You and your Aadhaar : Explained

Wednesday’s Supreme Court Aadhaar ruling has highlighted two main aspects of the unique identification project — one, Aadhaar as digital identity infrastructure and, two, its application as public infrastructure for various purposes. On the first aspect, the majority judgment has upheld the validity of the project and stated that the architecture of Aadhaar, and the provisions of the Aadhaar Act, do not tend to create a surveillance state. However, the judgment has also red-flagged several applications of Aadhaar that do not meet the test of proportionality, such as the linking of Aadhaar with mobile number and bank accounts, and declared them unconstitutional.

Fears have been expressed that Aadhaar had created, or could create a surveillance state. What has the court said?

The majority verdict of four judges says the manner in which the Aadhaar project operates, ensures that the provisions of the Aadhaar Act “do not tend to create a surveillance state”. During the enrolment process, “minimal biometric data in the form of iris and fingerprints are collected”, and the Unique Identification Authority of India (UIDAI) — which oversees the Aadhaar enrolment exercise — “does not collect purpose, location or details of the transaction”. The suggestion that Aadhaar would create a surveillance state was “not well founded”, the judgment says, “and in any case, taken care of by the diffluence exercise carried out with the striking down certain offending provisions in their present form”.

In his minority judgment, Justice D Y Chandrachud said that from the verification log, it was possible to locate the places of transactions carried out by an individual over the past five years. The majority verdict has, however, said that authentication logs should be deleted after six months, instead of the five years required under the existing regulations. Justice Chandrachud also noted that it was possible to track an individual’s location through the Aadhaar database, even without the verification log. “The architecture of Aadhaar poses a risk of potential surveillance activities through the Aadhaar database,” he said.

The second big concern has been about the security of the biometric data. What view has the court taken on the magnitude of protection accorded to the collection, storage and use of such data?

The majority judgment underlines that UIDAI has mandated only registered devices to conduct biometric-based authentication transactions. With the use of these registered devices, the biometric data is encrypted within the device using a key, and is, therefore, captured live. Before returning to the application being used by the service provider, the registered device blocks the personal identity data by encrypting it. This creates a unidirectional relationship between the host application and the UIDAI. The use of registered devices in Aadhaar authentication, therefore, rules out any possibility of the use of stored biometric, or the replay of biometrics captured from another source. Further, as per the regulations, authentication agencies are not allowed to store the biometrics captured for Aadhaar authentication.

What about the argument that the Aadhaar Act violates the right to privacy and is, therefore, unconstitutional?

Not all matters pertaining to an individual were an inherent part of the right to privacy — only those matters in which there was a reasonable expectation of privacy were protected by Article 21 of the Constitution, the court has said. The Aadhaar scheme, which is backed by the Aadhaar Act, passes the triple test laid down in the Puttaswamy (Privacy) judgment to determine the reasonableness of the invasion of privacy.

The court also noted that the failure to establish the identity of an individual had proved to be a major hindrance to the successful implementation of programmes — in the absence of a credible system to authenticate identity, it was becoming difficult to ensure that subsidies, benefits and services reached their intended beneficiaries. Also, given that the use of Aadhaar had increased over time, necessary measures were taken to ensure security of information provided by individuals while enrolling.

However, the judgment has questioned certain provisions of the Act on the grounds of privacy. Section 57 is one example — it has said that the provision which enables corporate bodies and individuals to also seek authentication, that too on the basis of a contract between the individual and such bodies or persons, would impinge upon the right to privacy of the individual.

The judgment has looked at Section 139AA of the Income Tax Act, 1961 — which made Aadhaar mandatory for filing returns and applying for PAN — in the context of the right to privacy, and said that the provision satisfied the triple test: (i) existence of a law, (ii) a legitimate state interest, (iii) test of proportionality. The court also said that if in the regulations, a provision was made that impinged upon the right to privacy, it could be challenged.

What has the court said about Aadhaar for children? Will it be essential for admission to school?

The consent of parents/guardians will be essential for the enrolment of children under the Aadhaar Act, and “on attaining the age of majority, such children… shall be given the option to exit from the Aadhaar project if they so choose in case they do not intend to avail the benefits of the scheme”.

With regard to school admissions, the court has ruled that the requirement of Aadhaar would not be compulsory, because “it is neither a service nor subsidy”. Also, given that a child between ages 6 and 14 has the fundamental right to education under Article 21A of the Constitution, school admission cannot be treated as a ‘benefit’ either. The court clarified that “no child shall be denied benefit of any of these schemes if, for some reasons, she is not able to produce the Aadhaar number, and the benefit shall be given by verifying the identity on the basis of any other documents”.

The government had made it mandatory to link Aadhaar to PAN, and to provide Aadhaar while filing income-tax returns. Following the Supreme Court judgment, does this provision stay?

The petitions made pertaining to the Section 139AA of the Income Tax Act, which mandates linking of Aadhaar to PAN and providing Aadhaar while filing income-tax returns, were in the context of the provisions violating privacy rights of individuals. As mentioned, the provision stood the triple test and the court held that it did not violate the right to privacy. Therefore, linking of PAN with Aadhaar will be mandatory. However, there was no indication in the court order about the deadline for doing so.

And yet, linking of Aadhaar with bank accounts is no longer mandatory?

