This post is essentially a compilation of tweets from Gautam Bhatia, Prasanna and SFLC to understand how the Aadhaar hearing happened in the Supreme court.


Day 32: 24 April ’18

Senior Advocate Rakesh Dwivedi the last counsel for the State/UIDAI arguing.

  • Rakesh Dwivedi continuing the argument for the State. The State will finish this week.
  • Rakesh Dwivedi is talking about reasonable expectations of privacy.
    • Reads a judgment of the Constitutional Court of South Africa to argue that privacy is strongest in the inner sanctum of the mind, but shrinks as you move outside into the world.
    • Says that it has to be considered whether private life is protected outside your home, because people frequently give up their privacy in these conditions.
    • Says that the judgments of the European Court don’t take into account the issue of reasonable expectation of privacy.
    • Says that the US and UK Supreme Court treat reasonable expectation of privacy as very significant, and that the Indian position is closer to this.
    • Reads out an article from the Harvard Law Review saying that privacy is in opposition to the pursuit of knowledge.
    • Has argued that Indian needs innovation and development of knowledge, and also that the right to privacy is subject to the rights KS others to lead ordinary lives.
    • Says that the only question is whether the restriction on the right to privacy is proportionate to the government purpose. He says that nothing else can be taken into account. He says that the Petitioners have applied the wrong standard in arguing that the restriction on rights should be least intrusive.
    • Says that there is a vital state interest in ensuring that welfare benefits are not dissipated, and data mining to ensure this is permitted. (The last few extracts are passages from Justice Chandrachud’s plurality opinion in the privacy judgment)
    • Says that in the public sphere, the right to privacy is diluted.
    • He says that the entire Aadhaar activity is in the relational and public sphere. He says that demographic information and facial photograph don’t have any privacy concerns. There is no reasonable expectation of privacy.
    • He says that at the requesting entity point, it’s all dispersed and decentralised, and so it doesn’t deserve the level of protection that the CIDR is given.
  • Justice Chandrachud says that the point seems to be that core biometric information has higher privacy concerns.
    • Says that that does not mean that there is no privacy concern elsewhere.
  • Rakesh Dwivedi says that he agrees, and that he’s just saying that the reasonable expectation of privacy varies according to context.
    • Says that petitioners have cited no judgments involving identity cards. He says that 120 countries use biometric passports and nineteen European countries use biometric ID cards.
    • Says that the CJEU or the ECHR have never expressed any concerns with biometric ID cards.
    • Says that we don’t need to go to Europe for proportionality, because India developed the test in 1952 in V. G. Row’s case.
    • Says that the Indian Supreme Court has never accepted the requirement that a restriction on fundamental rights be least intrusive.
    • Now arguing about the perils of the sue process standard.
    • Says that in the privacy judgment, it has been said that if you willingly put up your personal information on Facebook, then you may not have a right to privacy in that information.
    • Cites some American judgments. Ohio v Akron, which was about disclosure requirements to authorities in abortion cases.You can read the case here.
    • Cites the case of Doe v Reed, which was about disclosure of signatures on a referendum campaign.
    • Cites the UK SC judgment in Wood v Commissioner of Police, which said that the taking of photographs in itself does not violate privacy.
    • Says that the American judgments cited by the AG on fingerprints have all been approves by the US SC.
    • Says that the Petitioners have relied heavily on the ECHR’s judgment in Marper, but actually, Marper supports the case of the State.
    • Says that Marper held that that the question of whether retention of data raises privacy concerns depends on the context.
    • Says that Marper has drawn a distinction between fingerprints and DNA profiling, and examined them separately.
    • Says that Marper was decided on the context of crimes, where the collection and retention of personal data actually casts stigma. That is not the case with Aadhaar.
    • Says that Marper held that DNA was problematic because it had “non-neutral” information. That is not the case with Aadhaar.
    • Says that the ECHR in Marper focused on a lack of consent, and fingerprints being “non-neutral” in the context of identification for crime purposes. Those conditions don’t apply in the case of Aadhaar.
    • Says that Marper held that the relevant test is that of “appropriate safeguards”, not 100% or near to 100%.
    • He repeats that Marper stressed that it was only being decided in its specific context.
    • Says that Marper has been distinguished by the UK SC in [2015] UK SC, Gaughran v Chief Constable, where there was no collection of cellular samples, and acquitted people were not sampled.
    • He says that this shows how it is always a contextual enquiry.
    • Says that the Petitioners cases are all in the crime context or about censuses, which have been upheld by this Court.
  • Bench rises for lunch.
  • Session 2.
  • Rakesh Dwivedi continuing the case for the State.
    • Comes to the issue of metadata. Says that the Petitioners have cited cases on metadata (such as Digital Rights Ireland) which involved large scale storage of metadata that was completely unrelated to any State purpose.
    • Says that in the Digital Rights case, the metadata stored involved identifying the date, time, location, duration of communication, and the nature of the machine used. In that context, the Court held that this metadata allows for complete profiling.
    • Says that petitioners have just placed all these cases without explaining the context. The metadata at stake in those cases was much more intrusive.
