Aadhaar Amendment Bill grants broad, vague powers; privacy needs to be priority

A bill to amend the Aadhaar Act, the Aadhaar Amendment Bill, 2018, was introduced in Parliament recently, leading to immediate objections on the lack of prior public consultation as well as questions on its constitutionality. Apart from provisions to bring the Aadhaar Act, 2016, in line with the Supreme Court judgment on Aadhaar, the Bill also introduces several provisions to allow the voluntary use of Aadhaar. This article examines the constitutionality of these provisions. Additionally, the changes proposed to Section 33(2), on disclosures based on national security, are also discussed here.

Summary of changes introduced through the Bill

The Bill introduces many changes to the Aadhaar Act. Firstly, it legalizes the voluntary use of Aadhaar, the offline verification system (such as QR code usage), as well as Virtual ID. The Bill then introduces some changes along the lines of those necessitated by the Aadhaar judgment, such as amending Section 33(1), deleting Section 57, introducing provisions mandating parental consent for children, and giving children the option to opt out.

In addition, the Bill introduces heavy fines up to Rs 1 crore for failing to comply with the Aadhaar Act or cooperate with the UIDAI. It introduces an adjudicatory mechanism involving adjudicatory officers, an Appellate Tribunal, and a final appeal to the Supreme Court. Lastly, the Supreme Court’s direction to allow even individuals to file a complaint under the Aadhaar Act has been incorporated in Section 47.

New procedures for disclosures based on national security

Before discussing the constitutionality of voluntary use of Aadhaar, it is worth noting an obvious omission in the Bill's proposed amendment of Section 33(2) of the Act. This provision deals with the disclosure of information on the grounds of national security, which was required to be done on the basis of an order of the Joint Secretary to the Government of India. The Supreme Court struck down this provision, noting that an order of a higher official, combined with an application of judicial mind, was required.

The Bill now proposes to hand this power to the Secretary to the Government of India but omits to associate a judicial officer as required under the judgment. Part of the issue may be that the judgment itself contains statements capable of various interpretations, a problem that recurs with the voluntary use of Aadhaar as well. Here, Para 424 of the judgment, in dealing with Section 33(2), states that ‘there must be a higher ranking alongwith, preferably, a judicial officer’.

The framing here seems to indicate that the presence of a judicial officer is optional. However, the matter is cleared up in the Summary and Conclusions in the judgment on Page 559, which directs that the higher officer should be accompanied by a judicial officer, and preferably a sitting judge of a High Court. The judgment here, in fact, observed the importance of providing for the application of judicial mind in determining whether the disclosure of information is in the interest of national security. The framing here leaves no doubt that judicial oversight is not optional, and is an essential part of determining disclosures justified on the grounds of national security.

The Bill thus, by omitting judicial oversight here, goes against the judgment on Aadhaar. The need for judicial oversight for disclosures of information was in fact one of the key developments in the Aadhaar case, and a ruling that has led to the questioning of the adequacy of several other laws on the disclosure of information, such as Section 69 of the Information Technology Act, 2000, authorizing interception, monitoring and decryption of information.

The Aadhaar judgment on the voluntary use of Aadhaar

Turning to the provisions on voluntary use, a major consequence of the Aadhaar judgment was that it struck down mandatory use of Aadhaar by private parties. An immediate impact was on disallowing eKYC. However, the wording of the judgment made the stand on voluntary use of Aadhaar unclear, leaving scope for arguments to be made both for and against such use.

To recap, the judgment first required that any use of Aadhaar be through a law. Second, it held that contractual use of Aadhaar was not constitutional since it violated the proportionality test under the Puttaswamy judgment. Third, the judgment ruled that allowing any body corporate or person to allow authentication services, that too via a contract, would enable commercial exploitation of an individual’s biometric and demographic information by private entities.

The use of Section 57 for ‘any purpose’ was thus struck down, and this was limited to use by the State. The judgment, particularly, did not authorize the enactment of a new law, as opposed to contract, allowing private persons to authenticate. An additional point here is that disallowing contractual use of Aadhaar, which is essentially voluntary use (as is argued here), indicates that the voluntary use of Aadhaar is not permissible.

So far the ruling is clear enough that it disallows private use of Aadhaar. The confusion then arises with a comment made in Para 367 of the Aadhaar judgment, which states that ‘if such a person voluntarily wants to offer Aadhaar card as a proof of his/her identity, there may not be a problem’. This statement allows for arguments to be made for and against the intention of the Court with respect to voluntary use of Aadhaar (these issues are argued in detail here).

Changes proposed in the Bill to reinstate eKYC

The Bill shows that the government’s view is that voluntary use of Aadhaar can be permitted via a law. It allows this through a three-fold change, amending the Aadhaar Act, the Indian Telegraph Act, 1885 and the Prevention of Money Laundering Act, 2002. The provisions clearly reinstate the use of eKYC, albeit on a voluntary basis.

