
Apr 22, 2018

Updates on Aadhaar Final Hearing: Day 29

On day 29 of the final Aadhaar hearing, Senior Advocate Rakesh Dwivedi resumed his submissions and stated that it is better to tighten the nuts and bolts of Aadhaar than to demolish it completely. He cited Section 8 of the Aadhaar Act and argued that individuals’ information is strictly confined to the purpose of authentication and that the interplay of sections 8 and 29 means that core biometrics, i.e. fingerprints and iris scans, are not shared with any third party. He further stated that data shared under section 29 is non-biometric data. J. Chandrachud at this point interjected and pointed out that Section 8(3) combined with Section 29(3) means that the requesting entity will know the purpose of the authentication even if UIDAI doesn't, which Mr. Dwivedi vehemently denied. Mr. Dwivedi emphasized that if the bench is unsure whether requesting agencies collect information that they are not supposed to, then they should read down sections 8(3) and 29(3) to make sure that requesting entities (REs) do not know the purpose of the authentication or collect any information.

During a brief discussion on the General Data Protection Legislation (GDPR), Mr. Dwivedi contended that the GDPR provides no curative measures and that the Aadhaar Act provides adequate data protection to citizens. He argued that no data protection law can provide hundred percent protection and the applicable test should be to check if the said law provided “just, fair and reasonable” protection. Mr. Dwivedi then went on to state that aggregation, analysis or transfer of data is not allowed under the Aadhaar Act.

Thereafter, Mr. Dwivedi mentioned that the State can only tackle real apprehensions related to Aadhaar and not the kind of fear mongering that is being perpetrated by a few individuals. To this, J. Chandrachud stated that the real apprehension is that elections are swayed using data analytics in first world countries like the United States and the problems related to technology are symptomatic of the world we live in. In reply, Mr. Dwivedi mentioned that Aadhaar cannot be compared to the Cambridge Analytica data leak scandal. He reiterated that UIDAI does not have learning algorithms as the Aadhaar Act does not authorize it. He highlighted that UIDAI uses simple matching algorithms for the purpose of authentication. He also went on to assert that a powerful Indian media will check any misuse of Aadhaar. He urged the bench to examine the design of the Aadhaar Act and emphasized that the State wants to gain the trust of citizens. Section 28 of the Act also provides protection of information, he stated. He further mentioned that the data collected will be in the control of UIDAI and will be kept secure in the CIDR. Section 57 does not allow just anyone to become a requesting entity. It's a limited exercise and UIDAI will not approve anyone to become an RE unless it is satisfied that the particular entity needs to use the facility of authentication, stated Mr. Dwivedi.

J. Chandrachud questioned why private parties need to be involved in the Aadhaar infrastructure, to which Mr. Dwivedi responded by saying that the divide between public and private sector is narrowing and that the private sector is not exempt from Constitutional norms.

Next, Mr. Dwivedi said that he wanted to respond to the submission made by petitioners that the State is numbering human beings like Hitler did in Nazi Germany. Mr. Dwivedi emphasized the importance of numbers and cited Georges Ifrah’s book “From one to zero: A universal history of numbers” and “God made integers” by Stephen Hawking. He also highlighted that the origin of numbers began in India at the time of Brahmagupta. To this, J. Sikri interjected and said, “Nobody is denying there should be no numbers. But why assign it to individuals?” In reply, Mr. Dwivedi expressed that numbers are beautiful and fascinating and human beings are not numbered just because a number is assigned to them. He gave the example of numbers being present in proximity cards used in courts, airline tickets (PNR), credit cards, among other things.

Furthermore, J. Chandrachud asked why Section 3 of the Aadhaar Act has become mandatory since it is an entitlement under the Act. Mr. Dwivedi said that Section 3 is voluntary and Aadhaar was made mandatory for other purposes by way of amendment of other Acts. He stated that the bench can examine these other Acts separately.

J. Chandrachud then remarked that Aadhaar can be made mandatory under a law or through a contract under Section 57 of the Act. Mr. Dwivedi replied that the object of Section 57 is not to expand but to limit the use of Aadhaar. He commented that any paanwalla or chaiwalla cannot become an RE under the Act and that the UIDAI will examine if an entity needs to use the facility of authentication. J. Chandrachud enquired how “need for authentication” is determined, to which Mr. Dwivedi answered that there has to be a prior contract and then UIDAI has to be approached for request. Not convinced with that line of argument, J. Sikri remarked that there is no guideline as to what will be considered a “need” for authentication and what will not be. Further, J. Khanwilkar questioned the fact that the prior contract comes before permission to become an RE is taken from UIDAI. He also commented that Section A of the Act that outlined who all can become REs is very wide.

On the security of Aadhaar, Mr. Dwivedi highlighted that the rules of the Information Technology Act, 2000 and the punitive measures provided therein are also applicable to Aadhaar data under Section 30 of the Aadhaar Act. While reading some of the provisions of the IT Act, Mr. Dwivedi remarked that anyone who attempts to gain unauthorized access to CIDR will be imprisoned for ten years. He then went on to mention the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 and the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 and the provisions therein. He also highlighted that the CIDR came under critical information infrastructure.

Thereafter, Mr. Dwivedi mentioned the following attributes of biometrics: they are not genetic data; they are not intrusive; they can be used as a mode of identification even without the use of digital technology; instantaneous digital authentication. He commented that other biometrics can be added to the Aadhaar ecosystem only if it enhances accuracy. Mr. Dwivedi next went on to state that Aadhaar is not just an exercise to provide benefits and weed out fakes but also to bring the service providers face to face with the beneficiaries. That's the revolutionary aspect of Aadhaar, he emphasized. He reiterated that none of the other identification cards are universally held in the country. These cards are only for initial identity and address proof. In the case of Aadhaar, no individual would give their wrong name or address since biometrics are involved. He commented that Aadhaar is not the panacea for all evils but the problems that were occurring on account of fake identity documents will be solved.

