and violators. What is the logic in linking all SIM cards to Aadhaar?
  • AG: Terrorism will be curbed by doing this.
  • Chandrachud, J: Do terrorists apply for SIM cards? It’s a problem that you’re asking the entire population to link their mobile phones with Aadhaar.
  • AG:
    • We are asking for minimal information via Aadhaar. Most information is already available in public domain. The question is to what extent has Aadhaar invaded privacy? It’s as minimum as possible.
    • Aadhaar is required only for section 7 benefits, banks, income tax and mobile nos. Apart from that it’s purely voluntary.
    • Court needs to balance two competing rights. Maintains that right to food, right to employment, right to medical care, etc trump right to privacy. Can right to privacy be invoked to deprive other sections of the society?
    • The invasion to privacy is so minimal that it can’t even be considered an invasion. In X v. Hospital Z right to privacy was balanced against right to information. The appellant (a man) had HIV and had the right to non disclosure. However, the court had held that his fiancée had the right to know of his disease.
  • Sikri, J: This is the case of balancing the rights of two persons. In the case of Aadhaar, you’re giving a person food in exchange of their privacy.
  • AG: The bare minimal requirements for identification for an individual are alone taken and to the extent that the technology permitted. Should people have basic right to life under article 21? Can it ever be challenged on the ground that we have a right to privacy?
  • Bhushan, J: Minimal invasion is subjective. What may be minimal for one might not be minimal for you.
  • AG: Please look at the information that is taken and look at it from objective standards. We have to look at the larger interest of the country.
  • Chandrachud, J: We have to look at three things: informed consent, purpose limitation, and enough security.
  • AG: The CIDR is completely safe.
  • Chandrachud, J: We have to look at what proportionality means. Proportionality hasn’t been defined in the Privacy judgement.
  • AG: Without the minimal information that is collected, the entire architecture of Aadhaar couldn’t have been framed. Sections 29 a and b contain purpose limitation. Aadhaar was voluntary when it was rolled out, therefore there’s no question of violation of any right.
  • Sikri, J: Is it permissible to say that I’ll give you food, shelter, etc but you’ll be my slave?
  • AG: Slavery is not permissible.
  • Chandrachud, J: Your argument to save the validity of the Act does not take into account what happened before the Act was passed. There was no protection for the citizens at that time. There’s no retrospective effect also. What about collection of data by state Governments?
  • AG: State Governments act as the agent of the Central Government.
  • Khanwilkar, J: Is biometrics locking option available for people who don’t want to use Aadhaar?
  • Shyam Divan intervenes: There’s no way to opt out of the Aadhaar system.

____________________________________________________________________________________________________________________________


Source:  twitter.com/SFLCin