PUTASWAMY JUDGMENT: IMPLICATIONS FOR INDIA

-Tanshi Bajaj

Data handling has changed drastically over the years and classical ‘panopticon’ has now
taken a digital outfit. In this age and time, privacy becomes a pressing concern and
policies need to catch up to the changing technological era. In Indian context this change
was effectively cemented by the landmark decision of Justice K.S Puttaswamy (Retd.) v.
Union of India and Ors.

This essay aims to analyse the issue of right to privacy in India through an analysis of the
Puttaswamy judgment1. Thereafter, it attempts to answer the pressing question of its
implications on data protection and also traces the consequences of it on the larger debate
of privacy as right based approach versus informational security.

THE LANDMARK JUDGMENT

In 2012, the UPA government in India tested waters for their nationwide Aadhar
( Biometric identification system) scheme, making it mandatory for all citizens to enrol in
for an Aadhar card. They didn't stop here, but also consequently made it mandatory to link
Aadhar card to avail other schemes such as banking transactions, mobile sims etcetera.

In the same year, a retired justice of the high court, J. KS Puttaswamy filed a writ petition
challenging the constitutional validity of this Aadhar scheme. It was a result of an executive
order and therefore lacked legislative backing.

In 2015, a 9 judges bench was constituted to decide on this question of whether or not the
Indian constitution guaranteed a right to privacy. Justice Chandrachud, writing for majority
declared the right to privacy as an integral and inalienable part of right to personal liberty
under Article 21 of Part 3 of the Indian Constitution. He further analysed dangers of data
mining, positive obligations on the State to protect and prevent privacy of body and data of
its citizens, and the need for a data protection law.

It was Justice Kaul however, who in his separate but concurring opinion went a step
further and identified the concerns pertaining to profiling and surveillance by state actors.
Such actions, he clarified should not facilitate discrimination and may only be justified
when done for public interest or national security. He even elucidated on role of non state
actors in the age of technology which is but not limited to pervasive data generation,
collection and usage in economy. In his opinion, non state actors cannot be held to same
standard as state actors, for it would make the regime very restrictive. However, Non state
actors, can also use the personal data collected to induce harm as it is capable of
influencing decision making processes, effecting representations and shaping behaviour.

1 WP (C) 494 of 2012, Justice K.S Puttaswamy (Retd.) v. Union of India and Ors
The need hence arises for a well regulated regime and hence the proposal for a data
protection law which eventually led to Data Protection Bill being introduced.

Both majority decision and individual opinions of justices however agreed on a consent
based model2 for data protection law. What information may be collected and the extent of
its exact usage need to be disclosed by data collectors and consented to by the users, in
light of this judgment.
. 
IMPLICATIONS ON DATA PROTECTION

Data Protection in India must be guided by broader contours of the right to privacy. The
Putaswamy judgment reiterated that individuals have a right to establish boundaries; both
physical and informational. Consequently, the user must knows what the data is being
used for in addition to being able to correct and amend it. The privacy hence acts as a
shield to the govern the extent of usage of data permitted by the individual, whose data is
in question.

In another case of Canara Bank 3, used as authority in the aforementioned judgment, It is

reaffirmed that individuals retain the right to control data to the extent that specific consent
is required for disclosure of data to a third party, and even after the data is transferred to a
third party, the user still retains the right to privacy pertaining to that information. This is
pertinent in context of big data analytics, where transfer of data often takes place with an
objective of profiling or commercial gains.

The judgment was also progressive in context of not limiting the definition of information
that qualifies for protection. Instead of using the preexisting, sensitive personal information
or data’ (“SPDI”), the definition was expanded to cover all information pertaining to an
individual including electronic correspondences such as emails. Privacy of
correspondences is enshrined by various international frameworks 4 and this judgment
ensures that Indian law shall align with the same international standards.

Even though the judgment iterated in lengths how the law ‘ought to be’, the ball now lies in
court of legislature. A major setback in data protection framework in India is due to lack of
lack of horizontal right to privacy. Big companies not incorporated in India fall outside the
scope of application of SDPI rules. In light of such, Indian users, whose data is being
generated in India when stored or used by such companies on servers outside of India
leaves Indian users with little to no remedy.

