In the infamous ‘ADM Jabalpur’ case, the government held that Constitutional rights of citizens stood suspended. Justice H R Khanna asked, “Life is also mentioned in Article 21 and would government argument extend to it also?” Niren De, the then Attorney General, replied, “Even if life was taken away illegally, courts are helpless.” On April 28, 1976, the Supreme Court had ruled: “Under Clause (1) of Art. 359, no person has any locus standi to move any writ petition under Art 226 before a High Court for habeas corpus.” Thankfully the ‘ADM Jabalpur’ judgment is dead.
On August 24, 2017, a nine-judge Constitutional bench of the Supreme Court, in a landmark judgment in India’s democracy, held that the Right to Privacy is ‘intrinsic to life and liberty’ albeit with reasonable restrictions. The Court announced that a five-judge bench would look into the contours of privacy, and mentioned that the government had set up a Committee led by Justice B N Srikrishna to review data protection norms and make recommendations.
This week, the Justice Srikrishna Committee submitted a white paper on data protection norms. The work done by the Committee is laudable given the short time frame it had. The 243-page white paper looks at the gamut of issues relating to data protection and has outlined an exemplary approach. The white paper moots seven critical aspects — technology agnosticism, holistic application, informed consent wherein it has examined the importance of meaningful choice, data minimisation, controller accountability, structured enforcement and deterrent penalties.
The white paper has been put up in the public domain (https://tinyurl.com/y883tbcx) for comments/suggestions. Previously, this column had argued for the right to reclaim digital footprint from data Goliaths (http://bit.ly/2xCAWnZ). The white paper affords an occasion to focus on citizen-state relationship and the need to establish boundaries for the state and private entities.Critical to securing the Right to Privacy is the hierarchy of objectives. What data is the law aiming to protect? The primary construct of privacy is identity, and therefore, the first task must be protection of identity from theft and arbitrary systemic action. Habeas corpus, a recourse against unlawful dentention, literally translates into “that you have the body”. The question is what if the body is unable to establish and assert that s/he is the body?
Earlier this year, the government announced that it cancelled Aadhaar cards of 8.1 million persons—roughly the population of Israel. In the systemic maze, senior citizens, daily wage earners, pensioners and middle class folks were driven from pillar to post to enquire and redress the issue. Worse, the affected were told by the banks they cannot access what is theirs. Aadhaar was conceptualised for inclusion, and the Aadhaar Act for delivering welfare to the intended—with a no-denial proviso. It is unclear under what law entities can deny persons access to what is theirs.
The fulcrum of securing liberty requires the right to privacy and ergo right to identity. In his judgment, Justice Sanjay K Kaul opined: “The old order changeth yielding place to new.” The new order must protect the right of the body to assert that s/he is the person s/he claims to be. The law must establish a due process — issue of notice, a hearing and real time redressal — for updation or replacement. For other exigencies, there are multiple laws. The data protection law must through a permanent institutional mechanism preclude the possibility of a modern day Niren De arguing for a coercive regime to deny a person the instrument of identity.
And belief in assurances of protection, of identity and data, depend on the independence of the institution. Yes, the letter of the law matters, so does institutional stature and heft. Therefore, the authority must be accorded the status of a Constitutional body. The hub and spokes template structure of the Election Commission is a good one to consider. The choice of the person to lead the authority must be bi-partisan, and s/he could be assisted by a rotating collegium of experts and administrators.
Efficacy of the law and system calls for optimisation. The Committee deliberated on data minimisation — purpose specification, use limitation and relevance. What also needs assessment is the width of Aadhaar linkage — by government and private entities. For instance, insurance policy holders and mutual fund investors have been asked to link their Aadhaar. Apparently, the Prevention of Money Laundering Act requires this. The question is: is this necessary even when the bank accounts the payments are made from are already linked? The law must reduce repetitive compliance burden on individuals and the system.
In recent weeks private entities have joined the race. E-commerce platforms, payment apps, internet telephony services and car hire companies want Aadhaar linkage. Is this legit? And who will be responsible for the data that may be hosted on overseas servers — already entities are doing this and harvesting revenue? Thirdly, must every authentication spew out all the demographic data? Why not limit authentication to a Yes/No response?
Finally, there is the issue of connecting the dots — what Alexander Solzhenitsyn described as the spider’s web. Can the law ensure that the many linkages are not connected to profile the individual? Personhood is the essence of the construct of democracy and requires protection in law and by institutional mechanisms from the overreach of systemic zeal and ideological compulsions.
Shankkar Aiyar is the author of Aadhaar: A Biometric History of India’s 12 Digit Revolution, and Accidental India