Summary of Arguments on Day 32 (24th April 2018)

On the 31st day of arguments, Mr. Rakesh Dwivedi had argued that the privacy is a small price to pay for ensuring the right to life and other rights under Article 21. Today, he resumed his arguments by speaking about the differing expectations of privacy in the private and public spheres. Relying on a case of the Constitutional Court of South Africa to argue that privacy is strongest in the inner sanctum of the mind, but shrinks as you move outside (i.e. public sphere). He argued that Aadhaar exists in the public sphere and thus the protection of privacy o certain data, like of residential address and facial photo, and cannot be legitimately expected to be shielded.

Mr Dwivedi argued that 19 European countries have some form of biometric ID cards. Neither the CJEU nor the ECHR has raised concerns. He reminded the bench of Justice Nariman, Justice Sapre and Justice Bobde’s opinions in the right to privacy judgement where they held that the test of reasonableness applies. He argued that it does not make sense to rely on foreign jurisprudence for proportionality and reasonableness, because ‘India is far ahead’. As early as in the 1950s, right from Madras v. V. G. Row, our Supreme Court has discussed excessiveness. European courts and courts of USA have only recently propounded similar jurisprudence. Even so, he relied on US cases which state that fingerprints encroach privacy lesser than cellular or DNA data, and are at par with photographs or voice samples.

Mr Dwivedi argued that although the Petitioners have relied heavily on the ECHR's judgment in S and Marper, but the case, in fact, supports the case of the State. He argued that Marper held that retention of data raises privacy concerns depending on the context. Thus, Marper drew a distinction between fingerprints and DNA profiling, and examined them separately. Marper was decided in the context of crimes, where the collection and retention of personal data actually cast stigma. But, he argued, that is not the case with Aadhaar.

Post lunch, Mr Dwivedi began to make arguments n the issue of metadata. He argued that the petitioners' reliance on cases like Digital Rights Ireland is inaccurate, as that case involved large-scale storage of metadata that was completely unrelated to any State purpose. The Court held that the metadata in Digital Rights Ireland allowed for complete profiling because it involved identifying the date, time, location, duration of the communication, and the nature of the machine used. He said that the metadata, in that case, was much more intrusive than in Aadhaar. Further, ECHR decisions cannot be relied on since they are merely declaratory.

Mr Dwivedi argued that the petitioners have completely misunderstood the concept of metadata. He quoted from a book called The Data Warehouse Life Cycle Tool Kit. He argued that the UIDAI collects only ‘limited technical metadata’. Justice Chandrachud asked why it is necessary to retain metadata. Mr Dwivedi responded that it is necessary to tighten control over stored data. He contended that the petitioners’ argument is contradictory because on the one hand, they raise security concerns saying the state has no control over the data, but on the other hand when it tries to exercise control over it using metadata, they say it has too much control.

Next, Mr Dwivedi argued that apprehensions about security ramifications of a project cannot override the justifications for introducing the project. In G. Sunder Rajan v State of Tamil Nadu the Court held that apprehensions of Nuclear spills cannot be a ground to stop the project. The Court held that setting up a nuclear power plant would help to guarantee the right to life under Article 21, in the larger public interest - and that there were adequate safety measures. Besides, as technology improves, security measures will improve. Even the US courts have rejected the ‘least restrictive’ test in NASA v Nelson. He made three propositions: First, safeguards can be read into Article 21, but the degree of safeguards will vary for different schemes. Secondly, the standard must be ‘adequate safeguards’. Nothing can ever be risk-free. Third, there must be constant vigilance. The State is constantly improving and upgrading safety measures. The absence of a data protection law is not a reason to strike down the entire Act, especially as the Justice Srikrishna Committee is working on drafting the law, which is expected in May. Mr Dwivedi argued that data breaches, if  pointed out, will be plugged by the State. Justice Chandrachud pointed out that remedies for breaches must be considered. Mr Dwivedi responded that the Information Technology Act provides for penalties.

Next, Mr Dwivedi read out sections of the EU Global Data Protection Regulations, to show that it has contemplated collection and usage of similar data. In fact, the EU is contemplating introducing biometric cards using such data, for various purposes including voting for the EU parliament.

Mr Dwivedi will resume his arguments on 25th April 2018.

(This post relies on the contributions of Ms Ashrutha Rai)