Why Amend the Aadhaar Act Without First Passing a Data Protection Bill?

Re-introducing Aadhaar as a voluntary measure is patently unconstitutional.

While India still awaits the introduction of a draft privacy or data protection law, the Modi government this week introduced the Aadhaar and Other Laws (Amendment) Bill, 2018.

Although the Supreme Court’s judgment in the Aadhaar case probably necessitated an amendment to the Aadhaar Act, it is the suddenness with which the Bill was introduced, coupled with the lack of any public or stakeholder consultation, that has surprised many people.

Especially because the manner in which it was introduced runs contrary to the government’s own pre-legislative consultative policy.

That apart, the Bill does make some welcome changes, in line with the apex court’s directions. For example, the provisions made for children, the introduction of an appellate forum for newly-introduced civil penalties and the amendment to section 33(1) and 47 of the Act.

However, some of the provisions are contrary to the court’s directions. In fact, some of them are downright controversial.

Firstly, although the Bill deletes section 57 of the Act relating to private party authentication, it re-introduces private sector involvement in the Aadhaar Act through the back door. It does this by amending the Telegraph Act and the Prevention of Money Laundering Act (“PMLA”) to allow the use of Aadhaar number for authentication on a voluntary basis as acceptable KYC documents. Through section 4(4), the Bill also permits “an entity” to perform authentication if it is compliant with privacy and security standards “as may be specified by regulations” or it is permitted to do so by a law made by parliament.

As I have argued previously here, a holistic reading of the apex court judgment reveals that all five judges held even the voluntary use of Aadhaar authentication by private entities as unconstitutional.

Justice Sikri, speaking for the majority, ruled “that portion of section 57…which enables body corporate and individual to seek authentication is held to be unconstitutional” (paras 219(e) and 447(1)(d)) and held that a part of section 57 has already been declared unconstitutional, “whereby even a body corporate in private sector or person may seek authentication from the Authority for establishing the identity of an individual” (para 412).

It is thus clear that re-introducing Aadhaar as a voluntary measure is patently unconstitutional.

Second, on the issue of surveillance and national security, Justice Sikri, speaking for the majority in the Aadhaar case, struck down section 33(2) of the Aadhaar Act authorising the disclosure of identity information and authentication records of the Aadhaar number holder based on the decision made by the joint secretary by noting (at page 559):

“However, for determination of such an eventuality, an officer higher than the rank of a Joint Secretary should be given such a power. Further, in order to avoid any possible misuse, a Judicial Officer (preferably a sitting High Court Judge) should also be associated with. We may point out that such provisions of application of judicial mind for arriving at the conclusion that disclosure of information is in the interest of national security, are prevalent in some jurisdictions”.

In fact, in the context of surveillance, even the recent Justice Srikrishna report on data protection took notice of examples from Germany, UK and South Africa and observed that that “executive review alone is not in tandem with comparative models in democratic nations.” The report has thus endorsed a judicial/independent oversight mechanism.

Also read: Why Modi Government is Amending the Aadhaar Act and What it Means for You

However, contrary to the spirit of the court’s order, and without introducing a data protection law that was strongly encouraged in the Aadhaar judgment, the government has simply amended section 33(2) by replacing the word “Joint Secretary” with “Secretary”. It has thus kept the executive model of decision-making intact, thus making the amendment susceptible to a new challenge. This is particularly notable since it follows on the heels of the recent MHA notification authorising ten security and intelligence agencies to conduct electronic surveillance under the Information Technology Act and the Draft Intermediary Guidelines 2018.

Third, the amendment introduces the concept of offline verification as an alternative virtual identity generated “through such offline modes as may be specified by regulations”. However, the amendment does not provide any details of this offline verification and leaves the manner of offline verification to also be specified by regulations. It is unclear how offline verification will work and how it will ensure/improve the security of the Aadhaar infrastructure. More importantly, it is unclear why offline verification is even considered necessary, inasmuch as the constitutionality of Aadhaar was upheld by the Supreme Court based on the unique nature of biometrics.

Fourth, the problem of excessive delegation and leaving important details to be specified by the executive through regulations (at some unforeseeable future), is also demonstrated by the insertion of a proviso to section 8(2)(b), which states that in case of an authentication failure, the requesting entity shall “provide such alternate and viable means of identification of the individual, as may be specified by regulations.”

Also read: Is the Modi Govt Snooping on You? Here Are Five Questions You Should Be Asking

The issue of exclusion was vigorously argued before the Supreme Court, and the constitutionality of section 7 was upheld partly due to this promise by the government. Thus, the government should have specified these alternate and viable means of identification in the primary law itself, instead of leaving it to be specified by some future regulation.

Finally, the Bill has increased the powers of the UIDAI (by giving it the power under section 23A to issue binding directions), while doing little to improve its accountability. UIDAI plays a unique role inasmuch it functions both as a data fiduciary (when it generates and stores the biometric information of the Aadhaar number holder in the CIDR) and as a grievance redressal authority, even though these roles can be in conflict.

To conclude, while the government has accepted most of the recommendations made by the Justice Srikrishna committee, it has ignored probably the most important recommendation of them all – that “it is thus critical that these changes [amendments to the Aadhaar Act] be made hand-in-hand with a new data protection legislation.”

Thus, instead of focusing on the passage of this amendment Bill – whose status as a money bill or ordinary bill is still unclear – the government would do well to first bring in a strong data protection law.

Vrinda Bhandari is a lawyer in Delhi. She appeared for some of the petitioners in the Aadhaar case before the Supreme Court.