Introduction
The Apex Court by and large upheld in its verdict of Justice K. S. Puttaswamy (Retd.) and Anr. vs Union of India And Ors,[1] the constitutionality of the Aadhaar project. On the flip side, it also struck down some of the major provisions of the Aadhaar Act. Since then, there are continuous speculations over the prospective amendments to the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act.
To squarely address concerns of the Court in relation to the unconstitutional part of the Act, the government introduced the Aadhaar and other laws (Amendment) Bill, 2018 (“The Bill”) in the ongoing winter session of the Parliament. However, the introduction of the Bill without any public consultation has attracted a lot of criticism, especially in absence of data protection law, as the Aadhaar Project has been the subject of extensive and serious deliberations last year.
As the Bill has potential to impact on issues like privacy of citizens, working model of private entities, etc., there is a need to understand the mechanism and concerns related to amendments. Such analysis will determine whether the bill is in accordance to the verdict of the Supreme Court or just a premature convoluted effort.
The Aadhaar Judgement, 2018
In its landmark decision, the Supreme Court upheld the constitutionality of the Aadhar Act, validating the route of money bill for its legislative passage. It struck down the mandatory usage of Aadhaar eKYC for authentication by private entities; thereby limiting use of it to the extent of law. However, the wording of judgement left the stance on voluntary use of Aadhaar unclear.[2] Moreover, it laid down that the contractual use of Aadhaar is not constitutional since it violated the proportionality test under the Justice Puttaswamy Judgement.[3] The Judgement also rules that allowing any body-corporate or person to allow authentication services, that too via a contract, would enable commercial exploitation of an individual’s biometric and demographic information by the private entities. To understand the Aadhaar judgement, read our blog about it here.
Justice B.N Srikrishna Committee’s Report
It is pertinent to note highlights of the report on data protection, which have suggested multiple changes in the Aadhaar Act. The report specifically suggested that the draft data protection bill shall require the government to make changes to the Aadhaar Act. It said:
However, it is salient that the data protection regime proposed by the committee will require close introspection by the government on various aspects pertaining to the existing functioning of the UIDAI.”
In the context of surveillance, it observed that “executive review alone is not in tandem with comparative models in democratic nations” quoting examples of Germany, UK, and South Africa. The report has thus endorsed a judicial/independent oversight mechanism.[4]
Analysis: Mechanism and Concerns Related to the Bill
The Aadhar and other laws (Amendment) Bill, 2018, proposes an arrangement in which every client, beneficial owner, or individual is allowed to be identified by private entities. The entities can seek only the identification of such person if he/she voluntarily chooses one of the modes of identification as given in the Bill, i.e. Aadhaar KYC (Know Your Customer) “through such offline modes as may be specified by regulations”, KYC through passport (Issued under Section 4 of the Passports Act, 1967) or other official verification documents, or e-KYC through Aadhaar.
Online Authentication: Voluntary but Still Mandatory?
It is important to note that the e-KYC as mentioned in the Bill is the process of authentication allowed to be done by a banking company (as per the Prevention of Money Laundering Act), and by persons licensed to ‘establish, maintain, or work a telegraph’ (telecom operators and ISPs).
This is included in the proposed Bill despite the fact that Section 57 of the Aadhaar Act has been held partially unconstitutional by the Supreme Court on the premise that it enabled private authentication by entities. The Bill to rectify this concern seeks to delete Section 57, but on the other hand, it is allowing the authentication of users’ identity by amending the Section 4 of the Act. It also introduces Section 5, which says:
“Every Aadhaar number holder to establish his identity, may voluntarily use his Aadhaar number in physical or electronic form by way of authentication or offline verification, or in such other form as may be notified, in such manner as may be specified by regulations.”
Therefore, with the help of the word ‘voluntarily’ the Bill is seeking to continue the process of online authentication which is in violation of the Aadhaar Judgement if not backed by law of Parliament. For this government has introduced Section 5(7) in the Bill says:
“Notwithstanding anything contained in the foregoing provisions, mandatory authentication of an Aadhaar number holder for the provision of any service shall take place if such authentication is required by a law made by Parliament.”
As the wording of judgement is unclear about its stance on voluntary authentication. Taking the cover of such judicial opinion, government is seeking to keep the scope available for mandatory linking of Aadhaar.[5]
This is the reason why government is introducing amendments to the Indian Telegraph Act, 1985 and the Prevention of Money-Laundering Act, 2002; in order to allow the online use of Aadhaar by telcos and banking companies in the garb of law of Parliament.
