On Day 33 of the Aadhaar hearings on Wednesday, senior counsel Rakesh Dwivedi completed his arguments for the UIDAI. In an important turn of events, he admitted that the Supreme Court had never directed the mandatory verification of mobile phones via Aadhaar.
He also argued extensively on the security of the data with Requesting Entities. After this, Additional Solicitor General Tushar Mehta made a submission w.r.t Aadhaar-Bank account linking. Senior counsel Jayant Bhushan then directed the Court’s attention to the new KYC norms issued by the RBI. Lastly, counsel Gopal Sankarnarayan commenced his arguments.
On the collection of authentication data by REs
Rakesh Dwivedi commenced by arguing that the UIDAI had adequate control over the Requesting Entities (REs). He argued that the data with the REs was segregated, with no means of aggregating the data, since there are over 300 REs. When questioned by the Bench on the collection of data by an individual RE, Dwivedi cited Vodafone as an example. He argued that Vodafone wouldn’t be able to make much use of the authentication data, and further would be unable to track any individual.
Vodafone, for instance, could conduct targeted advertising via this data, but this was already being done even without Aadhaar based data. Further, he argued that Vodafone would have a lot more demographic data on an individual than the UIDAI, and moreover, it was not subject to the many regulations and penal consequences as applicable to Aadhaar.
Aadhaar being solely targeted for data collection
Next, he cited the example of data collection by banks, showing a credit card statement to indicate the extent of information a bank has on an individual. He argued that this data being collected by banks and telecom companies was not being questioned, and Aadhaar was the sole target.
He further argued that there is no difficulty in getting information on a person from Google. He also cited the example of BigBasket, arguing that the company was aware of a person’s food habits based on what he buys. Google and Facebook, he argued, processed a tremendous amount of data on individuals, but Aadhaar did not use algorithms of that nature.
No way to surveil people via Aadhaar based authentication
He further argued that the collection and transfer of data by REs was doubtful, and that, further, the REs do not have authentication records. He quoted Regulation 18 of the Aadhaar (Authentication) Regulations, 2016, which requires an RE to maintain logs of authentication transactions, but does not allow the retention of the PID Block, or the Personal Identity Data element, which includes biometric, demographic and OTP information. He also pointed to a list of entities which require one-time authentication and those that require authentication for each transaction. Based on this, he argued that there was no way to conduct 24x7 surveillance of people.
Licensing of an RE
On the issue of control over the RE, Dwivedi argued that the RE was required to buy the authentication device from a vendor, who was under the control of the UIDAI w.r.t both the hardware and the software. The data on the device is also encrypted and then sent to the CIDR. Further, the device is STQC certified. Lastly, the RE itself is audited by an information systems operator. On clearing all these parameters, an RE is licensed.
The metadata collected, he argued, was to validate that the data is coming in from a proper, UIDAI licensed RE. Thus, the metadata enables fraud management and verification.
The REs, further, themselves had a data vault, which is only under the control of trusted people. Apart from the audit prior to licensing, the REs are also audited annually, as well as on a random basis by the UIDAI. Authentication Service Agencies are also similarly audited.
Authentication data with REs is encrypted
Returning to the issue of security, he argued that the encryption by the authentication device was immediate, time-stamped, and required two sets of keys. Transmission itself required signing by a private key. Moreover, storage of the PID block was prohibited, and further, there was no permission to transmit demographic information.
He also pointed to the penal consequences under Aadhaar for violation of any of the provisions. Further, he asserted that the Central government had no access to Aadhaar information, since the UIDAI was an autonomous body.
Aadhaar-SIM linking founded on Telegraph Act
Lastly, Dwivedi turned to the issue of Aadhaar SIM linking, citing the Supreme Court’s Lokniti Foundation judgment, and the recommendation of the TRAI to link Aadhaar with SIM cards. He also cited the notification of the Department of Telecom, which ordered the re-verification process through eKYC. Section 4 of the Telegraph Act, he argued, gave the Central government the exclusive power to stipulate such license conditions to the licensees (such as the TSPs). Further, he argued that Aadhaar-SIM linking was essential to ensure that the SIM card was given to the person who actually applied for it.
The Bench here pointed out that the Supreme Court in the Lokniti Foundation case never ordered that the re-verification be carried out via Aadhaar based eKYC. Dwivedi agreed to this, admitting that the eKYC process had been adopted on the recommendation of TRAI, which had been made even before the Lokniti order came out. He further submitted that the legal basis to link Aadhaar with SIM cards arose from the government’s power under Section 4 of the Telegraph Act. Further, the measure was reasonable in the interest of national security.
Aadhaar system has the support of two governments
Dwivedi then summed up his arguments, arguing that there was no possibility of surveillance via the CIDR, and instead the CIDR was completely necessary in order to avoid fake and duplicate entities. The Aadhaar system, he argued, stood the test of Article 21, and did not involve the violation of the right to privacy. Further, the Aadhaar project had the support of two governments, since it had been commenced when the Congress was in power.
Aadhaar-bank linking passes Article 300A test
Additional Solicitor General Tushar Mehta then made a submission that Aadhaar passed the muster of Article 300A, or the right to property, w.r.t Aadhaar-Bank account linking. This is because as per this article, no person can be deprived of his property except by the ‘authority of law’, and the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (PML Rules) which directed the linking, amounted to the ‘authority of law’.
A statutory rule, he argued, was akin to ‘law’ for the purposes of Article 300A. Further, it was not possible to amend the parent Act, the Prevention of Money Laundering Act (PMLA), each time a new rule is to be put in place, because of which rule making powers were granted.
New KYC norms
Senior counsel Jayant Bhushan then commenced his arguments, drawing the attention of the Court to the KYC Directions of the Reserve Bank of India, now amended to mandate Aadhaar based identification. He argued that under the PMLA as well as the PML Rules, REs were required to follow certain customer identification procedures while undertaking transactions. The RBI, in exercise of its powers under the Banking Regulation Act, 1949, saw it fit to amend and issue the new directions.
Lastly, counsel Gopal Sankarnarayan commenced his submissions on the validity of the Aadhaar Act.
The author is a lawyer and author specializing in technology laws. She is also a certified information privacy professional.
Updated Date: May 11, 2018 10:20 AM