In Justice K.S. Puttaswamy (Retd.) Vs. Union of India :

Law on Data Protection:

163) In order to determine this aspect, i.e. the nature and magnitude of data protection that is required to enable legal collection and use of biometric data, reliance can be placed on –

(a) various existing legislations – both in India and across the world; and

(b) case law including the judgment in K.S. Puttaswamy.

(a) Legislation in India:

(i) Information Technology Act, 2000 The only existing legislation covering data protection related to biometric information are Section 43A and Section 72A of the IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter “Sensitive Personal Data Rules”). Although the IT Act and Rules do not determine the constitutionality of use of biometric data and information by the Aadhaar Act and Rules, they are instructive in determining the safeguards that must be taken to collect biometric information68.

164) Following are the provisions which cover biometric information under the IT Act: Section 43A of the IT Act attaches liability to a body corporate, which is possessing, handling and dealing with any ‘sensitive personal information or data’ and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person. ‘Sensitive personal information or data’ is defined under Rule 3 of the Sensitive Personal Data Rules to include information relating to biometric data. Section 43A reads as follows:

“43A. Compensation for failure to protect data. -Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Explanation. -For the purposes of this section,-

(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;

(iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.]”

165) Similarly, Section 72A of the IT Act makes intentional disclosure of ‘personal information’ obtained under a contract, without consent of the parties concerned and in breach of a lawful contract, punishable with imprisonment and fine. Rule 2(i) of the Sensitive Personal Data Rules define “personal information” to mean any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. Thus, biometrics will form a part of “personal information”.

The Section reads as under- “72A. Punishment for disclosure of information in breach of lawful contract – Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.”

166) The Sensitive Personal Data Rules provide for additional requirements on commercial and business entities (body corporates as defined under Section 43A of the IT Act) relating to the collection and disclosure of sensitive personal data (including biometric information). The crucial requirements, which are 567 indicative of the principles for data protection that India adheres to, inter alia include:

(i) The body corporate or any person who on behalf of body corporate collects, receives, possesses, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view.

(ii) Body corporate or any person on its behalf shall obtain consent in writing from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.

(iii) Body corporate or any person on its behalf shall not collect sensitive personal data or information unless –

(a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and

(b) the collection of the sensitive personal data or information is considered necessary for that purpose (iv) The person concerned has the knowledge of –

(a) the fact that the information is being collected;

(b) the purpose for which the information is being collected;

(c) the intended recipients of the information; and

(d) name and address of the agency collecting and retaining the information.

(v) Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.

(vi) Information collected shall be used for the purpose for which it has been collected.

(vii) Body corporate or any person on its behalf shall, prior to the collection of information, including sensitive personal data or information, provide an option to the provider of the information to not to provide the data or information sought to be collected.

(viii) Body corporate shall address any discrepancies and grievances of their provider of the information with respect to processing of information in a time bound manner.

(ix) Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation.

(x) A body corporate or a person on its behalf shall comply with reasonable security practices and procedure i.e. implement such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.

In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies. The above substantive and procedural safeguards are required for legal collection, storage and use of biometric information under the IT Act. They indicate the rigour with which such processes need to be carried out.

Position in other countries:

(a) EUGDPR (European Union General Data Protection Regulation)69 EUGDPR which was enacted by the EU in 2016 came into force on May 25, 2018 replacing the Data Protection Directive of 1995. It is an exhaustive and comprehensive legal framework that is aimed at protection of natural persons from the processing of personal data and their right to informational privacy. It deals with all kinds of processing of personal data while delineating rights of data subjects and obligations of data processors in detail. The following fundamental principles of data collection, processing, storage and use reflect the proportionality principle underpinning the EUGDPR –

(i) the personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject (principle of lawfulness, fairness, and transparency);

(ii) the personal data must be collected for specified, explicit, and legitimate purposes (principle of purpose limitation);

(iii) processing must also be adequate, relevant, and limited to what is necessary (principle of data minimization) as well as accurate and, where necessary, kept up to date (principle of accuracy);

(iv) data is to be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (principle of storage limitation);

(v) data processing must be secure (principle of integrity and confidentiality); and

(vi) data controller is to be held responsible (principle of accountability).

