“Privacy as an autonomy or control over the intimacies of personal identity.”
– Gerety
This article is a tribute to Justice K S Puttaswamy, former Karnataka High Court judge and the lead petitioner in the seminal ‘right to privacy case’, who is responsible for recognizing privacy as a fundamental right in India passed away on 28-10-2024 at the age of 98. Being a professor of law I am teaching cyber laws which is also known as information technology law responsible for regulation of activities in the cyber world.
With the advent of various types of technology and availability of such technology at lesser cost, every human being around the world has fallen trap to use technology in day-to-day life. From ordering food online to shopping clothes, books and other necessary items to booking tickets, appointments with doctors etc., to digital payments, every aspect of one’s life has become dependent on technology. To put it in simple words, life has become dependent on two essential things smart phone and internet access. However, it is important to note that the success of such technology is inter-alia dependent on the availability of data/information that it collects and/or collected for it. Thereby, data has definitely become the ‘new oil’ since availability of data, processing it and utilizing it in formulating a perfect algorithm for technology has become very expensive for companies providing digital services. It is has opened a Pandora’s Box of issues to discuss and worry about misuse. Few very important aspects for us to understand are our rights over our data, how does law protect our rights and what should companies do to safeguard our rights.
The debates about privacy are almost always revolving around new technology, ranging from genetics and the extensive study of bio-markers, brain imaging, drones, wearable sensors and sensor networks, social media, smart phones, closed circuit television, to government cybersecurity programs, direct marketing, RFID tags, Big Data, head-mounted displays and search engines. There are basically two reactions to the flood of new technology and its impact on personal information and privacy: the first reaction, held by many people in IT industry and in R&D, is that we have zero privacy in the digital age and that there is no way we can protect it, so we should get used to the new world and get over it . The other reaction is that our privacy is more important than ever and that we can and we must attempt to protect it.
According to me Privacy as a positive obligation, for the performative, denudes the very idea of individual autonomy, which the right to privacy seeks to secure and nurture. Privacy is also envisaged as a positive condition if the State is in a position to determine and differentiate between good and bad privacy. Good privacy would relate to cases in which the State can suitably establish that there is absence of public harm and bad privacy would be determined when it results in public harm. However, arguably the trouble with anointing the State with authority to make this determination is that it may result in first, the rapid expansion of the category of activities which result in public harm (including gauging the potential impact of activities) and second, it would also provide the State with a justification for authoritatively determining for what purpose good privacy should be used. This indeed would in effect turn the citizenry into subjects.
India has one of the fastest growing markets in terms of internet access and connectivity in the world. This expansion has been primarily led by the growth in mobile telephony. The mobile telephony market has been fiercely competitive with new players like Jio Telecom entering the market thereby further driving down prices in an already highly price sensitive market. Nevertheless, internet penetration still continues to be limited to not more than 35% of the Indian population. This is an important figure to keep in mind while discussing the issue of privacy on the internet in the context of India. Often discussions of privacy in India and the lack of protection thereof is assailed by charges of elitism and privilege but as our discussion will show this is a fig leaf because privacy is not just a public policy issue for those Indians who have access to the internet but should be of concern for everybody else as well. This is because the use of the internet to access public and private services has expanded rapidly through the Digital India project and the perverse incentives created by the official use of private services to address all forms of public outreach including grievance redressal.
In January 2017, the Government of Puducherry, a Union Territory issued an administrative order mandating as follows: “Hon’ble Chief Minister, Puducherry has noted that many Officers are using digital mode and social media such as Facebook, WhatsApp, Twitter, etc., for official communication. The servers of these multinational companies are based outside the country. Therefore, any foreign country can get these official communication and documents uploaded therein. This is violation of Official Secrets Act and also against the guidelines issued by the Ministry of Information Technology, Government of India, New Delhi. Hon’ble Chief Minister has directed that all Government Officers/officials and employees of Societies/Organisation run by Government shall desist from use of such social media for official works. No group shall be formed for official communication and they should not be members of any official group run in such social media nor interact with seniors bypassing the Administrative hierarchy and routine official channel. Strict compliance should be ensured by all concerned and violation, if any, of these instructions brought to notice shall invite disciplinary action and further penal action as per rules in force.” This order was thereafter cancelled by the Lieutenant Governor of Puducherry, Kiran Bedi, as it was in contravention of relevant guidelines, rules and policies.
