PDPA 2018 and Aadhaar-2

Continuing our discussion on the draft PDPA 2018 (proposed by the Srikrishna Panel) and the proposed amendments to the Aadhaar Act embedded in the report under the Appendix, the following observations can be made.

1. Offline Verification

One of the proposed changes is the introduction of the concept of “offline verification” which is defined as

“a process of verifying the identity of the Aadhaar number holder without authentication through such offline modes as may be specified by the regulations”.

We had a brief discussion on how an “Offline Verification System” could substitute for the present system, in which authentication depends on the provision of biometrics (fingerprints and/or face recognition) at the service provider’s end and a direct connection to the CIDR for real-time verification.

More discussion on how the offline verification system can be designed will be required, and hopefully UIDAI will come up with some innovative ideas of its own. For the time being we shall take this as a suggestion of the Srikrishna Committee to be further explored and developed. But this should be an alternative to the current system of authentication (both through global AUAs and local AUAs, using either the real Aadhaar number or the virtual Aadhaar number) and should reduce the risk of leakage of biometrics during the billions of authentications that will be happening on the system on a daily basis.

2. Consent before Verification

Srikrishna Committee has proposed introduction of Section 8A to the Aadhaar Act which specifies that

(1) Any offline verification of Aadhaar number holder shall take place on the basis of consent provided to such verification by the Aadhaar number holder

(2) Any offline verification-seeking entity shall,

(a) obtain the consent of an individual before verifying him offline, in such manner as may be specified by regulations; and
(b) ensure that the demographic information or any other information collected from the individual for offline verification, if any, is only used for the purpose of such verification.

(3) An offline verification-seeking entity shall inform the individual undergoing offline verification the following details with respect to offline verification, in such manner as may be specified by the regulations, namely: —

(a) the nature of information that may be shared upon offline verification;
(b) the uses to which the information received during offline verification may be put by the offline verification requesting entity;
(c) alternatives to submission of information requested for, if any.

(4) An offline verification-seeking entity shall not:

(a) subject an Aadhaar number holder to authentication;
(b) collect, use or store an Aadhaar number or biometric information of any individual for any purpose;
(c) take any action contrary to any obligations on it, specified by regulations.

It can therefore be observed that the entity seeking verification through the offline process has been mandated to obtain informed consent. This is in any case covered under the PDPA 2018 as well, since the person receiving the information would be a data fiduciary even before he tries to verify the data.

There is a need to recognize one anomaly here. Aadhaar comes into the picture only for “verification” of data already provided by the data principal to the service provider (e.g. a SIM card provider). It is at the time the data principal provides his personal information to the service provider that the service provider is obligated under PDPA 2018 to obtain the necessary consent. The subsequent interaction with UIDAI is not “collection of information”; it is only “verification” of information already collected. So we may argue that no consent would be required from the data principal for the service provider to verify the data with UIDAI. As long as the verification is a binary answer, “Correct” or “Incorrect”, to the parameters submitted, there is no collection of information beyond what the data principal has already given.

The consent suggested may therefore be considered a measure of abundant caution. It may be relevant where the service provider provides only an Aadhaar number and UIDAI sends out the demographic data. This is being followed now but should perhaps be discouraged. The proposed amendment to the Aadhaar Act will perhaps provide the backing for this system, in which data is pushed out of UIDAI to the service provider and a form is populated automatically with the data to be used by the service provider.

3. Purpose Limitation

Aadhaar service providers would be bound by the terms of the consent to use the data only for the specified purpose. This is also reiterated under the amended Section 29(4), which states:

“No Aadhaar number, demographic information or photograph collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for purposes, if any, as may be specified. Provided, nothing in this sub-section shall apply to core biometric information which shall only be governed by sub-section (1).”

The amendment under Section 29(4) restricting the sharing of information addresses the many cases of Aadhaar leakage that we have observed in the past.

4. Civil Penalties

An entirely new Chapter VIA on Civil Penalties, along with Chapter VIB on appeals, is proposed to be added. The civil penalty can extend up to Rs 1 crore and, in the case of continued failure, can extend to Rs 10 lakhs for each day of failure. Civil courts will not have jurisdiction; an appeal from the Adjudicating Authority (to be appointed) goes to the Appellate Tribunal and then directly to the Supreme Court.

5. Criminal Penalties

Under Sections 38 and 39 it is suggested that the term of imprisonment be increased from 3 years to 10 years.

Not obtaining proper consent, unauthorized publication of data or unauthorized use of biometrics is considered a criminal offence that can attract imprisonment of 3 to 10 years with a fine of up to fifty lakhs (Sections 40, 41A, 41B, 41C and 41D).

The punishment under Section 42 (residual penalty) has also been increased from 1 year to 3 years, which possibly makes it a cognizable offence.

In view of the above, it can be stated that the Srikrishna Committee has suggested a substantial hardening of the Aadhaar Act, which should be welcomed.

However, it is strange that we see some objections to the propositions, including the dissent note from one of the members suggesting that the recommendations on Aadhaar were beyond the scope of the committee’s terms.

While we are open to further suggestions and refinements regarding the controls that can be proposed for preventing misuse of the Aadhaar system, it is necessary to record that the recommendations are welcome.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.