In 2017, the Supreme Court originated the new fundamental right – right to privacy – by interpreting Article 21 of the Constitution of India.[1] The Supreme Court in its detailed order explains the various facets of privacy, one of which is informational privacy. On the same occasion, the Court laid out a test that can be used to check if any activity of the State violates the right to privacy. In this article, we would delve into one such act of the State.
The Central Government issued a Notification[2] on 31-8-2020 and specified “Scheduled Commercial Banks” as a ‘body’ under Section 138(1)(a)(ii) of the Income Tax Act, 1961[3] that has been empowered to seek any information with regards to an assessee from the data repository of the tax authorities.
It is pertinent to mention that prior to the aforesaid notification, only statutory and governmental authorities like SEBI, MCA and the likes were notified and, in consequence, legally permitted to obtain relevant information in connection with an assessee from taxation authorities. Also, the Government had specified in the notifications the types of information and procedures for request of information and its furnishing by the tax authorities (under certain circumstances). The notifications dictated the broad contours of limitations and mechanism for the exchange of taxation data by the tax authorities.
The term “Scheduled Commercial Banks” is defined under Section 2(e) of the Reserve Bank of India Act, 1934[4] which includes all types of the bank i.e. public, private and international banks. The current number of banks listed under the said Schedule is 225.
Prior to the Notification dated 31st August, the Scheduled Commercial Banks had to take recourse to Section 138(1)(b) of the Income Tax Act which essentially provides for making an application to the income tax authorities for obtaining the particular piece of information from any income tax authorities. Such application was given due consideration on a case-to-case basis.
Now the big question arises as to “Whether the furnishing of tax information of any individual to banks without the consent of individuals concerned, or assessees (in the parlance of the Income Tax Act), violates the right to privacy under Article 21?”
Before analysing the above question, we need to first examine whether the information obtained by the tax authorities is personal enough and ought to receive the protection of the right to privacy that has been recognised as a fundamental right by the Supreme Court in K.S. Puttaswamy v. Union of India [5](Privacy judgment).
There are various examples in both regulations and judicial pronouncements conferring tax information as an intrinsic part of one’s privacy. For the purposes of our inquiry, regulations and judicial pronouncements ought to be looked at and there is sufficient jurisprudence to conclude that tax information forms a part and parcel of one’s privacy. For example, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011[6] which includes ‘financial information’ as part of “sensitive personal data or information” in Rule 3.
As for the judicial pronouncement, R.F Nariman, J. in the Privacy judgment[7] penned “Taxation laws which require the furnishing of information certainly impinge upon the privacy of every individual which ought to receive protection.”
In Girish Ramchandra Deshpande v. Central Information Commr.[8], the Supreme Court held:
“13. The details disclosed by a person in his income tax returns are “personal information” which stand exempted from disclosure under clause (j) of Section 8(1) of the RTI Act”
The abovementioned regulation and judgment beg the point that information furnished to tax authorities falls inside the ambit of private information. However, it must be stressed sufficiently that, there is no explicit mention of “tax information” as part of sensitive personal data in any of the legislation. Also, the Data Protection Bill, 2019[9] introduced in Parliament in the monsoon session does not include tax information as part of financial data or ‘sensitive personal data’. This is a clear omission by the legislators and speaks volumes of the legislative intent. Now prima facie any prudent person can deduce that this is a clear invasion of privacy of the taxpayer.
In the Privacy judgment[10], the Supreme Court of India introduced the three-fold requirement for any law/regulation to invade the right of life and privacy. The three-fold requirement is:
- Legality, which postulates the existence of law – it is clear that no specific legislation has been passed by Parliament on sharing the data with the scheduled commercial banks rather a gazette notification has been published to this effect. The gazette notification is a method of publication and giving effect to the particular Act/ Rule/Order and it cannot, in itself held to be the existence of law. The Supreme Court in T.C. Bhadrachalam Paperboards v. Mandal Revenue Officer[11] held:
“The object of publication in the Gazette is not merely to give information to the public. Official Gazette, as the very name indicates, is an official document. It is published under the authority of the Government. Publication of an order or rule in the Gazette is the official confirmation of the making of such an order or rule. The version as printed in the Gazette is final.”