Amendments to Aadhaar Act

The amendments to the Aadhaar Act are the most extensive. Section 4 is amended, firstly, to allow any individual to use Aadhaar voluntarily in various forms – physical, electronic, offline, or any other as notified. Next, an entity may perform authentication under two circumstances: if there is a law permitting it to do so, or if the purpose for which the authentication is being done is prescribed by the Central Government with the UIDAI. In both cases, the UIDAI must be satisfied that the entity satisfies regulations on privacy and security (to be prescribed). The UIDAI, further, will decide if the entity can use the actual Aadhaar number or an alternative virtual identity.

An important point here establishing the voluntary nature of this requirement is that the Section goes on to mandate that for all such services, a viable and alternative means of identification must be offered. Further, no person should be denied services for refusing to or failing to authenticate.

Amendments to the Indian Telegraph Act

Next, the amendments to the Indian Telegraph Act permit licensees (such as a telecom service provider) to use Aadhaar on a voluntary basis. This similarly keeps the authentication voluntary, offering 4 options: Aadhaar based biometric authentication, offline verification of Aadhaar, passport or any other Officially Valid Document. Again, no person should be denied any service for not having an Aadhaar number. It also mandates that where Aadhaar-based biometric information is used, the person’s core biometric information and Aadhaar number should not be stored.

Amendments to the PMLA

Lastly, the PMLA is amended to allow the voluntary use of Aadhaar. This applies to reporting entities, which, as per the definition, encompasses banking companies (which includes payment banks), financial institutions (such as insurance companies, chit funds and NBFCs), intermediaries (like stock brokers and depositories) and persons carrying on ‘designated businesses’. The provisions for the Indian Telegraph Act are repeated here, with the additional provision that for entities other than banking companies, biometric authentication may be done only if they are authorized to do so by a Central government notification.

Constitutionality of the voluntary use

As discussed previously, the issue of whether the judgment permits voluntary use of Aadhaar is unclear. Any new use of Aadhaar or the biometric database reopens the privacy and security risks for the people, including the concerns expressed in the judgment on commercial exploitation of this data.

The complete stop to private use through the judgment was a significant step towards mitigating the privacy risks of rampant Aadhaar use. Another important factor is that this step played an important role in upholding the passing of Aadhaar as a money bill, despite the presence of Section 57 (discussed in more detail here). Reinstating private use definitely reopens the question of Aadhaar privacy as well as the passing of Aadhaar as a money bill.

Assuming voluntary use is permitted

Even if it is used on a voluntary basis, any use of Aadhaar and Aadhaar based biometric authentication creates a privacy risk for the people. Since the issue is open to interpretation, assuming that the judgment does permit voluntary use, it is thus essential that any such law permitting voluntary use must pass the privacy test laid down in the Puttaswamy judgment. To recall, the three-part test required that there must be a law, the law must be for a legitimate state aim, and the means used to achieve the aim must be proportional.

The clauses as drawn out in the Amendment Bill, however, are too broad to meet this requirement. Firstly, they grant authorization to a wide range of entities (as listed above), and for purposes that have not been specified. The result is a law that is of vague scope, and further, the government with the UIDAI are granted very broad powers to identify entities and purposes for which this can be done. There is no clarity on the basis on which such entities or purposes will be identified, and what consideration will be given to privacy for such identification of entities or purposes.

In order to meet the privacy test, a law permitting the invasion of privacy, in this case for the voluntary use of Aadhaar, should be more narrowly tailored, bringing out the state aim that is being attempted to be met, and that the means used are proportional. In addition to being broad and vague, the proposed amendments do not clarify what is the state aim sought to be met.

Specific uses considered under the Aadhaar judgment

Further, the Aadhaar judgment’s examination of three specific uses of Aadhaar apart from Section 57 can also be considered here – of Aadhaar-PAN linkage, Aadhaar-SIM card linkage and Aadhaar-bank account linkage. The judgment laid down certain rules for considering such uses, for instance, it required that there be an application of mind as to the impact the act in question will have on privacy.

In the case of Aadhaar-SIM linkage, therefore, an additional reason why the Lokniti Foundation case was not considered to provide a legal basis for the linkage was that the case had not considered the privacy impact of such use. While it is true that these instances dealt with mandatory use of Aadhaar, it can be argued that these requirements apply to any use of Aadhaar that is invasive of privacy. This will include voluntary use. The Amendment Bill does not clarify what considerations were given to the impact such large-scale private use of Aadhaar and Aadhaar based authentication will have on privacy.

Similarly, when dealing with Aadhaar-bank account linkage, the Court had ruled that mere ritualistic incantations of ‘money laundering’ and ‘black money’ do not satisfy the test. Likewise, the mere fact that the use of Aadhaar is voluntary does not establish that there is no threat to privacy. Further, under the Amendment Bill, the privacy and security standards to which such entities will be held have been left to regulations, which are to be developed at a later stage.

Voluntary use does not imply privacy compliance

Thus, even assuming that the Aadhaar judgment allows voluntary use of Aadhaar, the Amendment Bill grants powers that are too broad and too vague. In order to be constitutional, it is essential that the law passes the threshold that has been laid out by the Supreme Court. The Bill in its current form does not meet the three-part test laid down by the Puttaswamy judgment. Voluntary use cannot ipso facto be considered to meet privacy requirements, and privacy needs to be a top consideration for any law allowing the use of Aadhaar.

The author is a lawyer specializing in technology, privacy and cyber laws.