Linking of bank accounts and all other financial instruments such as mutual funds, credit cards, insurance policies, etc with Aadhaar were mandatory as part of the 2017 amendment brought to Rule 9 of the Prevention of Money Laundering Act (Maintenance of Records) Rules, 2005. The Supreme Court has now declared the amendment unconstitutional. It did so because the amendment did not stand the proportionality test in the triple test, thus violating the right to privacy of a person which extends to banking details. The court cited Ram Jethmalani & Ors vs Union of India & Ors (2012), in which it held that revelation of bank details without prima facie grounds of wrongdoing would violate the right to privacy. It also noted that under the garb of prevention of money laundering or black money, there cannot be such a sweeping provision which targets every resident of the country as a suspicious person. “Presumption of criminality is treated as disproportionate and arbitrary,” the judgment said, declaring the amendment unconstitutional.

But what happens to all the Aadhaar details that people have already given to banks?

The issue of the right to be forgotten, in case of Aadhaar data that have been collected, remains a grey area. The judgment does not clearly state that entities such as banks and mobile companies will have to delete the collected information. On a similar issue, the court has upheld the validity of Section 59 that also validates all Aadhaar enrolment done prior to the enactment of the Aadhaar Act, 2016. The court has said that since enrolment was voluntary in nature, those who specifically refuse to give consent would be allowed to exit the Aadhaar scheme.

Mobile phone companies and mobile wallets have been constantly insisting that customers link their phone numbers with Aadhaar. What has the court ruled on this?

The March 23, 2017, circular of the Department of Telecommunications, which mandated Aadhaar-based reverification of mobile numbers, has been held illegal and unconstitutional given that it was not backed by any law. In effect, the court has barred telecom companies from insisting that their customers furnish their Aadhaar details for the customer identification process. The provision in the Aadhaar Act that allowed private entities to conduct authentications, too has been held illegal, due to which corporate bodies including banks, telecom operators, mobile wallets, etc will not be able to press any customer for his or her Aadhaar number.

There was an argument that the passage of the Aadhaar Act as a Money Bill — in order to bypass Rajya Sabha where the government was in a minority — was unconstitutional. What has the Supreme Court ruled?

All the avenues where furnishing Aadhaar has remained mandatory pertain to Section 7 of the Aadhaar Act, which makes receipt of a subsidy, benefit or service subject to establishing identity by the process of authentication under Aadhaar or furnishing proof of Aadhaar, etc. It is very clearly declared in this provision that the expenditure incurred in respect of such a subsidy, benefit or service would be from the Consolidated Fund of India. Section 7 being the main provision of the Act, the Supreme Court has upheld the validity of the Aadhaar Act being passed as a Money Bill.

However, in the minority judgment, Justice Chandrachud said: “Passing of a Bill as a Money Bill, when it does not qualify for it, damages the delicate balance of bicameralism which is a part of the basic structure of the Constitution. The ruling party in power may not command a majority in the Rajya Sabha. But the legislative role of that legislative body cannot be obviated by legislating a Bill which is not a Money Bill as a Money Bill. That would constitute a subterfuge, something which a constitutional court cannot countenance.”

 

Provisions the Supreme Court retained, read down, or struck down


Retained

Section 7, Aadhaar Act
Provides for the government seeking Aadhaar number, or proof of application for enrolment, in order to receive various benefits. Noting that it is aimed at offering benefits to the marginalised section, court said this becomes an aspect of social justice.

Section 139AA, Income Tax Act
Made Aadhaar mandatory for filing I-T returns and applying for PAN from July 1, 2017 onward. In Binoy Viswam (June 9, 2017), Supreme Court upheld the constitutional validity of Section 139AA, repelling contentions based on Articles 14 and 19, but partially stayed its operation in view of the ongoing main Aadhaar case. The Supreme Court also left the privacy question, which was then linked to Article 21, open. The majority order Wednesday upheld Section 139AA, ruling that it passed the privacy test laid down by the court in the Puttaswamy (Privacy) judgment of August 2017.

Read down, struck down

Section 33(1), Aadhaar Act
Prohibits disclosure of information, including identity and authentication information, except when it is by an order of a district judge or higher court. This was read down by the court, with the clarification that an individual, whose information is sought, shall be afforded an opportunity of hearing; the individual shall also have right to challenge such an order passed by approaching the higher court.

Section 33(2)
Provides for disclosure of information in the interest of national security, on the direction of an officer of Jt Secretary or higher rank, or officer specially authorised by the Centre. The court held that an officer higher than this rank should be given such a power, and a Judicial Officer (preferably an HC judge) should also be associated with it. Struck down in present form, with liberty to enact new provision.

Section 47
Provides for cognisance of offence only on complaint by UIDAI (or any person authorised by it). Court ruled this needed suitable amendment to provide for filing of complaints also by an individual/victim whose right was violated.

Section 57
Provides for use of Aadhaar number for establishing the identity of an individual for any purpose, by the state or any corporate or person. Read down as susceptible to misuse. Regulation also provides that such purpose is pursuant to any law or to “any contract to this effect”. Court observed that it would enable commercial exploitation of biometric and demographic information by private entities.

Regulation 26(c), Aadhaar Regulations
Allows UIDAI to store metadata relating to transactions. Struck down in present form.

Regulation 27
Provides for archiving transaction data for five years. Struck down; court ruled that retention of data beyond six months not permissible.