Consent and the Aadhaar Judgments: Puttaswamy and After

The nine-judge bench in Puttaswamy (2017) was convened specifically to resolve the conflict between the 1954 and 1963 decisions, which subsequent benches had declined to follow but had also never formally overruled. The bench was constituted under the presidency of then Chief Justice J.S. Khehar and included Justices J. Chelameswar, S.A. Bobde, R.K. Agrawal, R.F. Nariman, A.M. Sapre, D.Y. Chandrachud, S.K. Kaul, and S.A. Nazeer. All nine held that privacy is a fundamental right. They divided, however, on the jurisprudential basis and the precise contours of that right.

Justice D.Y. Chandrachud, writing for four judges, located privacy within the trilogy of Articles 14 (equality), 19 (freedom of speech, expression, movement, and association), and 21 (life and personal liberty), arguing that privacy is not a free-standing right but inheres in each of these guarantees and in the broader constitutional scheme. His opinion drew extensively on comparative jurisprudence from the United States (Griswold v. Connecticut, 1965; Roe v. Wade, 1973; Lawrence v. Texas, 2003) and from the European Court of Human Rights (S and Marper v. United Kingdom, 2008, a case directly concerning biometric data retention) to argue that privacy encompasses the right to control one's personal information, to make autonomous decisions about one's own life, and to be free from surveillance by the State. The opinion explicitly addressed informational privacy, holding that individuals must have the ability to control information about themselves, which is the constitutional foundation for data-protection regulation.

Justice J. Chelameswar's concurring opinion emphasised the right to be let alone, drawing on Samuel Warren and Louis Brandeis's 1890 Harvard Law Review essay that first articulated the concept in American legal discourse. Justice S.K. Kaul grounded privacy in personal liberty and individual dignity, stressing that the constitutional guarantee is not absolute and is subject to reasonable restrictions, but that any restriction must be lawful, necessary, and proportionate. The proportionality test articulated in Puttaswamy 2017 (necessity, legitimate state aim, proportionality between means and objective, and procedural safeguards against abuse) became the doctrinal framework applied in the 2018 Aadhaar judgment and has been applied consistently by the Supreme Court and High Courts in subsequent cases involving state surveillance, phone tapping, and data collection.

The European Court of Human Rights delivered its Grand Chamber judgment in S and Marper v. United Kingdom on 4 December 2008. The case concerned two applicants: S., a minor who had been acquitted of attempted robbery, and Mr Marper, who had been acquitted of harassment. Both had had their fingerprints, cellular samples, and DNA profiles taken on arrest. Under the Criminal Justice Act 2003, England and Wales retained biometric data indefinitely regardless of acquittal, and the police had declined to delete S. and Marper's records.

The Grand Chamber held, by 17 votes to zero, that the indefinite retention of fingerprints, cellular samples, and DNA profiles of unconvicted persons violated Article 8 ECHR (right to respect for private and family life). The court's reasoning proceeded in two stages. First, retention of fingerprint and DNA data constituted an interference with the right to private life, regardless of whether the data was actually used in any specific investigation, because the mere retention created a risk of misuse and affected the way individuals related to the State. Second, the interference was not "necessary in a democratic society" because England and Wales's blanket retention policy (no distinction between suspects, unconvicted persons, and convicted offenders; no time limit; no mechanism for deletion) went further than was necessary to achieve the legitimate aim of detecting and preventing crime. The court contrasted England and Wales with Scotland, which at the time deleted biometric records of unconvicted individuals within specified periods.

S and Marper led directly to the Protection of Freedoms Act 2012, which reformed England and Wales's retention regime to require deletion of DNA profiles and fingerprints of unconvicted adults within specified periods (with exceptions for serious offences) and created the National DNA Database Strategy Board to oversee retention decisions. It remains the leading ECHR authority on biometric data retention and has been cited by courts in Ireland, Germany, and India.

The five-judge bench (Chief Justice Dipak Misra, Justices A.K. Sikri, A.M. Khanwilkar, D.Y. Chandrachud, and Ashok Bhushan) delivered its judgment in Unique Identification Authority of India v. Central Board of Secondary Education (the consolidated Aadhaar constitutionality case) on 26 September 2018. The majority (4:1, with Justice Chandrachud dissenting) upheld the Aadhaar Act 2016 as constitutional in its core application to government welfare delivery and taxation services. The majority also struck down Section 57 of the Aadhaar Act, which had permitted private companies and individuals to require Aadhaar authentication for their own purposes, as unconstitutional.

The majority's reasoning on upholding the core of Aadhaar rested on proportionality. The scheme's legitimate aim (preventing leakage of welfare subsidies through fake beneficiary identity) was accepted as sufficient. The means (biometric authentication) were held to be suitable and necessary because paper-document-based verification had proven inadequate. The privacy intrusion (collection and central storage of fingerprints and iris scans of approximately 1.2 billion people) was held proportionate to the benefit of ensuring that benefits reached genuine beneficiaries, given the UIDAI's architecture, which stores only the encrypted template and does not, the majority held, enable real-time tracking of individuals' movements or transactions.

