Did SC Re-Affirm that Aadhaar Database Could Be Used for Criminal Investigations?

There will likely be more pressure on the UIDAI to co-operate with investigative agencies.  

The opposition against Aadhaar for the last few years has been primarily based on concerns of surveillance, with the concerns regarding exclusion getting little media space. The surveillance potential of Aadhaar was first flagged by Usha Ramanathan around eight years ago in an article published by the Economic & Political Weekly when few others were giving the UID project a hard look.

In that article, which was the first warning shot fired against Aadhaar, Ramanathan warned that the creation of a unique identifier like Aadhaar would eventually lead to the convergence of different databases that were otherwise maintained in separate silos, thereby giving the Indian state an unprecedented capacity to monitor the lives of its citizens and their activities.

The proponents of Aadhaar, have rejected this portrayal of Aadhaar and have pointed out that Aadhaar’s architecture allows it to collect only very limited information. For example, if an Aadhaar authentication is carried out by a bank to open an account or by a telecom service provider, the Aadhaar centralised database will only collect information regarding the entity which has requested the authentication but will not know the purpose of the authentication, i.e. the details of the transaction at the bank or the telecom service provider.

Also read: Aadhaar Verdict: Does the Mere Collection of Biometrics Violate Bodily Integrity and Privacy?

If an investigation agency wants to collect evidence related to the transactions conducted by the account holder, it will still have to seek a court order under The Bankers’ Books Evidence Act, 1891. The concerns about convergence may thus be overblown because each silo of information is usually governed by an in-built privacy regime.

The second concern with relation to Aadhaar’s surveillance potential was the possibility of its database of a billion biometrics being used for the purposes of criminal investigation. Since Aadhaar is designed in a manner to carry out de-duplication of each set of biometrics, the system can match the fingerprints of one individual against all 1 billion biometrics to check if the person has already been allotted an Aadhaar number. Its ability to carry out de-duplication goes to the heart of the UIDAI’s claim that Aadhaar is unique.

Theoretically, this means that if the police find fingerprints at a crime scene they could run those through the Aadhaar database, matching them against the entire database of citizens in the hope of identifying the culprit.

In fact, there is an actual instance of the Bombay high court directing the UIDAI to match fingerprints, collected by the CBI in a rape case, against its own database. The SC stayed the Bombay high court’s order in 2014 after it was approached by the UIDAI on the grounds that its database was not meant to be used for criminal investigations. Since that stay order of the SC, high-ranking officials such as the chief of the National Crime Records Bureau (NCRB) have made public comments about using the Aadhaar database for the purpose of criminal investigation. The UIDAI has repeatedly rejected such demands. The fear is that such power in the hands of the police is susceptible to misuse.   

Section 33 of the Aadhaar Act, 2016

The main provision of the Aadhaar Act, 2016 meant to curb the state’s potential to conduct surveillance is Section 33 which regulates the manner in which the identity information or the authentication information contained in the Aadhaar database can be shared by the UIDAI. This provision, whose constitutionality was challenged before the Supreme Court, has two parts.

The first part of the provision, S. 33(1), allows the sharing of identity information and authentication information pursuant to the orders made by a district judge. At no point, can a district judge order the sharing of core biometric information i.e. fingerprints or iris scans. The provision isn’t quite clear whether a district judge can order the UIDAI to run fingerprints, provided by an investigating agency, through its database to locate a possible suspect. Technically the UIDAI can conduct the exercise and share the identity information without sharing the biometric information. An additional issue with the wording of this provision is that it gives no guidance to a district judge as to the scenarios in which a request for accessing identity or authentication information may be accepted or denied.  

The second part of the provision, S. 33(2), allows for the sharing of identity information, core biometric information and authentication information, for the purposes of national security pursuant to the orders of a joint secretary to the government of India, whose orders will subject to post-facto review by an oversight committee consisting of the Cabinet Secretary and two other secretaries.

The constitutional challenge against Section 33

The challenge against Section 33 was three-fold.

The first ground of challenge was that the provision violated Article 20(3) which is the fundamental right against self-incrimination i.e. no person can be made to stand witness against oneself when accused of a crime. This was a weak argument because an earlier decision of the Supreme Court in 1962 has ruled that the collection of fingerprints and handwriting samples is only the collection of evidence and that it does not amount to giving testimony against one self and is thus not self-incrimination.

The second ground of challenge, was that ‘national security’ was a vague phrase and that the oversight committee was not independent enough. ‘National security’ is generally seen as a policy issue which is within the realm of the executive and courts rarely interfere with such clauses.

