Aadhaar Bill introduced in Parliament

Posted on March 4, 2016 by Vijayashankar Na

Realizing the need to bring legal legitimacy to the Aadhaar scheme and to counter the disruptive behaviour of the opposition parties, the Government has introduced the Aadhaar Bill as a money Bill in the Loksabha. It will therefore not require the mandatory passage in Rajyasabha and hence will go through despite the opposition.

Leaving the political issues aside, the professionals were objecting to the scheme on the grounds that it does not protect the privacy of the individuals.  Now that Aadhaar number has already been issued to a very large section of the population, whatever privacy violations have taken place are a thing of the past. It is not possible to repair this.

Indian citizens therefore have to live with the identity issues associated with the current status  in which the Privacy of people might have been leaked at various user ends such as the LPG gas dealers and Banks.

Naavi has envisaged a separate service that can still protect the Indian citizens from the identity leakage of Aadhaar but it is too large a project for Naavi to bring it out as a pilot project and hence has been kept in the background.

Considering the inevitability of the Aadhaar Bill becoming an Act, let us briefly see what the Bill contains.

The Aadhaar Bill has been named as  “The Aadhaar (targeted Delivery of Financial and other Subsidies, benefits and services) Bill, 2016.

Copy of the Bill is available here

Salient features of the bill are:

  1. As regards the Jurisdiction, it extends to whole of India except the State of Jammu and Kashmir. As regards “Offences” it will be applicable for any offence or contravention committed outside India by any person including foreign nationals.P.S: Since Aadhaar is an electronic document, all aspects of ITA 2000/8 also apply  to aadhaar administration. It is noted that in all the Aadhaar guidance notes, it has been unequivocally indicated that the agencies involved in offering Aadhaar services and dealing with UIDAI on contractual basis will be “Compliant with ITA 2000/8”. Hence all the agencies such as ASAs, ASUAs, AUPs, AUSPs etc need to work on ITA 2008 compliance.
  2. Aadhaar is an “entitlement” of every “Resident” through the process of enrolment by submission of the biometric and demographic environment. Government has retained the option to notify”Other categories”  for enrolment. However what this “Other category” means is unclear. But it can be interpreted that “Citizenship” is not a criteria for issue of Aadhaar and hence even Bangladeshi migrants can get Aadhaar by entitlement. When Aadhaar is further linked to other services such as Bank accounts, any person who has aadhaar can easily merge his identity to that of other citizens. Government is justifying this by declaring that aadhaar is only a scheme meant for distribution of financial benefits . However in due course it will become the primary identification document for Residents (and by extension, the Citizens) and the national security issue remains.
  3. The Aadhar data will be required to be updated by the subjects so that the information( including biometric) remains updated.
  4. The UIDAI may collect service charges for the authentication services that it may provide.
  5. The consent for collection of information will be obtained by the authentication requesting authority.
  6. The requesting authority is responsible to inform the data subject about what information would be used and for what purpose etc. This means that  “Consent” and “Privacy Statement” needs to be exchanged at the time a user submits his information to the requesting authority.
  7. The UIDAI will respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information excluding any core biometric information. In this provision, “Any other information” could mean the address, gender etc where the original concept of UIDAI only providing “Yes” or “No” response could be violated. This could cause certain information security issues.
  8. The biometric information collected is deemed to be “Sensitive Personal Information” under ITA 2008 and will be subject to “Reasonable Security practice” as mentioned under Secion 43A of the Act whether or not UIDAI is considered a “Body Corporate” or not.
  9. The manner and period for which information would be stored would be specified.
  10. Information may be disclosed to a Court  not below the District Judge. Such orders may be issued only after hearing the authority. Information may however be disclosed for reasons of national security without Judicial intervention pursuant to the direction of an officer not below the rank of Joint Secretary. There will be an oversight committee for review and such direction would be valid for a period of 3 months which may be extended by the review committee.
  11. “Impersonation” may be punished with imprisonment of 3 years and fine of Rs 10000/- (Far less than ITA 2008 where an attempt to steal or stealing the identity of a person can carry imprisonment of 3 years plus a fine of Rs 1 lakhs)
  12. An unauthorized modification or an attempt to modify the demographic information is liable for 3 years imprisonment and Rs 10000/- fine. (This also overlaps with ITA 2008 where the imprisonment of 3 years and fine of Rs 5 lakhs is provided.
  13. Unauthorized collection of identity information is punishable with imprisonment of upto 3 years and fine upto Rs 1 lakh.
  14. 14. Unauthorized dissemination of identity information is punishable with imprisonment of 3 years and fine of Rs 10000/- which may extend to Rs 1 lakh for Companies.
  15. Unauthorized access to the CIDR (Central identifies Data Repository), downloading deleting, stealing, disclosing,damaging, denying access, introducing computer contaminant etc of information is liable for imprisonment upto 3 years and fine of Rs 10 lakhs.
  16. Any person tampering with the data in any removable storage medium is also punishable with 3 year imprisonment and Rs 10000/- fine.
  17. Any misuse of information by a requesting authroity is punishable with an imprisonment of 3 years and a fine of Rs 10000/-
  18. Any enrolment agency failing in their duties will be punishable with imprisonment upto 1 year and fine upto Rs 10000/- which may extend to rs 1 lakh for companies.
  19. Residual penalty for offences not specified would be 1 year imprisonment and fine of Rs 1 lakh.
  20. When the offence is committed by a Company the officials may be held guilty unless they prove due diligence.
  21. For enforcing extra territorial jurisdiction the requirement is that act or conduct constituting the offence or contravention involves any data in the CIDR.
  22. The offences will be investigated by Police not below the rank of an Inspector of Police.
  23. No Court will take cognizance of any offence except with the complaint made by the Authority (UIDAI).
  24. No Court inferior to that of a Chief Metropolitan Magistrate or a Chief judicial Magistrate shall try any offence punishable under  this Act.
  25. Government retains the power to supersede the authority in emergent conditions for a period of 6 months.

The Bill being a money bill is signed by Mr Arun Jaitely himself.

The above is a quick overview of the bill and would be discussed in more detail in due course.

Naavi

Some of the earlier articles on the subject published on this website are available here:

Search on the term : UIDAI in posts since 12/12/12  
Search for the term UIDAI in Old Posts

arbitration_logo4

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.