Justice Chandrachud's dissent is intellectually significant and has been widely cited in subsequent litigation. He held that the Aadhaar Act was a Money Bill and had been passed improperly through the Lok Sabha without a vote of the Rajya Sabha, which he regarded as a fraud on the Constitution. He also held that the Aadhaar architecture enables the creation of a "panopticon state" through the metadata of authentication events, which a determined government could use to reconstruct individuals' movements, associations, and behaviours over time, constituting a disproportionate privacy intrusion. His dissent anticipated, in 2018, the surveillance-concern arguments that have since been raised about Aadhaar in academic literature and before Parliamentary committees.

The most practically consequential holding was the striking down of Section 57. Before the judgment, several private entities including telecom operators and financial institutions were requiring Aadhaar authentication as a condition of service. The majority held that a private entity's interest in verifying customer identity does not meet the standard of public interest that can justify compulsory biometric authentication under Article 21's proportionality framework. The Aadhaar Act was subsequently amended (in 2019) to permit a voluntary, offline Aadhaar-based e-KYC system for private entities, distinct from the mandatory authentication used for government services.

The Puttaswamy/Aadhaar architecture has been applied and extended in several significant cases. In Shafin Jahan v. Asokan K.M. (2018), the Supreme Court affirmed the right to choose one's partner as falling within the privacy guarantee, relying on Justice Chandrachud's opinion in Puttaswamy 2017. In Navtej Singh Johar v. Union of India (2018), a five-judge bench struck down Section 377 of the Indian Penal Code insofar as it criminalised consensual adult same-sex conduct, explicitly grounding the decision in the privacy guarantee articulated in Puttaswamy. In Anuradha Bhasin v. Union of India (2020), the Supreme Court applied the proportionality test to the suspension of internet services in Jammu and Kashmir, requiring the government to publish suspension orders and demonstrate necessity and proportionality for any extended shutdown.

For biometric privacy specifically, the High Courts of several states have applied the Puttaswamy proportionality standard to challenges involving police fingerprinting, face recognition at checkpoints, and CCTV surveillance. The Delhi High Court in 2019 dismissed a petition challenging Delhi Police's use of a face-recognition system at the Kumbh Mela on procedural grounds, without reaching the merits, leaving the constitutional question open. The Karnataka High Court in 2020 applied the Puttaswamy framework to a challenge involving biometric attendance monitoring of government employees, holding the scheme constitutional but requiring the government to demonstrate a genuine need for the biometric system rather than less intrusive alternatives.

The DPDP Act 2023 is formally aligned with the Puttaswamy framework. Its Statement of Objects and Reasons cites the fundamental right to privacy as the constitutional foundation for the statute, and its consent-first architecture reflects the Puttaswamy proportionality standard for state interference with private information. The Act's Section 17(2)(b) allows the Central Government to exempt State instrumentalities from the Act's provisions in the interests of sovereignty, security, and public order, which must, under Puttaswamy, be exercised proportionately and with procedural safeguards. Practitioners have noted that the breadth of the Section 17 exemptions could, if exercised expansively, render much of the Act's protection illusory for individuals dealing with government biometric systems, a tension that the Data Protection Board of India (once constituted) and courts will need to resolve.

The challenge of consent in biometric data collection is structural, not procedural. When a government welfare programme requires fingerprint authentication as the only means of accessing food rations, or when an employer deploys a fingerprint clock-in system and dismisses workers who refuse, the formal act of providing a fingerprint is not freely given consent in any meaningful sense. This recognition has led legislators and courts across multiple jurisdictions to move away from consent as the primary lawful basis for high-stakes biometric collection, towards necessity and proportionality tests that can constrain both public and private actors.

In the EU, the GDPR's Article 9(2)(a) permits biometric processing on the basis of "explicit consent," but the Article 29 Working Party Guidance on consent (2018, updated to EDPB guidelines) has consistently held that consent is not freely given where there is a clear imbalance of power between the data subject and the controller. This means employers, public authorities, and service providers with market power cannot generally rely on consent as their Article 9 basis. In practice, EU biometric systems operated by public authorities rely primarily on Article 9(2)(g) (substantial public interest, domestic law basis), and private employers who deploy biometric access systems rely on national employment-law provisions enacted under Article 88 GDPR, which typically require works-council agreement and a less-intrusive-alternative assessment.