The third ground of challenge was that the oversight committee was not independent enough. There is really no constitutional principle requiring the oversight committee to be independent. As for the composition of the Oversight Committee it should be remembered that it adopts a formula laid down by the Supreme Court in the mid-nineties, in PUCL v. Union of India, where the court ordered the government to setup a review mechanism to monitor phone tapping.

The majority opinion

The majority opinion by Justice Sikri is quite disappointing because of its weak analysis. His honour makes no attempt to engage with the arguments in relation to self-incrimination, instead preferring to dispose the issue by stating that the district judge may consider the issue of Article 20(3) at the time of deciding applications for allowing access to the identity information or authentication information. The only concession made by the judgment is that the person whose information is being sought is required to be given a hearing along with the UIDAI prior to a decision being made by the district judge. But how exactly does this work when an investigating agency wants to run the fingerprints of an unknown person against the Aadhaar database in the hope of tracing an accused or perhaps trace the identity of a John Doe? The judgment is silent on the issue.   

Also read: One Data Protection Legislation and One Regulator for 1.3 Billion People?

On the issue of Section 33(2) and ‘national security’, Justice Sikri refers to relevant precedent to declare that ‘national security’ is a not a question of law but a matter of policy and held that the state could access information held by the UIDAI in the interests of national security. However, with the regard to the person who can order access to be provided in the interest of national security, Justice Sikri declares, at page 424, that joint secretary is too junior a rank and that the power should be granted to a higher ranking official. On this basis he strikes down Section 33(2) of the Aadhaar Act. His honour does not even attempt to explain the legal basis of such a conclusion.

By the time Justice Sikri arrives at the conclusion of his judgment at page 559, where he summarises his holdings, he states that a judicial officer should be associated with process of passing an order to access information.

He states in relevant part:

“However, for determination of such an eventuality, an officer higher than the rank of a Joint Secretary should be given such a power. Further, in order to avoid any possible misuse, a Judicial Officer (preferably a sitting High Court Judge) should also be associated with. We may point out that such provisions of application of judicial mind for arriving at the conclusion that disclosure of information is in the interest of national security, are prevalent in some jurisdictions.”

Like much of this judgment, there is simply no legal reasoning to back this conclusion or engage with the court’s own precedents. The Supreme Court in the PUCL case had rejected a request for phone tapping to be authorised only on the basis of warrants issued by judges rather than bureaucrats.

If Justice Sikri is diverging from this viewpoint, as appears to be the case, it is only reasonable to expect reasons for this conclusion. More puzzling is the formulation that he suggests. What exactly does his honour mean when he states that a judicial mind should be associated with the process of passing such an order? Does it mean that a judge should be sitting with a bureaucrat to pass an order? This would be an extraordinary setup because there is simply no precedent for such an arrangement.   

The concurring opinion

The concurring opinion by Justice Bhushan upholds Section 33 without making any recommendations on the lines made by Justice Sikri. Unlike the majority opinion, Justice Bhushan’s conclusions are backed by cogent reasoning and precedent.  

On the issue of whether Aadhaar violates the right against self-incrimination under Article 20(3), he refers to the precedent of the Supreme Court from 1962, in the case of State of Bombay v. Kathi Kalu Oghad, where the Court drew a distinction between collection of evidence and standing witness against oneself, noting that collection of biometrics fell within the former, which is not the same as self-incrimination.

Also read: Aadhaar and the ‘Least Intrusive Option’: What Did the SC Say About Smart Cards?

On the issue of ‘national security’, Justice Bhushan found in favour of the government because of the precedent that has declared national security to be a policy issue that can be determined by the government and not the judiciary.

In addition, Justice Bhushan also referred to a number of Indian and international judgments where it was held that national security was a valid ground to access personal information.

The dissent

The dissent by Justice Chandrachud does not really analyse the arguments regarding Section 33, and understandably so, because he concludes that the entire Aadhaar project violates the fundamental right to privacy when tested on the proportionality touchstone.

Once he concludes that the Aadhaar project itself is unconstitutional, there is little to be gained by analysing Section 33.

More pressure

As things stand now, Section 33(1) is constitutional, and it is constitutional to use the Aadhaar database for criminal investigation. Neither the majority nor the concurring opinion prohibits such usage.

In fact, the concurring opinion is quite lucid on this point when it concludes as follows:

“Section 33 cannot be said to be unconstitutional as it provides for the use of Aadhaar data base for police investigation nor it can be said to violate protection granted under Article 20(3).”

The implications of this conclusion are significant because there will now be more pressure on the UIDAI to co-operate with investigative agencies.  

While Section 33(2) has been struck down as unconstitutional, the formulation specified by Justice Sikri is so bizarre that it is not possible to implement. It is now up to the government to recommend a new formulation of Section 33(2).

Prashant Reddy T. is an assistant professor at NALSAR University of Law, Hyderabad.