Aadhaar Judgement-7… Can the Private Sector use Aadhaar for Authentication?

Posted on October 5, 2018 by 98410spice

This is a continuation of the earlier articles on the topic

Continuing our discussion on the Judgement of the three Judges, Dipak Mishra, A K Sikri and A W Khanwilkar, responding to the first issue answered by them namely,

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?

Incidental Issues:

(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

the judges have responded….

(v) That portion of Section 57 of the Aadhaar Act which enables body corporate and individual to seek authentication is held to be unconstitutional.

The Section 57 has been one of the widely discussed aspects of the judgement since it has a a direct impact on the industry.

The section states:

57. Act not to prevent use of Aadhaar number for other purposes under law.

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:
Provided that the use of Aadhaar number under this section shall be subject to the
procedure and obligations under section 8 and Chapter VI.

Interesting debate happenned on this section and has been discussed in detail in the body of the judgement. But what is important is to look at this operating part of the judgement.

We can also simultaneously see the clear conclusion that is included in the Justice Ashok Bhushan’s judgement which states,

Section 57, to the extent, which permits use of Aadhaar by the State or any body corporate or person, in pursuant to any contract to this effect is unconstitutional and void. Thus, the last phrase in main provision of Section 57, i.e. “or any contract to this effect” is struck down.

The three member judgement stated that “that part of Section 57 that enables a body corporate and the individual to seek authentication is unconstitutional”. If we interpret that this “that part” relates to the entire section, then it means that Body corporate cannot use the Aadhaar authentication even  “Purusant to any law” .

This would look illogical since even “Privacy” is not an “Absolute Right” under the Constitution and the Parliament cannot be prevented from making a law which it considers suitable if it can justify that it does not violate the principles of fundamental rights subject to reasonable restrictions. Justice Ashok Bhushan has expressed his views with clarity but the three judges have not drafted this part of the judgement properly and left the words “That part” to be interpreted more widely than necessary.

But the same judges in the later part of their Issues-Answers,  in page 560 of the judgement., point 4, answer (h), state as follows:

Insofar as Section 57 in the present form is concerned, it is susceptible to misuse inasmuch as:

(a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such “law” is made, it would be subject to judicial scrutiny.

(b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible
as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met.

(c) Apart from authorising the State, even ‘any body corporate or person’ is
authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and
demographic information by the private entities. Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.

In this part of the judgement, the judges accept the power of the State to make law though such law also is subject to review. The section 57 is meant for both the State and the Body Corporates and for use both under a law or under a contractual agreement.

The intention of the judges appears to be to say that the individual and a body corporate cannot enter into a contract where by the body corporate can seek Authentication of Aadhaar data. But unlike Justice Ashok Bhushan, the other judges in their combined judgement failed to word their intentions without ambiguity.

As a result of this ambiguity, some are interpreting the judgement as if body corporates are completely barred from using Aadhaar.

We record our serious reservation to this interpretation because the Aadhaar infrastructure has been created out of public funds and it is a national resource. There is therefore no reason to prevent its wide usage as long as the Privacy concerns including Surveillance concerns are addressed.

The Court failed to also consider that the use of Aadhaar by private sector companies with biometric is already restricted only to “Global AUAs” like Banks. Other entities which are licensed as “Local AUAs” are barred from seeking authentication on the basis of Aadhaar number.

However, an Aadhaar number holder can generate a different random ID called “Virtual ID” (VID) which is a 16 digit number  as against the 12 digit Aadhaar number and is issued by UIDAI on request to the Aadhaar holder. This number can be used for purposes such as self identification since a body corporate can verify the correctness of the demographic information provided by an individual with reference to the VID.

When VID is presented to a body corporate along with some demographic parameters that need to be verified, the body corporate can submit the parameters one by one along with the VID and at the other end, UIDAI will provide a service which says whether the parameter as presented is correct or incorrect. For releasing this verification, the UIDAI may use the mobile OTP as a second factor authentication.

In this process, UIDAI does not dump the demographic information to a body corporate nor the body corporate collect the biometric nor the Aadhaar number. UIDAI is the only authority that knows the mapping between the VID and the Aadhaar ID.

This VID is a service that is being offered by UIDAI and has been mandatory from around July 1st 2018.

It is true that not all private sector companies have migrated from the use of Aadhaar number to VID and most of the Aadhaar users are not aware of the VID. But this is a different issue to be resolved by the industry and is not an issue on which Supreme Court should bar the usage .

It was surprising that the Supreme Court in its judgement did not make a special mention of the availability of VID. It completely ignored it as if it is not relevant at all. It is true that VID is not Aadhaar and hence it was not the subject matter of the petiton. But it would have been prudent for the Supreme Court to have made a mention of the VID so that the public would have become aware that there is an alternative which the private sector companies have ignored for some time and can be used now.

The use of VID for verification of demographic information as presented by an Aadhaar user (without populating the form at the user end with a dump of data from the UIDAI) particularly without biometric should have been ideally pointed out by the Court.

Nevertheless the judgement by ignoring to refer to VID has confirmed that VID is not Aadhaar and its use is not affected by any part of this judgement.

It is however better for the Government to include the use of VID as an acceptable method of verification of personal data in the PDPA 2018 draft.

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

This entry was posted in Cyber Law. Bookmark the permalink.

2 Responses to Aadhaar Judgement-7… Can the Private Sector use Aadhaar for Authentication?

  1. Pingback: Aadhaar Judgement-8: Limited use | Naavi.org

  2. Pingback: Recent Developments in PrivacyProtection in India – Privacy Knowledge Center

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.