On 26 September, by a 4-1 vote, a bench led by the retiring Honourable Chief Justice affirmed the constitutionality of the Aadhaar Act. With an analysis spanning 1,448 pages, it puts an end to the ever-expanding "mission creep" of the Aadhaar project but paves the way for a flurry of further litigation.
The majority opinion of the Court joined by a concurrence spans around 1,000 pages, yet leaves us with a labyrinth that raises more questions than it attempts to answer.
Voluntary or Mandatory?
Through the length of the opinion, the court observes that enrollment in the Aadhar scheme is of voluntary nature. This voluntary nature of enrollment in the Court's opinion makes it imperative to have the consent of an "individual" for enrollment. Yet, the Court goes on to opine that it becomes compulsory for those who seek to receive any subsidy, benefit or service under the welfare scheme of the government expenditure, whereof is to be met from the Consolidated Fund of India.
A few paragraphs later, the Court says, "Since we have held that enrollment is voluntary in nature, those who specifically refuse to give the consent, they would be allowed to exit from Aadhaar scheme."
A rational conclusion one would be tempted to draw is that unless you are receiving any subsidies or benefits of a welfare scheme, you don't need an Aadhaaar number and if you specifically refuse to give consent, you will be allowed to exit from the scheme. But lo and behold! A double bind is volleyed your way. The Court upholds the validity of Section 139AA of Income Tax Act, 1961 that makes the linking of Aadhaar Card to the Permanent Account Number (PAN) mandatory. The result is that to get a PAN or file an Income Tax Return, one needs Aadhaar.
We can safely assume that most Indians would fall in either of these two categories: either they receive some subsidy, benefit or service under the welfare scheme of the government or they are within the tax network and pay income taxes and/or have a PAN and would, therefore, need to get an Aadhaar. Thereby banishing the "voluntary' nature of Aadhaar to law books or into the fantasies of privacy activists and establishing a de facto"mandatory" scheme for almost the entirety of the population.
This is especially confusing because the Court holds that linking of SIM cards with Aadhaar impinges upon the voluntary nature of the Aadhaar scheme, yet fails to deal coherently with the same argument while considering the mandatory linking of PAN. Leaving us all to wonder is it mandatory or voluntary or both, thus failing the law of non-contradiction and defying classical logic.
The Court correctly expresses concern for kids who may have been enrolled into the Aadhaar scheme by their parents and directs that they be given an option to exit from the Aadhaar project if they so choose on attaining the age of maturity. But this thought process is abandoned midway as having made these observations, nowhere in the judgment does the Court directs the legislature to establish a process for exiting or opting out from the scheme or destruction of data that has already been collected.
A clarification petition to resolve these inconsistencies is ripe for consideration to resolve the matter clearly and to provide much-needed respite to the general public.
Technology and security
The Court seems to have been in total awe of the technology that is Aadhaar as represented by the constantly-praised but little-comprehended slide deck of UIDAI's CEO inserted like four-colour Microsoft advertisements throughout the endlessly-stolid prose of the judgments. Despite this enchantment, while the dissent by Justice Chandrachud makes an honest attempt at understanding the new form of social science that advances in technology have brought, the majority barely registers the hurricane of technological advancement and the change it's affecting on the relationship between the State with its citizens.
The price at which parties can buy access to Aadhaar numbers in bulk has dropped low enough, according to press reports, to prove that leakage is occurring on a significant scale. Reports of false Aadhaar card scams are so frequent they no longer make the front page.
Yet, the Court somehow relies heavily on the assurances offered by the CEO of UIDAI and the "very high profile officers" who constitute an oversight of Technology and Architecture Review Board (TARB) and Security Review Committee.
On 28 September, Facebook reported that an attack on its computer network had exposed the personal information of nearly 50 million users. In 2016 Yahoo! had been a subject of a security breach affecting 500 million users. We don't even know how many people were impacted by the Equifax breach. Yet the Court seems to have brought into the plan for perfect security, operating flawlessly forever, for Aadhaar. No “platform” company, with all the immense profits earned from processing the data of hundreds of millions of customers, can claim to guarantee perfect security of customer data. No government can, at present, promise perfect security for even its most critical personal data. But all of us have been asked to trust a story in which Aadhaar data security is never breached.
For those of us who had approached the Court, we had firm belief that only the Supreme Court’s clarity and willingness to back its order with enforcement will ensure that law stands between our society and the consequences of hubris. For us, that clarity seems elusive or perhaps a few cases away.
The author is a technology lawyer and managing partner at Mishi Choudhary & Associates