In the United States, Illinois BIPA's written-release requirement is the closest thing to a structured consent regime in US biometric law, but even BIPA has produced controversy around what "freely given" means in an employment context. Illinois courts have held that an employee's fingerprint scan made a condition of employment is covered by BIPA's requirements, but BIPA does not itself invalidate biometric collection as a condition of employment, it merely requires that the procedures (written policy, notice, written release) be followed before collection. Several BIPA class actions have argued that releases obtained as a condition of employment are coerced and therefore invalid, but Illinois courts have not accepted this argument, focusing instead on whether the procedural requirements were met.

The UK Supreme Court's decision in R (Bridges) v. Chief Constable of South Wales Police (2020) provides the most direct common-law authority on state use of facial recognition for identification purposes. South Wales Police had deployed automated facial recognition (AFR) at public events, scanning passively attending members of the public against a watch-list. The Court of Appeal (affirming the High Court's finding on some grounds and reversing on others) held that the legal framework governing AFR deployment was not sufficiently clear, accessible, and precise to meet the rule-of-law requirements under Article 8(2) ECHR: the police had broad discretion in constructing the watch-list with insufficient oversight, and the data-protection impact assessment had not adequately addressed the risk of algorithm bias affecting different demographic groups. The case did not categorically prohibit police AFR but required a clearer statutory framework, which the UK Home Office has since consulted on but not yet enacted.

The Puttaswamy and Aadhaar judgments, read alongside S and Marper and R (Bridges), have operational implications that extend well beyond the courtroom. Forensic science laboratories, biometric system developers, and law-enforcement agencies designing or using biometric databases must translate the proportionality standard into system architecture and operating procedure.

For retention schedules, the proportionality standard means that indefinite retention of biometric records of unconvicted individuals is constitutionally suspect under Puttaswamy (applying the Article 21 proportionality test) and violates Article 8 ECHR under S and Marper. In England and Wales, the Protection of Freedoms Act 2012 enacted a structured retention framework: DNA profiles of unconvicted adults are generally deleted within three to five years (depending on the offence), fingerprints of unconvicted adults are deleted at the same time as DNA profiles, and convicted individuals' records are retained for the duration of their sentence plus a rehabilitation period. In India, there is no equivalent statutory framework for police fingerprint database retention; NCRB (National Crime Records Bureau) guidelines exist but are administrative, not statutory. Post-Puttaswamy, a retained fingerprint database with no deletion policy for records of acquitted individuals is constitutionally vulnerable to challenge.

For database access controls, the proportionality standard implies that access to biometric databases should be restricted to the purpose for which the data was collected. A fingerprint collected for immigration control cannot, under proportionality reasoning, be made available to a tax authority without fresh legal authority. This functional separation of databases is now explicitly required by the DPDP Act's purpose-limitation principle (Section 6(1)) and by GDPR Article 5(1)(b). The Aadhaar Act attempts this through the Section 29 prohibition on sharing identity information for non-Aadhaar purposes, and UIDAI's technical architecture isolates the biometric database from the authentication result (which confirms only "yes/no" without revealing the biometric template).

For oversight and audit, the Puttaswamy standard's procedural-safeguard component requires that biometric systems have independent oversight mechanisms that can detect and correct misuse. This translates to audit logging of all database queries (who queried, against which records, for what stated purpose), independent review of querying patterns to detect function creep, and accessible mechanisms for individuals to challenge incorrect records. The GDPR Article 15 right of access and the DPDP Act Section 11 right of access both give individuals a mechanism to discover what biometric data is held about them, which creates a practical audit trail beyond the official one.

1. Establish a documented legal basis before collection
   Identify the specific statutory provision authorising biometric collection (for government: the enabling Act or constitutional provision; for private entities: the DPDP Act legitimate use or GDPR Art 9(2) exception). Document the necessity and proportionality analysis before any collection begins. For BIPA-covered activities, obtain written releases before the first scan.
2. Define a retention schedule tied to the purpose
   Set a specific retention period in the system design, not in the SOP manual. Systems should auto-delete records when the purpose lapses (conviction expiry, case closure, employment termination). Retention periods should be publicly stated where required (GDPR Art 30, BIPA written policy).
3. Implement purpose limitation at the system level
   Design database access controls so that queries from one functional area (e.g. criminal investigation) cannot access records collected for another purpose (e.g. immigration). Log all cross-purpose access attempts as exceptions for review.
4. Conduct and publish a Data Protection Impact Assessment
   GDPR Art 35 requires a DPIA for high-risk biometric processing. The DPIA should cover data flows, identified risks, proportionality analysis, and safeguards. R (Bridges) found the absence of adequate demographic-bias assessment in the AFR DPIA to be a legal defect.
5. Build an independent oversight mechanism
   Designate an oversight body with authority to audit queries, investigate complaints, and impose remediation. The UIDAI model (a statutory authority with its own grievance redress mechanism) is one approach. GDPR's Data Protection Officer requirement (Art 37-39) is another. The key criterion from Puttaswamy is independence from the operational authority.