Modi Govt’s Aadhaar Amendment Ordinance Violates SC Judgment
The Cabinet on Thursday, 28 February, approved the promulgation of an ordinance to allow voluntary use of Aadhaar as identity proof for opening a bank account and procuring a mobile phone connection.
The amendments were brought as an ordinance since the Aadhaar Amendment Bill, passed by the Lok Sabha on 4 January but pending in the Rajya Sabha, would have lapsed with the dissolution of the current Lok Sabha. The ordinance will now give effect to the changes in the Aadhaar Act such as giving a child an option to exit from the biometric ID programme on attaining 18 years of age.
Briefing reporters after a meeting of the Cabinet chaired by Prime Minister Narendra Modi, Law and IT Minister Ravi Shankar Prasad said the Cabinet has approved the promulgation of an ordinance to give effect to the Aadhaar and Other Laws (Amendment) Bill.
What Amendments Have Been Introduced?
Earlier on 2 January 2019, Prasad introduced a bill to amend the Aadhaar Act 2016, Indian Telegraph Act 1885 and Prevention of Money Laundering Act 2002. The text of the ordinance is the same as that of the bill, according to a statement by the Press Information Bureau.
The explanatory note for the Aadhaar and Other Laws Amendment Bill 2018 claimed that the amendments are being brought in to comply with changes required by the Supreme Court’s Aadhaar judgment of 26 September 2018, and to empower the UIDAI to take action against “errant entities” so as to protect privacy.
The ordinance includes 13 “salient features,” but the important ones are:
- A specific provision in the Aadhaar Act allowing use of Aadhaar for authentication and offline verification on a voluntary basis (including for private services);
- Explicit prohibition of denial of services for children and others unable to authenticate because of age, infirmity or illness;
- Amendments to Section 33 of the Aadhaar Act, which allows disclosure of Aadhaar information in certain circumstances, ostensibly to comply with the Supreme Court’s directions;
- Specifying a civil penalty of up to Rs 1 crore for contravention of the Aadhaar Act by anyone part of the “Aadhaar ecosystem”;
- Amendment of the Indian Telegraph Act and the PMLA to specify Aadhaar as a mode of verification for clients for mobile services and financial services (banks) respectively;
- Deletion of Section 57 of the Aadhaar Act (the old provision used to link Aadhaar to private services).
On a cursory glance, the amendments could appear to be in compliance with the Supreme Court’s judgment from September 2018. The majority opinion authored by Justice Sikri had upheld Aadhaar as constitutional, and though it had held that it could not be used for authentication for private services, there was some ambiguity as to whether or not this could be done on a voluntary basis.
But do the amendments stand up to further scrutiny? Unfortunately for the government, not all of them do.
Problematic Amendment 1: Aadhaar Authentication for Private Services
Rewind to 2017, and the government appeared to be making Aadhaar mandatory to avail not just welfare schemes, but private services as well, despite the Supreme Court’s interim orders in 2015 which had prohibited this.
The most contentious of these attempts became the mandatory linkage of mobile numbers and bank accounts with Aadhaar, which finally made people who had ignored the warnings about Aadhaar’s linkage to welfare and benefits sit up and take notice. The Supreme Court finally ordered interim stays on Aadhaar linkage (though these only came after the Centre agreed to postpone the deadlines) and of course in its final judgment in 2018, held this was unconstitutional.
Despite the judgment, private entities like Paytm and banks continued to ask for Aadhaar, with some continuing to insist it was mandatory, while others claimed this could be on a voluntary basis, seeking to rely on an ambiguity in the judgment. The ambiguity arose from paragraph 367 of Justice Sikri’s majority judgment, which said:
“The respondents may be right in their explanation that it is only an enabling provision which entitles the Aadhaar number holder to take the help of Aadhaar for the purpose of establishing his/her identity. If such a person voluntary wants to offer Aadhaar card as a proof of his/her identity, there may not be a problem.” (sic) (emphasis added)
However, this exception for voluntary usage was not mentioned anywhere in the final conclusions in the judgment, which instead merely said Aadhaar could not be used for authentication by private entities. This was not done on some sort of whim, but because such usage would not pass the test of proportionality, and because of the potential misuse of individual biometric and demographic information by private players, which “impinge on the right to privacy.”
Voluntariness and Excessive Delegation
The government will no doubt argue that the way they have structured things in the amendments ensures there is no violation of the right to privacy, since it is on a voluntary basis, requires informed consent, and requires any authenticating entity to satisfy the UIDAI of their privacy and security standards.
But this isn’t how the amendments actually play out, for a number of reasons.
First off, the use of Aadhaar for authentication/offline verification on a voluntary basis is only specified in the new subsections being added to Section 4 of the Aadhaar Act. The specific provisions amending the Telegraph Act (which applies for telecom companies) and the PMLA (which applies for banks) do not make Aadhaar voluntary. Instead, they say that the relevant entity “shall identify” clients (ie, perform KYC) using Aadhaar, passports or any other form of identification notified by the central government.
The option of a passport is a false choice, since only 5.15 percent or so of Indians have passports, according to MEA data, and the government’s past record on notifying other forms of identification through subordinate legislation for Aadhaar has been consistently terrible.
The problem of excessive delegation to future subordinate legislation (ie regulations or rules) is one that runs throughout the amendments, and scuppers their ability to satisfy privacy concerns. Too many things are left to be notified subsequently by the Centre, including the supposed privacy and security standards, which have to be met before an entity can use Aadhaar for voluntary authentication, and the alternate means of identification for children or ill people which is meant to prevent exclusion from public services.
Lack of Data Protection Law and Privacy
One way to address the privacy concerns would be if there were a strong data protection law in place which could prevent private entities from misusing Aadhaar data. Unfortunately, while the Srikrishna Committee submitted its report and draft data protection bill to the government way back in July 2018, no bill has been introduced in Parliament yet.
