{"id":8257,"date":"2018-10-05T18:49:47","date_gmt":"2018-10-05T13:19:47","guid":{"rendered":"https:\/\/www.naavi.org\/wp\/?p=8257"},"modified":"2018-10-05T18:49:47","modified_gmt":"2018-10-05T13:19:47","slug":"aadhaar-judgement-7-can-the-private-sector-use-aadhaar-for-authentication","status":"publish","type":"post","link":"https:\/\/www.naavi.org\/wp\/aadhaar-judgement-7-can-the-private-sector-use-aadhaar-for-authentication\/","title":{"rendered":"Aadhaar Judgement-7… Can the Private Sector use Aadhaar for Authentication?"},"content":{"rendered":"

This is a continuation of the earlier articles on the topic<\/strong><\/a><\/p>\n

Continuing our discussion on the Judgement of the three Judges, Dipak Mishra, A K Sikri and A W Khanwilkar, responding to the first issue answered by them namely,<\/p>\n

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?<\/p>\n

Incidental Issues:<\/strong><\/p>\n

(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of\u00a0biometric data?
\n(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?<\/p>\n

the judges have responded\u2026.<\/p>\n

(v) That portion of Section 57 of the Aadhaar Act which enables body corporate and individual to seek\u00a0authentication is held to be unconstitutional.<\/span><\/p>\n

The Section 57 has been one of the widely discussed aspects of the judgement since it has a a direct impact on the industry.<\/p>\n

The section states:<\/p>\n

57. Act not to\u00a0prevent use\u00a0of Aadhaar\u00a0number for\u00a0other\u00a0purposes\u00a0under law.<\/strong><\/p>\n

Nothing contained in this Act shall prevent the use of Aadhaar number for\u00a0establishing the identity of an individual for any purpose, whether by the State or any body\u00a0corporate or person, pursuant to any law, for the time being in force, or any contract to this\u00a0effect:
\nProvided that the use of Aadhaar number under this section shall be subject to the
\nprocedure and obligations under section 8 and Chapter VI.<\/p>\n

Interesting debate happenned on this section and has been discussed in detail in the body of the judgement. But what is important is to look at this operating part of the judgement.<\/p>\n

We can also simultaneously see the clear conclusion that is included in the Justice Ashok Bhushan’s judgement which states,<\/p>\n

Section 57, to the extent, which permits use of\u00a0Aadhaar by the State or any body corporate or\u00a0person, in pursuant to any contract to this\u00a0effect is unconstitutional and void. Thus, the\u00a0last phrase in main provision of Section 57,\u00a0i.e. \u201cor any contract to this effect\u201d is struck\u00a0down.<\/p>\n

The three member judgement stated that “that part of Section 57 that enables a body corporate and the individual to seek authentication is unconstitutional”. If we interpret that this “that part” relates to the entire section, then it means that Body corporate cannot use the Aadhaar authentication even\u00a0 “Purusant to any law” .<\/p>\n

This would look illogical since even “Privacy” is not an “Absolute Right” under the Constitution and the Parliament cannot be prevented from making a law which it considers suitable if it can justify that it does not violate the principles of fundamental rights subject to reasonable restrictions. Justice Ashok Bhushan has expressed his views with clarity but the three judges have not drafted this part of the judgement properly and left the words “That part” to be interpreted more widely than necessary.<\/p>\n

But the same judges in the later part of their Issues-Answers,\u00a0 in page 560 of the judgement., point 4, answer (h), state as follows:<\/p>\n

Insofar as Section 57 in the present form is concerned, it is\u00a0susceptible to misuse inasmuch as:<\/p>\n

(a) It can be used for\u00a0establishing the identity of an individual \u2018for any purpose\u2019. We\u00a0read down this provision to mean that such a purpose has to be\u00a0<\/strong>backed by law.<\/strong> Further, whenever any such \u201claw\u201d is made, it\u00a0would be subject to judicial scrutiny.<\/p>\n

(b) Such purpose is not\u00a0limited pursuant to any law alone but can be done pursuant to\u00a0\u2018any contract to this effect\u2019 as well. This is clearly impermissible
\nas a contractual provision is not backed by a law and, therefore,\u00a0first requirement of proportionality test is not met.<\/p>\n

(c) Apart from\u00a0authorising the State, even \u2018any body corporate or person\u2019 is
\nauthorised to avail authentication services which can be on the\u00a0basis of purported agreement between an individual and such\u00a0body corporate or person. Even if we presume that legislature\u00a0did not intend so, the impact of the aforesaid features would be to\u00a0enable commercial exploitation of an individual biometric and
\ndemographic information by the private entities. Thus, this part of\u00a0the provision which enables body corporate and individuals also\u00a0to seek authentication, that too on the basis of a contract<\/strong> between\u00a0the individual and such body corporate or person, would impinge\u00a0upon the right to privacy of such individuals. This part of the\u00a0section, thus, is declared unconstitutional.<\/p>\n