Aadhaar for KYC under the Telegraph Act and under the PMLA for Banking and Financial Services
The government through Section 4(a) of the Bill is also keeping the windows open for other types of private ‘entities’ to use Aadhaar eKYC by putting one single check to it i.e. if they will meet the required standards of privacy and security as specified. The proposed amendments also recognise a new term “other reporting entities” that are not only banking companies but in broader sense also includes financial institutions, intermediary or an individual carrying out a designated profession. The inclusion of “reporting entities” under PMLA is a vague term which can result in commercial exploitation of Aadhaar infrastructure.
It gives opportunity to private service providers to access Aadhaar authentication by merely complying with ‘standards of privacy and security’. The major loophole related to the clause is that as there is no comprehensive data protection law or regulation in the country, at present, it is difficult to determine the standards of privacy and security.
Further, even if government satisfies the requirement of ‘standards of privacy and security’, the amendment under PMLA remains unclear as the SC verdict allows Aadhaar authentication for government and subsidiaries whereas the Bill has allowed it for “Banking” services.
Offline Verification
By usage of the term ‘voluntarily’, the government has given the same level of importance to the offline identification using QR code on Aadhaar Card or any other offline mode ‘subject to regulations that are yet to be notified’.The bill allows offline verification of an individual’s identity, without authentication (submission of biometric or demographic information to data servers) through modes that will be specified by UIDAI by further regulations.
But this is in contradiction to the stand of UIDAI itself which has maintained that Aadhaar is only for authentication. As the offline verification is different from authentication, it is a concern that why government and UIDAI are not on same page. Otherwise the offline verification through usage of QR code is a mechanism that is well compliant with the Apex Court’s Judgement as the Bill has proposed Section 5 and 24 that provides the voluntary option to customers.
Last year UIDAI updated such QR codes with photograph and UIDAI digital signature in addition to demographic details of an Aadhaar card holder, but still the problems persist with its usage. As the UIDAI doesn’t certifies the demographic data associated with Aadhar number holder there is no assertion regarding the uniqueness of identity. As the Aadhaar database has never been audited after the enrolments, there is high probability of it being polluted with unauthorised duplicates.
Aadhaar: Not Mandatory for ‘Services’ offered and the Section 7
The Bill emphatically states that no individual can be denied any ‘service’ for not having an Aadhaar number.[6]. There is no clarity at this particular moment whether the ‘service’ in question is one for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India, as described in Section 7 of the Aadhaar Act. As the Bill does not amend Section 7 of the Act, a provision that is at the heart of Aadhaar’s overreach, the government has failed to comply with a significant observation of the Court.
To support the theme additionally, it has proposed an amendment to Section 8 in the Aadhaar Act which provides alternative means of identification if a person fails to authenticate due to any suffering (illness, injury or infirmity). The Bill further asserts that a child shall not be denied any subsidy, benefit or service if his Aadhaar authentication fails.
The Bill introduces Section 3A that allows a person who was enrolled in the Aadhaar infrastructure as a child to opt out within six months of turning eighteen. However, there is no provision to allow an adult to request cancellation of their Aadhaar enrolment, which is specifically given in the Judgement.
Aadhaar Ecosystem and the Overarching Authority of UIDAI
In this line a new definition has been added- ‘Aadhaar Ecosystem’- comprising of enrolled agencies, registrars, verification requesting entities etc. The ‘Aadhaar Ecosystem’ now includes private entities specifically, as earlier there was no oversight over the use, retention, or processing of Aadhaar eKYC data by private entities. The Bill has vested power in UIDAI to appoint employees and officials to discharge its functions, to direct entities in the ‘Aadhaar Ecosystem’ and further impost hefty penalties.[7] These modifications can result in greater compliance by body-entities that are included in ‘Aadhaar Ecosystem’.
The Bill doesn’t provide any opportunity to the Aadhaar card holder to initiate a complaint against any erring ‘Aadhaar Ecosystem’ entity. [8] It has particularly limited such power to take action to the UIDAI under Section 33A(1) of the Act. By being both the regulator and the custodian of data, the UIDAI’s two roles invite conflict. It is illusory to expect the UIDAI to self-report vulnerabilities in the database or lapses in its functioning.
National Security and Surveillance
The Section 33(1) of the Bill provides that the disclosure of information related to Aadhaar data can only be done on the orders of a High Court judge. By the order of HC judge, a district court judge may ask for such disclosure from the Aadhaar Central Identities Data Repository (CIDR). For disclosure upon such orders, UIDAI and the aggrieved person will be given equal opportunity for presenting the case so that the court does not order the release of core biometric details for the purposes of hearing.
