
All Posts | Jan 08,2019

What has been changed in the Aadhaar Amendment Bill?

On Wednesday, 02 January 2019, we got our first look at The Aadhaar and Other Laws (Amendment) Bill, 2018. On Friday, 04 January 2019, this Bill was passed by the Lok Sabha. We compared this Bill with the existing provisions under The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and the Supreme Court’s judgment in Justice K.S. Puttaswamy (Retd.) & Anr. vs Union of India & Ors. [W.P. (C) 494/2012], better known as the Aadhaar case.

The word 'Regulation' below refers to the Aadhaar (Authentication) Regulation, 2016.

 

Issue

Supreme Court’s Observations in 

Law before SC's Judgment

Change proposed in the Amendment

Our Comments

Alternate means of establishing identity

To avoid exclusion of deserving beneficiaries, the Court recommended that suitable provisions be made in concerned regulations for establishing identity by alternate means.

Section 2(a) “Aadhaar number” means an identification number issued to an individual under sub-section (3) of section 3;”

 

The proviso to Section 7 reads as "Provided that if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service."

Amendment to Section 2(a):

Alternative virtual identity included under definition of Aadhaar number.

 

Amendment to Section 3:

Virtual identity will be an alternative to the actual Aadhaar number.

The Proviso to Section 7 has been interpreted in the past by the Executive to apply to only those people who have applied for an Aadhaar number but have not yet been assigned a number by UIDAI.

The changes to Sections 2(a) and Section 3 do not solve the issue of deserving beneficiaries being excluded. This is not an alternate means to establish identity. This method still requires the person whose identity needs to be established to be registered in the Aadhaar database. In order to comply with the Supreme Court's judgment, other forms of ID must be made acceptable as an alternative to an Aadhaar number.

Enrolment of children

1. Consent of parents/guardian is essential for enrolment of children under the Aadhaar Act.

2. Enrolled children shall be given the right to exit from Aadhaar upon attaining the age of majority.

3. No child shall be deprived of benefits if an Aadhaar number is not produced. In this case, verification of identity can be done on the basis of any other documents.

There was no such provision in the earlier law.

Section 3A inserted:

1. Consent of parent/ guardian of child for enrollment will be essential.

2. Application for cancellation of the Aadhaar number can be made by a child within a period of six months of attaining eighteen years of age.

3. No denial of subsidy or service to any child if Aadhaar is not produced.

The six-month period for exiting the Aadhaar ecosystem is too short. If a person misses the six-month limitation period, there is no option to exit.

Authentication records

Regulation 26(c) of Aadhaar (Authentication) Regulation, 2016 has been struck down as it pertains to authentication transaction related to metadata.

Regulation 26 of the 2016 Regulation requires that the Authority shall store and maintain authentication transaction data, which shall inter alia contain information on metadata related to the transaction.

 

 

Residents and illegal immigrants

State directed to take suitable measures to ensure illegal immigrants do not avail benefits.

No such provision in the earlier law.

 

Action on this is awaited.

No change has been introduced by the Amendment.

Data retention

Data retention beyond six months is impermissible.

Regulation 27 of the Aadhaar (Authentication) Regulations, 2016, providing data retention for 5 years, struck down.

Regulation 27: Duration of storage:

(1) Authentication transaction data shall be retained by the Authority for a period of 6 months, and thereafter archived for a period of five years.

(2) Upon expiry of the period of five years specified in sub-regulation (1), the authentication transaction data shall be deleted except when such authentication transaction data are required to be maintained by a court or in connection with any pending dispute.

 

Updated regulation awaited.

Restriction on sharing of information

Presently, the Aadhaar (Sharing of Information) Regulations, 2016 have no provision which impinges on the privacy rights of Aadhaar card holders. (Section 29)

 

 

 

Disclosure of information

Read down Section 33(1):

A. Individual whose information is sought to be released to be given an opportunity of hearing.

B. Individual to be given the right to challenge disclosure of his/her information.

Sec 33(2) struck down with liberty to enact a suitable provision:

Determining if information disclosure is in the interest of national security will be done by:

a. Officer higher than rank of Joint Secretary

b. Application of judicial mind. (Judicial Officer/preferably sitting judge of High Court)

Section 33(1): Nothing contained in sub-section (2) or sub-section (5) of section 28 or sub-section (2) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made pursuant to an order of a court not inferior to that of a District Judge:

Provided that no order by the court under this sub-section shall be made without giving an opportunity of hearing to the Authority.

