Aadhaar Amendments Violate SC Verdict – Were Pvt Cos in the Know?
On 2 January 2019, Law Minister Ravi Shankar Prasad introduced a bill to amend the Aadhaar Act 2016, Indian Telegraph Act 1885 and Prevention of Money Laundering Act 2002.
The explanatory note for the Aadhaar and Other Laws Amendment Bill 2018 claims that the amendments are being brought in to comply with changes required by the Supreme Court’s Aadhaar judgment of 26 September 2018, and to empower the UIDAI to take action against “errant entities” so as to protect privacy.
The bill includes 13 “salient features,” but the important ones are:
- A specific provision in the Aadhaar Act allowing use of Aadhaar for authentication and offline verification on a voluntary basis (including for private services);
- Explicit prohibition of denial of services for children and others unable to authenticate because of age, infirmity or illness;
- Amendments to Section 33 of the Aadhaar Act, which allows disclosure of Aadhaar information in certain circumstances, ostensibly to comply with the Supreme Court’s directions;
- Specifying a civil penalty of up to Rs 1 crore for contravention of the Aadhaar Act by anyone part of the “Aadhaar ecosystem”;
- Amendment of the Indian Telegraph Act and the PMLA to specify Aadhaar as a mode of verification for clients for mobile services and financial services (banks) respectively.
- Deletion of Section 57 of the Aadhaar Act (the old provision used to link Aadhaar to private services).
On a cursory glance, the amendments could appear to be in compliance with the Supreme Court’s judgment from September 2018. The majority opinion authored by Justice Sikri had upheld Aadhaar as constitutional, and though it had held that it could not be used for authentication for private services, there was some ambiguity as to whether or not this could be done on a voluntary basis.
But do the amendments stand up to further scrutiny? Unfortunately for the government, not all of them do.
Did Private Companies in the Aadhaar Ecosystem Know About the Amendments in Advance?
But first, an update on some new developments which raise questions about how these amendments came to be.
While opposition MPs were caught on the wrong foot by the amendments, which were introduced without any notice, a new report in Asia Times indicates that private companies involved in the Aadhaar ecosystem may have been aware of government plans to introduce these amendments back in September 2018, in the aftermath of the Supreme Court judgment.
The report includes a leaked audio recording of an alleged conversation between members of the iSpirt lobbying group, including (supposedly) Sharad Sharma, Sanjay Jain (former chief product manager for Aadhaar) and in-house legal counsel for Khosla Labs, a major private player in the industry. The three of them discuss their strategy for addressing the consequences of the apex court’s judgment, including whether or not they consider it to have banned use of Aadhaar for private services altogether.
The position of the speakers is clear: that the judgment doesn’t preclude usage of Aadhaar in the private sector, though this would need a new legislative enactment. During the conversation, one of the speakers seems to indicate he knew what the government’s next steps were, including somehow knowing that an ordinance was in the works. He says:
The subsequent speaker seems to indicate that they are not quite aware what view the government has taken on this matter, and says that the ordinance or amendments are essential to bring the law in consonance with the Supreme Court’s judgment, either way. He is still confident that things will end up in a way favourable to iSpirt’s interpretation, and that after the law is amended, private players will continue to be allowed to use Aadhaar on a non-mandatory basis.
Problematic Amendment 1: Aadhaar Authentication for Private Services
Rewind to 2017, and the government appeared to be making Aadhaar mandatory to avail not just welfare schemes, but private services as well, despite the Supreme Court’s interim orders in 2015 which had prohibited this.
The most contentious of these attempts became the mandatory linkage of mobile numbers and bank accounts with Aadhaar, which finally made people who had ignored the warnings about Aadhaar’s linkage to welfare and benefits sit up and take notice. The Supreme Court finally ordered interim stays on Aadhaar linkage (though these only came after the Centre agreed to postpone the deadlines) and of course in its final judgment in 2018, held this was unconstitutional.
Despite the judgment, private entities like Paytm and banks continued to ask for Aadhaar, with some continuing to insist it was mandatory, while others claimed this could be on a voluntary basis, seeking to rely on an ambiguity in the judgment. The ambiguity arose from paragraph 367 of Justice Sikri’s majority judgment, which said:
“The respondents may be right in their explanation that it is only an enabling provision which entitles the Aadhaar number holder to take the help of Aadhaar for the purpose of establishing his/her identity. If such a person voluntary wants to offer Aadhaar card as a proof of his/her identity, there may not be a problem." (sic)(emphasis added)
However, this exception for voluntary usage was not mentioned anywhere in the final conclusions in the judgment, which instead merely said Aadhaar could not be used for authentication by private entities. This was not done on some sort of whim, but because it would not pass the test of proportionality, and because of the potential misuse of individual biometric and demographic information by private players, which “impinge on the right to privacy.”
Voluntariness and Excessive Delegation
The government will no doubt argue that the way they have structured things in the amendments ensures there is no violation of the right to privacy, since it is on a voluntary basis, requires informed consent, and requires any authenticating entity to satisfy the UIDAI of their privacy and security standards.
