31 August 2017
The Supreme Court of India (‘the Court’) issued, on 24 August 2017, its ruling in Justice K S Puttaswamy and Anr. v. Union of India and Ors. (Writ Petition (Civil) No. 494 of 2012) (‘the Case’), in which a bench of nine judges unanimously held that the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution of India. The judgement follows recent announcements by the Ministry of Electronics and Information Technology, the Telecom Regulatory Authority of India and the Reserve Bank of India, emphasising various initiatives and approaches to the development of a comprehensive privacy and data protection framework.
Mathew Chacko, Partner at Spice Route Legal, told DataGuidance, “In many ways, this judgment is just the end of the beginning for data protection/privacy in India. I expect derivative actions clarifying the impact of a fundamental right to privacy on issues such as Aadhaar, the manner in which Section 43A of the Information Technology Act 2000 has been drafted, the appropriateness of large scale data collection and transfers by companies, including but not limited to some of the social media giants, and obligations to protect information from data breaches and compensate for the same, will all hit courts in the next few years.”
The Case originally stems from a constitutional challenge surrounding the implementation of the largest biometric enrolment scheme in the world, commonly known as Aadhaar. In particular, Aadhaar was challenged principally on privacy grounds and was originally heard by a three-judge panel, which observed that while smaller benches of the Court had upheld in other cases the existence of the right to privacy as a fundamental right, prior precedents set by larger benches had not.
Some of the more adventurous opinions on how to interpret the data protection rules may no longer be appropriate
Srishti Saxena, Assistant Legal Manager at the Goods and Services Tax Network, highlighted, “The Court has recognised that the right to privacy is enforceable against both state and non-state actors. However, for enforcing the right to privacy against non-state actors a legislative enactment would be required. The Court specifically recognised the need for such legislation protecting privacy, [noting that] ‘there is an unprecedented need for regulation regarding the extent to which such information can be stored, processed and used by non-state actors.'”
The Court’s decision addresses the scope of the right to liberty and notes the significance of the ruling for the country going forward. Paragraph 1 of the 500-page verdict observes that “[i]f privacy is to be construed as a protected constitutional value, it would redefine in significant ways [the] concepts of liberty and the entitlements that flow out of its protection.”
On the impact of the decision Chacko concluded, “Actions based on the tortious violation of the right to privacy will be bolstered. The Government will now have no choice but to establish a procedure by which privacy rights are protected, and rules for transfers established, so there is now no doubt that a comprehensive data protection/privacy law is about to be drafted; and large scale data transfers from India could come under scrutiny. However, at this stage, the judgement does not require any changes to the regime that private companies follow in respect of data, except to be slightly more cautious in the manner of collection and transfer of data. Some of the more adventurous opinions on how to interpret the data protection rules may no longer be appropriate.”
Hernán R. Dutschmann | Privacy Analyst