 

Section 33(2): Nothing contained in sub-section (2) or sub-section (5) of section 28 and clause (b) of sub-section (1), sub-section (2) or sub-section (3) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government:

Provided that every direction issued under this sub-section, shall be reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, before it takes effect:

Provided further that any direction issued under this sub-section shall be valid for a period of three months from the date of its issue, which may be extended for a further period of three months after the review by the Oversight Committee.

Amendments made to Section 33:

A. Section 33(1)(b) provides an opportunity of hearing to the Aadhaar holder.

B. Under Section 33B an aggrieved individual can appeal to TDSAT within a period of 45 days from the date of receipt of order.

C. Officer not below the rank of a Secretary will determine whether disclosure is in national interest.

D. Section 33A provides for civil penalties in case of failure to comply with provisions of the Act/rules/regulations and directions.

E. Under Section 33B an officer not below the rank of a Joint Secretary shall be the adjudicating officer for holding inquiry.

The Court had directed that a higher official, in association with the application of a judicial mind, determine the grounds of disclosure under Section 33(2). The Amendment did take cognizance of the judgment and prescribed an officer not below the rank of Joint Secretary. However, the amendment makes no mention of determination by a judicial authority/officer, as the Court had directed.

Despite being criticized by the Majority judgment in the Aadhaar matter, the amendment fails to address the issue with respect to concentration of powers that lie with the Executive and lack of accountability.

The proposed amendment inserted a new provision on civil penalties. Even this change does not provide for the application of a judicial mind for the purpose of adjudication in the event of failure to comply with the provisions of the Act.

Thus, the amendment is not in consonance with the Aadhaar judgment.

Cognizance of complaints

Modification of Section 47: Include provision for filing complaints by an individual/victims.

Section 47:

(1) No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.

(2) No court inferior to that of a Chief Metropolitan Magistrate or a Chief Judicial Magistrate shall try any offence punishable under this Act.

A proviso has been inserted in Section 47. It enables the court to take cognizance of a complaint made by the Aadhaar holder.

Until now, the court could take cognizance of an offence only on a complaint made by the UIDAI or an officer or a person authorised by it. The proviso also empowers an aggrieved individual to file complaints.

Establishing identity of individual for any purpose

There are two aspects to the Court's judgment on Section 57.

 

One part of the Section has been read down:

The provision is susceptible to misuse as it can be used to establish identity of an individual 'for any purpose'.

A. The 'purpose' in this Section has been read down to mean a purpose backed by law.

B. Any law made on this would need to be subjected to judicial scrutiny.

 

Another part of Section 57 has been held to be unconstitutional:

The part of this Section enabling body corporate and individuals to seek authentication is unconstitutional as:

A. Establishing identity for a purpose pursuant to any contract is impermissible as it is not backed by law and therefore does not meet test of proportionality.

B. Authentication services based on contract between individual and body corporate or person would:

B1. Enable commercial exploitation of individual biometric and demographic information by private entities.

B2. Impinge on right to privacy of individual.

Section 57:

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Section 57 has been omitted.

However, the Act now provides for voluntary use of Aadhaar number for authentication or offline verification.

To enable this, Section 4 (Properties of Aadhaar number) of the Act has been amended to allow verification of the Aadhaar number on a voluntary basis with the informed consent of the Aadhaar number holder.

To facilitate this, the Amendment Bill seeks to amend Section 4 of Telegraph Act, 1885 and insert a new section 11A under PMLA.

The Bill removes section 57 from the Aadhaar Act. This omission is in compliance with the Aadhaar judgment.

However, the prescribed amendments to the PMLA Rules and Telegraph Act are contrary to the ratio of the majority judgement in Justice K.S. Puttaswamy (Retd.) v. Union of India & Ors. [W.P. (C) 494/2012].

In the Aadhaar judgment, J. Sikri in his majority judgment stated that apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services. This can be on the basis of a purported agreement between an individual and such body corporate or person. Even if we presume that the legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of individual biometric and demographic information by private entities.

The part of Section 57 that allowed for people to voluntarily provide their Aadhaar number to body corporates and individuals, especially on the basis of a contract between the person providing the Aadhaar number and the person acquiring / authenticating the Aadhaar number, has been held to be unconstitutional by the Supreme Court of India. The amendment to Section 4 of the Act would re-implement a clause that has already been ruled to be unconstitutional. This would raise the likelihood of fresh litigation on an aspect of law that has already been settled.