In response to objections to the introduction of the Aadhaar amendments on these lines, the Law & IT minister stated in Parliament that the data protection bill is ready, and will be introduced soon. Introducing the Aadhaar amendments before this would be putting the cart before the horse, as till such time as a data protection law is put in place (or the standards for privacy otherwise specified), the court’s privacy concerns are unlikely to be addressed.
According to Apar Gupta, Supreme Court advocate and Executive Director of the Internet Freedom Foundation, this would mean that,
The Money Bill Question
There is also an argument to be made that it is impossible to amend the Aadhaar Act 2016 to allow usage of Aadhaar by the private sector, because of its designation as a Money Bill. When it was being debated in Parliament, a number of amendments to the then Aadhaar Bill were passed by members of the Rajya Sabha, including prohibition of private sector usage. The government got around these by designating the law as a Money Bill, which meant the Rajya Sabha’s approval wasn’t necessary anymore.
In his dissenting opinion in the Aadhaar judgment, Justice DY Chandrachud had found this to be a “fraud on the Constitution”, and so struck the whole Aadhaar Act down as unconstitutional. The majority opinion didn’t go so far, but as Raman Chima, Policy Director at Access Now, says,
“the Supreme Court’s majority ruling also in large part only upheld the Aadhaar Act as a Money Bill because the private sector usage provision was read down – any attempt to add private sector usage back in will undermine this key legal argument the Government used and will likely result in the Aadhaar Act being unconstitutional.” (emphasis added)
Bringing this law in as an ordinance is a dubious fix for this conundrum, as surely it would be a misuse of the ordinance powers to bring through an amendment to a law which would render the law unconstitutional. This could easily open up the ordinance itself to legal challenge.
Problematic Amendment 2: Provisions on Disclosure of Information
The Aadhaar Act contains prohibitions against disclosure of Aadhaar information to anyone, and the UIDAI is supposed to ensure this information is kept secure and confidential.
However, Section 33 of the Aadhaar Act allowed for disclosures in certain circumstances:
- Under Section 33(1), where there was an order from a court not inferior to a District Judge, and the UIDAI had been given an opportunity to be heard by the court.
- Under Section 33(2), where a government officer not below the rank of Joint Secretary directed disclosure in the interests of national security.
The Supreme Court held that Section 33(1) had to include an option for the relevant Aadhaar holder to be heard by the court, not just the UIDAI.
The majority opinion also struck down Section 33(2) as it stood since a determination on national security needed to be made by an officer with a higher rank, and that any such direction could only be made with the involvement of a judicial officer (preferably a sitting high court judge).
While the proposed Aadhaar amendments make the necessary changes to Section 33(1), they fail to do the needful for Section 33(2). The only change proposed to this is for a Secretary rather than Joint Secretary to have the power to issue a direction in the interest of national security – no involvement of a judicial officer is brought in. This means the amendment clearly contravenes the apex court’s judgment, and is unconstitutional.
Will the Amendments Become Permanent Law?
The amendments have been drafted without any public consultation, which is unfortunate given the potential impacts that these amendments could have on the rights of citizens. Now that it has already been introduced as an ordinance, however, this is water under the bridge.
When the amendments were originally introduced in the Lok Sabha, they were passed without any significant debate, despite their introduction being opposed by MPs Shashi Tharoor, NK Premachandran and Sougata Roy. “This bill is in violation of the Supreme Court judgment, the fundamental right to privacy and the doctrine of proportionality,” said Tharoor on 2 December.
There are certainly organisations and private citizens who have taken the same stance, and are likely to challenge the ordinance in the Supreme Court. As described above, there are good grounds to challenge it, since the amendments suffer from the same flaws the Supreme Court had identified with the Aadhaar Act previously. The ordinance cannot change the nature of the Aadhaar Act by allowing private company usage as this was precisely why the Supreme Court read down Section 57 of the Act in the first place.
Of course, this would require the filing of a writ petition challenging the ordinance and for the Supreme Court to hear arguments on this point, which may not take place within the six-month lifetime of the ordinance. Once the ordinance lapses, the amendments will have to be brought as a bill again, which will once again run into trouble in the Rajya Sabha.
Did Private Companies in the Aadhaar Ecosystem Know About the Amendments in Advance?
One particularly concerning aspect of these amendments is that private companies seem to have known exactly how things were going to turn out, including that the government would go down the ordinance route if necessary.
While opposition MPs were caught on the wrong foot by the amendments, which were introduced without any notice, a report in Asia Times indicated that private companies involved in the Aadhaar ecosystem may have been aware of government plans to introduce these amendments back in September 2018, in the aftermath of the Supreme Court judgment.
The report includes a leaked audio recording of an alleged conversation between members of the iSpirt lobbying group, including (supposedly), Sharad Sharma, Sanjay Jain (former chief product manager for Aadhaar) and in-house legal counsel for Khosla Labs, a major private player in the industry. The three of them discuss their strategy for addressing the consequences of the apex court’s judgment, including whether or not they consider it to have banned use of Aadhaar for private services altogether.
The position of the speakers is clear: that the judgment doesn’t preclude usage of Aadhaar in the private sector, though this would need a new legislative enactment. During the conversation, one of the speakers seems to indicate he knew what the government’s next steps were, including somehow knowing that an ordinance was in the works. He says:
The subsequent speaker seems to indicate that they are not quite aware what view the government has taken on this matter, and says that the ordinance or amendments are essential to bring the law in consonance with the Supreme Court’s judgment, either which way. He is still confident that things will end up in a way favourable to iSpirt’s interpretation, and that after the law is amended, private players will continue to be allowed to use Aadhaar on a non-mandatory basis.