167) The EUGDPR under Article 9 prohibits the collection of biometric data unless except in few circumstances which include (but are not limited to) –

(a) there is an explicit consent by the party whose data is being collected. The consent should be freely given, which is clearly distinguishable in an intelligible and easily accessible form, using clear and plain language. This consent can be withdrawn at any time without affecting the actions prior to the withdrawal; (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;

(c) processing relates to personal data which is manifestly made public by the data subject; and

(d) processing is necessary for reasons of substantial public interest, and it shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

168) The Regulation also institutes rights of the data subject (the person whose data is collected), subject to exceptions, which include the data subject’s right of access to information about the purpose of collection of data, details of data controller and subsequent use and transfer of data, the data subject’s right to rectification of data, right to erasure or right to be forgotten, the data subject’s right to restriction of processing, the right to be informed, the right to data portability and the data subject’s right to object to illegitimate use of data.

(b) Biometric Privacy Act in the United States of America

169) Some States in the United States of America have laws regulating collection and use of biometric information. Illinois has passed Biometric Information Privacy Act (740 ILCS 14/1 or BIPA) in 2008. Texas has also codified the law for capture of use of biometric identifier (Tex. Bus. & Com. Code Ann. §503.001) in 2009. The Governor of the Washington State signed into law House Bill 1493 (“H.B. 1493”) on May 16, 2017, which sets forth requirements for businesses who collect and use biometric identifiers for commercial purposes. BIPA, Illinois, for example makes it unlawful for private entities to collect, store, or use biometric information, such as retina/iris scans, voice scans, face scans, or fingerprints, without first obtaining individual consent for such activities. BIPA also requires that covered entities take specific precautions to secure the information.

(b) Case Laws:

170) In K.S. Puttaswamy’s judgment, all the Judges highlighted the importance of informational privacy in the age of easy access, transfer, storage and mining of data. The means of aggregation and analysis of data of individuals through various tools are explained. Chandrachud, J. observed that with the increasing ubiquity of electronic devices, information can be accessed, stored and disseminated without notice to the individual. Metadata and data mining make the individual’s personal information subject to private companies and the state. In this background, His Lordship discusses the necessity of a data protection regime for safeguarding privacy and protecting the autonomy of the individual. The following observations in the conclusion of the judgment are worth quoting:

“328. Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well. We commend to the Union Government the need to examine and put into place a robust regime for data protection. The creation of such a regime requires a careful and sensitive balance between individual interests and legitimate concerns of the state. The legitimate aims of the state would include for instance protecting national security, preventing and investigating crime, encouraging innovation and the spread of knowledge, and preventing the dissipation of social welfare benefits. These are matters of policy to be considered by the Union government while designing a carefully structured regime for the protection of the data. Since the Union government has informed the Court that it has constituted a Committee chaired by Hon’ble Shri Justice B N Srikrishna, former Judge of this Court, for that purpose, the matter shall be dealt with appropriately by the Union government having due regard to what has been set out in this judgment.”

171) S.K. Kaul, J. cited the European Union General Data Protection Regulations70 to highlight the importance of data protection and the circumstances in which restrictions on the right to privacy may be justifiable subject to the principle of proportionality. These include balance against other fundamental rights, legitimate national security interest, public interest including scientific or historical research purposes or statistical purposes, criminal offences, tax purposes, etc.

172) There are numerous case laws – both American and European – presented by the petitioners and the respondents with respect to the collection, storage and use of biometric data which have been taken note of above. They are illustrative of the method and safeguards required to satisfy the proportionality principle while dealing with biometric data. The first set of cases cited by the petitioners are cases from European Human Rights Courts.

173) The European Human Rights legislations have both explicitly and through case laws recognized the right to informational privacy and data protection. The EU Charter of Fundamental Rights states in Article 7 that ‘everyone has the right to respect for his or her private and family life, home and communications’ and in Article 8 it grants a fundamental right to protection of personal data. The first article of the EU Charter affirms the right to respect and protection of human dignity. The ECHR also recognises the right to respect for private and family life, home and his correspondence which have been read to include protection of right to control over personal biometric information.

174) As pointed out above as well, a prominent case which addresses the question of storage of biometric data, i.e. whether storage and retention of DNA samples and fingerprints violates Article 8 of the ECHR, is S and Marper71. In this case, the storing of DNA profiles and cellular samples of any person arrested in the United Kingdom was challenged before the ECtHR. Even if the individual was never charged or if criminal proceedings were discontinued or if the person was later acquitted of any crime, their DNA profile could nevertheless be kept permanently on record without their consent.