 

 

All Posts | Jan 08,2019

FAQ on Draft Amendment of Intermediary Guidelines Rules in India

The Central Government notified the Information Technology (Intermediaries Guidelines) Rules, 2011 in April, 2011. A draft amendment of these Rules has been issued by the Ministry of Electronics and Information Technology (MeitY), ostensibly for dealing with the fake news and misinformation problem. However, the Rules could result in weakening the security and privacy of apps and websites and erode the safe harbour protection available to intermediaries. MeitY is seeking comments to the Draft Rules by 15 January 2019.

This FAQ aims at making these Draft Rules easy to understand and at making various stakeholders aware of the problems with the draft Rules.

Who are Intermediaries?

Intermediaries are entities that provide services enabling the delivery of online content to the end user. Let us look at the players involved in this chain:

Internet Service Providers (ISPs) – ISPs like Airtel and MTNL help users to get connected to the Internet by means of wired or wireless connections.

Search engines – These are websites like Google and Bing that help users to search for specific information on the web. They provide links to websites that have content relevant to the search terms given by the user.

DNS providers – These service providers translate domain names (e.g. www.sflc.in) to addresses (e.g. 13.126.242.41) that can be understood by computers.

Web hosts – These are service providers like GoDaddy.com that provide space on servers to place files for various websites so that these sites can be accessed by users.

Interactive websites – This includes social media sites like Facebook and Twitter that act as platforms to store and retrieve content, blogging platforms like Blogspot and Wordpress, auction sites like eBay, and payment gateways like PayPal. The pictorial representation gives an overview of the intermediaries involved in a common Internet transaction.

Cyber Cafes – It means any facility from where access to the Internet is offered by any person in the ordinary course of business to the members of the public. The Information Technology Act, 2000 includes cyber cafes also under the ambit of the definition of intermediaries.

Internet flow chart

What is Intermediary Liability?

Interactive websites like blogging platforms, messaging apps, social media and e-auction sites host / transmit user-generated content. Cyber cafes, free WiFi providers and telecom companies such as providers of broadband and mobile data act as a mere pipeline for people to access the Internet. Sometimes content posted by users could be illegal, like content infringing on someone's copyright or pornographic content. The intermediaries who host / transmit this content could also be held liable for the content if they do not satisfy the conditions for gaining immunity from such liability laid down by the law.

What is meant by ‘Safe Harbour Protection’?

The intermediaries like telecom service providers, cyber cafes, web hosts, social networking sites and blogging platforms provide important tools and platforms that allow users to access the Internet, host content, share files and transact business. Websites like Blogspot, Youtube and Facebook only provide a platform for users to post their content, and do not have any editorial control over this content.

Governments across the world realised that these intermediaries must be given protection from legal liability that could arise out of illegal content posted by users, considering the importance of these intermediaries in the online space and the fact that their mode of operation was quite different from the traditional brick-and-mortar businesses. Countries like the USA, members of the European Union and India provide protection to intermediaries from such user generated content. Such protection is often termed as a 'safe harbour' protection.

Do Intermediaries enjoy Safe-Harbour Protection in India?

Yes, Section 79 of the Information Technology Act, 2000 gives the intermediaries protection from liabilities that could arise out of any legal action initiated on the basis of user generated content.

The safe harbour protection available to intermediaries is conditional upon their observing “due diligence” while discharging their duties and observing guidelines issued by the Government in this regard.

These guidelines have been issued in the form of the Information Technology (Intermediary Guidelines) Rules, 2011. The Ministry of Electronics and Information Technology is now proposing an amendment of these Rules by issuing the Draft Rules. Under the new draft, the roles and responsibilities of intermediaries will be widened, and in turn, the rights of users will be reduced.

How do the Draft Intermediary Rules Operate?

The new intermediary guidelines mandate the intermediaries to impose a set of rules and regulations on users like you and me. The terms of such regulations include a broad list of categories of content which should not be posted by users.

Up until March 2015, any person aggrieved by any content on the Internet could ask the intermediaries to take down such content. Intermediaries were obliged to remove access to such content within a period of 36 hours from the time of receipt of the complaint. These provisions were read down by the Hon’ble Supreme Court in Shreya Singhal v Union of India and it was held that content needs to be taken down only when directed by a Court order or by the appropriate Government.