The two takeaways from the above judgment are that gazette notification is to provide information to the public about the Act/Rule and secondly, it acts as an official document, nothing more nothing less.
Thus, the requirement of the existence of law is not met.
- Need, defined in terms of the legitimate State aim or larger public interest. Section 138(1)(a) provides the sharing of information to enable officers, authorities, and bodies to perform his/her duties under that law. The officers, authorities, and bodies are notified by the Central Government which in its opinion is necessary for “public interest”.
The notification in question does not specify any “public interest” that it aims to achieve, nor does it point out how to achieve that public interest.
As for any duties to be performed under law, the commercial banks are governed by the Reserve Bank of India Act, 1934, and the Banking Regulation Act, 1949[12]. Both these statutes do not cast any correspondent duty or requirement on the bank to collect or gather data from the tax authorities.
Generally, the objects and aim of any Act are mentioned before the starting of any Act/statute. The object and aims show the intention of the legislature in passing that Act. Since no specific legislation has been passed in this case, it cannot be found out what the actual aim is.
We can draw a logical analogy provided by Union of India in Aadhar case[13] where the Attorney General contended that the Aadhar Act aims to provide subsidies to the real beneficiary directly into their bank accounts – the public interest – which is provided under Section 7 of the Act.
Thus, it is quite clear that both Section 138 and the Notification dated 31st August do not provide any legitimate State aim to provide the information to scheduled commercial banks. The section and notification are vague and ambiguous as to what to achieve.
- Proportionality, which ensures a rational nexus between the objects and the means adopted to achieve them – since in the present case the ‘object’ (legitimate State aim) is absent, it will be pretty tedious to observe any rational nexus between the object and means adopted to achieve them.
In my opinion, the first two requirements are not met, therefore the question as to proportionality does not arise in this case.
From the above discussion, the Notification dated 31st August does not meet the three-fold requirement that is laid down in Privacy judgment[14].
The Supreme Court in Aadhar judgment[15] had specifically struck down Section 57 of the Aadhaar Act, 2016 which provides any ‘body corporate’ to use Aadhaar for establishing identity. The Court held:
“(c) Apart from authorising the State, even ‘anybody corporate or person’ is authorised to avail authentication services which can be based on the purported agreement between an individual and such body corporate or person. Even if we presume that the legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities.”
Similarly, the notification in question will provide tax information to banks which then can be used for commercial exploitation and data mining. The information revealed in one’s tax return is at the heart of informational privacy; the sharing of such information will amount in all certainty to the violation of the right to privacy. The other important thing that betrays fairness is that all the data sharing is done behind the curtains. Therefore, from all the reasons stated above, Section 138 of the IT Act and the notification allowing sharing of information with commercial banks is in violation of Article 21 of the Constitution of India.
*Author is an advocate practising in Punjab and Haryana High Court and is an alumnus of Jindal Global Law School.
[1] K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1
[2] F. No. 22S/136/2020-IT A.II Notification No. 71 /2020 dated 31.08.2020
[4] Reserve Bank of India Act, 1934
[6] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
[7] K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1
[8]Girish Ramchandra Deshpande v. Central Information Commr., (2013) 1 SCC 212 on p. 217
[9] Personal Data Protection Bill, 2019. The Bill has been referred to a Joint Parliamentary Committee of both the Houses.
[10] K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1
[11] I.T.C. Bhadrachalam Paperboards v. Mandal Revenue Officer, (1996) 6 SCC 634 on p. 645
[12] Banking Regulation Act, 1949
[13] K.S. Puttaswamy v. Union of India, (2019) 1 SCC 1
[14] K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1
[15]Ibid.