The last argument of the day that Mr. Dwivedi tackled was that Aadhaar technology is probabilistic and not deterministic. He argued that probability governs us everywhere and that nothing is certain. He was of the view that just because it is probabilistic, it cannot be discarded. J. Chandrachud responded by highlighting that if the probability leads to deprivation of fundamental rights, then there should be safeguards in place to ensure that this deprivation doesn't happen. There should be an administrative machinery in place to ensure no genuine beneficiary is deprived, he stated. Mr. Dwivedi agreed and mentioned that the State believes in inclusion of all citizens and therefore Section 7 itself provided a fallback mechanism if authentication failure happened.

The bench will resume tomorrow (April 18, 2018).

Apr 13, 2018

Updates on Aadhaar Final Hearing: Day 26

On Day 26 of the final Aadhaar hearing, Attorney General, Mr. K.K Venugopal resumed his submissions for the State. He began by explaining retrospective saving of Acts/statutes and cited cases to show that past actions can be validated by a subsequent Act. He stated that Section 59 of the Aadhaar Act provided retrospective application of the Act.

Mr. Venugopal next read out the third version of the Aadhaar enrolment form and asserted that enrolment is free and voluntary and the form has provisions to take informed consent. Justice Chandrachud interjected and said that the first two forms did not have any reference to biometrics and that it was only inserted in the third form, to which Mr. Venugopal replied that the first two forms were hardly used because in the initial phase of enrolment, the government had only mandated enrolling one crore individuals. He also stated that the Central Bureau of Investigation (CBI) had gone to Bombay High Court to obtain biometrics from the Aadhaar database in connection with a rape case since UIDAI had refused to part with biometric information of individuals without their consent.

Thereafter, Mr. Venugopal read out Justice Chandrachud’s part of the K.S Puttaswamy judgment about “reasonable expectation of privacy” and emphasized that the State has no interest in collection of biometrics except for the benefit of the individual himself.

Mr. Venugopal contended that before the right to privacy was recognized by the Supreme Court, the government acted in a bona fide manner when they launched the Aadhaar project and such action cannot be said to be void by retrospective action. Justice Chandrachud at this point highlighted that the question of privacy was irrelevant in M.P Sharma as the case concerned Article 20(3). Only the first part of Kharak Singh affirmed the right to privacy and the subsequent judgments that recognized privacy relied on this first part. Mr. Venugopal disagreed with this interpretation. He finished his arguments with a brief discussion on what would constitute “excessive delegation.” Justice Chandrachud remarked that Section 2(g) of the Aadhaar Act that defines ‘biological attributes’ is not so much a question of delegation of legislative power but proportionality.

Additional Solicitor General, Tushar Mehta, began his arguments on behalf of the Unique Identification Authority of India (UIDAI). He mentioned that his contentions would comprise:

1. Challenge to S. 139AA of the Income Tax Act (IT Act) from the right to privacy angle.

2. How Aadhaar helps prevent money laundering, black money and tax evasion.

3. Aadhaar-mobile number linking

4. Scope of judicial review in the area of technology

He submitted that in the case of Binoy Viswam v. Union of India wherein Section 139AA of the Income Tax Act was challenged, the court had examined all aspects of Aadhaar apart from the test of right to privacy. He stated that all nine judges in the case of Puttaswamy affirmed that the right to privacy is not absolute. Mr. Mehta pointed out that a legislation has to pass the three tests laid down under Puttaswamy and also the test of manifest arbitrariness laid down in the Shayara Bano v. Union of India judgment. All four tests were examined in Binoy Viswam although in the context of Article 19, he stated. According to Mr. Mehta, all the demographic information that is required under Aadhaar was already being taken under Section 139A of the Income Tax Act for obtaining PAN along with the left hand thumb impression of individuals who cannot sign. Justice Chandrachud commented that there was no collection of biometrics and there was no authentication taking place. Mr. Mehta remarked that those who have obtained PAN previously do not have any legitimate interest in withholding information that they have already provided.

Mr. Mehta submitted that 11.3 lakh cases of duplicate PAN were found and that PAN can be misused for the purpose of tax evasion, black money, setting up shell companies, among other things. Aadhaar will ensure that one person has only one PAN by interconnecting the PAN-Aadhaar database as recommended by the Shah Committee SIT on black money. He mentioned that even companies require PAN cards and the documents used for obtaining PAN can easily be forged. Biometrics, he stated, will prevent that. Mr. Mehta emphasized that India is a largely tax non-compliant country and the burden of people who evade taxes falls on honest tax paying citizens. He also stated that the tax collection is very low with respect to our GDP ratio.

Lastly, Mr. Mehta talked about India’s international obligations under the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS). He concluded by saying that Section 139AA has already been tested on the basis of the four tests mentioned earlier, to which Justice Bhushan commented that the State will have to prove that there is no violation of privacy under Aadhaar.

May 21, 2016

Journey of Aadhaar

The Aadhaar scheme has undergone scrutiny and challenges at various levels since its inception as the flagship program of the Unique Identification Authority of India (UIDAI) in 2006. In its journey, there have been two separate Bills aimed at according it a statutory status, an extensive scrutiny by a Standing Committee, multiple challenges in the Supreme Court, and heated debates in the Parliament over the Aadhaar Bill, 2016 (now the Aadhaar Act). The following is a timeline, recording the entire Aadhaar process from 2006-2016.

2006: March 3rd: Department of Information Technology, Ministry of Communications and Information Technology gave an administrative approval for a scheme to issue unique ID for Below Poverty Line (BPL) families.