As per the Draft Rules, intermediaries are obliged to take down the content on receipt of a court order or a direction from the Government or an agency of the Government within a period of 24 hours. The intermediaries which do not comply with a take-down order lose safe harbour under the Information Technology Act, 2000.

Rules in a nutshell for Intermediaries:

Do’s

  1. Publish Rules / Privacy Policy.

  2. Inform users monthly that their services could be terminated if they don’t comply with the Rules and Privacy Policy.

  3. Assist Government agencies within 72 hours of receiving request and enable tracing out the originator of unlawful information. An originator is the person that first sent a message, image, audio, video or file.

  4. Follow reasonable security practices as prescribed in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011.

  5. For an intermediary with more than 50 lakh users:

    1. Incorporate as a Company in India

    2. Have a permanent office in India

    3. Appoint a nodal person for coordination with Law Enforcement

  6. On receiving court order/ notification from a Government agency, remove unlawful information within 24 hours.

  7. Preserve unlawful information for 180 days or a longer period as required.

  8. Deploy automated tools to remove unlawful information.

  9. Report cyber security incidents to CERT.IN.

  10. Publish name of Grievance Officer.

  11. Strictly follow provisions of the IT Act or any other laws in force.

Don’ts

  1. Don't knowingly host prohibited content.

  2. Don’t initiate transmission, select receiver or modify information.

  3. Don’t deploy or install or modify the technical configuration of computer resource which may change or has the potential to change the normal course of operation of the computer resource.

What is the kind of content that is restricted under the Rules?

You cannot host information that is:

  • grossly harmful,

  • harassing,

  • blasphemous,

  • defamatory,

  • obscene,

  • pornographic,

  • paedophilic,

  • libellous,

  • invasive of another's privacy,

  • hateful, or racially, ethnically objectionable,

  • disparaging,

  • relating or encouraging money laundering or gambling,

  • or otherwise unlawful in any manner whatever,

  • harm minors in any way or

  • infringes any patent, trademark, copyright or other proprietary right.

  • violates any law for the time being in force;

  • deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;

  • threatens public health or safety; promotion of cigarettes or any other tobacco products or consumption of intoxicant including alcohol and Electronic Nicotine Delivery System (ENDS) & like products that enable nicotine delivery except for the purpose & in the manner and to the extent, as may be approved under the Drugs and Cosmetics Act, 1940 and Rules made thereunder;

  • threatens critical information infrastructure.

These terms are so confusing. Are they defined anywhere?

That's a little complicated! The terms describing unlawful content are very ambiguous and most of these are not defined either in the Rules or in the IT Act, 2000. In fact many of these terms are not defined in any statute.

So, you are saying that we do not know what these terms mean? Doesn't the normal English language meaning apply to them?

The basic principle of law is that it requires certainty. We need to be told exactly what is allowed and what is prohibited in our country. In fact, the Hon’ble Supreme Court had struck down Section 66A of the Information Technology Act, 2000, as the terms used in the provisions were ambiguous and vague. This prohibited list includes terms like defamatory, obscene, harassing or infringes any patent, trademark, copyright or other proprietary right amongst others. These terms can mean different things to different people. What is obscene to a certain set of persons may be art to another. What is defamatory for one person may be political satire for others. Proving infringement of proprietary rights is to be done by the Judiciary with the help of experts and businesses cannot be closed down merely on the basis of suspicion or whims.

We are running a start-up which provides an interactive service to users using a website and an app. Do these Rules affect us?

The Rules will bind all intermediaries as defined by the IT Act, 2000, once they are notified. Rule 3(7) of the Draft Rules mandates that the intermediary shall be a company incorporated under the Companies Act. This is applicable only to those intermediaries that have more than 50 lakh users in India or are in the list specifically notified by the Government. Such companies should also have a permanent registered office in India with a physical address and should appoint a nodal person of contact and an alternate senior functionary for 24 X 7 coordination with law enforcement agencies.

O.K. I am bored and I am not sure if these Rules affect me anyway.

Well! Watch what you post next time as your status update, as it might offend someone, or the automated tool deployed by the intermediary could find the content to be illegal, resulting in the intermediary terminating your services. In addition to regulating content, the Rules also deal with the government's power to access user information from the intermediary.

The Rules mandate intermediaries to cooperate with government agencies and provide information to them for the purpose of verification of identity, or for prevention, detection, investigation, prosecution etc when a request has been made by the agency in writing. This power granted to the Government agencies does not have any system of checks and balances to safeguard the interests of users.