    • Says that in US v Westinghouse, the SC of the US said that the standard is one of “adequate safeguards”, and that is the standard that should be applied.
    • Says that petitioners have cited US v Jones, which was about a GPS device. Aadhaar does not have a GPS. Some Wi-Fi may be used at the time of sending the information to the CIDR, but not otherwise.
    • Says that the full court of the CJEU has recently issued an opinion saying that the ECHR judgments are only declaratory.
  • Justice Sikri says that at least they declare the law.
  • Rakesh Dwivedi says that it doesn’t have to be enforced.
    • Says that he will now deal with the issue of adequate safeguards.
    • Says that in G. Sunder Rajan v State of TN, (2013) 6 SCC 620, about the Kundankulan nuclear power plant.
    • In that case, the Court held that apprehensions that something like Fukushima would recur could not be a ground to stop the project. After a point, it must be left to destiny. The Court held that setting up a nuclear power plant would help to guarantee the right to life under Article 21, in the larger public interest – and that there were adequate safety measures.
  • Chief Justice of India had also written a judgment in this case. He asks Rakesh Dwivedi to read some paragraphs.
  • Rakesh Dwivedi reads out more paras on the same lines as above. Still reading out paras, on the same lines.
    • Says that there propositions emerge.
    • First, that safeguards can be read into Article 21. Degrees of safeguards will vary – for nuclear plants it will be one, and for CIDR is another.
    • Secondly, the standard must be “adequate safeguards”. The risk can never be zero.
    • And thirdly, there must be constant vigilance.
    • Says that we are always improving and upgrading our safety, and after the Srikrishma Report, we will upgrade more. R
    • Says that this proposition has also been adopted by the US Supreme Court in NASA v Nelson, which was about background checks of NASA employees.
    • Says that the US SC has discarded the least restrictive standard.
    • Says that the Aadhaar Act has enough security and control.
  • Justice Chandrachud points to the part of the judgment that says that an iron-clad disclosure bar is not required.
  • Rakesh Dwivedi agrees.
    • Points to the part of the judgment that says that data breaches are always possible, and that possibility can’t be a ground to strike down data collection.
    • Says that we are not even going that far. We have provided a complete bar on sharing, and what is available with the REs is totally dispersed. The extent of privacy is much more diluted. And there is consent and a bar on using for anything other than authentication.
    • Says that if there are breaches, then point them out to us. But petitioners don’t want to improve it, they just want to knock it off.
    • Says that the data protection draft law will be out by May.
  • Justice Chandrachud says that one area that requires consideration is remedies for breaches.
  • Rakesh Dwivedi says that the IT Act provides for penalties, and penalties have been imposed on Airtel etc.
    • Says that the Court and the government should work in coordination as the two great wings of State, and not in opposition. The sword should be unsheathed only in the last resort.
    • Says that the Court should be like a doctor and save the patient.
    • Says that the data protection context is totally different in the EUGDPR context. He says that that directive goes very far.
    • Says that the whole purpose of the EUGDPR is to balance free flow of data with data protection. However, we are not doing that with Aadhaar. Aadhaar is not about free flow of data, but no flow of data.
    • Says that this has no bearing on Aadhaar, and in any case, the Srikrishna Committee is handling it.
  • Justice Chandrachud says that the EUGDPR envisages a ban on biometric data processing.
  • Rakesh Dwivedi says that there are exceptions and state laws can provide for them, with appropriate safeguards.
    • Reads out the exceptions, which include legitimate State interests with appropriate safeguards.
    • Says that member States have been left free to make laws.
  • Justice Chandrachud says that that is subject to the test of proportionality.
  • Rakesh Dwivedi says that he is not disputing that.
    • Says that the EU is now contemplating a biometric ID card.
  • Justice Chandrachud humorously asks whether they are planning to seed it with Aadhaar.
  • Rakesh Dwivedi repeats his earlier point that the EU has opted for smart cards, India for a different architecture, and if Aadhaar succeeds there will be huge repercussions.
    • Comes to metadata.
    • He says that the petitioners have completely misunderstood the concept of metadata. He quotes from a book called The Data Warehouse Life Cycle Tool Kit.
    • Says that UIDAI collects only “limited technical metadata.”
  • Justice Chandrachud asks: is it necessary to retain metadata? Why do you have to retain it.
  • Rakesh Dwivedi says that it’s important to exercise control over the RE.
    • Says that there is no data about location or purpose of transaction, but only about the system, and that’s required for audits.
  • Justice Sikri says, so you’re not collecting metadata about the person but only about the machine.
  • Rakesh Dwivedi says yes.
    • Says that we don’t know location or purpose, just device ID.
  • Justive Chandrachud tells Rakesh Dwivedi that your argument might be supported By Regulation 26 proviso, which bars storing the purpose of a transaction.
  • Rakesh Dwivedi agrees. He says that in any case the Aadhaar Act bars storing of purpose.
  • Justice Chandrachud asks what is the meaning of “authentication transaction data”, which can be stored under Regulation 26.
  • Rakesh Dwivedi says that it’s the data pertaining to a specific transaction, and there is a bar on storing purpose.
  • Bench is rising.
  • Shyam Divan stands up and says that he has a point of information. The State cited the case of V.G. Row, which first laid down the principle of proportionality. V. G. Row’s son, S.G. Vombatkere, is one of the petitioners in this Aadhaar challenge.
  • Rakesh Dwivedi says that he will finish tomorrow by lunch.
  • Bench rises. To continue tomorrow.