2006: December 4th: Constitution of an Empowered Group of Ministers (EGoM) to collate two schemes - the National Population Register under the Citizenship Act, 1955 and the UID scheme.

2007: First meeting of the EGoM took place where the need for creating an identity related resident database was recognized, thereby leading to the creation of Aadhaar.

2009: The Unique Identification Authority of India (UIDAI) was constituted for the purpose of issuing unique identification numbers by the Central Government. It was decided that the UIDAI will be executive in nature and function under the Planning Commission. Nandan M. Nilekani was appointed as the first chairman of this Authority.

2010: December 3rd: The National Identification Authority of India Bill, 2010 (NIAI Bill) was introduced in Rajya Sabha by the UPA government.

2010: December 10th: The NIAI Bill, 2010 was referred by the Lok Sabha Speaker to a Standing Committee for examination and a report thereafter.

2011: December: The Standing Committee on Finance under Yashwant Sinha issued a report on the NIAI Bill and rejected the bill in its initial form. It gave recommendations, including the requirement for an overarching privacy legislation and data protection law before the continuance of the scheme, and expressed concern about private agencies being contracted for the collection of sensitive information.

2012: Justice K.S. Puttaswamy, former Karnataka High Court Judge, filed a petition (W.P.(C) 494/2012) before the Supreme Court contending that Aadhaar does not have any statutory basis, and moreover violates fundamental rights of equality & privacy granted to every individual under the Constitution.

2013: Supreme Court in an interim order stated that no person should suffer for not having an Aadhaar card, even if it has been made mandatory by certain authorities to avail benefits. (Order dated 23rd September, 2013)

2014: An order is issued by the Supreme Court in the case of UIDAI v. Central Bureau of Investigation (CBI) (SLP (Crl) 2524/2014), (subsequently tagged with Justice Puttaswamy's petition) asking agencies to revoke any orders made by them making Aadhaar mandatory for availing benefits. Moreover, it also forbade the UIDAI from sharing any information in the Aadhaar database with any agency without the data subject's consent. (Order dated 24th March, 2014)

2015: August: Three-judge bench of Supreme Court in an order restricted the use of Aadhaar to schemes of LPG and PDS, and held that no one would be denied the benefits rightfully entitled to them for the lack of an Aadhaar card. It also refers the question of right to privacy as a fundamental right to citizens of India to a Constitutional Bench. (Order dated 11th August, 2015)

2015: October: A five-judge bench constituted for seeking clarifications on the August order reiterates that Aadhaar is not mandatory for availing any benefits, but in the interim, expands the scope of the scheme to PDS, LPG, MNREGA, National Social Assistance Program, PM's Jan Dhan Yojna, and Employees' Provident Fund Organization. It further asks the CJI to expeditiously constitute a Bench for final hearing of the matter. (Order dated 15th October, 2015)

2016: March 3rd: Aadhaar (Targeted Delivery of Financial & Other Subsidies, Benefits & Services) Bill introduced as a money bill in Lok Sabha.

2016: March 11th: Aadhaar Bill, 2016 discussed and passed by the Lok Sabha with no amendments, and forwarded to the Rajya Sabha for their consideration.

2016: March 16th: Rajya Sabha sends the Bill back to Lok Sabha with its recommendations. Lok Sabha does not consider the recommendations and passes the bill in its original form.

2016: March 25th: President gives assent to the Aadhaar Bill, 2016, according it the status of a law, but the Act will take a few months to come into force.

2016: March 26th: The Aadhaar (Targeted Delivery of Financial & Other Subsidies, Benefits & Services) Act, 2016 is notified in the Gazette of India.

2016: April 7th: Jairam Ramesh, member of Rajya Sabha, moves a petition (W.P. (C) 231/2016) in the Supreme Court challenging the introduction and passing of Aadhaar Act as a money bill.

2016: April 25th: The Supreme Court wishes to hear the Attorney General on 10th May, 2016 before issuing notice in the matter moved by Jairam Ramesh.

2016: May 10th: With respect to Jairam Ramesh's petition, the Attorney General argues in the Supreme Court that the decision of the Lok Sabha Speaker to treat a Bill as a money bill is not open for judicial review. However, the Supreme Court asks Jairam Ramesh to submit a note of their submissions & case laws and adjourns the hearing till July.

Image Credits: Projet de biométrie. Credit: Benoit Crouzet/Flickr CC BY 2.0

Mar 21, 2016

Without rules, Sahibs may own your data

Now that the inevitable death of Free Basics by Facebook has happened and the dust has settled, the real outlines of the government of India’s Internet and Digital India policies are coming into focus.

The four pillars of the government’s intentions have been declared and are already under construction: a policy to prefer free and open source software in all e-governance software solutions; new guidelines on patenting ‘computer-related inventions’, which will adhere strictly to the prohibition on patenting computer programs; comprehensive reliance on Aadhaar to provide a biometrically-backed digital identity for every Indian citizen; and the ‘India Stack’, a set of software designs that build atop the Aadhaar unified digital identity to provide cashless payment systems available to all Indians, electronic government services and a ‘consent layer’ for transactions exchanging Indians’ personal information in the private market.

This is an immensely ambitious agenda, but how this agenda is fulfilled, and, in particular, what the consequences are for freedom in the world’s largest democracy, will depend on the fifth pillar of the new Digital India. This pillar is protection of all citizens’ right of privacy.

About the role of privacy in the future Digital India, the government is plainly ambivalent. Having announced it would seek a definitive Supreme Court ruling in the ongoing Aadhaar litigation, the government last week chose instead to rush Aadhaar legislation through Parliament under the contentious claim that it represented a money bill insulated from Rajya Sabha consideration, thus avoiding any significant form of public policy debate.

