The Right to Privacy Judgment: Initial Reflections on Implications for Digital Financial Services

The Supreme Court of India’s judgment on the fundamental right to privacy yesterday, 24 August 2017, speaks directly to the sweeping changes we are witnessing in the way that the State and private companies use citizens’ personal data. The collection and aggregation of individuals’ data to inform the entire chain of any welfare or commercial service provision is now de rigueur. In recent years, finance has become the poster child of this opportunity to use data: for first-time users of formal finance to be identified and diligenced; for products to be designed around their needs; for their digital and social information to stand-in where they have no assets to back their promises to re-pay credit. No where is this trend more alive than in India, and no where are the risks also writ as large. In the last 2 years we have seen a billion Indian mobile subscriptions, a billion Aadhaar numbers with over 67 crore bank accounts linked to Aadhaar numbers for direct DBT transfer among other services. We have also witnessed over 3.2 million individuals financial information being compromised by PoS/ ATM malware; the potential for stored biometrics to be used in unauthorised authentications, and for unauthorised entities to access citizen’s personal data for eKYC purposes.

If the direction of travel is towards a more digital world, what are our protections and how should we think about regulating data in our country? The judgements in Justice K S Puttaswamy & Anr v. Union of India & Ors have laid down some touchstones to anchor how we navigate these questions in the years ahead. This post first picks out some key messages from the judgment (especially around informational privacy which has special relevance for the use of personal data in retail finance) and then presents initial reflections on implications for financial services.

Privacy is recognised as an inalienable, natural right situated across our fundamental rights

This judgement—coming to the Court as it does, as a result of cases filed on the legality of the Aadhaar project—grounds its reasoning within the context of the world we find ourselves in today. Technology is now part of our lives in a way that could not have been imagined when the Indian republic was formed 67 years ago. However, the principles on which we have founded our republic have continued relevance precisely because they guide us towards solutions for the intractable problems of our time.[1] Taking stock of this, the Supreme Court has confirmed that privacy is a constitutionally protected right that emerges primarily from the guarantee of life and personal liberty in Article 21 of the Indian Constitution, and also arising across a whole raft of fundamental rights contained in Part III of the Indian constitution.[2]

The Court has tied back the right to privacy to the basic values that the Constitution and Indian society aspire to. These are given voice to in the preamble, among other parts of the Constitution. Across all six judgement texts delivered by the nine judges of the bench, certain values have been seen as inherent and intertwined with individual privacy.

Privacy is seen as a postulate of human dignity, and an essential part of individual liberty. Privacy enables individual autonomy. Indeed it is seen as lying across the spectrum of protections—for instance, its existence is needed to prevent the state from discriminating between citizens (and infringing the right to equality) by keeping certain aspects private. The Court has also noted that privacy has both subjective and objective elements i.e. subjectively, the expectation of individuals (where they desire) to be left alone AND objectively, those constitutional values that shape a protected zone where the individual ought to be left alone.[3]

In Puttaswamy, the Court has made several important observations about the nature and content of privacy protections which will no doubt be the subject of scholarship and interpretation for years to come. But two observations in particular merit the attention of those working to improve access to finance for the underserved. Firstly, the Court refuses any notion of a trade-off between individual freedoms and development. The Kesavananda Bharati[4] judgment’s view is re-iterated, that Parliament cannot abrogate the essential features of the individual freedoms secured to citizens in India. Our Constitution does not take the perspective that in order to build a welfare State, it is necessary to destroy some human freedoms. Indeed, to quote “Our constitutional plan is to eradicate poverty without destruction of individual freedoms.”[5]

Secondly, and crucially for those of us tracking the use of personal data in financial services, individuals’ informational privacy is now firmly within the protection of fundamental rights.

Informational privacy is part of our expectation of privacy as Indians

Informational privacy i.e. the interest in limiting or controlling the access to information about ourselves, is dealt with in the lead Puttaswamy judgement by Chandrachud, J which devotes an entire section to it.[6] The Court takes note of the way in which technology has changed our lives, the digital trails we leave behind as we transact online, and the aggregation of these data points to reveal things about us that we may not expressly disclose. It notes the use of cookies to track online behaviour, the collection of users’ browsing histories, and other tools like automated content analysis of emails which can be analysed with algorithms to profile individual users. The Court notes that the use of data mining techniques, Big Data and the possibility of database linking essentially allow for aggregation of data about every single person in a manner previously not encountered.