Section 33(2) gives the power to order such disclosure of identity to the central government also in the context of ‘national security’ for which the official of secretary-level officer has to merely sign off such request. It is significant to ensure that the ‘national security’ doesn’t become a pretext for absolute power to access such sensitive information.[9] This was observed by the majority bench in the Aadhaar Judgement and the Justice Srikrishna report on data protection.[10]. However, the Bill has absolutely ignored the observation, and thus the absence of judicial involvement remains a concern.
Introduction of Stricter Punishments
Another amendment, most reflective on the Bill is Chapter 6A which introduces civil “penalty for failure to comply with provisions” of the Act. Further, criminal complaints can be filed by an individual whose identity and privacy has been breached.
It is important to note that the penalties were available before as well in the Aadhaar Act. But the Act failed to keep an oversight authority that could have prevent data leaks. The amendment has not provided anything innovative to propose safeguards that report or plug the leaks.
Significant Recommendations
With the amendments introduced to the Aadhaar Act, the Aadhaar identification has given a unique meaning to the eKYC (electronic know your customer), offline and virtual Aadhaar authentication. The amendments will ensure better safety and security.
However, the problems ensue with implementation, and the efforts of the government to improve in this area are underwhelming in the Bill. Without any public consultation, the Bill is now under strict scrutiny of transparency. Due to skipping of the Public Consultation the government has failed to ponder upon the following significant recommendations that it could have incorporated in the Bill:
The government should emphasise more on the voluntary aspect of Aadhaar authentication rather than asserting its mandatory usage on the pretext of ‘backed by law’. The government should draw a clear line between the voluntary aspect and Section 5(7) of the Bill.
The passing of Bill in the absence of standard data protection law or regulations casts light upon the legislative priorities of the government- unclear roadmap for data protection or any informational privacy legislation.
The Bill should also provide adequate provisions to differentiate between a whistle-blower and an offender, and hence the power to file complaints related to breach in Aadhaar records punishable with strict punishment under Section 38 and 39 shouldn’t be limited to the UIDAI.
The government should obliterate the possibilities of excessive delegation that runs throughout the amendments.
The Centre should issue a clarity upon issues subject to further notifications including the supposed ‘privacy and security standards’, which are required to be met before an entity can use Aadhaar for voluntary authentication, and the alternate means of identification.
Conclusion
Reading together all the provisions of Bill, it is certain that government is aware of concerns of the Apex Court from the Aadhaar judgment. It has taken proper consideration of observations of the Court relevant to the Stricter Punishments, UIDAI authority, Aadhaar Eco-System and Offline modes of Verification. But its emphasis on Online Authentication, in acquaint of law, throughout the Bill has weaken its stand. There are multiple provisions which evince that government is adamant to make Aadhaar infrastructure accessible to private entities. Therefore, the next step for government is that it shall issue adequate regulations and notification explicitly and quickly, relevant to all these provisions.
To conclude, while the government has accepted most of the recommendations made by the Justice Srikrishna committee and the SC it has ignored probably the most important recommendation of them all and that is to keep making vital changes [amendments to the Aadhaar Act] hand-in-hand with a new data protection legislation.
[1] Justice K.S. Puttaswamy v. Union of India, WP (CIVIL) NO. 494 OF 2012.
[2] Id. 1, Para 367.
[3] Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
[4] A Free and Fair Digital Economy Protecting Privacy, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, http://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf. (2018)
[5] Suprita Anupam, Does Aadhaar Amendment Bill Violate The Supreme Court’s Verdict ?, Inc42, https://inc42.com/features/does-aadhaar-amendment-bill-violate-the-supreme-courts-verdict/
[6] One of the main issues highlighted by the SC Judgement, along with the issue that Aadhaar enrolment cannot be mandatory. See Supra note 1, Para 220,
[7] Penalties ranging from Rs. 1 crore to additional fines of up to Rs. 10 lakhs per day of an uncorrected violation. See Supra note 1, Para 198.
[8] See Supra note 1, Para 220,
[9] Ananth Padmanabhan, What the Aadhaar Amendment Bill fails to address, The Print, https://theprint.in/opinion/what-the-aadhaar-amendment-bill-fails-to-address/173958/. (2019)
[10] The Justice B.N. Srikrishna Report specifically recommended to provide such power to an official along with a directive authority of a judicial officer, preferably a High Court judge. See Supra note 3.
By Aryan Babele, Executive Editor, RSRR Editorial Board