The Aadhaar legislation ensures that there will be a single database, at CIDR, holding fingerprint, retinal scan and, eventually, full genomic information on every Indian, along with name, address, phone number and — in a continuing reminder that every Indian woman is treated as some man’s property — the name of each woman’s husband or father. From this data, the ordinary conduct of the simplified statistics we call data science can infer other pieces of sensitive information with almost flawless reliability.

The rules concerning access to and operations on this data — which will be determined by future subordinate legislation — whether the surveillance and control of will be enormously facilitated; whether each Indian’s purchases, savings, gifts and receipts will be trackable, controllable and preventable by anyone with sufficient political power or a stolen set of digital keys.

The Bill accords the government an unrestricted right to access and use CIDR’s database for purposes of "national security", a term nowhere defined in this legislation, or anywhere else in Indian law. Given that this database can be used to identify, locate and control people — and the likelihood that any uses made for "national security" will be kept secret and outside the scope of judicial review — only the declaration by the Supreme Court of the broadest and most powerful individual constitutional right of citizen privacy can prevent the inevitable misuse of this power by some future government.

Ministers of the present government who were jailed under the Emergency declared by a government without such tools, or whose phones were surveilled by a more recent past government with lesser tools, should be among those most concerned by the possible consequences.

The government’s concern with acquiring free and open-source software and its decision to resist the blandishments and threats of the multinational IT companies speak to the strongly nationalistic quality of the Digital India vision.

But without an equally clear and determined set of policy commitments to protect the privacy of Indian citizens comprehensively, the digitisation of identity and payment threatens to replace foreign "white" owners of Indians’ lives with domestic "brown" ones. Because information is power, such an oligopoly of data, if it is not imperialism, would be tyranny.

This article was written by Eben Moglen and Mishi Choudhary for The Economic Times Blog published on March 21, 2016.

Mar 19, 2016

How Parliament Debated the Aadhaar Bill, 2016

The Aadhaar (Targeted Delivery of Financial & Other Subsidies, Benefits & Services) Bill, 2016 (hereinafter Aadhaar Bill) was discussed, voted and passed in the Lok Sabha on 11th March, 2016. Many contentions were raised, clarified and debated upon by the Government and the Opposition but the Bill was passed in its original form through voice vote to the Rajya Sabha by the evening. On 16th March, 2016, the Rajya Sabha discussed this bill for almost five hours and certain amendments were added before the Bill was sent back to the Lok Sabha. The same evening, Lok Sabha rejected the recommendations sent by Rajya Sabha and the Aadhaar Bill was passed in the form it was introduced on 3rd March, 2016. As per Article 109, for a money bill, Lok Sabha is not bound to accept the amendments made to the Bill by the Rajya Sabha. Per Article 111 of the Constitution, the President cannot return a money bill for reconsideration with his/her recommendations to the Lok Sabha. He is mandated, without discretion, to give his assent. Therefore, Aadhaar Bill, 2016 could be law in a matter of a few days.

Following is a report of the parliamentary proceedings that took place in the two houses in a week on the Aadhaar Bill, 2016.

LOK SABHA

During the discussion in Lok Sabha with a quorum of 73 out of 545 members, many from the Opposition believed that the Aadhaar Bill was wrongly introduced as a Money Bill. Article 110 of the Constitution lays down the criteria for bills to be introduced as money bills. For the sake of explanation, clause (1) of the Article says that a bill would be deemed a money bill 'only' if its provisions deal with the criteria specified in sub clauses (a) to (g). In this regard, the Government has explained the money bill status of this Bill by using Article 110(c) that relates to the payment of moneys into or the withdrawal of moneys from Consolidated Fund of India, along with sub clause (g) that includes 'any matter incidental to any of the matters specified in sub clause (a) to (f)'. Rajeev Satav from the Indian National Congress questioned the legitimacy of this Bill as a money bill as in Section 57, it permits private entities to use Aadhaar for the purposes of establishing identity, thereby extending the scope from only expenditure incurred from Consolidated Fund of India. In response, justifying the money bill, Arun Jaitley, described Aadhaar as an 'enforcement mechanism' and only 'incidental' to the entire process of incurring expenditure from Consolidated Fund of India. He argued that the expenditure for subsidies and other government welfare schemes formed the core of the Bill proposed; thereby, making it a money bill.

Tathagata Satpathy, Member of Parliament from Odisha for Biju Janata Dal, raised concerns regarding lack of privacy protection, introduction of Aadhaar as a money bill, and the loopholes in outsourcing the collection of data to private contractors. He argued that collection of such data, along with its linking to everyday activities like banking and health, makes it a medium to construct or de-construct a citizen. He further linked this with the menace of mass surveillance and issues of profiling with the example of NSA revelations in the United States by Edward Snowden. In a candid statement, Satpathy said that leaving room for other biological attributes to be added to the list of biometrics (as per Section 2(g)), could mean the future collection of DNA of the population, and a possibility for ethnic and racial cleansing. In addition, he cited a report of 20,000 fake Aadhaar cards being issued in a state and linked that with the manipulation that can happen in the entire database if the outside contractors, responsible for collection of personal information, are influenced. Satpathy argued that the exception for disclosure of sensitive biometric information in interest of 'national security' was a vague and open ended provision. He ended with a statement to the filling in Speaker, "Sir, you know it, and I know it, this is not a Money Bill, Full Stop."