But this isn’t how the amendments actually play out, for a number of reasons.
First off, the use of Aadhaar for authentication/offline verification on a voluntary basis is only specified in the new subsections being added to Section 4 of the Aadhaar Act. The specific provisions amending the Telegraph Act (which applies for telecom companies) and the PMLA (which applies for banks) do not make Aadhaar voluntary. Instead, they say that the relevant entity “shall identify” clients (ie, perform KYC) using Aadhaar, passports or any other form of identification notified by the central government.
The option of a passport is a false choice, since only 5.15 percent or so of Indians have passports, according to MEA data, and the government’s past record on notifying other forms of identification through subordinate legislation for Aadhaar has been consistently terrible.
The problem of excessive delegation to future subordinate legislation (ie regulations or rules) is one that runs throughout the amendments, and scuppers their ability to satisfy privacy concerns. Too many things are left to be notified subsequently by the Centre, including the supposed privacy and security standards, which have to be met before an entity can use Aadhaar for voluntary authentication, and the alternate means of identification for children or ill people which is meant to prevent exclusion from public services.
Lack of Data Protection Law and Privacy
One way to address the privacy concerns would be if there were a strong data protection law in place which could prevent private entities from misusing Aadhaar data. Unfortunately, while the Srikrishna Committee submitted its report and draft data protection bill to the government way back in July 2018, no bill has been introduced in Parliament yet.
In response to objections to the introduction of the Aadhaar amendments on these lines, the Law & IT minister stated in Parliament that the data protection bill is ready, and will be introduced soon. Introducing the Aadhaar amendments before this would be putting the cart before the horse, as till such time as a data protection law is put in place (or the standards for privacy otherwise specified), the court’s privacy concerns are unlikely to be addressed.
According to Apar Gupta, Supreme Court advocate and Executive Director of the Internet Freedom Foundation, this would mean that,
The Money Bill Question
There is also an argument to be made that it is impossible to amend the Aadhaar Act 2016 to allow usage of Aadhaar by the private sector, because of its designation as a Money Bill. When it was being debated in Parliament, a number of amendments to the then Aadhaar Bill were passed by members of the Rajya Sabha, including prohibition of private sector usage. The government got around these by designating the law as a Money Bill, which meant the Rajya Sabha’s approval wasn’t necessary anymore.
In his dissenting opinion in the Aadhaar judgment, Justice DY Chandrachud had found this to be a “fraud on the Constitution”, and so struck the whole Aadhaar Act down as unconstitutional. The majority opinion didn’t go so far, but as Raman Chima, Policy Director at Access Now says,
“the Supreme Court’s majority ruling also in large part only upheld the Aadhaar Act as a Money Bill because the private sector usage provision was read down – any attempt to add private sector usage back in will undermine this key legal argument the Government used and will likely result in the Aadhaar Act being unconstitutional.”(emphasis added)
Problematic Amendment 2: Provisions on Disclosure of Information
The Aadhaar Act contains prohibitions against disclosure of Aadhaar information to anyone, and the UIDAI is supposed to ensure this information is kept secure and confidential.
However, Section 33 of the Aadhaar Act allowed for disclosures in certain circumstances:
- Under Section 33(1), where there was an order from a court not inferior to a District Judge, and the UIDAI had been given an opportunity to be heard by the court.
- Under Section 33(2), where a government officer not below the rank of Joint Secretary directed disclosure in the interests of national security.
The Supreme Court held that Section 33(1) had to include an option for the relevant Aadhaar holder to be heard by the court, not just the UIDAI.
The majority opinion also struck down Section 33(2) as it stood since a determination on national security needed to be made by an officer with a higher rank, and that any such direction could only be made with the involvement of a judicial officer (preferably a sitting high court judge).
While the proposed Aadhaar amendments make the necessary changes to Section 33(1), they fail to do the needful for Section 33(2). The only change proposed to this is for a Secretary rather than Joint Secretary to have the power to issue a direction in the interest of national security – no involvement of a judicial officer is brought in. This means the amendment clearly contravenes the apex court’s judgment, and is unconstitutional.
Will the Amendments Become Law?
The amendments have been drafted without any public consultation, which is unfortunate given the potential impacts that these amendments could have on the rights of citizens. Now that it has been introduced in Parliament, however, this is water under the bridge.
The matter now moves to the Rajya Sabha, after the Lok Sabha passed the bill without any significant debate, despite its introduction being opposed by MPs Shashi Tharoor, NK Premachandran and Sougata Roy. “This bill is in violation of the Supreme Court judgment, the fundamental right to privacy and the doctrine of proportionality,” said Tharoor on 2 December.
Even though the bill has been passed in the Lok Sabha, it has not been presented as a Money Bill, which means it will need to be debated in the Rajya Sabha as well (though this could be changed like last time). In this event, it is unlikely to pass without significant amendments, given what happened when the original Aadhaar Act was passed.
If it is again railroaded through Parliament as a Money Bill or somehow gets past the Upper House, the amendments sought here do seem liable to be struck down for violating the SC’s judgment.