Part 6 of 7

Privacy Rights in Cryptocurrency Transactions

Apply Justice K.S. Puttaswamy privacy jurisprudence to cryptocurrency exchanges, KYC requirements, transaction surveillance, and blockchain analytics in the Indian constitutional framework.

Reading Time: ~60 minutes | 6 Sections | Privacy Analysis

6.1 Justice K.S. Puttaswamy v. Union of India (2017): Privacy as Fundamental Right

Landmark Judgment
Justice K.S. Puttaswamy (Retd.) v. Union of India
(2017) 10 SCC 1 | Nine-Judge Bench

Bench: J.S. Khehar CJI, J. Chelameswar, S.A. Bobde, R.K. Agrawal, Rohinton Fali Nariman, A.M. Sapre, D.Y. Chandrachud, S.K. Kaul, S. Abdul Nazeer, JJ.

Date: August 24, 2017

Holding: Privacy is a fundamental right under Article 21 of the Constitution of India

The nine-judge bench decision in Puttaswamy (2017) fundamentally transformed Indian constitutional law by recognizing privacy as a fundamental right under Article 21. This landmark judgment has profound implications for cryptocurrency regulation, particularly regarding KYC requirements, transaction monitoring, and government surveillance of digital asset activities.

The Privacy Right Established

The Court unanimously held that privacy is a fundamental right, overruling the earlier decisions in M.P. Sharma v. Satish Chandra (1954) and Kharak Singh v. State of Uttar Pradesh (1963) that had suggested privacy was not a fundamental right.

"Privacy is the constitutional core of human dignity. Privacy has both a normative and descriptive function. At a normative level privacy sub-serves those eternal values upon which the guarantees of life, liberty and freedom are founded."
- Justice D.Y. Chandrachud, Puttaswamy (2017)

Components of the Privacy Right

The Court identified multiple dimensions of privacy:

  1. Bodily Privacy: Protection against invasions of physical body - medical procedures, drug testing
  2. Spatial Privacy: Protection of personal spaces - home, property, sanctum
  3. Informational Privacy: Control over personal data and information - most relevant to cryptocurrency
  4. Decisional Privacy: Autonomy to make intimate decisions - reproductive choices, sexual orientation

The Three-Fold Test for Privacy Restrictions

The Court established that any restriction on privacy must satisfy a three-fold test:

Prong 1: Legality
The restriction must be by law. Executive action without statutory basis is insufficient. The law must be validly enacted and within legislative competence.
Prong 2: Legitimate Aim
The restriction must serve a legitimate state aim - national security, prevention of crime, protection of revenue, or other recognized public interests.
Prong 3: Proportionality
The restriction must be proportionate to the aim sought. This involves necessity (no less restrictive alternative), minimal impairment, and balancing of costs and benefits.

Application to Cryptocurrency

Every government measure that collects, processes, or monitors cryptocurrency transaction data must satisfy the Puttaswamy three-fold test. This includes KYC requirements, transaction reporting obligations, blockchain analytics, and law enforcement access to exchange data.

6.2 Justice K.S. Puttaswamy v. Union of India (2019): The Aadhaar Judgment

Constitutional Bench
Justice K.S. Puttaswamy (Retd.) v. Union of India (Aadhaar)
(2019) 1 SCC 1 | Five-Judge Bench

Bench: A.K. Sikri, A.M. Khanwilkar, D.Y. Chandrachud, Ashok Bhushan, S. Abdul Nazeer, JJ. (4:1 majority)

Date: September 26, 2018

Holding: Aadhaar Act substantially upheld; Section 57 (private entity use) struck down; bank account and mobile linking requirements set aside

The Aadhaar judgment applied the Puttaswamy privacy framework to evaluate a specific data collection regime. Its analysis of proportionality, data minimization, and the limits of mandatory identity verification has direct relevance to cryptocurrency KYC requirements.

Key Holdings Relevant to Cryptocurrency

1. Section 57 Struck Down

The Court struck down Section 57 of the Aadhaar Act, which permitted private entities to use Aadhaar authentication. This has implications for cryptocurrency exchanges using Aadhaar-based eKYC:

eKYC Implications

Post-Aadhaar judgment, cryptocurrency exchanges cannot mandate Aadhaar-based eKYC as the only verification method. Alternative identity verification mechanisms must be available. Exchanges should offer multiple KYC options.

2. Bank Account Linking Struck Down

The Court held that mandatory Aadhaar-bank account linking was disproportionate. The requirement was set aside except for subsidies and benefits funded from the Consolidated Fund of India.

3. Mobile Number Linking Struck Down

Similarly, mandatory Aadhaar-mobile linking was held disproportionate. Private telecom companies cannot mandate Aadhaar verification.

Proportionality Analysis Applied

The majority applied structured proportionality analysis:

Aspect | Government Position | Court Finding
Legitimate Goal | Prevent fraud, ensure benefits reach intended recipients | Accepted as legitimate
Suitability | Biometric authentication ensures unique identity | Accepted - rational connection exists
Necessity | No alternative achieves same accuracy | Accepted for government benefits; rejected for private use
Balancing | Benefits outweigh privacy costs | Accepted for targeted uses; rejected for universal mandate

Data Protection Principles Articulated

The Aadhaar judgment articulated important data protection principles:

  • Purpose Limitation: Data collected for one purpose cannot be used for unrelated purposes
  • Data Minimization: Only necessary data should be collected
  • Storage Limitation: Data should not be retained indefinitely
  • Security Safeguards: Adequate measures to prevent unauthorized access
  • Accountability: Clear responsibility for data handling

Advising Crypto Exchanges

Cryptocurrency exchanges should implement: (1) Data minimization - collect only what's legally required; (2) Purpose limitation - don't use KYC data for marketing; (3) Retention policies - delete data when no longer needed; (4) Security measures - encryption, access controls; (5) Alternative KYC methods - don't mandate only Aadhaar.

6.3 Informational Privacy in the Digital Age

Informational privacy - the right to control personal data - is the dimension of privacy most relevant to cryptocurrency. Understanding its scope and limits is essential for evaluating KYC requirements, transaction monitoring, and data sharing obligations.

Scope of Informational Privacy

Informational privacy encompasses:

  • Collection: Right not to have personal information collected without consent or legal authority
  • Processing: Right to control how collected information is used
  • Disclosure: Right to prevent unauthorized sharing of personal information
  • Retention: Right not to have information retained indefinitely
  • Access: Right to know what information is held about you
  • Correction: Right to correct inaccurate information

Cryptocurrency-Specific Information

In the cryptocurrency context, informational privacy covers:

Data Type | Privacy Implication | Typical Collection Point
Identity Information | Core informational privacy | Exchange KYC
Wallet Addresses | Transaction linkability | Exchange accounts, blockchain
Transaction History | Financial privacy | Blockchain, exchange records
Holdings/Balance | Financial privacy | Exchange accounts
Trading Patterns | Behavioral profiling | Exchange analytics
IP Addresses | Location, identity | Exchange logs, node connections

The Metadata Problem

Even where transaction content is protected, metadata can reveal significant information:

  • Transaction Timing: Reveals activity patterns
  • Transaction Amounts: Even without knowing parties, amounts reveal financial behavior
  • Transaction Frequency: Indicates commercial vs. personal use
  • Counterparty Patterns: Network analysis reveals relationships

Metadata is Data

Courts increasingly recognize that metadata deserves privacy protection. Collection and analysis of cryptocurrency transaction metadata - even without identity linkage - implicates informational privacy. Any mandatory metadata reporting requirement must satisfy the Puttaswamy test.

6.4 KYC Requirements vs. Privacy: Balancing Framework

Know Your Customer (KYC) requirements are the most significant privacy-impacting regulation in the cryptocurrency space. Understanding how to evaluate KYC requirements against privacy rights is essential for both compliance advice and constitutional challenge.

The AML/KYC Regulatory Framework

KYC requirements derive from multiple sources:

  • PMLA 2002: Prevention of Money Laundering Act requires reporting entities to verify customer identity
  • PMLA Rules: Specify documentation and verification requirements
  • RBI KYC Master Direction: Detailed KYC norms for regulated entities
  • FATF Recommendations: International AML standards

Current KYC Requirements for Cryptocurrency

While cryptocurrency exchanges are not explicitly listed as PMLA reporting entities, many implement KYC voluntarily or based on general AML obligations:

KYC Level | Documentation | Transaction Limit
Basic/Simplified | ID proof, address proof, photograph | Limited transactions
Full KYC | PAN, Aadhaar or equivalent, address verification | Unlimited
Enhanced Due Diligence | Source of funds, purpose of transaction | High-value transactions

Privacy Proportionality Analysis of KYC

Applying the Puttaswamy framework to KYC requirements:

Legality

  • PMLA provides statutory basis for KYC for reporting entities
  • Question: Are cryptocurrency exchanges covered as "reporting entities"?
  • If not explicitly covered, KYC mandates lack legal basis

Legitimate Aim

  • Preventing money laundering - legitimate
  • Counter-terrorist financing - legitimate
  • Tax compliance - legitimate

Proportionality

  • Necessity: Are there less privacy-invasive alternatives? Risk-based approach rather than universal full KYC?
  • Minimal Impairment: Can AML objectives be achieved with less data collection?
  • Balancing: Do AML benefits justify comprehensive identity disclosure for all transactions?

Risk-Based KYC

FATF itself recommends a risk-based approach, not one-size-fits-all. Small transactions present lower AML risk. A proportionate approach might involve: (1) No KYC for small, one-off transactions; (2) Simplified KYC for moderate activity; (3) Full KYC only for high-value or high-risk transactions.

Challenging Disproportionate KYC

KYC requirements may be challenged when:

  • Applied without clear statutory mandate to cryptocurrency
  • More extensive than required for stated AML purpose
  • Applied uniformly without risk differentiation
  • Data retained longer than necessary
  • Data used for purposes beyond AML (marketing, profiling)

6.5 Blockchain Analytics and Transaction Surveillance

Blockchain analytics - the use of sophisticated tools to trace and analyze cryptocurrency transactions - represents a growing form of surveillance that implicates privacy rights. Understanding this technology and its legal implications is essential for cryptocurrency lawyers.

How Blockchain Analytics Works

Blockchain analytics companies use various techniques:

  1. Cluster Analysis: Grouping addresses controlled by the same entity based on transaction patterns
  2. Heuristics: Using common spending patterns to infer ownership
  3. Exchange Tagging: Identifying addresses belonging to known exchanges
  4. Entity Attribution: Linking clusters to real-world identities through various means
  5. Transaction Tracing: Following flow of funds across the blockchain
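
The sketch below is an added example, not part of the original course material. It shows how cluster analysis (here the common-input-ownership heuristic) combined with a single exchange tag exposes a whole group of addresses. Every address, transaction ID and identity tag is constructed, and the function names are hypothetical.

```python
# Constructed sample data: every address, txid and identity tag is made up.
TXS = [
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": ["B1"]},
    {"txid": "t2", "inputs": ["A2", "A3"], "outputs": ["C1"]},
    {"txid": "t3", "inputs": ["D1"], "outputs": ["A1"]},
    {"txid": "t4", "inputs": ["E1", "E2"], "outputs": ["D1"]},
]
# Exchange tagging: one address tied to a KYC record (constructed).
TAGS = {"A3": "kyc-customer-0042"}


def cluster_addresses(txs):
    """Group addresses with the common-input-ownership heuristic (union-find)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        for addr in tx["inputs"] + tx["outputs"]:
            find(addr)  # register every address seen
        # Heuristic assumption: inputs spent together share one owner.
        # It mislinks collaborative transactions such as CoinJoin.
        for other in tx["inputs"][1:]:
            parent[find(other)] = find(tx["inputs"][0])
    clusters = {}
    for addr in list(parent):
        clusters.setdefault(find(addr), set()).add(addr)
    return list(clusters.values())


def attribute(clusters, tags):
    """Entity attribution: one tagged address labels its entire cluster."""
    return {tags[a]: sorted(c) for c in clusters for a in c if a in tags}


def exposed_txids(cluster, txs):
    """Transactions that become linkable to the identity via the cluster."""
    members = set(cluster)
    return [t["txid"] for t in txs if members & set(t["inputs"] + t["outputs"])]


if __name__ == "__main__":
    linked = attribute(cluster_addresses(TXS), TAGS)
    for identity, addrs in linked.items():
        print(identity, addrs, exposed_txids(addrs, TXS))
```

Only A3 was ever disclosed through KYC, yet A1 and A2 and three of the four transactions become attributable to the same customer, which is the privacy impact a proportionality analysis has to account for.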

Privacy Implications

Blockchain analytics can effectively de-anonymize cryptocurrency transactions:

  • Address Re-identification: Linking pseudonymous addresses to real identities
  • Transaction Profiling: Building complete financial profiles from transaction history
  • Network Analysis: Mapping relationships between users
  • Behavioral Analysis: Inferring activities, interests, associations from transaction patterns

The Transparency Paradox

Public blockchains are transparent by design - all transactions are visible. Combined with blockchain analytics and mandatory KYC at exchanges, this creates a system more surveilled than traditional banking. Every transaction is permanently recorded and potentially linkable to real identity.

Government Use of Blockchain Analytics

Law enforcement and tax authorities increasingly use blockchain analytics:

  • ED/FIU: Tracing proceeds of crime in cryptocurrency
  • Income Tax: Identifying unreported cryptocurrency holdings
  • State Police: Investigating cryptocurrency-related crimes
  • NIA: Counter-terrorism investigations involving cryptocurrency

Constitutional Constraints on Blockchain Surveillance

Government blockchain surveillance must satisfy Puttaswamy:

Legality Requirement

  • What statute authorizes blockchain transaction surveillance?
  • Is mere analysis of public blockchain data "collection" requiring authorization?
  • When does analysis become a "search" requiring a warrant?

Proportionality Requirement

  • Mass surveillance of all blockchain transactions vs. targeted investigation
  • Retroactive analysis of years of transaction history
  • Sharing of surveillance data between agencies without specific authorization

Third-Party Doctrine Question
Unresolved in Indian Law

The Issue

US courts have applied the "third-party doctrine": information voluntarily disclosed to third parties loses privacy protection. Blockchain transactions are broadcast to network nodes (third parties).

Indian Position

Puttaswamy suggests privacy protection extends to information shared with third parties. The right is against unauthorized government intrusion, not limited to secret information. A person does not forfeit privacy by using a public blockchain.

6.6 Privacy Advocacy in Cryptocurrency Cases

This section provides practical guidance on raising privacy arguments in cryptocurrency litigation, whether challenging KYC mandates, data retention requirements, or government surveillance.

Structuring Privacy Arguments

  1. Identify the Privacy Interest: What specific informational privacy is at stake? Identity? Transaction history? Holdings? Behavior patterns?
  2. Characterize the Intrusion: What government action intrudes on this privacy? Collection? Processing? Disclosure? Surveillance?
  3. Apply Puttaswamy Test: Does the intrusion satisfy legality, legitimate aim, and proportionality?
  4. Propose Alternatives: What less privacy-invasive measures could achieve the same objective?

Common Privacy Challenges

Challenge 1: Excessive KYC Requirements

  • Argument: Full KYC for all transactions is disproportionate; risk-based approach required
  • Evidence: Low-value transactions present minimal AML risk
  • Alternative: Tiered KYC based on transaction value/frequency

Challenge 2: Indefinite Data Retention

  • Argument: Retaining KYC data indefinitely violates storage limitation principle
  • Evidence: PMLA requires 5-year retention; indefinite retention exceeds statutory mandate
  • Remedy: Data deletion after statutory period

Challenge 3: Warrantless Blockchain Surveillance

  • Argument: Government analysis linking blockchain transactions to identities is a "search"
  • Standard: Should require judicial authorization for non-public information
  • Analogy: Like requiring a warrant for cell-site location data (US Carpenter principle)

Litigation Strategy

When bringing privacy challenges: (1) Build factual record of privacy impact; (2) Present expert evidence on blockchain analytics capabilities; (3) Cite Puttaswamy extensively; (4) Propose specific, workable alternatives; (5) Use international comparisons showing less invasive approaches.

Defensive Privacy Counseling

Advising clients on protecting privacy within legal bounds:

  • Understand Data Practices: Know what data exchanges collect and how long it is retained
  • Exercise Rights: Request data access and deletion where legally permitted
  • Minimize Footprint: Use privacy-preserving practices (multiple wallets, privacy coins where legal)
  • Secure Communications: Use encrypted communications for sensitive matters
  • Challenge Overreach: Don't accept KYC demands beyond legal requirements

Key Takeaways from Part 6

  • Puttaswamy (2017) established privacy as a fundamental right under Article 21
  • Three-fold test: Legality, legitimate aim, proportionality for all privacy restrictions
  • Puttaswamy (2019) struck down private sector Aadhaar use - implications for exchange KYC
  • Informational privacy covers cryptocurrency transaction data, holdings, and patterns
  • KYC requirements must be proportionate - risk-based approach, not universal full KYC
  • Blockchain analytics raises significant privacy concerns requiring constitutional scrutiny
  • Government surveillance of blockchain transactions must satisfy Puttaswamy test