Another speaker, Asaduddin Owaisi from AIMIM, argued that the Aadhaar bill did not comply with the Privacy principles recommended in the Justice A.P. Shah Committee Report of 2012; for example, the lack of notification to an individual if there is a breach of his personal data. He also raised issues of the absence of a right to be heard by the data subject when, as per Section 33(1), the District Judge decides upon the disclosure of personal information of the individual concerned. He added that the prohibition on a court to take cognizance of an individual's complaint as per Section 47, thereby limiting an individual's recourse mechanism against the UIDAI, is also troublesome. Furthermore, he expressed anguish with Section 7 of the Bill that gives an option to Central & State governments to make Aadhaar mandatory for availing subsidies, thereby moving away from the concept of Aadhaar being a mere entitlement as stated in Section 3(1). He also referred to the technical incapability of the biometric machinery to register accurate fingerprints of workers involved in mining and beedi manufacturing. Both Asaduddin Owaisi and Tathagata Satpathy raised a point about categorizing the subsidies that could be availed (and subsequently mandated) with Aadhaar; if these would be limited to the schemes eligible for Below Poverty Line (BPL) families, or even general government welfare schemes could be enveloped under this definition.

The Finance Minister gave a speech right before the voting on the Bill answering the doubts raised previously. He compared the present bill with the earlier National Identification Authority of India Bill, 2010 that was introduced by the UPA Government and reflected that the UPA bill had formulated the authority and the idea of biometric database, but the 2016 Bill improves upon it and instills in it the purpose of targeted delivery of benefits and subsidies. He said he would refrain from commenting on the issues of privacy, because the matter was still pending in the Supreme Court and it was upon the Hon'ble Court to decide on the constitutionality of this right. He added that the clauses on security and protection of data detailed in Chapter VI of the Bill are sufficient safeguards for an individual's personal information. On the point of the exception in Section 33(2) that allows for disclosure of an individual's core biometric and other information in the interest of 'national security', Mr. Jaitley remarked that no legislation, including the National Security Act, defines this term. Its definition is contingent on the situation and if need be, it is upon the courts to decide its applicable scope.

During the proceedings, a considerable number of members present in the Lok Sabha asked that the Bill be sent for further scrutiny to a Standing Committee. Nevertheless, the suggestion was not considered. At the closing of the discussion, the Aadhaar Bill was passed in its original form as a money bill through a voice vote in the Lok Sabha.

RAJYA SABHA

The Rajya Sabha experienced a heated discussion over this bill on 16th March, 2016. It was mentioned by many members that a challenge to the constitutional validity of Aadhaar was pending in the Supreme Court and hence sub judice. The Finance Minister at the very outset clarified that the doctrine of sub judice applies only to matters of 'individual culpability', and not to parliament's power to legislate. If such power of the legislature could be suspended, it would be against the principle of separation of powers enshrined in the Indian Constitution. On the point of privacy, Arun Jaitley remarked that 'probably, privacy is a Fundamental Right; it is too late in the day to say it is not.' With this, he further exclaimed that this right is not absolute and can be restricted based on fair, just, and reasonable procedure established by law. Moving on in his speech, he defended the status of the money bill by stating that the test to be applied is to analyze if the pith and substance of the proposed legislation is expenditure from the Consolidated Fund of India; and merely because an authority is created for administrative purposes, does not obviate the status of a money bill.

Jairam Ramesh from the Indian National Congress suggested many amendments to the proposed Bill, beginning with a letter from a former Attorney General who confirmed Jairam's point that in 'pith and substance', the Aadhaar Bill was not a money bill. He asserted that his fundamental departure from the present bill is based on the fact that Aadhaar not be made mandatory, but remain voluntary. Moreover, calling it a 'Subsidy Sudhaar Program', Jairam contended that Aadhaar will not decide entitlement for the subsidy, but will merely be a proof of identity. Similar to the concern raised by Tathagata Satpathy, he was also worried that the power given under delegated legislation to include other biological attributes in Section 2(g) at a later stage might cause greater problems. While making reference to a report that held that 40% Jan Dhan accounts were facing problems when being authenticated/used with Aadhaar, Jairam Ramesh raised concern over depending on an untested technology at a large scale. He ended his speech by urging the Finance Minister to send the Bill to a Standing Committee to produce an improved version for the law on Aadhaar.

Although many concerns raised in this house overlapped with those already debated in the Lok Sabha, a few members sought clarification on issues not mentioned in the other House. Nadimul Haque of AITC reminded the house that the report from the Standing Committee of Finance that analysed the earlier Bill had held that a national data protection regime is a prerequisite for Aadhaar's operation. Satish Mishra from BSP reiterated the absence of a right to be heard in Section 33(1) and the lack of an appellate mechanism in that regard. Rajeev Chandrashekhar, an independent Member, had concerns about the extension of this scheme to residents and not just citizens of the country. He asserted that 'Aadhaar cannot distinguish between citizens and residents, non-citizens will be able to avail subsidies as a part of this scheme.' In addition, he feared that this method could be misused by miscreants and non-citizens for the purposes of identity laundering, and therefore adamantly opposed the use of Aadhaar for establishing identity as has been permitted in Section 57 of the Bill. Chandrashekhar insisted on judicial oversight while deciding the disclosure of personal information for purposes of national security as in Section 33(2).

In closing, while clarifying and responding to the questions raised, Arun Jaitley maintained that the exception for disclosure for reasons of national security corresponded to the reasonable restrictions of 'security of state' in the fundamental right guaranteeing free speech and in legislations like the Official Secrets Act. It was recommended by Jairam Ramesh that the phrases 'public emergency' and 'public safety' be transposed from the provision for interception of electronic communication in the Telegraph Act. The Finance Minister replied that these expressions would import a wider meaning and larger room for interpretation as compared to the phrase 'national security'. On the mandatory nature of Aadhaar, he clarified that if one wants to avail a benefit or subsidy, enrolling in Aadhaar is mandatory. He drew parallels between the Social Security Number in the United States and Aadhaar to maintain that both apply to residents, but do not imply citizenship of the country. While responding on the question of a right to be heard in Section 33(1), Jaitley remarked that in statutory interpretation, when the law is silent, it is general practice to read the right to be heard into the provision. Though Sitaram Yechury from CPI (M) expressed dissatisfaction with the Finance Minister's explanations, the moving and voting on amendments and provisions of the bill proceeded.