175) In a unanimous verdict, the seventeen-judge bench held that there had been a violation of Article 8 of the ECHR. Fingerprints, DNA profiles and cellular samples, constituted personal data and their retention was capable of affecting private life of an individual. The retention of such data without consent, thus, constitutes violation of Article 8 as they relate to identified and identifiable individuals. It held that: “84. …fingerprints objectively contain unique information about the individual concerned allowing his or her identification with precision in a wide range of circumstances. They are thus capable of affecting his or her private life and retention of this information without the consent of the individual concerned cannot be regarded as neutral or insignificant.”

176) It articulated the proportionality principle in the following words:

“101. An interference will be considered “necessary in a democratic society” for a legitimate aim if it answers a “pressing social need” and, in particular, if it is proportionate to the legitimate aim pursued and if the reasons adduced by the national authorities to justify it are “relevant and sufficient

xx xx xx

The protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, as guaranteed by Article 8 of the Convention. The domestic law must afford appropriate safeguards to prevent any such use of personal data as may be inconsistent with the guarantees of this Article. The need for such safeguards is all the greater where the protection of personal data undergoing automatic processing is concerned, not least when such data are used for police purposes. The domestic law should notably ensure that such data are relevant and not excessive in relation to the purposes for which they are stored; and preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored … The domestic law must also afford adequate guarantees that retained personal data was efficiently protected from misuse and abuse.”

177) The issue in the case according to the Court was whether the retention of the fingerprints and DNA data of the applicants, as persons who had been suspected but not convicted of certain criminal offences, was justified under Article 8 of the Convention.

178) The Court held that such invasion of privacy was not proportionate as it was not “necessary in a democratic society” as it did not fulfill any pressing social need. The blanket and indiscriminate nature of retention of data was excessive and did not strike a balance between private and public interest.

It held:

“125. the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the present applicants, fails to strike a fair balance between the competing public and private interests and that the respondent State has overstepped any acceptable margin of appreciation in this regard.

Accordingly, the retention at issue constitutes a disproportionate interference with the applicants’ right to respect for private life and cannot be regarded as necessary in a democratic society. This conclusion obviates the need for the Court to consider the applicants’ criticism regarding the adequacy of certain particular safeguards, such as too broad an access to the personal data concerned and insufficient protection against the misuse or abuse of such data.”

179) The two crucial aspects of the case that need to be kept in mind are – First, in that case, the fingerprints were collected for criminal purposes and without the consent of the individual to whom the fingerprints belonged. Second, the fingerprints were to be stored indefinitely without the consent of the individual and that the individual did not have an option to seek deletion. These aspects were vital for the Court to decide that the retention violated the citizen’s right to privacy.

180) Similarly, in the Digital Ireland case72, the European Parliament and the Council of the European Union adopted Directive 2006/24/EC (Directive), which regulated Internet Service Providers’ storage of telecommunications data. It could be used to retain data which was generated or processed in connection with the provision of publicly available electronic communications services or of public communications network, for the purpose of fighting serious crime in the European Union. The data included data necessary to trace and identify the source of communication and its destination, to identify the date, time duration, type of communication, IP address, telephone number and other fields. The Court of Justice of European Court (CJEU) evaluated the compatibility of the Directive with Articles 7 and 8 of the Charter and declared the Directive to be invalid.

181) According to the CJEU, the Directive interfered with the right to respect for private life under Article 7 and with the right to the protection of personal data under Article 8 of the Charter of Fundamental Rights of the European Union. It allowed very precise conclusion to be drawn concerning the private lives of the persons whose data had been retained, such as habits of everyday life, permanent or temporary places of residence, daily and other movements, activities carried out, social relationships and so on. The invasion of right was not proportionate to the legitimate aim pursued for the following reasons:

(i) Absence of limitation of data retention pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved.

(ii) Absence of objective criterion, substantive and procedural conditions to determine the limits of access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions. There was no prior review carried out by a court or by an independent administrative body whose decision sought to limit access to the data and their use to what is strictly necessary for attaining the objective pursued.

(iii) Absence of distinction being made between the categories of data collected based on their possible usefulness.

(iv) Period of retention i.e. 6 months was very long being not based on an objective criterion.

(v) Absence of rules to protect data retained against the risk of abuse and against any unlawful access and use of that data.

(vi) Directive does not require the data in question to be retained within the European Union.

