On day 32 of the final Aadhaar hearing, Senior Advocate, Rakesh Dwivedi, appearing for the State and UIDAI resumed his submission on Aadhaar. He discussed ‘reasonable and legitimate expectation of privacy’ from a United Kingdom court judgment and stated that context is very important when deciding what would qualify as reasonable expectation of privacy. Quoting a South African judgment, Mr. Dwivedi stated that, “Only a person’s inner sanctum is protected from other conflicting rights. As a person moves into communal relations, her personal space also shrinks.” He asserted that individuals live in communities and their personality is shaped by imbibing cultural and social values of the society. Regulations are designed to protect objective principles that define reasonable expectation of privacy. He also stated that the only question is whether the restriction on the right to privacy is proportionate to the government purpose, and nothing else can be taken into account. Mr. Dwivedi was of the view that the petitioners have applied the wrong standard in arguing that the restriction on rights should be least intrusive. He contended that the activities related to Aadhaar are in the public sphere and there should be no reasonable expectation of privacy with respect to demographic information and photograph as such data is already available in the public domain.
As regards identity cards, Mr. Dwivedi argued that hundred and twenty countries use biometric passports and nineteen European nations use biometric ID cards. He emphasized that the Court of Justice of the European Union (CJEU) and the European Court of human rights (ECHR) have never expressed any concerns with biometrics ID cards. Mr. Dwivedi cited the 1952 judgment of V.G Row and said that the Indian Supreme Court has never accepted the requirement that a restriction on fundamental rights must be least intrusive. Next, he cited the UK Supreme Court judgment in Wood v. Commissioner of Police which said that the taking of photographs in itself does not violate privacy. He also contended that the petitioners have relied on the ECHR’s judgment in S and Marper v. United Kingdom but in actuality, Marper supports the case of the State. In this regard, Mr. Dwivedi mentioned that the ECHR in Marper focused on a lack of consent, and fingerprints being “non-neutral” in the context of identification for crime purposes. Those conditions don’t apply in the case of Aadhaar. He stated that Marper has been distinguished by the UK Supreme Court in Gaughran v Chief Constable, where there was no collection of cellular samples, and the acquitted people were not sampled which proves that expectation of privacy is always a contextual enquiry.
Mr. Dwivedi’s next submission was on metadata. He began by stating that the petitioners have cited cases on metadata which involved large scale collection and storage of data that not related to any legitimate State purpose. Also, the data that was collected included date, time, location as well as duration of communication, which the Court had held allowed profiling of individuals. He contended that the petitioners have cited these cases without clarifying the context, and that the metadata in those cases was much more intrusive. In Mr. Dwivedi’s view, the standard that should be applied is that of “adequate safeguards” as held in the case of US v. Westinghouse. As regards this test, Mr. Dwivedi cited G. Sunder Rajan v. State of Tamil Nadu about the Kundankulam nuclear power plant. In that case, it was held that apprehensions such as something like Chernobyl or Fukushima disaster may recur cannot be a ground to cease the project as the setting up of a nuclear power plant would ensure economic and social welfare of the people. He stated that this proposition was also adopted by the US Supreme Court in NASA v. Nelson. Mr. Dwivedi pointed out to that part of the judgment that said that data breaches are always a possibility but that cannot be a ground to strike down data collection. He asserted that the Aadhaar Act along with the Information Technology Act provides enough safeguards, and the State will soon come out with a data protection law which would act as an additional safeguard.
With respect to the EU- General Data Protection Regulation, Mr. Dwivedi mentioned that the data protection context is totally different and the purpose of GDPR is to balance free flow of data, whereas, Aadhaar has got nothing to do with free flow of data. J. Chnadrachud remarked that the GDPR envisages a ban on biometric data processing, to which, Mr. Dwivedi, stated that there are exceptions to that rule and member State laws can provide for them with appropriate safeguards. He read out the exceptions which included “legitimate state purpose.” Going back to the point on metadata, he asserted that UIDAI collects only “limited technical metadata.” J. Chnadrachud enquired why it was necessary to even store metadata, to which Mr. Dwivedi stated that it was an important exercise to maintain control over requesting entities by way of audits. J. Chandrachud then asked the meaning of “authentication transaction data” which can be stored under regulation 26 of the Aadhaar Act. In reply, Mr. Dwivedi submitted that it is the data pertaining to a specific transaction.
The hearing will continue tomorrow (April 25, 2018)