The Aadhar ordinance2019, privacy and remedies available in violation thereof.

Through this small write-up, we wish to answer following questions:

  1. What is Aadhar Ordinance of March 2019?
  2. What are the benefits of Aadhar?
  3. How a private entity can use the Aahar information of Individual?
  4. What are the remedies under the law to deal with the theft or misuse of the biometric and other information linked to Aadhar?
  5. Why Aadhar is so important for the government of India?

Discussion:

The Union cabinet recently promulgated the Aadhar Ordinance to negate the long reaching effects of the judgment of the Honorable Supreme Court in the landmark judgment of Justice K.S. Puttaswamy (Retired) v Union of India wherein, the Supreme Court in a over whelming majority of 4:1 upheld the validity of Aadhar Act however, the Court also did put some restrictions on Aadhar and use of the bio metric data gathered thereby. The Act had generated a lot of controversy, primarily for being presented as ‘Money Bill’[1] meaning thereby that it could not be opposed or impended by the Rajya Sabha. In fact the dissenting judge noted in his judgment that introduction of the Aadhar Act as money bill is a fraud upon the constitution.

The ordinance was promulgated on March 2, 2019 and is known as Aadhaar and Other Laws (Amendment) Ordinance, 2019. This Ordinance seeks amendments in a large number of legislations, the most important of them being Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, the Indian Telegraph Act, 1885, and the Prevention of Money Laundering Act, 2002.  The Aadhaar Act was enacted with the motive of being able to provide all citizens with a form of unique identity numbers, called Aadhaar numbers which would function as a universally acceptable Identity Proof and thus, bring uniformity.  However,later it has been linked with targeted delivery of subsidies and benefits to individuals residing in India on the basis of the Aadhar numbers in order, as they claim, to curb corrupt practices of mismanagement, misappropriation etc. Prior to this ordinance, a similar Bill was passed by Lok Sabha on January 4, 2019 which was in toto the ordinance, however since the same could not be passed in the Rajya Sabha within 6 months, therefore, an ordinance was the only option available with government to enforce it. The key features of the ordinance are:

Offline verification of Aadhaar number holder: Under the Aadhaar Act, an individual’s identity may be verified by Aadhaar ‘authentication[2]’.  Under the Act, it provided only for online verification however, the ordinance seeks to devise offline authentication. The Ordinance additionally allows ‘offline verification’ of an individual’s identity, without authentication, through modes specified by the Unique Identification Authority of India (UIDAI) by regulations, however, such guidelines have not been specified and there is a certain level of vagueness which remains and does nothing to assuage concerns for individual’s privacy and security of the biometric data.

The Ordinance provides for Aadhar ecosystem in which private entities are also included as a part of them whereby it would be possible for them to apply for offline verification of individuals.The Ordinance defines the Aadhaar ecosystem to include enrolling agencies, requesting agencies, and offline verification-seeking entities. It allows the UIDAI to issue directions to them if necessary for the discharge of its functions under the Act. The Ordinance furthers says that during offline verification, the agency must:

  • obtain the consent of the individual,
  • inform them of alternatives to sharing information, and
  • not collect, use or store Aadhaar number or biometric information.

THE CONTROVERSY

The Hion’bleSupreme Court in its decisions had straight forwardly refused to allow private entities from using Aadhar data for their services and has opined that in good conscience, they cannot be allowed access to the sensitive information since there are no failsafe measures in law to counter any damage which may be caused if private entities are allowed access. Thus, this particular amendment in the Ordinance can single handedly negate the most far reaching effect of the judgment.

Also, the question remains as to what measures are taken to ensure that the data accessed by private entities would not find its way into the hands of other players or would not be used to any other purposes other than those for which they are purportedly obtained.

Voluntary use:

The Act provides for the use of Aadhaar number as proof of identity of a person, subject to authentication but the Ordinance replaces this provision and provides that an individual may voluntarily use his Aadhaar number to establish his identity, by authentication or offline verification.  The Ordinance also makes it clear that the use of Aadhar as authentication of an individual’s identity can be made mandatory by law made by the Parliament.

The Supreme Court in its decision had provided that the telecom companies cannot compel the Aadhar holders to provide their Aadhar details to them for issuing a telecom connection or any other purpose ancillary or incidental thereto, thereby putting an end to the tyranny of telecoms in pestering the consumers to link their numbers with Aadhar or their connections would be discontinued however, the Ordinance seeks to make amendment to the Telegraph Act, 1885 and the Prevention of Money Laundering Act, 2002 thereby granting authority, to persons with a license to maintain a telegraph, banking institutions, to verify the identity of their clients by:

  • authentication or offline verification of Aadhaar,
  • passport, or 
  • any other documents notified by the central government.

