On Day 13 of the Aadhaar hearings yesterday, senior counsel Gopal Subramaniam concluded his arguments for the petitioners. The petitioners discussed the risks of profiling and private party access to this data in the Aadhaar system.
The intervention applications from companies stating that their business models needed Aadhaar to function were pointed to in this regard. The problem of a failed authentication being assumed to indicate a fake profile, and the discretionary powers of the UIDAI to deactivate Aadhaar, were also raised.
Lastly, the petitioners sought compensation for those who suffered due to the system and requested an extension of the March 31st deadline for Aadhaar linkages.
Collection of fingerprints and ‘purification’ of electoral rolls
Discussing various issues with the Aadhaar system, the petitioners’ first contention was that without criminality or proof of any offence being committed, people cannot be asked to give their biometrics. The case of Selvi v. State of Karnataka was quoted, wherein the Supreme Court had ruled on tests like brain fingerprinting and narco analysis without consent and had also discussed the collection of fingerprints.
Next, the National Electoral Roll Purification and Authentication Programme, which had required Aadhaar to be linked with electoral rolls for their ‘purification’, was raised. On the directions of the Supreme Court in its 2015 order in the Puttaswamy case, this linkage was suspended, and the Election Commission clarified that linking Aadhaar to voter cards was optional.
Risks of profiling via SRDH, etc., and access by private parties
Further discussing the invasive nature of data collection in the Aadhaar system, the petitioners argued that while Aadhaar was being linked to bank accounts for prevention of money laundering, the NPCI was making this data available to third parties. Also, access to individual profiles was possible through the State Resident Data Hubs, which had no restriction on the data collected on an individual. Rakesh Dwivedi, the senior counsel on behalf of the State of Gujarat, interjected at this point arguing that all data in SRDH had been erased after the enactment of the Aadhaar Act.
The intervention application from the Digital Lenders Association and others, stating that they needed Aadhaar for their businesses to function, was also raised.
The Bench, at this point, asked for credible information on exactly how much access private parties had to the information in the database. The Bench also pointed to Section 57, which allows private parties to use Aadhaar for authentication purposes only, and asked how private parties then gain access to data. The petitioners responded that the seeding of Aadhaar with multiple databases allowed such entities to gain access to information on people.
Inadequate safeguards for biometric updates and failed authentication
The petitioners also pointed to the fact that related definitions under the Aadhaar Act, such as those of ‘biometric information’ and ‘core biometric information’, were open-ended, allowing the addition of new forms of data via regulations. On being asked by the Bench if this allowed the inclusion of DNA in the future, the petitioners answered in the affirmative. The petitioners also pointed to the proposed creation of DNA databanks.
The Aadhaar Enrolment and Update Regulations were also raised, on the ground that the burden of updating data was on the individuals, and that unlike with updating demographic data such as address and phone numbers, people couldn’t know when to update their biometric data. On the Bench suggesting that people could do so upon authentication failure, the petitioners argued that the issue with this was that failed authentication led to the person being seen as a ghost or fake profile. It is simply assumed that biometrics were captured properly at the time of enrolment and that the failed authentication is an attempt by the person to duplicate.
The provisions of Regulations 27-29 under the Aadhaar Enrolment Regulations, particularly the clause which allowed deactivation or cancellation of an Aadhaar number at the discretion of the UIDAI (see Regulations 27(1)(iv) and 28(1)(f)), were argued to be completely inadequate. The lack of a prescribed procedure to safeguard this power, or of any requirement of substantive reasonableness, was pointed to.
Section 33 of the Aadhaar Act, which allows the disclosure of information on an individual, including identity information and authentication records, pursuant to a Court order, was also pointed to. This is because this section requires the UIDAI to be heard prior to passing an order on such a disclosure, but doesn’t give the same opportunity to the individual whose data is being disclosed.
In summary, a failed authentication could lead to entitlements being annulled, thus resulting in permanent disablement.
Data retention must be within reasonable limits
Points raised previously were also summarized: in the absence of a data protection law, the injury to people through the dangers of profiling, metadata collection and big data analytics was heightened. Data retention, it was argued, must be reasonable and subject to limits, and data retention of an entire population is extremely risky.
The uncertainty and probabilistic nature of biometric systems were reasserted. The L1 Identity Solutions contracts were also referred to, which indicate that a foreign entity had possession of the algorithm and that the data was with L1 even if the UIDAI had ownership over it. This data, which includes personal data of the UID holder, could be subject to collection, use and analysis as required.
Compensation for those excluded and extension of deadlines
Gopal Subramaniam concluded his arguments with two main prayers, firstly that the Court grant compensation to those who were excluded, with exemplary damages in the case of starvation deaths. Secondly, he requested the Court to extend the March 31st deadline. To the second prayer, the Bench stated that appropriate interim orders would be passed at the time.
The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.