During the voting, most of the clauses passed without any changes, but Jairam Ramesh insisted on the process of division of votes (and not just a voice vote) for four of his amendments. All these amendments were passed in the division process with extremely close calls. The first amendment amongst these was on Section 3 of the Bill and demanded that residents not be included for the purposes of Aadhaar. This amendment was passed with 76-64 votes. The amendment to Section 7 that permits Aadhaar to be made mandatory for securing benefits and subsidies of Government related schemes also passed the division process with the same margin of 76-64 votes. The third amendment pressed by Jairam Ramesh was to replace the phrase 'national security' with 'public emergency or public safety' in Section 33(2) and to have an independent member like CVC or CAG in the Oversight Committee that reviews such directions for disclosure. This amendment passed with 77 Ayes and 64 Noes. The last amendment by him, on the grounds of limiting the use of Aadhaar to only government schemes and not for other purposes as stated in Section 57, also passed with a majority in the house by 76-65 votes. Subsequently, with the recommendations, the Aadhaar Bill was returned to the Lok Sabha for its perusal.

The Lok Sabha did not consider the recommendations on the Aadhaar Bill as given by the Rajya Sabha and passed it in its original form as had been released on 3rd March, 2016.

Please note that this report is a first hand account of observing the proceedings of both houses and hence, may not be substantiated by secondary references.

All Posts | Mar 11,2016

Evaluating the Aadhaar Bill against the National Privacy Principles

The Aadhaar scheme originated as an operation of the Unique Identification Authority of India that was established in 2009 as an executive body under the Planning Commission. This scheme was meant to ensure better transfer of benefits of Government welfare schemes through a biometric and demographic identity number and card. From its inception, Aadhaar has been under fire for a number of reasons, including the absence of a governing legislation and concerns surrounding privacy and data protection. The Aadhaar scheme's lack of statutory foundation was also highlighted by several petitions that challenged its constitutional validity before the Supreme Court. In an apparent effort to remedy this state of affairs, The Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits & Services) Bill, 2016 was introduced in the Lok Sabha on 3rd March, 2016, with the stated object of providing efficient, transparent and targeted delivery of subsidies, benefits and services.

In light of the enduring concerns around this Bill relating to privacy and data protection, this blog-post contrasts the provisions of the Bill against the nine National Privacy Principles contained in the "Report of the Group of Experts on Privacy", headed by Justice A.P. Shah, and published by the Planning Commission of India in 2012. This report served as a comprehensive analysis of India's constitutional journey of the right to privacy and the global landscape of privacy and data protection legislations. The National Privacy Principles in particular seek to establish safeguards vis-a-vis initiatives dealing in personal information, and rights of data subjects in connection with such information, thereby serving as an excellent frame of reference for any legislation such as the Aadhaar Bill 2016 that raises substantive privacy and data protection concerns. On 11th March, 2016, the Aadhaar Bill was passed by the Lok Sabha as a money bill.

Important Definitions from Aadhaar Bill, 2016

  • Core biometric: Fingerprint, Iris scans or other biological attribute as may be specified (leaves room for the possibility that other biological attributes like DNA can be included in future)

  • Identity information: Aadhaar number, biometric information, and demographic information

  • Biometric Information: Photograph, fingerprint, Iris scan, or other such biological attribute as may be specified.

  • Authority: Unique Identification Authority of India (UIDAI)

  • Central Identities Data Repository (CIDR): a centralized database in one or more locations containing all Aadhaar numbers issued to Aadhaar holders along with the demographic information and other information.

  • Enrolling Agency (EA): Appointed/contracted for collecting demographic and biometric information for the enrollment into Aadhaar.

  • Requesting Entity (RE): any agency or person that submits the Aadhaar number, and demographic information or biometric information to the Central Repository for authentication.

  • Authentication: Verification process in which biometric and demographic information is sent to the CIDR, and the CIDR verifies its correctness, or the lack thereof, on the basis of the information available with it.

Comparing provisions in Aadhaar Bill with Principles of A.P. Shah Committee Report

A PDF version of the comparison table is available here.

Notice (During collection & Other notices)

Both, EAs & REs 'collect' information for their specific purposes of enrollment & authentication respectively.

