If the Supreme Court rules that privacy is a fundamental right under Article 21, the consequences will be complex and far-reaching.
Ever since the Unique Identification Authority of India (UIAI) was constituted through a mere executive notification by the United Progressive Alliance (UPA) regime on 28 January 2009 as an arm of the now-defunct Planning Commission for issuing Aadhaar cards/numbers, many questions have been raised about the constitutional and ethical issues posed by the Aadhaar scheme. Of these, the right to privacy of an individual and consequently, protection of the data collected in the absence of a statutory framework are clearly among the central issues.
On 11 August 2015, after numerous hearings in a batch of writ petitions challenging the constitutionality of the Aadhaar scheme (the Aadhaar petitions), a three-judge Bench of the Supreme Court referred the petitions to a larger Bench on the question of whether Article 21 of the Constitution, which deals with the right to life and personal liberty, encompasses within its ambit the right to privacy as well. It is pertinent to note that Article 21, unlike Article 19, is not limited in its application to an Indian citizen or a natural person. In other words, even “juristic persons” such as corporations are entitled to invoke Article 21. Such being the case, if the right to privacy receives the imprimatur of the Supreme Court as a fundamental right within the meaning of Article 21, the larger question that is of interest is whether such an outcome would effect a sea change in our attitudes towards other rights and issues which are related to or flow from the concept of privacy.
For instance, an individual’s right to privacy would result in delimiting the right of the State to encroach upon her or his private space. Further, it gives rise to an obligation on the State to protect data collected by it from individuals under schemes like Aadhaar. The question that then arises is, are juristic persons such as corporations too entitled to similar expectations of privacy and data protection if the right to privacy under Article 21 is ultimately recognized by the Supreme Court? This question assumes significance in the backdrop of the efforts of the United States, the European Union and certain pharmaceutical companies to persuade the Indian government to create exclusive statutory rights in order to protect data submitted by them to regulatory authorities such as the Drug Controller General of India (DCGI).
These efforts, which are rooted in Article 39 of the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) as interpreted by this group, have thus far not met with success since India has consistently maintained that in light of the negotiating history of Article 39, there is no binding obligation on India to grant exclusive rights for data submitted to regulatory authorities. Notwithstanding this clear position, writ petitions have been filed in the past to explore the possibility of securing such rights through judge-made law, only to be dismissed by Indian courts as attempts to extend market monopolies.
However, if the right to privacy and consequent obligations on the State under Article 21 were to be recognized by the Supreme Court during the course of its cogitation in the Aadhaar petitions, it may justify and hence facilitate another round of attempts by those interested in protecting data through courts in the absence of a statutory framework. In this regard, it must be borne in mind that a fundamental right, once recognized by courts as forming part of the Constitution, is deemed to inhere in its beneficiaries. In other words, no statute needs to expressly recognize or vest such a right for it to be enjoyed by a person.
On the contrary, the State may not deprive or abridge or restrict the right “except according to procedure established by law”. This phrase has been interpreted by the Supreme Court to mean a statute or statutory rules and regulations to the exclusion of executive notifications. Simply put, in the absence of a valid, reasonable, fair and just legislation which justifies and permits the curtailment of a right encompassed by Article 21, the State cannot encroach upon it. If this position is applied to data submitted by corporations to regulatory authorities, these authorities cannot share the data with third parties or rely on such data themselves, unless the legislations which govern these activities expressly permit them to do so in a manner which passes muster on the anvil of Article 21.
In a nutshell, it may not be possible for these authorities to merely rely on the general object of the legislations and their silence to facilitate access to the data by third parties or rely on such data themselves. Therefore, in the event the right to privacy is recognized by the Supreme Court, the Indian government may need to effect amendments to existing legislations that govern submission of regulatory data for drugs, insecticides and pesticides if it wishes to maintain its position on the issue of data protection.
Having said so, one must note that a recognition of the right to privacy under Article 21 would only be with respect to the State, and not private parties, such as the media, individuals or any other entity which is not the State. Consequently, in the absence of a law which recognizes an individual’s right to prevent encroachment of privacy by private parties, the law of torts remains the primary and perhaps the sole source of remedy in most instances. As it stands today, apart from the law of torts, there are only a few islands where the obligation to protect privacy and data is cast on private players.
One such island is the Information Technology Act, 2000 which requires “body corporates” which collect “data”/“information” within the meaning of the Act to conform to the practices and procedures prescribed under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 to safeguard the privacy of individuals and to protect their data.
However, these Rules apply only to “body corporates” and to data/information dealt with by the Act, which is clearly a limited solution since the Rules may not apply to private entities (and agencies or initiatives of the State such as the Aadhaar scheme) which are not “body corporates”, and to those categories of information/data which are not covered by the Act. This again highlights the need for a comprehensive approach to privacy, as opposed to dealing with it in a piecemeal fashion.
The other important cousin of data protection is the protection of confidential information/trade secrets. Here too, although there are civil and criminal remedies available under the Information Technology Act, 2000 and the Indian Penal Code, 1860, industry has constantly bemoaned the lack of a codified trade secret law leaving the outcomes in civil disputes relating to trade secrets to the vagaries of individual proclivities of courts.
Each of these aspects clearly demonstrates that we as a society have a long way to go when it comes to recognizing and respecting the diverse variants of the concept of privacy. In a way, the Aadhaar petitions have perhaps come at the right juncture, when social media has forced us to revisit previously held notions of what constitutes “private”, and the thin red line separating the private from the public.
Importantly, this discussion requires us to strike the right balance between the right to free speech and expression, and the right to privacy. Perhaps, the first step in the right direction would be to recognize the right to privacy as a fundamental right, which is now in the apex court’s court.
Even if the Supreme Court recognizes the fundamental nature of privacy, it would then fall upon the government to take the next logical steps to address various aspects of privacy comprehensively so as to send out the message that India as a nation is no less sensitive and progressive in recognizing and protecting an individual’s private space.