In this part of the judgement, the judges accept the power of the State to make law though such law also is subject to review. The section 57 is meant for both the State and the Body Corporates and for use both under a law or under a contractual agreement.<\/p>\n

The intention of the judges appears to be to say that the individual and a body corporate cannot enter into a contract where by the body corporate can seek Authentication of Aadhaar data. But unlike Justice Ashok Bhushan, the other judges in their combined judgement failed to word their intentions without ambiguity.<\/p>\n

As a result of this ambiguity, some are interpreting the judgement as if body corporates are completely barred from using Aadhaar.<\/p>\n

We record our serious reservation to this interpretation because the Aadhaar infrastructure has been created out of public funds and it is a national resource. There is therefore no reason to prevent its wide usage as long as the Privacy concerns including Surveillance concerns are addressed.<\/p>\n

The Court failed to also consider that the use of Aadhaar by private sector companies with biometric is already restricted only to “Global AUAs” like Banks. Other entities which are licensed as “Local AUAs” are barred from seeking authentication on the basis of Aadhaar number.<\/p>\n

However, an Aadhaar number holder can generate a different random ID called “Virtual ID” (VID) which is a 16 digit number\u00a0 as against the 12 digit Aadhaar number and is issued by UIDAI on request to the Aadhaar holder. This number can be used for purposes such as self identification since a body corporate can verify the correctness of the demographic information provided by an individual with reference to the VID.<\/p>\n

When VID is presented to a body corporate along with some demographic parameters that need to be verified, the body corporate can submit the parameters one by one along with the VID and at the other end, UIDAI will provide a service which says whether the parameter as presented is correct or incorrect. For releasing this verification, the UIDAI may use the mobile OTP as a second factor authentication.<\/p>\n

In this process, UIDAI does not dump the demographic information to a body corporate nor the body corporate collect the biometric nor the Aadhaar number. UIDAI is the only authority that knows the mapping between the VID and the Aadhaar ID.<\/p>\n

This VID is a service that is being offered by UIDAI and has been mandatory from around July 1st 2018.<\/p>\n

It is true that not all private sector companies have migrated from the use of Aadhaar number to VID and most of the Aadhaar users are not aware of the VID. But this is a different issue to be resolved by the industry and is not an issue on which Supreme Court should bar the usage .<\/p>\n

It was surprising that the Supreme Court in its judgement did not make a special mention of the availability of VID. It completely ignored it as if it is not relevant at all. It is true that VID is not Aadhaar and hence it was not the subject matter of the petiton. But it would have been prudent for the Supreme Court to have made a mention of the VID so that the public would have become aware that there is an alternative which the private sector companies have ignored for some time and can be used now.<\/p>\n

The use of VID for verification of demographic information as presented by an Aadhaar user (without populating the form at the user end with a dump of data from the UIDAI) particularly without biometric should have been ideally pointed out by the Court.<\/p>\n

Nevertheless the judgement by ignoring to refer to VID has confirmed that VID is not Aadhaar and its use is not affected by any part of this judgement.<\/p>\n

It is however better for the Government to include the use of VID as an acceptable method of verification of personal data in the PDPA 2018 draft.<\/strong><\/p>\n

Naavi<\/p>\n

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.<\/strong><\/em><\/p>\n

\n

\"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

This is a continuation of the earlier articles on the topic Continuing our discussion on the Judgement of the three Judges, Dipak Mishra, A K Sikri and A W Khanwilkar, responding to the first issue answered by them namely, (1) … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_editorskit_title_hidden":false,"_editorskit_reading_time":0,"_editorskit_is_block_options_detached":false,"_editorskit_block_options_position":"{}","_uag_custom_page_level_css":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-8257","post","type-post","status-publish","format-standard","hentry","category-cyber-law"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false,"post-thumbnail":false},"uagb_author_info":{"display_name":"98410spice","author_link":"https:\/\/www.naavi.org\/wp\/author\/98410spice\/"},"uagb_comment_info":2,"uagb_excerpt":"This is a continuation of the earlier articles on the topic Continuing our discussion on the Judgement of the three Judges, Dipak Mishra, A K Sikri and A W Khanwilkar, responding to the first issue answered by them namely, (1) … Continue reading →","_links":{"self":[{"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/posts\/8257","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/comments?post=8257"}],"version-history":[{"count":1,"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/posts\/8257\/revisions"}],"predecessor-version":[{"id":8258,"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/posts\/8257\/revisions\/8258"}],"wp:attachment":[{"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/media?parent=8257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/categories?post=8257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.naavi.org\/wp\/wp-json\/wp\/v2\/tags?post=8257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}