In a 4-1 verdict on Wednesday, the Supreme Court upheld the Aadhaar project and the Aadhaar Act as constitutional, with Justice DY Chandrachud dissenting. In a disappointing verdict for those who have been fighting against Aadhaar, the majority judgments have held that the Aadhaar project does not create a surveillance state, and instead, meets the three-part test as laid down in Justice KS Puttaswamy's judgment on invasion of privacy.
However, the ruling provided limited relief as several provisions of the Aadhaar Act, regulations and other notifications were either struck down or read down, and these changes are bound to have implications.
The most important change is the partial striking down of Section 57, which had allowed anyone — the State, a body corporate or even an individual — to mandate the use of Aadhaar. The Supreme Court has struck down the portion of this section as applicable to body corporates and individuals, indicating that private parties will no longer be able to mandate Aadhaar. However, the State may continue to do so, but only when the purpose for which Aadhaar is made compulsory is backed by a law. The five-judge bench also struck down the part of the Section 57 that permitted such use with contracts.
Therefore, apart from the mandatory use of Aadhaar to avail of benefits listed in Section 7 of the Aadhaar Act, the State can mandate the unique ID for other purposes when the use is backed by a law. Furthermore, for the law in question, a mere government notification may not suffice. For instance, the court has struck down the Department of Telecommunications' (DoT) order that had made Aadhaar-SIM linking compulsory.
While it had become clear during the course of the hearing that the DoT order had misinterpreted the Supreme Court direction for a verification in the Lokniti Foundation case, the reasoning the court gave in its verdict was that the DoT notification was not supported by a law. This indicates that a formal, statutory enactment is required to justify making Aadhaar mandatory for any service.
Still compulsory for Section 7 benefits
In relation to Section 7 benefits, however, Aadhaar continues to be mandatory. As a result, the use of Aadhaar for schemes, including the Public Distribution System, scholarships, mid day meals, LPG subsidies and so on, will continue to require Aadhaar. The beneficiaries of such schemes, which include a large and vulnerable section of society, will continue to need the unique ID to avail of the benefits of social schemes.
The majority verdict has made note of the issues of exclusion, but it has placed reliance on the State's claims that suitable measures are in place to address the concern. Again, an indication of the Court's intention to retain Section 7 had arisen in the interim order issued in March, which had, in effect, made Aadhaar mandatory for the beneficiaries of such scheme.
No longer mandatory for school admissions
The majority verdict has gone on to clarify that a Section 7 benefit must be an actual "benefit", the expenditure for which is incurred from the Consolidated Fund of India.
This came as a relief to students and their parents, who have been struggling on account of mandatory Aadhaar for admissions, as the Supreme Court has directed that notifications issued by the Central Board of Secondary Education, National Eligibility-cum-Entrance Test, University Grants Commission and so on, whether in relation to school admissions, examinations and competitions, among others, are no valid.
However, Aadhaar will continue to be required for mid day meals, since this is a Section 7 benefit.
Section 139AA stays, Rule 9 on money laundering out
Additionally, Section 139AA of the Income Tax Act has been upheld, thus making Aadhaar mandatory to file I-T returns. However, Rule 9 of the Prevention of Money Laundering (Maintenance of Records) Rules, which had mandated linking Aadhaar with bank accounts and also the need for Aadhaar to open new bank accounts, has been struck down.
A related effect of this is that the recently issued notification of the Reserve Bank of India mandating Aadhaar for KYC purposes, which was issued in view of PMLA's Rule 9 and subject to the Aadhaar verdict, will need to be withdrawn. Therefore, mandatory Aadhaar for KYC processes will no longer be valid. Another consequence of this is that companies relying on e-KYC as a business model are likely to be affected.
No surveillance state, metadata collection struck down
The majority verdict also held that Aadhaar does not create a surveillance state, accepting the State's arguments that only minimal data reaches the Unique Identification Authority of India (UIDAI), thus disabling the possibility of profiling.
