Aadhaar Day 32, Session 2. Rakesh Dwivedi continuing the case for the State.
Dwivedi comes to the issue of metadata.
Dwivedi comes to the issue of metadata.
RD says that the Petitioners have cited cases on metadata (such as Digital Rights Ireland) which involved large scale storage of metadata that was completely unrelated to any State purpose.
RD says that in the Digital Rights case, the metadata stored involved identifying the date, time, location, duration of communication, and the nature of the machine used. In that context, the Court held that this metadata allows for complete profiling.
RD says that petitioners have just placed all these cases without explaining the context. The metadata at stake in those cases was much more intrusive.
RD says that in US v Westinghouse, the SC of the US said that the standard is one of "adequate safeguards", and that +
RD says that in US v Westinghouse, the SC of the US said that the standard is one of "adequate safeguards", and that +
+ is the standard that should be applied.
RD says that petitioners have cited US v Jones, which was about a GPS device. Aadhaar does not have a GPS. Some Wi-Fi may be used at the time of sending the information to the CIDR, but not otherwise.
RD says that petitioners have cited US v Jones, which was about a GPS device. Aadhaar does not have a GPS. Some Wi-Fi may be used at the time of sending the information to the CIDR, but not otherwise.
RD says that the full court of the CJEU has recently issued an opinion saying that the ECHR judgments are only declaratory.
Sikri J says that at least they declare the law.
RD says that it doesn't have to be enforced.
RD says that it doesn't have to be enforced.
RD says that he will now deal with the issue of adequate safeguards.
RD says that in G. Sunder Rajan v State of TN, (2013) 6 SCC 620, about the Kundankulan nuclear power plant.
Read it here: indiankanoon.org/doc/184104065/
Read it here: indiankanoon.org/doc/184104065/
In that case, the Court held that apprehensions that something like Fukushima would recur could not be a ground to stop the project. After a point, it must be left to destiny.
The Court held that setting up a nuclear power plant would help to guarantee the right to life under Article 21, in the larger public interest - and that there were adequate safety measures.
CJI had also written a judgment in this case. He asks RD to read some paragraphs.
RD reads out more paras on the same lines as above.
Still reading out paras, on the same lines.
RD says that there propositions emerge. First, that safeguards can be read into Article 21. Degrees of safeguards will vary - for nuclear plants it will be one, and for CIDR is another. Secondly, the standard must be "adequate safeguards". The risk can never be zero.
And thirdly, there must be constant vigilance. RD says that we are always improving and upgrading our safety, and after the Srikrishma Report, we will upgrade more.
RD says that this proposition has also been adopted by the US Supreme Court in NASA v Nelson, which was about background checks of NASA employees.
en.m.wikipedia.org/wiki/NASA_v._N…
en.m.wikipedia.org/wiki/NASA_v._N…
RD says that the US SC has discarded the least restrictive standard.
RD says that the Aadhaar Act has enough security and control.
Chandrachud J points to the part of the judgment that says that an iron-clad disclosure bar is not required. RD agrees.
RD points to the part of the judgment that says that data breaches are always possible, and that possibility can't be a ground to strike down data collection.
RD says that we are not even going that far. We have provided a complete bar on sharing, and what is available with the REs is totally dispersed. The extent of privacy is much more diluted. And there is consent and a bar on using for anything other than authentication.
RD says that if there are breaches, then point them out to us. But petitioners don't want to improve it, they just want to knock it off.
RD says that the data protection draft law will be out by May.
Chandrachud J says that one area that requires consideration is remedies for breaches.
RD says that the IT Act provides for penalties, and penalties have been imposed on Airtel etc
Chandrachud J says that one area that requires consideration is remedies for breaches.
RD says that the IT Act provides for penalties, and penalties have been imposed on Airtel etc
RD says that the Court and the government should work in coordination as the two great wings of State, and not in opposition. The sword should be unsheathed only in the last resort.
RD says that the Court should be like a doctor and save the patient.
RD says that the data protection context is totally different in the EUGDPR context. He says that that directive goes very far. See here:
eugdpr.org
eugdpr.org
RD says that the whole purpose of the EUGDPR is to balance free flow of data with data protection. However, we are not doing that with Aadhaar. Aadhaar is not about free flow of data, but no flow of data.
RD says that this has no bearing on Aadhaar, and in any case, the Srikrishna Committee is handling it.
Chandrachud J says that the EUGDPR envisages a ban on biometric data processing.
RD says that there are exceptions and state laws can provide for them, with appropriate safeguards.
RD says that there are exceptions and state laws can provide for them, with appropriate safeguards.
RD reads out the exceptions, which include legitimate State interests with appropriate safeguards.
RD says that member States have been left free to make laws.
Chandrachud J says that that is subject to the test of proportionality. RD says that he is not disputing that.
Chandrachud J says that that is subject to the test of proportionality. RD says that he is not disputing that.
RD says that the EU is now contemplating a biometric ID card.
Chandrachud J humorously asks whether they are planning to seed it with Aadhaar.
RD repeats his earlier point that the EU has opted for smart cards, India for a different architecture, and if Aadhaar succeeds +
Chandrachud J humorously asks whether they are planning to seed it with Aadhaar.
RD repeats his earlier point that the EU has opted for smart cards, India for a different architecture, and if Aadhaar succeeds +
+ there will be huge repercussions.
RD comes to metadata. He says that the petitioners have completely misunderstood the concept of metadata. He quotes from a book called The Data Warehouse Life Cycle Tool Kit.
RD says that UIDAI collects only "limited technical metadata."
Chandrachud J asks: is it necessary to retain metadata? Why do you have to retain it.
RD says that it's important to exercise control over the RE.
Chandrachud J asks: is it necessary to retain metadata? Why do you have to retain it.
RD says that it's important to exercise control over the RE.
RD says that there is no data about location or purpose of transaction, but only about the system, and that's required for audits.
Sikri J says, so you're not collecting metadata about the person but only about the machine. RD says yes.
Sikri J says, so you're not collecting metadata about the person but only about the machine. RD says yes.
RD says that we don't know location or purpose, just device ID.
Chandrachud J tells RD that your argument might be supported By Regulation 26 proviso, which bars storing the purpose of a transaction.
RD agrees. He says that in any case the Aadhaar Act bars storing of purpose.
Chandrachud J tells RD that your argument might be supported By Regulation 26 proviso, which bars storing the purpose of a transaction.
RD agrees. He says that in any case the Aadhaar Act bars storing of purpose.
Chandrachud J asks what is the meaning of "authentication transaction data", which can be stored under Regulation 26. RD says that it's the data pertaining to a specific transaction, and there is a bar on storing purpose.
Bench is rising. Shyam Divan stands up and says that he has a point of information. The State cited the case of V.G. Row, which first laid down the principle of proportionality. V. G. Row's son, S.G. Vombatkere, is one of the petitioners in this Aadhaar challenge.
Bench rises. RD says that he will finish tomorrow by lunch.
To continue tomorrow.
To continue tomorrow.
Cheers.