It provides that the client has choice to use either of the modes to verify his identity and will not denied for not having Aadhar number, however, it has made no provisions to deal with situations which may arise where the telecoms or the banking institutions pointedly refuse to cater to clients who do not have Aadhar or who choose to opt out of giving their Aadhar details to these companies.

Entities using Aadhaar:

Under the Act, usage of Aadhaar number for establishing the identity of an individual, by the State or a body corporate under any law, is permitted but the ordinance has removed this provision and now usage of Aadhar as a means to perform authentication by any authority is subjected to satisfaction of the UIDAI when it is satisfied as to the following requirement as to an entity:

  • compliant with certain standards of privacy and security, or
  • permitted by law, or
  • seeking authentication for a purpose specified by the central government in the interest of the State.

Aadhaar number of children:

The Ordinance mandates that in the process of enrolling a child for an Aadhar, prior permission of the guardian of the child is necessary and that the agency must inform the parent or guardian of the manner in which the information will be used, the recipients with whom it will be shared, and of their right to access the information. However, it does not take account of the fact no such permission is ever obtained but arbitrarily students have been subjected to enrolling for Aadhar and in fact, schools were asked to hold camps for enrolling children for Aadhar.

It further provides that a child can, within 6 months of attaining majority may choose to cancel his Aadhar, however in doing so, he would be rescinding any benefits which he may have been deriving under any Government run scheme or plan which mandates for Aadhar verification.

Disclosure of information in certain cases:

The provisions relating to secrecy and confidentiality of data and biometric details of individuals has been considerably loosened and the Ordinance seeks to disclose any such details on the orders of a District Court or any court higher than them.

It further provides that disclosure of such information in national security can be done on the orders of an officer not below the rank of Joint Secretary thus, elevating the rank of officer from Secretary (as was originally provided under the Act).

However, these provisions seek to put the secrecy and confidentiality of the individuals in danger by a mere order of the executive on its self aggrandisement that doing so is required in national interest.

Alternate Identity proof:

The government has proposed alternative identity proof which can be used in lieu of Aadhar for ensuring access to subsidy based schemes and for child welfare schemes such as midday meals, scholarships, disability support etc, however, no notifications have been issued by the government to ensure use of the alternative identity proofs.

UIDAI Fund:

Prior to the ordinance, all the fees and revenue generated was sought to be in the consolidated fund but the ordinance proposes a new fund known as Unique Identification Authority of India Fund which would exclusively be used to pay salaries and allowances to the employees of the Authority and for other expenses, however, a new fund would mean that the government control over the money coming in would be loosened and it can be used to any purposes which may or may not have the executive sanction. Furthermore, it would make is hard to track the fund so that any mismanagement or misuse of the money can be prevented.

Complaints:

Under the Act, courts can take cognizance of an offence only if the UIDAI registers a complaint; however, the ordinance tends to negate it by allowing individuals to register complaints in certain cases, including impersonation or disclosure of their identity.

Penalties: Under the Ordinance, the UIDAI may initiate a complaint against an entity in the Aadhaar ecosystem for failure to

  • comply with the Act or the UIDAI’s directions, and
  • furnish information required by the UIDAI.

Adjudicating Officers appointed by the UIDAI shall decide such matters, and may impose penalties up to one crore rupees on such entities.  The Telecom Disputes Settlement and Appellate Tribunal (TDSAT) shall be the appellate authority against decisions of the Adjudicating Officer.

By this provision, the ordinance seeks to keep the judicial interference in matters of the Aadhar authority to the minimum and therefore, has made the TDSAT to be the appellate authority against any orders of the adjudicating officers.

REMEDY AVAILABLE TO THE INDIVIDUAL IN CASE OF MISUSE OF HIS PERSONAL DATA BY A PRIVATE PERSON/ ENTITY.

The Indian Penal Code in itself is a complete code for dealing with most of the offences that can be apprehended to be committed by a private entity in case of misuse of the biometric details of an individual. The Biometric data connected to Aadhar number is a property of the individual. It is shared with the private entity with prior understanding and agreement that it shall be used for a particular specified purpose. In case the information is used by the private entity for any other purpose other than the defined purpose then, in my opinion, the act shall amount to criminal breach of trust punishable under section 406 of I.P.C. read with section 72 of Information Technology Act2000 and the individual will have right to get FIR registered against the person having control over the entity or the person who actually wrongfully utilized the data.


[1]Article 110, Constitution of India

[2]Authentication involves submitting the Aadhaar number, and their biometric or demographic information to the Central Identities Data Repository for verification.

please share your comments or questions...