To assuage the concerns of the petitioners, the court has taken a few steps: First, it has struck down Rule 27 of the Aadhaar Authentication Regulations on archiving authentication transaction data for five years, as well as Rule 26 of the same on storage of metadata. Instead, it held that authentication transaction data can be recorded for six months only, and also read down Section 2(d) to exclude metadata from the definition of authentication records.
The petitioners had raised collection of metadata during authentication as a key concern as it enabled real-time tracking of the authenticator. The petitioners had demonstrated how this was possible through data, such as the location data, collected and stored when a transaction is carried out. The removal of these requirements addresses surveillance concerns to this extent (only).
Moreover, the removal of metadata from the definition of authentication records also means that if a court order under Section 33(1) of the Aadhaar Act requires authentication records to be shared, the metadata related to the transaction will not be shared.
Limitations to sharing Aadhaar data
Further changes include reading down Section 33(1) of the Aadhaar Act, which allowed information, including identity data and authentication records such as biometric and demographic information, to be disclosed in pursuance of a court order. This was read down to allow the individual whose data is to be shared to be given an opportunity to be heard. This means that before such an order is passed, or even after it is passed, the individual will have the right to present his arguments on why he details should not be disclosed.
Furthermore, Section 33(2), which allowed the same data to be shared for national security purposes, has been struck down. This is a welcome move, considering that the term "national security" has broad and vague scope and could be used to justify any activity including surveillance. Considering recent reports of the police using Aadhaar data for purposes like dealing with first-time offenders or identifying dead bodies, to name a few, these cannot be justified in the name of "national security".
Right to file a complaint and data protection
In another welcome move, the Supreme Court has directed the Centre to amend Section 47 of the Aadhaar Act. Earlier, this provision restricted the right to file complaints for violations of the law only to the UIDAI, but it will not allow individuals to file complaints, as well. This will also necessitate changes to the amendments suggested for the Aadhaar Act through the report accompanying the Personal Data Protection Bill, 2018, which had retained the exclusive right to file complaints with the UIDAI.
The majority verdict also refers to the Supreme Court's directions for a "robust data protection regime" to be in place as one of the safeguards against privacy violations, surveillance concerns and the lack of adequate data protection requirements in relation to Aadhaar. This indicates that unlike the approach set out in the report accompanying the Personal Data Protection Bill, the court intends for the new data protection law — as and when it is enacted — to be applicable to the Aadhaar process, as well.
Aadhaar as a money bill
Lastly, the court, in the majority verdict, was satisfied that the Aadhaar Act met the requirements of a money bill, and thus, upheld the Centre's move to pass the law, as such. Justice Chandrachud, however, differed with this stand and held that bypassing the Rajya Sabha to pass the Aadhaar Act betrayed the Constitution and was akin to fraud.
By and large, the Aadhaar verdict is a disappointment for those arguing against the system, particularly as several concerns — be it surveillance, the unreliability of Aadhaar's identification system, its passing as a money bill in circumvention of constitutional processes, inadequacy of informed consent, the lack of adequate safeguards for exclusion, the huge security compromises in terms of data leaks and so on — have not been addressed adequately in the majority verdict. Relief, if any, is from Justice Chandrachud's strong dissenting verdict, which is unfortunately in the minority.
Overall, the impact of the verdict is to retain Aadhaar; the mandatory requirement to avail of Section 7 benefits and to file I-T returns indicate that for the majority of the Indian population, Aadhaar will continue to be mandatory, and the State has the power to make it compulsory for new purposes. In some relief, the rampant mandating of Aadhaar for multiple purposes and by multiple persons — both public and private— has come to a halt. The requirement of a law, which is itself subject to judicial scrutiny, adds to the fact that Aadhaar cannot be made mandatory for all purposes. Further, subjecting Aadhaar to a data protection law as well as granting people the right to file complaints does reduce some of the UIDAI's sole power over the Aadhaar system.
The author is a lawyer specialising in technology, privacy and cyber laws
Firstpost is now on WhatsApp. For the latest analysis, commentary and news updates, sign up for our WhatsApp services. Just go to Firstpost.com/Whatsapp and hit the Subscribe button.
Updated Date: Sep 26, 2018 23:03:26 IST