The Rules also mandate the intermediaries to inform the users that their services can be terminated if they violate the terms of service. So you are left to the mercy of the intermediaries. Whether they want you to access the Internet or not is their prerogative, not yours! This provision could have far more serious consequences than the three strikes legislation that has been introduced in countries like France, South Korea and Taiwan.

In short, this will lead to:

  • censorship of content.

  • curtailment of your freedom to express opinions

  • violation of your right to privacy as the intermediaries could be forced to part with user information without any checks and balances.

  • a right for intermediaries to arbitrarily disconnect services of users.

Enough of this technical and legal jargon. Just tell me what can I do.

The Government is accepting comments on these draft Rules till January 15th and Counter comments are accepted till January 28th, 2019. Comments / suggestions may be sent to gccyberlaw[at]meity[dot]gov[dot]in, pkumar[at]meity[dot]gov[dot]in or dhawal[at]gov[dot]in

You could also blog about the Rules, write articles in media and be involved in activities that would raise awareness about the issue.

All Posts | Mar 28,2017

No Aadhaar, no service- Notifications making Aadhaar mandatory

In Aadhaar news, in the first few months of 2017, the Central Government has issued a spurt of notifications making Aadhaar mandatory for various schemes that provide essentials and basic amenities. These notifications are issued under Section 7 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits, and Services) Act (hereinafter the Aadhaar Act), by several Union Ministries responsible for the roll out and implementation of these schemes. These new notifications have made Aadhaar mandatory for programs like mid day meals, scholarships for disabled students, availing insurance for crop failure, rehabilitation of bonded labour, and a welfare scheme aimed at journalists, to name a few.

Apart from these, recently, the Department of Telecommunication issued a notification on 23rd March, 2017 that orders Aadhaar based e-KYC for re-verification of all mobile subscribers, and the amendments made to the Finance Bill, 2017 make Aadhaar mandatory for filing income tax returns and when applying for allotment of permanent account number (PAN).

Per the notifications available on the E-Gazette as of 27th March, 2017, we have collated a list of 52 such notifications that make Aadhaar mandatory despite the Hon’ble Supreme Court’s orders restricting not only the use of Aadhaar, but stating its voluntary nature, and prohibiting denial of service to anyone due to the lack of an Aadhaar card.

The legal foundations of the Aadhaar scheme, and its current legal status, are complicated. The Supreme Court in its orders dated 11th August, and 15th October, 2015 had restricted the voluntary usage of Aadhaar to only six government schemes, and maintained that no person would be denied access to any service due to lack of an Aadhaar card. These six government schemes were LPG, Public Distribution System (PDS), MNREGA, Prime Minister’s Jan Dhan Yojna, Employees’ Provident Fund, and National Social Assistance Programme. However, on the legislative side of things, the Aadhaar Act was passed in March 2016 as a money bill in the Parliament, but the Supreme Court’s orders of 2015 putting limitations on the operation of this scheme until the pending matters are decided with finality are still in effect.

The notifications by various Union Ministries issued since January, 2017 are under Section 7 of the Aadhaar Act. Section 7 gives Central and State governments power to make Aadhaar, or enrollment into the scheme, a condition for availing benefits of schemes that incur expenditure from the Consolidated Fund of India. The notifications issued by the various Ministries make Aadhaar mandatory for ‘beneficiaries’ of these schemes, who may range from individuals receiving the entitlements under these welfare programs to employees, contractual staff, and Anganwadi workers getting an honorarium or remuneration while working in departments providing these services.

The majority of these notifications have a designated deadline before which “Any individual desirous of availing benefit under the [said] Scheme, who does not possess the Aadhaar number or has not yet enrolled for Aadhaar shall have to apply for Aadhaar enrolment by [a set date], provided he or she is entitled to obtain Aadhaar as per the provisions of section 3 of the said Act and such individuals may visit any Aadhaar Enrolment Centre (list available at UIDAI website (www.uidai.gov.in) for Aadhaar enrolment.” This date is an indication of a time period until which claims under these schemes can be made sans Aadhaar or its enrolment.

A consolidated list of these notifications updated till 27th March, 2017 can be found below.

[SFLC.in's resources on Aadhaar can be accessed here]

Image Credits: Projet de biométrie. Credit: Benoit Crouzet/Flickr CC BY 2.0