| Description of Principle | Corresponding provision in Aadhaar Bill: Enrolling Agency (EA) | Corresponding provision in Aadhaar Bill: Requesting Entity (RE) | Comments/Concerns |
|---|---|---|---|
| What information is being collected | No mention | Section 8(2)(a): Obtain consent for the purposes of authentication | No itemized declaration of contents and nature of information being collected is provided to the individual. This is crucial considering the Authority retains the right to include other biological attributes as biometric information through regulations. |
| Purposes of collecting | No mention | Section 8(2)(a): obtain consent for the purposes of authentication | Proper counseling needs to be given of where Aadhaar can be used, and if alternative measures are also in place. |
| Uses of such information | Section 3(2)(a): Inform the data subject about the manner in which information shall be used | Section 8(3)(b): Inform the individual about the uses to which information received during authentication may be put to. | |
| Security safeguard established by Data Controller | No mention | No mention | No notice of the security standards followed at the CIDR, or the measures used by the EA & RE to safeguard the data |
| Ability of Data subjects to access & correct information | Partially. Section 3(2)(c) only provides a notice for the means to access their information. | N/A (information given at enrollment) | Correction of information and its procedure is provided under Section 31. But, no notice is given regarding such information at the time of enrollment. |
| Contact details of privacy officers & ombudsmen to file complaints. | No mention | No mention | There is no mention of a complaint mechanism against the EA & RE, or any medium to approach in case of misuse/breach of data held by the Authority. It is clearly stated that the court can only take cognizance when the complaint is filed by the Authority. |
| Notification of data breaches to data subject and commissioner | No mention | No mention | Data subject should be aware for the sake of his safety and securing other social and economic connections linked with his Aadhaar number. |
| Notification to data subject of any legal access to their information | No mention | No mention | Highlights the need for a privacy legislation that lays down the groundwork for accountability of the Government and its agencies as well as enumerates the privacy rights of citizens. |
| Notification of changes in Data controller's privacy policy | No mention | No mention | Linking/using of Aadhaar is not limited to solely the welfare schemes. Section 57 allows other body corporate or person to use the Aadhaar number for the purposes of establishing identity of an individual after following provisions in Section 8 (Procedure for authentication by requesting entity), and Chapter VI (Security & Protection of Data) of the Bill. It is important that changes in the privacy policies of such body corporates/ anybody else also be notified. |
| Any other information deemed necessary | Section 3(2)(b): Nature of recipients with whom the information is intended to be shared during authentication | N/A | |

Choice & Consent

| Description of Principle | Corresponding provision in Aadhaar Bill | Comments/Concerns |
|---|---|---|
| Choice to Opt in/Opt out of providing PI | Not mandatory to get an Aadhaar, but under Section 7, the State/Central Government is allowed to make Aadhaar a condition for availing benefits of welfare schemes. | Effectively, if one wants to avail those benefits that have a mandatory Aadhaar requirement, there is no choice to opt in/opt out. |
| Consent only after providing information practices | EA: Section 3(2) provides the information practices for an enrolling agency. RE: Section 8(3) states Provisions where RE informs the individual about purposes and use of the data | |
| After consent has been taken will the data controller collect, process, use, or disclose such information to third parties, except in case of authorized agencies | Section 8(2)(a): Take consent of individual before collecting his identity information for the purposes of authentication. | |
| An option to withdraw his/her consent given to the data controller | No mention | There should be an option to have the information deleted from the CIDR respecting a person's right to choice, and that Aadhaar is an entitlement and not a compulsion. |
| Information collected on a mandatory basis should be anonymized, if published in public databases | Section 29(4): No Aadhaar number, or information collected under this number shall be disclosed, published publicly. | |

Collection Limitation

| Description of Principle | Corresponding provision in Aadhaar Bill | Comments/Concerns |
|---|---|---|
| Only collect PI from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken | N/A | Aadhaar is only valid with all the components of the Personal Information that include photograph, demographic information, fingerprints, iris scans, or other biological attributes as may be specified. |

Purpose Limitation

| Description of Principle | Corresponding provision in Aadhaar Bill | Comments/Concerns |
|---|---|---|
| PI collected should be adequate and relevant to the purposes for which they are processed | The caption of the bill provides an insight into its purpose, stating that it is for 'efficient, transparent, and targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India...' | Contrary to the said purpose, as per Section 57, Aadhaar can be used to establish identity of a person by State or any body corporate or person, by following the obligations in Section 8 (procedures for authentication by Requesting Entity) and Chapter VI (protection & sharing of data). Therefore, the bill is not limiting itself to the delivery of benefits, for which expenditure is incurred from Consolidated Fund of India. |
| Data controller shall collect, process, disclose, make available, or otherwise use PI only for the purposes stated in the notice after taking consent. If there is a change in purpose, must notify the data subject. | Section 8(2)(b): Requesting Entity ensures information is used only for the purposes of authentication. Section 29(1)(b): Core biometrics only to be used for the purpose of generation of Aadhaar numbers and authentication under this Act. Section 29(3)(a): Identity information with Requesting entity only to be used for the purpose specified to the individual at the time of submitting his information for authentication. Section 29(3)(b): Requesting entity shall not disclose Identity information further without prior consent of the individual. | |
| After PI has been used in accordance with the identified purpose, it should be destroyed as per the identified procedures | No mention | PI stored for perpetuity. No mention if any data is retained by RE & EA or if it gets transferred directly to the CIDR servers. Section 32(1) provides that UIDAI will keep a record of all authentication records, but does not specify retention time of these records. It is important to note that such records make it easy for tracking activities of the person concerned, and with no notification given to the data subject of when their information was accessed by law enforcement, this would be an easy means of surveillance by the Government. It has also been mentioned that this would be a violation against the right guaranteed in Article 20(3). This article includes the right against compulsory extraction of information from a person. Having enough information to profile and track a person would be a serious infringement of this right. (Usha Ramanathan's comment on P22 of the Standing Committee's Report) |
| Data retention mandates by Government should be in compliance with the National Privacy Principles | N/A | Not in compliance with the National Privacy Principles. No option for deletion of data even at the choice of the data subject; no time limit for retention is specified for personal data or the authentication record. |