Given its constitutional primacy, this would entail the right to privacy being given the status of non-derogable and non-alienable fundamental right. This would imply that under no circumstances can this right be taken away by the State or other non-state actors even in case of extreme circumstances like a national emergency. Further, certain core aspect of right to privacy cannot be shared even if the individual so wished. This is akin to the way the fundamental right to life and personal liberty under Article 21 of the Constitution is conceptualized as disallowing the right to commit suicide. The doctrine of non-waiver of fundamental rights is an established constitutional norm that would support such a conceptualization. If privacy takings are of the nature that cause not only extreme individual deprivation but also cumulatively lead to constitutional harms, it is imperative to enlarge the referential canvas to better appreciate their constitutional impact. Constitutional morality as a conceptual idea may provide us with more enriched canvas to review current developments. Simply put, the idea of Constitutional morality refers to certain fundamental values embedded in the Constitution which requires protection vis-à-vis State action and inaction. Further, Constitutional morality also requires that every public official as well private citizens would uphold these constitutional values through their actions. What are these fundamental values? These values are both which are expressly enumerated, for instance, the fundamental right guaranteeing life and personal liberty or democracy (provided in the Preamble to the Constitution) and unremunerated but which can be interpreted from the Constitution, such as federalism which has been identified as part of the basic structure doctrine. Securing the dignity of the individual is one of fundamental values expressly enumerated in the Preamble to the Constitution of India. The right to privacy received explicit recognition by the Supreme Court, as a fundamental right under the Constitution of India in K.S. Puttaswamy v. Union of India. It is important to note the constitutional implications of this recognition. This was first applied to review a claim that the Aadhaar project was violative of newly recognised right to privacy. The Court upheld the Aadhaar project subject to specific conditions including the establishment of an effective data protection regime. In its decision, it was held that the ‘legitimate state interest’ standard rather than a ‘compelling state interest’ standard. The Court found that the measure, namely Aadhaar, passed the legitimate State interest test because the measure was proportional. Interestingly at the necessity stage, the Court found that the lack of an alternative measure, that would be equally effective but with a lesser degree of restrictiveness. This begs the question that on whom should the burden rest of justifying the search of alternative measures and in defending the lack of alternative? Clearly it is the State who is proposing the measure. What is confounding is that the Court faulted the petitioner’s failure to suggest alternative measures. On the question of balancing of two competing rights, the Court acknowledged that social entitlements are constitutionally protected and it ensures a right to live life with dignity. The right to privacy also protects individual dignity. It finds that the measure is reasonable as it balances these two aspects of dignity since information collected at the time of authentication is minimal. This is a specious and circular argument. The challenge is not against the provisioning of social welfare benefits. The mechanism of delivering those benefits i.e. Aadhaar is privacy intrusive to say the least. Moreover, the Court is completely aware of its framing this as a facile trade-off since it states that “we are by no means, accepting that when dignity in the form of economic welfare is given, the State is entitled to rob the person of liberty. That can never be allowed. We are concerned with the balancing of the two facets of dignity.” This requirement of balancing would not have arisen in the first place if the measure in question was not Aadhaar, which requires the sacrifice of privacy by citizens in order to access their constitutionally protected social entitlements. In effect, by coercing citizens to make this choice between binaries, it fundamentally reduces social entitlements to privileges and citizens themselves to subjecthood. Here it would be appropriate to also discuss Justice Chandrachud’s dissent on the application of the proportionality principle. He found that the cases cited to justify Aadhaar were inapplicable since those cases related to national security and prevention of crime. He held that the collection of demographic and biometric information in the Aadhaar project, effectively justified the treatment of all citizens as criminals without making a distinction for those indulging in identity fraud and therefore infringed upon the justifiable expectations of privacy of ordinary citizens. Thus he held Aadhaar to be disproportionate to the objective sought to be achieved by the State. The Aadhaar judgement of the Court reflects its failure to appreciate the current reality of how information is collected, stored and shared and also the inability of individuals to assess and negotiate singular actions of information sharing and differentiating them from the cascading effects of information merging and the potential harms which may result from the abuse of such data convergence. This failure is also more problematically reflected in the continued emphasis on individual consent as the fundamental principle for allowing for privacy intrusions, when in fact individuals have little knowledge, information or agency in negotiating such acts of sharing of privacy.