PRIVACY: RIGHTS BASED APPROACH VERSUS INFORMATIONAL SECURITY

2 Supra Id, para 117, J. Chandrachud’s majority opinion

3 District Registrar and Collector, Hyderabad v Canara Bank (2005) 1 SCC 496.
4 Art 8, Convention for the Protection of Human Rights and Fundamental Freedoms
Data breaches are on an all time high. In such a scenario this debate becomes pertinent to
take informed policy decisions. The nuances of this debate, in Indian context surfaced with
the Whatsapp case5. It became a starting point to address many deficiencies in Indian
legal data protection framework in the immediate aftermath of Putaswamy judgment 6. This
was a case instituted to ask for an injunction for Whatsapp to prevent them from sharing its
user’s data to Facebook when the former was acquired by latter to enhance the latter’s
advertisement algorithms. The Indian courts therein, did not grant an injunction however,
but issued certain limitations such as asking for disclosure of nature of information being
shared, ensuring it was consented to by users etc.

This case coupled with recent mass surveillance policies undertaken by Indian
government with little to no regard for tests of proportionality, need or justification, births
concern7. The focus of data protection in India has always been on Informational security
as opposed to a rights based approach of privacy. Though, on the face value they might
appear to be two sides of the same coin, both are pretty distinct 8. Information security is a
data centric process effected to ensure protection of business informational assets with
emphasis on storage, processing and transmission of information. It fails to address
collection of data and its associated need and justification as it is premised on the fact that
data will be collected regardless. Unlike Informational security, a rights based approach to
privacy is a person entered approach that aims to effect protection of personal information.

As can be witnessed from arguments advanced, the rights based model is a precursor to
information security as it starts to address the nuances from fundamental collection of data
and its legitimacy. User data collection cannot be taken for granted to ensure effective
privacy of people.

CONCLUSION

In conclusion, the ‘information is the new oil’ discourse employed by Indian government is
a limiting approach. Despite the court being eloquent in laying down the constitutional
interpretation and scope of right to privacy, the legislature and executive are constantly
undermining it. And this retaliation can be credited to the current BJP government at the
center, who are determined to give precedence to economic development at the cost of
rights of people. The new Data Protection Bill also embodies this sentiment and faces from
same shortfalls that accompany when informational security is given precedence over right

5 Karmanya Singh Sareen vs Union of India W.P.(C) 7663/2016.

6 Supreme Court holds that the right to Privacy is a fundamental right guaranteed under the
constitution of India, Nishit Desai and associates, September 07, 2017,
http://www.nishithdesai.com/information/news-storage/news-details/article/supreme-court-holds-
that-the-right-to-privacy-is-a-fundamental-right-guaranteed-under-the-constituti.html
7 Amit Mahal, Data Privacy in the Information Age: Can the Putaswamy judgment save us? IJLT,
August 19, 2018, http://ijlt.in/index.php/2018/08/19/data-privacy-in-the-information-age-can-the-
puttaswamy-judgement-save-us/#_edn11
8 The difference between security and Privacy: why it matters to your program,HIVGOV, April 26,
2018, https://www.hiv.gov/blog/difference-between-security-and-privacy-and-why-it-matters-your-
program
to privacy. In Indian context we need more than just lip service offered by the courts to
ensure more effective application of right to privacy, especially of user information.

REFERENCES:

• WP (C) 494 of 2012, Justice K.S Puttaswamy (Retd.) v. Union of India and Ors
• WP (C) 494 of 2012, para 117, J. Chandrachud’s majority opinion
• District Registrar and Collector, Hyderabad v Canara Bank (2005) 1 SCC 496.
• Art 8, Convention for the Protection of Human Rights and Fundamental Freedoms
• Karmanya Singh Sareen vs Union of India W.P.(C) 7663/2016.
• Supreme Court holds that the right to Privacy is a fundamental right guaranteed under
the constitution of India, Nishit Desai and associates, September 07, 2017,
http://www.nishithdesai.com/information/news-storage/news-details/article/supreme-
court-holds-that-the-right-to-privacy-is-a-fundamental-right-guaranteed-under-the-
constituti.html
• Amit Mahal, Data Privacy in the Information Age: Can the Putaswamy judgment save
us? IJLT, August 19, 2018, http://ijlt.in/index.php/2018/08/19/data-privacy-in-the-
information-age-can-the-puttaswamy-judgement-save-us/#_edn11
• The difference between security and Privacy: why it matters to your program,HIVGOV,
April 26, 2018, https://www.hiv.gov/blog/difference-between-security-and-privacy-and-
why-it-matters-your-program