Aadhaar Revisited

The ordinance promulgated by the government on March 2, 2019, has once again brought the focus back on the use of Aadhaar and a possible challenge to it in the Supreme Court.

Aadhaar has become an “Instrument of Identity” similar to the “Social Security Number” and similar national identity instruments prevailing in other countries. Even the Supreme Court has conceded that Aadhaar can play a significant role in efficient and transparent governance, and more importantly, in the prevention of corruption.  However, the use of Aadhaar is being repeatedly challenged by privacy activists, alleging that its widespread use could lead to infringement of privacy—a fundamental right of all citizens.

It would, therefore, not be surprising if some privacy activists again knock at the doors of the Supreme Court with a plea to get the ordinance scrapped, perhaps alleging that it is an attempt to violate the principles of privacy laid out in the Supreme Court judgment of September 2018 on Aadhaar (KS Puttaswamy vs Union of India case).

The Puttaswamy judgment raised serious concerns about the use of Aadhaar by private sector companies which had been permitted under Section 57 of the Aadhaar Act. The majority judgment struck down that part of Section 57. Consequently, Section 57 of the Aadhaar Act stood read down with the following effect:

57. Act not to prevent use of Aadhaar number for other purposes under law.

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force. Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

It must be recognised that the Puttaswamy judgment did not impose a blanket ban on the use of Aadhaar, either by the government or other entities. It only prohibits the use of Aadhaar under any contract not pursuant to any law. The Court therefore suggested that a proper law should be passed to enable the use of Aadhaar.

The citizens of the country are well aware of the fact that Aadhaar is an “Identity Infrastructure” created by two successive governments at enormous cost to the people of the country. Therefore, it is illogical to block the use of this infrastructure to be harnessed fully for the benefit of the citizens.

However, after the Puttaswamy judgment, the private sector stopped using Aadhaar as an identity management tool since the widely used Aadhaar authentication-based e-KYC system was not part of the Aadhaar Act.

The e-KYC system used for Aadhaar was part of the notified rules of the Controller of Certifying Authorities for e-Sign as an electronic signature under Section 3A of the Information Technology Act, which may be considered as an extension of a statutory base for its use in that context. But KYC which was part of many other regulations such as the RBI guidelines was more of an administrative guideline or a best practice adopted by the industry.

Hence, the government was under an obligation to clarify the use of Aadhaar by private sector companies by enacting suitable legislation so that it became part of Section 57 after its partial striking down by the Supreme Court.

Further, the Justice Srikrishna Committee on Data Protection had recommended a full set of amendments to the Aadhaar Act in an appendix to its report. While the government had introduced the Personal Data Protection Bill as recommended by the Srikrishna Committee, it had to introduce the Aadhaar-related amendments recommended by the committee as a separate amendment bill.

The government was therefore correct in introducing the Aadhaar (Amendment) Bill on January 2, 2019. Though this Bill was passed by the Lok Sabha, it could not be passed in the Rajya Sabha during the current tenure and hence lapsed. In order to ensure that the private sector is not inconvenienced due to the lack of a lawful process of using Aadhaar, the government came up with the Aadhaar ordinance.

Hence, sufficient justification can be provided for the need for the ordinance and its promulgation by the government at this point of time.

Key Provisions of the Ordinance

Some of the key provisions of the ordinance which we can take note of are as follows:

  • The ordinance completely removes Section 57 of the Aadhaar Act though only a part of it had been struck down by the Supreme Court. The other changes are meant to offset the adverse effect of the removal of Section 57.

This was an unwarranted overreaction by the government.

  • A distinction is sought to be made between the use of Aadhaar for “Authentication” and “Verification” and the concepts of “Offline Verification” and “Voluntary Permission to use Aadhaar based on an Informed Consent”. However, the distinction made between “Authentication” and “Verification” is very fragile and may require reconsideration.

“Offline Verification” is defined as a “process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by regulations” [Proposed amended section 2(pa)]. On the other hand, “Authentication” is defined as “a process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it” [current section 2(c)]. The distinction made out appears to be merely a play of words and would be difficult to justify.

  • A fairly large civil penalty of up to Rs 1 crore has been introduced for each violation in case any entity in the Aadhaar ecosystem fails to comply with the provisions of the ordinance.

The imposition of the penalty is supported by the proposal for appointment of one of the officers of the UIDAI as an adjudicator and TDSAT as the appellate authority. After a matter is decided by the TDSAT, further appeals would lie directly before the Supreme Court, thus completely eliminating the role of the high courts.

In case of Cyber Appeals, further appeals from TDSAT go to the respective state high courts and a similar provision could have been made in the Aadhaar Act also since many of the members of the Aadhaar ecosystem could be small entities across the country, and a TDSAT with a presence only in Delhi without sittings and benches elsewhere would create a huge financial burden on the litigants.

This provision has been made to make the work of UIDAI easy at the cost of inconveniencing the litigants.

  • The criminal penalty prescribed under Sections 38 and 39 of the Act has been enhanced from imprisonment of 3 years to 10 years and the imprisonment term under other sections has also been enhanced, thus making the law more stringent.

This should please the privacy activists.

  • In a consequential amendment to the Indian Telegraph Act, telecom companies have been permitted to use Aadhaar for identification with options being made available to the public to use alternative modes of identity verification.

This provision comes as a big relief to telecom operators.

  • In a consequential amendment to the Prevention of Money Laundering Act, 2002 (PMLA 2002), the use of Aadhaar has been permitted for banking companies while others may use Offline Verification and other alternatives.

The Fintech industry is not happy with their exclusion. Perhaps those Fintech companies which are not “Banking Companies” but are registered in some regulatory category with RBI or SEBI could be provided the use of Aadhaar.

  • The ordinance includes “Virtual Identity” also as an “Aadhaar number” [Proposed amended section 2(a)].

This has defeated the very purpose of introduction of the Virtual Aadhaar ID, and the government has missed an opportunity to declare it as a derivative service which does not violate the privacy of the Aadhaar holder particularly when it is used without the use of biometrics.

In summary, it can be stated that the “Ordinance” was perhaps justified but some of the provisions of the ordinance must be revisited when the Bill is finally taken up for discussion when the next Parliament meets.

It can also be stated that there is no need for any immediate judicial challenge to the ordinance since its life span is short and it will come up for automatic reconsideration within the next six months.

Naavi

[This is a reproduction of article earlier published in India Legal magazine]

This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.