Given this context, the Court notes the important role of data protection laws in safeguarding the privacy and autonomy of an individual, and ensuring non-discrimination on the basis of racial or ethnic origin, political or religious beliefs, genetic or health status or sexual orientation. The Court has recognised that a good data protection law will need to delicately balance the complex issues between individuals’ privacy interests and legitimate concerns of the state.

Para 180 of the leading judgment by Chandrachud, J contains a three-fold prescription to act as important guidance when considering how privacy might be safeguarded by ensuring:

• that there must be a law: A law is needed to justify any encroachment on privacy, to fulfil the requirement in Article 21 of our Constitution that no deprivation of liberty can be undertaken except by a procedure established by law;
• that law must be reasonable: Such a law must fall within the zone of reasonableness as required by Article 14 as a guarantee against arbitrary state action;
• the law must be proportional: Any encroachment on individual privacy must be proportionate to the object and needs sought to be fulfilled by such a law.

Kaul J in his remarks presents the test of proportionality and legitimacy for limiting the state’s discretion, which requires an action to be sanctioned by law, necessary for a legitimate aim, proportionate to the need for such interference and with procedural guarantees against abuse of such interference.[7]

Reiterating the principles set out by the Government of India Group of Expert of Privacy in 2012, the Court takes note of the Committee of Experts chaired by Justice B N Srikrishna that has been constituted and will suggest a new data protection regime for the country. The work of ensuring balance is achieved in law and is manifested in practice lies ahead for all of us.

On the regulation of personal data and implications for financial services

The observations of the Court in Puttaswamy have direct implications for operational aspects of retail finance and for newer digital financial services provision. The use of new and alternative forms of data about consumers to target advertising and communication, and to appraise individuals is now a reality, as is the use of algorithms to mine data for use in processes like credit scoring. Negative outcomes from such processes that affect individuals’ privacy or cause discrimination will now be seen as infringements of fundamental rights, where state entities are involved. A horizontal data protection regime (applying to state and non-state actors) based on the same understanding of privacy would extend privacy protections for users against all types of entities.[8] As we debate the contours of privacy for our new data protection regulation and in existing financial sector regulations, we have an opportunity to shine a spotlight on existing data practices around consumers’ personal and financial information in financial institutions.

For those involved in the chain of financial services provision that is increasingly becoming more “digital”, this judgment has flagged up a new understanding of core issues. In particular, it forces more granular reflection on:

• the kinds of data that can and should be collected, keeping in mind values of privacy and dignity of the individual;
• the kind of data mining and algorithmic techniques that can be used, keeping in mind that such techniques cannot infringe privacy and liberty, autonomy and free choice, and equality of all individuals;
• whether individuals’ reasonable expectations of privacy can vary based on categories and context of data; and
• how a fair, just and reasonable law can help us find a way to ensure that the use of personal data is tied to legitimate proportionate objectives and interests.

This judgement has moved the gears for privacy and data protection in the country, ushering us into an era of change where we are seeing data protection laws globally being re-purposed for rapidly evolving technological advancements. All this will require a shift in our understanding of liability, and for our practices around accountability and reporting. All of this will need to be tackled by new data protection regulation and updating appropriate financial sector regulation – and ultimately, in the way in which our day-to-day data practices evolve within government, industry and between citizens of India.

—-

[1] Justice Puttaswamy & Anr v. Union of India & Ors, ALL WP(C) No.494 of 2012, DY Chandrachud, J at page 213. (Puttaswamy).

[2] ibid, page 262.

[3] supra n 1, para 169, page 246.

[4] Kesavananda Bharati v. State of Kerala, (1973) 4 SCC 225.

[5] Ibid, para 666, pages 486-487 cited in Puttaswamy, para 108, page 105.

[6] supra n.1, para 170 – 185, pages 246 – 260.

[7] supra n.1, Kaul J at para 71, page 27.

[8] The argument of some respondents (including the UIDAI) was that the right to privacy is a common law right. This would mean it was applicable to state and non-state actors. As noted by Bobde, J in Puttaswamy, a right can be simultaneously recognised as a common law and constitutional law right. Bobde, J also noted that the content of privacy in both forms (common and constitutional) is identical, which gives rise for the potential for similar considerations to apply across state and non-state actors. See Puttaswamy, Bobde, J at para 17-18, page 15-16.