Access & Correction

| Description of Principle | Corresponding provision in Aadhaar Bill | Comments/Concerns |
|---|---|---|
| Data subject shall have access, be able to seek correction, amendments, or deletion of such information where it is inaccurate | Section 28(5) proviso: Data subjects can request access to identity information, but not core biometrics. Section 32(2): Data subject entitled to obtain authentication record in such manner as specified in Regulations. Section 6: Authority may require the data subject to update their demographic and biometric information as may be specified in further regulations. Section 31(2): In case any biometric info is lost or changes, the data subject should ask the authority to make necessary alterations. | In Section 31(2), there is an option to update the biometric information if it has 'changed'. This is an acceptance of a possibility that biometric information is vulnerable to change and hence not an infallible identity proof as has been claimed in the Supreme Court by many. |
| Be able to confirm that a data controller holds or is processing information about them | Section 32(2): Data subject entitled to obtain authentication record in such manner as specified in Regulations. | |
| Be able to obtain from the data controller a copy of the personal data | Partially. As per Section 28(5), cannot get a copy of their core biometrics, i.e. fingerprints, iris scans, any other biological attribute as may be specified. | |
| Access and correction to any PI may not be given by the Data controller if it is not possible to do so without affecting the privacy rights of another person, unless the person has explicitly consented to disclosure. | No mention | This principle is not possible without initially demarcating what are the privacy rights granted to a person by the Indian legislature |

Disclosure of Information

| Description of Principle | Corresponding provision in Aadhaar Bill | Comments/Concerns |
|---|---|---|
| Data controller shall not disclose PI to third parties, except after providing notice and seeking informed consent from the individual for such disclosure | Section 29(1)(a): No sharing of core biometrics. Section 29(2): Identity information shared as per the rules provided. Section 29(3)(b): Requesting entity shall not disclose Identity information further without prior consent of the individual. | Clarification required on sharing of data amongst government departments, and sharing of data between third parties, not government departments. |
| Third parties are bound to adhere to relevant and applicable privacy principles | Section 28(4)(c): the Authority shall ensure that arrangements entered into with any third parties enforce equivalent security obligations on data protection. | |
| Disclosure for law enforcement purposes must be in accordance with the laws in force | Section 33(1): By way of order of nothing lower than a District Judge, identity information or authentication records can be disclosed. This does not apply to core biometric information. Section 33(2): Any disclosure of information, including core biometrics, can be done in the interest of National Security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India, specially authorised in this behalf by an order of the Central Government. Every such direction will be reviewed before it takes effect by an Oversight Committee consisting of Cabinet Secretary and the Secretaries to the GOI, Department of Legal Affairs and the DEITY. Direction valid for 3 months, extend for another 3 months after a review. | The procedure established for disclosure for national security purposes is not reasonable, just, or fair. Where even core biometrics can be shared and disclosed, the term 'national security' is vague and has a wide scope of misuse. Huge differences when compared with Section 69 of IT Act and Rules for Interception. Section 69(1) criteria for interception is similar to that of article 19(2) reasonable restrictions, and not simply national security. Also, Section 69(1) states that the act be necessary, and reasons be recorded in writing. The rules provide that such direction be issued after considering the option of acquiring such data by alternative means, and the destruction of such records of interception. Comparing it with the Telegraph Act, which has a provision for interception of telecommunication, but is limited to situations of public emergency and public safety and not simply national security. It is also interesting to note that under the Telegraph Act, the direction for such interception can be given by a Home Secretary and only in urgent situations can a Joint Secretary issue such order. Both these Acts that include provisions for interception have reasonable safeguards in place with narrowly tailored criteria for interception. |
| Data controllers shall not publish or in any other way make public PI, including personal sensitive information | Section 29(4): No Aadhaar number or other information will be displayed, published, or posted publicly, except for the purposes specified in regulations. | |

Security

| Description of Principle | Corresponding provision in Aadhaar Bill | Comments/Concerns |
|---|---|---|
| Secure PI that they have either collected or have in their custody, by reasonable security safeguards against loss, unauthorized access, destruction, use, processing, storage, modification, de-anonymisation, unauthorized disclosure (either accidental or incidental) or other reasonably foreseeable risks. | Section 28(3): The Authority shall take necessary measures to ensure that information in possession or control of the Authority, including information stored in the CIDR, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage. | |

Openness

| Description of Principle | Corresponding provision in Aadhaar Bill | Comments/Concerns |
|---|---|---|
| Take all necessary steps to implement practices, procedures, policies, and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals. | Not satisfactory | Lack of transparency and openness in the following areas: (1) Criteria for entities and agencies to qualify for the purposes of management of CIDR or enrollment in Aadhaar is crucial information that should not be delegated for regulations made by the UIDAI. (2) Clarification on retention/storage policies of these entities, or if they would be storing any data whatsoever in relation to Aadhaar enrollment or authentication. (3) Clarity on if data sharing between government departments would also qualify as third party disclosures. (4) When sensitive information is handed to law enforcement agencies without a legislation on privacy and data protection, such an action can be dangerous with no boundaries set for law enforcement to use this data. It is pertinent that the use of such sensitive data be limited by certain safeguards. |

Accountability

Data Controller shall be accountable for complying with measures which give effect to the privacy principles

In the process of Aadhaar, there are different data controllers at various steps. At the time of enrollment, it is the enrollment agency; at the time of using the Aadhaar card for a certain service, it is the requesting agency, which uses the Aadhaar identity information for the purposes of authentication; and the UIDAI is the data controller when the data is stored in the CIDR and during the process of authentication for a Requesting entity.

In this bill, there is no provision for complaining against any data controller, the EA, RE or UIDAI. It creates a conflict of interest where the Authority is the custodian of this data and Section 47 states that the Courts will only take cognizance of complaints that have been made by the UIDAI or any officer authorized on its behalf.

Does this mean that a person cannot approach the police if they find that their PI has been stolen or misused?

Such measures should include mechanisms to implement privacy policies; including tools, training, and education, external and internal audits, and requiring organization or overseeing bodies extend all necessary support to Privacy commissioner and comply with the specific and general orders of the Privacy Commissioner

No Mention

No mention of capacity building or trainings for entities that may be authorized for enrollment or authentication.