182) In Tele2 Sverige AB vs. Post-och telestyrelsen73, the CJEU was seized with the issue as to whether in light of Digital Rights Ireland, a national law which required a provider of electronic communications services to retain meta-data (name, address, telephone number and IP address) regarding users/subscribers for the purpose of fighting crime was contrary to Article 7, 8 and 11 of the EU Charter. The CJEU struck down the provision allowing collection of such meta data on grounds of lack of purpose limitation, data differentiation, data protection, prior review by a court or administrative authority and consent, amongst other grounds. It held: “103. While the effectiveness of the fight against serious crime, in particular organised crime and terrorism (…) cannot in itself justify that national legislation providing for the general and indiscriminate retention of all traffic and location data should be considered to be necessary for the purposes of that fight.

xx xx xx

105. Second, national legislation (…) provides for no differentiation, limitation or exception according to the objective pursued. It is comprehensive in that it affects all persons using electronic communication services, even though those persons are not, even indirectly, in a situation that is liable to give rise to criminal proceedings. It therefore applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious criminal offences. Further, it does not provide for any exception, and consequently it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy.

xx xx xx

if it is to be ensured that data retention is limited to what is strictly necessary, it must be observed that, while those conditions may vary according to the nature of the measures taken for the purposes of prevention, investigation, detection and prosecution of serious crime, the retention of data must continue nonetheless to meet objective criteria, that establish a connection between the data to be retained and the objective pursued. In particular, such conditions must be shown to be such as actually to circumscribe, in practice, the extent of that measure and, thus, the public affected.”

183) With respect to measures for data security and data protection the court held :

“122. Those provisions require those providers to take appropriate technical and organisational measures to ensure the effective protection of retained data against risks of misuse and against any unlawful access to that data. Given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to it, the providers of electronic communications services must, in order to ensure the full integrity and confidentiality of that data, guarantee a particularly high level of protection and security by means of appropriate technical and organisational measures. In particular, the national legislation must make provision for the data to be retained within the European Union and for the irreversible destruction of the data at the end of the data retention period.”

184) In BVerfG74, the German Constitutional Court rendered on March 02, 2010 a decision by which provisions of the data retention legislation adopted for, inter alia, the prevention of crime were rendered void because of lack of criteria for rendering the data retention proportional.

185) In Maximillian Schrems v. Data Protection Commissioner75, the CJEU struck down the transatlantic US-EU Safe Harbor agreement that enabled companies to transfer data from Europe to the United States on the ground that there was not an adequate level of safeguard to protect the data. It held that the U.S. authorities could access the data beyond what was strictly necessary and proportionate to the protection of national security. The subject had no administrative or judicial means of accessing, rectifying or erasing their data.

186) In Szabo and Vissy v. Hungary76, the ECtHR held unanimously that there had been a violation of Article 8 (right to respect for private and family life, the home and correspondence) of the European Convention on Human Rights. The case concerned Hungarian legislation on secret anti-terrorist surveillance introduced in 2011. The court held that the legislation in question did not have sufficient safeguards to avoid abuse. Notably, the scope of the measures could include virtually anyone in Hungary, with new technologies enabling the Government to intercept masses of data easily concerning even persons outside the original range of operation. Furthermore, the ordering of such measures was taking place entirely within the realm of the executive and without an assessment of whether interception of communications was strictly necessary. There were no effective remedial measures in place, let alone judicial ones. The court held:

“77. … Rule of law implies, inter alia, that an interference by the executive authorities with an individual right should be subject to an effective control which should normally be assured by the judiciary, at least in the last resort…”

187) Thus, it is evident from various case laws cited above, that data collection, usage and storage (including biometric data) in Europe requires adherence to the principles of consent, purpose and storage limitation, data differentiation, data exception, data minimization, substantive and procedural fairness and safeguards, transparency, data protection and security. Only by such strict observance of the above principles can the State successfully discharge the burden of proportionality while affecting the privacy rights of its citizens.

188) The jurisprudence with respect to collection, use and retention of biometric information in the United States differs from the EU. In the US context, there is no comprehensive data protection regime. This is because of the federal system of American government, there are multiple levels of law enforcement-federal, state, and local. Different states have differing standards for informational privacy. Moreover, the U.S. has a sectoral approach to privacy, i.e. laws and regulations related to data differ in different sectors such as health sector or student sector. In most cases, however, the Fourth Amendment which prohibits “unreasonable searches and seizures” by the government has been read by courts to envisage various levels data protection.