The right to privacy is an emanation of the right to self-determination of an individual. The role of the State in delaying the provisioning of a robust data protection framework for ensuring this right in the digital space should be suspect, especially given that it is an “interested party” in increasingly using internet and specifically private intermediaries for a range of public functions. The Right to Privacy judgement located the philosophical basis of the right to privacy as inalienable natural right that seeks to protect the dignity and autonomy of the individual. This is one of the fundamental values on which India as a constitutional republic was founded. Privacy takings and privacy intrusions both significantly undermine the autonomy of the individual and the right to self-determination. In the internet era, privacy takings and intrusions are manifestly more insidious and multiple. It is imperative therefore to develop an understanding of these infractions and to examine them in light of constitutional morality. Perhaps the idea of not only personal harm but also potential constitutional harm to the republic should be developed to better appreciate the cumulative implications of these developments. In the final analysis we need to look at the internet as allowing for a collective range of relationships that mutually reinforce each other.
In such a context, a pursuance of narrow legalistic analysis of constitutional provisions and assessment of actions which may potentially violate such provisions are of limited utility. Constitutional theory and jurisprudence is also a rich source of fundamental political values which I refer to as constitutional morality. Contemporary developments like the rapid intrusion of the internet into the public and the private life of the Indian citizen can undermine constitutional morality in terms of fundamentally altering the relationships between the citizen and the state and between citizens inter se. It may lead to a greatly unequal public sphere and fundamentally compromise the individual right to self-determination and autonomy of choice which privacy seeks to protect and nurture. The idea of constitutional morality refers to the fundamental values that are explicitly mentioned in the preamble to the Constitution. It is also necessary to examine the Constituent Assembly debates to provide us an insight into the context in which such fundamental values were sought to be protected through the guarantee of fundamental rights and the administrative structures that govern the institutional functioning of the constitutional authorities which were tasked with the safeguarding of those values. An imagination of constitutional morality should permeate the actions of all constitutional functionaries including the executive. This will also allow for self-evaluation by the executive in undertaking legislative measures such as Aadhaar which are essentially in the nature of a privacy taking or to aggressively intervene in safeguarding privacy takings and intrusions by non-state actors. The idea of constitutional morality provides us the imaginative and the legal space to examine current practices on the internet in reclaiming the debate in terms of the fundamental values. Our inability or unwillingness to respond to the challenges posed by the rapid penetration of the internet and that of big data would reduce citizens to nothing more than the crocodiles in Alipore Zoo, whose privacy is a privilege granted only when it is deemed to be productive by others (be it the executive or by commercial enterprises in search of good quality ‘data’ to design models for artificial intelligence).
With an approximate 500 million active internet users in India, points discussed about are very crucial to understand and deliberate upon. Companies have to take into account the prospective law being legislated in India and be future ready to protect the interests of data protection. It is important to balance between the need for technology and the fundamental concept of privacy. As the technology grows leaps and bounds, the privacy law also has to be dynamic and meet the need of the hour.
