
All Posts | Aug 01,2019

Truecaller automatically retrieved bank account details of its users and registered them for UPI

Reports came out on Tuesday that the Truecaller app had sent SMS messages from phones of unsuspecting users to create UPI IDs with ICICI Bank. A payments feature had been added to the app two years ago in partnership with ICICI Bank. The feature is called Truecaller Pay. After facing criticism on social media, NPCI and Truecaller have issued statements. Truecaller has since issued an app update to stop this automated process.

In February this year, Truecaller stated that they have more than 100 million daily active users in the country. The figure for monthly active users could be higher. While Truecaller said yesterday that all affected users would be deregistered, it is still unclear how many people were affected and what information was shared. Information regarding their existing bank accounts was revealed in the process, and their phone numbers and other information may have been shared with ICICI Bank. Exact details are scant at the moment. It is unclear how Truecaller discovered the identity of the bank(s) with which the user had an account. Annexure IV of NPCI’s Unified Payments Interface – Procedural Guidelines states that a PSP (Payment Service Provider) application has to send an SMS from the mobile device to fetch the mobile number and bind it to the device, but the name of the bank has to be selected manually by the user. After that step, the app can use the mobile number to generate a request with the bank. The bank would then send “the account details including Account Number & IFSC registered for that mobile Number in a masked format to UPI. UPI sends this to the PSP which in turn passes this information to the PSP App.” It is worth noting that Truecaller is not a PSP as per the list of members on NPCI’s website. The PSP for Truecaller is ICICI Bank.
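The binding-and-discovery sequence described above, as an added example that is not part of the original post and is not NPCI's, Truecaller's or ICICI Bank's code: a simplified Python model in which the manual bank selection is enforced as a user-initiated step and the account lookup returns only masked details. The sample bank records, the stand-in SMS gateway and all class and function names are constructed assumptions for illustration.

```python
"""Illustrative model of the UPI account-discovery steps that NPCI's procedural
guidelines describe: bind the handset to a mobile number via an outbound SMS,
have the user pick the bank, then fetch only masked account details.

Added example, not NPCI's, Truecaller's or ICICI Bank's code. The message
shapes, the bank directory and the account records are constructed sample data;
the class and function names are assumptions for illustration."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
import secrets

# Constructed sample "bank side" data: mobile number -> (bank, account, IFSC).
BANK_RECORDS: Dict[str, List[Tuple[str, str, str]]] = {
    "+919876543210": [("SAMPLEBANK", "001234567890", "SMPL0000123"),
                      ("OTHERBANK", "987650004321", "OTHR0000456")],
}

# Constructed sample SMS gateway table: sending device -> number of its SIM.
DEVICE_TO_MOBILE = {"device-A": "+919876543210"}


def sample_sms_gateway(device_id: str, token: str) -> str:
    """Stands in for the telco side of the binding SMS: resolve sender to number."""
    return DEVICE_TO_MOBILE[device_id]


def mask_account(account_number: str, visible: int = 4) -> str:
    """Masked format: everything but the trailing digits is replaced with 'X'."""
    hidden = "X" * max(len(account_number) - visible, 0)
    return hidden + account_number[-visible:]


@dataclass
class PspApp:
    device_id: str
    mobile: Optional[str] = None            # set only after the SMS round trip
    user_selected_bank: Optional[str] = None
    audit: List[str] = field(default_factory=list)

    def bind_device(self, sms_gateway: Callable[[str, str], str]) -> str:
        """Step 1: the app sends an SMS from the handset; the sending number is bound."""
        token = secrets.token_hex(8)
        self.audit.append(f"binding SMS sent from {self.device_id} token={token}")
        self.mobile = sms_gateway(self.device_id, token)
        return self.mobile

    def select_bank(self, bank: str, user_initiated: bool) -> None:
        """Step 2: the bank is chosen by the user; a choice made by the app itself is refused."""
        if not user_initiated:
            raise PermissionError("bank selection must be an explicit user action")
        self.user_selected_bank = bank
        self.audit.append(f"user selected bank {bank}")

    def discover_accounts(self) -> List[dict]:
        """Step 3: request accounts linked to the bound number at the chosen bank, masked."""
        if self.mobile is None:
            raise RuntimeError("device not bound")
        if self.user_selected_bank is None:
            raise PermissionError("no user-selected bank; refusing automatic discovery")
        found = []
        for bank, acct, ifsc in BANK_RECORDS.get(self.mobile, []):
            if bank == self.user_selected_bank:
                found.append({"bank": bank, "account": mask_account(acct), "ifsc": ifsc})
        self.audit.append(f"discovery for {self.user_selected_bank}: {len(found)} account(s)")
        return found


def consented_flow() -> List[dict]:
    """Happy path: bind, user picks SAMPLEBANK, masked details for that bank only."""
    app = PspApp("device-A")
    app.bind_device(sample_sms_gateway)
    app.select_bank("SAMPLEBANK", user_initiated=True)
    return app.discover_accounts()


def silent_flow_is_refused() -> bool:
    """The reported behaviour: bind and attempt discovery with no user step; it is refused."""
    app = PspApp("device-A")
    app.bind_device(sample_sms_gateway)
    try:
        app.select_bank("SAMPLEBANK", user_initiated=False)
    except PermissionError:
        pass
    try:
        app.discover_accounts()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(consented_flow())
    print("silent discovery refused:", silent_flow_is_refused())
```

The audit list is the point of the model from a defender's side: every discovery entry should be preceded by a "user selected bank" entry, so a log in which discovery follows the binding SMS with no user-selection step in between is exactly the automated behaviour the report describes.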

NPCI has an FAQ on UPI which reads:

How are you getting all my bank A/C information?

This is a feature of the UPI payment platform (built by NPCI - an RBI regulated entity). The UPI platform retrieves the accounts details linked with your mobile number in a masked manner i.e. UPI app can't see all the details. This exchange is done over secure banking networks and we don't store or ever use it.

One might assume that since Truecaller has this feature built into their app, that the sharing of this personal information for this purpose would be covered by Truecaller’s Privacy Policy. The privacy policy states the following, among others, about sharing your data:

Truecaller may use the personal information collected to provide, maintain, improve, analyze and personalize the Services to its Users, partners and third party providers. More specifically, Truecaller may use such information to:

f. enable You to use and share Your information in connection with Your registration, login or other use of third party services e.g. payment service providers, online services, social networking sites and other third party API’s; and

Note that the words used are ‘enable You to use and share Your information’. It does not grant permission for Truecaller to share your information with payment service providers automatically, as has happened in the present case. This is a clear violation of their own privacy policy, which could allow affected users a route to pursue legal action against the company.

With the current laws in the country, a user hardly gets any protection from such misuse of data. Vague promises to correct one’s actions and to do better in future are insufficient and come with minimal accountability. This issue further highlights the need for a dedicated data protection law in the country. In 2017, a nine-judge bench of the Supreme Court of India recognized that the right to privacy is a fundamental right. Since then, the draft Personal Data Protection Bill, 2018 was published for which public comments were invited. SFLC.in submitted its comments and suggestions on this bill. The bill is expected to be tabled soon in the parliament.

Truecaller is not new to controversy and privacy violations. The very structure of the base service rests on granting itself the permission to collect and share personal information about you that is not publicly available, even if you never signed up for the service and never agreed to their Terms of Service and Privacy Policy. The app collects information from multiple users, and then shares that information with third parties, without consent from or even notice to users to whom that information pertains. Consent is taken from users that provide their address book to Truecaller, and not from users to whom that information pertains.

The service does allow people to opt-out of displaying their information to other users. The Privacy Policy states “If any persons do not wish to have their names and phone numbers made available through the Enhanced Search or Name Search functionalities, they can exclude themselves from further queries by notifying Truecaller via its website at www.truecaller.com or as set forth in the contact details below.” This does not stop them from storing and processing your information or from transferring your information to third parties for other purposes, it only results in delisting your information so that it doesn’t show up in public results anymore.

The Privacy Policy for people in Europe differs significantly from the policy on offer to people in the rest of the world. Thanks to strong data protection laws in Europe, no address book information is collected from users in the region. Information that is collected is held to higher standards of protection, even offering deletion of your personal information, while the privacy policy for the rest of the world offers deletion “When required by applicable law [...]”.

Two years ago, UIDAI had suspended Airtel and Airtel Payments Bank’s eKYC licence for automatically creating Airtel Payments Bank accounts for people without their consent or knowledge when they performed eKYC for Airtel’s telecom arm. This resulted in the loss of INR 190 crore of subsidies for millions of people. Airtel later offered to return this money, but the harm to affected parties could be irreversible, considering that these subsidies are meant for people who would not be able to afford the products without them.

We strongly suggest that you grant only the essential permissions for apps to function as intended. Think before you grant any permission. If a flashlight app, for example, asks for your contact information, do not grant that permission to it. If the app refuses to function without that permission, uninstall that app and do not use it any further. Both Android and iOS allow you to go into your phone’s settings and revoke any permission that you had previously granted to an app, or to grant a permission that you had previously refused. SFLC.in regularly conducts digital security trainings for people of all backgrounds to better educate users on safe usage of communication devices.

In the absence of a data protection law, our privacy and data are being treated as a free-for-all. We must take charge of protecting our own privacy, especially so until we have a data protection law. Yet, a data protection law would not be a magic bullet that would fix all issues. We would have to remain vigilant to protect ourselves, but it would at least create a deterrence and would empower us to act against errants.

All Posts | Apr 25,2019

Roundtable on ‘Policy Enabling – Information Technology in Healthcare’

We are organising an invite-only round table discussion on 'Policy Enabling - Information Technology in Healthcare' in Bangalore on 27 April 2019 in association with IIM Bangalore and Facebook.

To ask for an invitation, please send an email to: events at sflc.in.

The agenda for the event is mentioned below:

  • 10:00 am to 10:30 am: Registration (Tea and Coffee)
  • 10:30 am to 10:45 am: Introduction and Opening Remarks
  • 10:45 am to 11:00 am: Overview and Applicable Laws and Regulations (A presentation by SFLC.in)
  • 11:00 am to 12:00 pm: Discussion on Technical Aspects of IT use in Healthcare, including topics such as: Image Processing, Code generation/ Training, Testing and Quality Assurance
  • 12:00 pm to 12:15 pm: Tea Break
  • 12:15 pm to 01:00 pm: Open Discussion
  • 01:00 pm to 02:00 pm: Lunch
  • 02:00 pm to 03:00 pm: Discussion on Policy Aspects of IT in Healthcare, including topics such as: Data Protection, Privacy, Data Localisation, Government Regulation etc.
  • 03:00 pm to 03:15 pm: A Brief Survey of Participants on Certain Regulatory Issues
  • 03:15 pm to 03:30 pm: Tea Break
  • 03:30 pm to 04:15 pm: Open Discussion
  • 04:15 pm to 04:30 pm: Closing Remarks

All Posts | Jan 08,2019

What has been changed in the Aadhaar Amendment Bill?

On Wednesday, 02 January 2019, we got our first look at The Aadhaar and Other Laws (Amendment) Bill, 2018. On Friday, 04 January 2019, this Bill was passed by the Lok Sabha. We compared this Bill with the existing provisions under The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and the Supreme Court’s judgment in Justice K.S. Puttaswamy (Retd.) & Anr. vs Union of India & Ors. [W.P. (C) 494/2012], better known as the Aadhaar case.

The word 'Regulation' below refers to the Aadhaar (Authentication) Regulations, 2016.

The comparison below covers each issue under five headings: Issue; Supreme Court's Observations; Law before SC's Judgment; Change proposed in the Amendment; Our Comments.

Issue: Alternate means of establishing identity

Supreme Court's Observations: To avoid exclusion of deserving beneficiaries, the Court recommended that suitable provisions be made in the concerned regulations for establishing identity by alternate means.

Law before SC's Judgment: Section 2(a): “‘Aadhaar number’ means an identification number issued to an individual under sub-section (3) of section 3;”

The proviso to Section 7 reads: "Provided that if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service."

Change proposed in the Amendment: Amendment to Section 2(a): alternative virtual identity included under the definition of Aadhaar number.

Amendment to Section 3: virtual identity will be an alternative to the actual Aadhaar number.

Our Comments: The proviso to Section 7 has been interpreted in the past by the Executive to apply only to those people who have applied for an Aadhaar number but have not yet been assigned a number by UIDAI.

The changes to Sections 2(a) and 3 do not solve the issue of deserving beneficiaries being excluded. This is not an alternate means to establish identity: the method still requires the person whose identity needs to be established to be registered in the Aadhaar database. In order to comply with the Supreme Court's judgment, other forms of ID must be made acceptable as an alternative to an Aadhaar number.

Issue: Enrolment of children

Supreme Court's Observations:

1. Consent of parents/guardian is essential for enrolment of children under the Aadhaar Act.

2. Enrolled children shall be given the right to exit from Aadhaar upon attaining the age of majority.

3. No child shall be deprived of benefits if an Aadhaar number is not produced. In this case verification of identity can be done on the basis of any other documents.

Law before SC's Judgment: There was no such provision in the earlier law.

Change proposed in the Amendment: Section 3A inserted:

1. Consent of the parent/guardian of a child for enrolment will be essential.

2. An application for cancellation of the Aadhaar number can be made by a child within a period of six months of attaining eighteen years of age.

3. No denial of subsidy or service to any child if Aadhaar is not produced.

Our Comments: The six month period for exiting the Aadhaar ecosystem is too short. Where a person misses the six month limitation period there is no option to exit.

Issue: Authentication records

Supreme Court's Observations: Regulation 26(c) of the Aadhaar (Authentication) Regulations, 2016 has been struck down insofar as it pertains to metadata related to authentication transactions.

Law before SC's Judgment: Regulation 26 of the 2016 Regulations requires that the Authority shall store and maintain authentication transaction data, which shall inter alia contain information on metadata related to the transaction.

Issue: Residents and illegal immigrants

Supreme Court's Observations: The State is directed to take suitable measures to ensure illegal immigrants do not avail benefits.

Law before SC's Judgment: No such provision in the earlier law.

Change proposed in the Amendment: Action on this is awaited.

Our Comments: No change has been introduced by the Amendment.

Issue: Data retention

Supreme Court's Observations: Data retention beyond six months is impermissible. Regulation 27 of the Aadhaar (Authentication) Regulations, 2016, providing for data retention for 5 years, has been struck down.

Law before SC's Judgment: Regulation 27 (Duration of storage):

(1) Authentication transaction data shall be retained by the Authority for a period of 6 months, and thereafter archived for a period of five years.

(2) Upon expiry of the period of five years specified in sub-regulation (1), the authentication transaction data shall be deleted except when such authentication transaction data are required to be maintained by a court or in connection with any pending dispute.

Our Comments: Updated regulation awaited.

Issue: Restriction on sharing of information

Supreme Court's Observations: Presently, the Aadhaar (Sharing of Information) Regulations, 2016 have no provision which impinges on the privacy rights of Aadhaar card holders. (Section 29)

Issue: Disclosure of information

Supreme Court's Observations: Section 33(1) read down:

A. The individual whose information is sought to be released is to be given an opportunity of hearing.

B. The individual is to be given the right to challenge disclosure of his/her information.

Section 33(2) struck down, with liberty to enact a suitable provision. Determining whether information disclosure is in the interest of national security is to be done by:

a. An officer higher than the rank of Joint Secretary;

b. With application of judicial mind (a judicial officer, preferably a sitting judge of a High Court).

Law before SC's Judgment: Section 33(1): Nothing contained in sub-section (2) or sub-section (5) of section 28 or sub-section (2) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made pursuant to an order of a court not inferior to that of a District Judge:

Provided that no order by the court under this sub-section shall be made without giving an opportunity of hearing to the Authority.

Section 33(2): Nothing contained in sub-section (2) or sub-section (5) of section 28 and clause (b) of sub-section (1), sub-section (2) or sub-section (3) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government:

Provided that every direction issued under this sub-section, shall be reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, before it takes effect:

Provided further that any direction issued under this sub-section shall be valid for a period of three months from the date of its issue, which may be extended for a further period of three months after the review by the Oversight Committee.

Change proposed in the Amendment: Amendments made to Section 33:

A. Section 33(1)(b) provides an opportunity of hearing to the Aadhaar holder.

B. Under Section 33B, an aggrieved individual can appeal to TDSAT within a period of 45 days from the date of receipt of the order.

C. An officer not below the rank of Secretary will determine whether disclosure is in the national interest.

D. Section 33A provides for civil penalties in case of failure to comply with the provisions of the Act, rules, regulations and directions.

E. Under Section 33B, an officer not below the rank of Joint Secretary shall be the adjudicating officer for holding the inquiry.

Our Comments: The Court had directed that a higher official, with application of judicial mind, determine the grounds of disclosure under Section 33(2). The Amendment did take cognizance of the judgment and prescribed an officer not below the rank of Joint Secretary. However, the amendment makes no mention of determination by a judicial authority or officer, as directed by the Court.

Despite being criticized by the majority judgment in the Aadhaar matter, the amendment fails to address the concentration of powers that lie with the Executive and the lack of accountability.

The proposed amendment inserts a new provision on civil penalties. Even this change does not prescribe application of judicial mind for the purpose of adjudication in the event of failure to comply with the provisions of the Act.

Thus, the amendment is not in consonance with the Aadhaar judgment.

Issue: Cognizance of complaints

Supreme Court's Observations: Modification of Section 47: include a provision for the filing of complaints by an individual/victim.

Law before SC's Judgment: Section 47:

(1) No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.

(2) No court inferior to that of a Chief Metropolitan Magistrate or a Chief Judicial Magistrate shall try any offence punishable under this Act.

Change proposed in the Amendment: A proviso has been inserted in Section 47. It enables the court to take cognizance of a complaint made by the Aadhaar holder.

Our Comments: Until now, the court could take cognizance of an offence only on a complaint made by the UIDAI or an officer or person authorised by it. The proviso also empowers an aggrieved individual to file complaints.

Issue: Establishing identity of an individual for any purpose

Supreme Court's Observations: There are two aspects to the Court's judgment on Section 57.

One part of the Section has been read down. The provision is susceptible to misuse as it can be used to establish the identity of an individual 'for any purpose'.

A. The 'purpose' in this Section has been read down to mean a purpose backed by law.

B. Any law made on this would need to be subjected to judicial scrutiny.

Another part of Section 57 has been held to be unconstitutional. The part of this Section enabling body corporates and individuals to seek authentication is unconstitutional as:

A. Establishing identity for a purpose pursuant to any contract is impermissible as it is not backed by law and therefore does not meet the test of proportionality.

B. Authentication services based on a contract between an individual and a body corporate or person would:

B1. Enable commercial exploitation of individual biometric and demographic information by private entities.

B2. Impinge on the right to privacy of the individual.

Law before SC's Judgment: Section 57: Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:

Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

Change proposed in the Amendment: Section 57 has been omitted.

However, the Act now provides for voluntary use of the Aadhaar number for authentication or offline verification.

To enable this, Section 4 (Properties of Aadhaar number) of the Act has been amended to allow verification of the Aadhaar number on a voluntary basis with the informed consent of the Aadhaar number holder.

To facilitate this, the Amendment Bill seeks to amend Section 4 of the Telegraph Act, 1885 and insert a new section 11A under the PMLA.

Our Comments: The Bill removes Section 57 from the Aadhaar Act. This omission is in compliance with the Aadhaar judgment.

However, the prescribed amendments to the PMLA Rules and the Telegraph Act are contrary to the ratio of the majority judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India & Ors. [W.P. (C) 494/2012].

In the Aadhaar judgment, Sikri J. in the majority opinion stated that apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services. This can be on the basis of a purported agreement between an individual and such body corporate or person. Even if we presume that the legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of individual biometric and demographic information by private entities.

The part of Section 57 that allowed people to voluntarily provide their Aadhaar number to body corporates and individuals, especially on the basis of a contract between the person providing the Aadhaar number and the person acquiring/authenticating it, has been held to be unconstitutional by the Supreme Court of India. The amendment to Section 4 of the Act would re-implement a clause that has already been ruled unconstitutional. This would raise the likelihood of fresh litigation on an aspect of law that has already been settled.

All Posts | Oct 18,2018

FAQs on the Aadhaar Judgment

1. Can Aadhaar be required for getting a new mobile connection? Is linking Aadhaar with mobile number mandatory?

No. The Supreme Court of India in Justice K. S. Puttaswamy (Retd.) and Anr. v. Union Of India And Ors. (CWP 494 of 2012) has held that mobile service companies cannot ask for Aadhaar from subscribers. The majority opinion held that the circular dated March 23, 2017 mandating linking of mobile number with Aadhaar is illegal and unconstitutional as it is not backed by any law.


2. I enrolled for Aadhaar when I was a minor. Can I opt out of it now as I have turned a major?

For the enrolment of children under the Aadhaar Act, it would be essential to have the consent of their parents/guardian. On attaining the age of majority, such children who are enrolled under Aadhaar with the consent of their parents shall be given the option to exit from the Aadhaar project if they so choose in case they do not intend to avail welfare benefits or services.


3. Is Aadhaar mandatory for children under the age of 14 for enrolment in schools?

No. The Supreme Court has held that Aadhaar cannot be made mandatory for securing admission in schools as it is neither a subsidy nor a service. Moreover, Right to Education is a fundamental right under Art 21A and thus cannot be subjected to procedural handicaps.


4. Is Aadhaar mandatory for children under the age of 14 for availing social benefits and schemes?

The Court has held that for the Sarv Shiksha Abhiyaan scheme, Aadhaar cannot be made mandatory. However, for other social benefits, Aadhaar may be insisted upon, subject to the consent of the parent.

The court has reiterated that no child can be denied social sector benefits for want of Aadhaar.


5. Is Aadhaar mandatory for enrolment in colleges and sitting in competitive entrance exams?

The Court while defining ambit of ‘benefits’ and ‘services’ under section 7 of the Aadhaar Act, held that these would cover only those instances where expenditure has been drawn from the Consolidated Fund of India. On that basis, CBSE, NEET, JEE, UGC, among others cannot mandatorily ask for Aadhaar as they are outside the purview of Section 7 and are not backed by any law.


6. Can private companies demand Aadhaar as a means to verify identity?

The Court has struck down Section 57 of the Aadhaar Act which provided for ‘use of Aadhaar number for establishing the identity of an individual for any purpose’. So, private entities cannot ask for Aadhaar to verify identity.


7. Is linking Aadhaar with bank account mandatory?

No, the Supreme Court has held that Aadhaar cannot be demanded by banks while opening a bank account. Aadhaar linking is not necessary for existing bank accounts as well.


8. Is Aadhaar mandatory for filing Income Tax Returns and allotment of Permanent Account Number (PAN)?

Yes. The Supreme Court has upheld Section 139AA of the Income Tax Act, under which every citizen who is eligible to obtain Aadhaar must quote either their Aadhaar Number or the Enrollment ID while filing ITR or applying for PAN.


9. Is Aadhaar mandatory for insurance policies?

The Insurance Regulatory and Development Authority of India (IRDA) in 2017 had made linkage of the Aadhaar number to insurance policies a mandatory requirement under the Prevention of Money Laundering (Maintenance of Records) Second Amendment Rules, 2017. However, since the said rules have been set aside by the Supreme Court, linking of Aadhaar for insurance policies is not mandatory.


10. Is Aadhaar mandatory for employment provident fund?

Aadhaar is not mandatory for EPFO since it does not constitute a charge on the Consolidated Fund of India. The court held that the Government cannot take umbrage under Section 7 of the Aadhaar Act to enlarge the scope of subsidies, services and benefits. ‘Benefits’ should be such which are in the nature of welfare schemes for which resources are to be drawn from the Consolidated Fund of India.


11. Can I delete my Aadhaar data?

No, as of now there is no mechanism to delete Aadhaar. However, UIDAI provides a mechanism to lock the biometric information and prevent any misuse. Once the biometric is locked, the Aadhaar holder will not be able to use their Biometrics (fingerprints/iris) for authentications and neither can anyone else.

All Posts | Oct 12,2018

Summary Report: Series of Discussion on Personal Data Protection Bill 2018

We at SFLC.in conducted a series of multi-stakeholder round table discussions on the Data Protection Bill, 2018 submitted by the Expert Committee on Data Protection headed by Justice (Retd.) B.N. Srikrishna. We organized this series of discussions in four different cities of India, namely Delhi (September 4, 2018), Bangalore (September 25, 2018), Mumbai (September 26, 2018) and Kochi (September 27, 2018). Experts from civil society, academia, independent lawyers, banks, startups, industry bodies and representatives from media, industry and tech companies participated and expressed their views on the Personal Data Protection Bill, 2018.

The round-table events featured three separate panel discussions focusing on data principal rights and data fiduciary obligations; data localization and exemptions; and administration and enforcement which were discussed in detail.

These discussions were aimed to urge leaders and key stakeholders to put forth their views on the draft Personal Data Protection Bill and to urge the Ministry of Electronics and Information Technology (MeitY) to make appropriate amendments in the Bill. MeitY invited comments on the Bill from the public by September 10, 2018, which had been extended to September 30, 2018 at the time of these discussions. The deadline has now been extended to October 10, 2018 in light of the judgment of the Supreme Court of India in the case of Justice K.S. Puttaswamy (Retd.) v. Union of India [W.P. (C) 494 of 2012] delivered on September 26, 2018, thereby allowing more time for stakeholders to submit their research and comments for the Bill. The inputs from these discussions will form a part of the recommendations that we will submit to MeitY.

Session one focused on data principal rights and data fiduciary obligations. Key takeaways from this session were:

  • There are a lot of ambiguities in this Bill. There is no clear definition of phrases such as 'fair and reasonable processing', and ‘sensitive and critical Data’, among others. Furthermore, functions of the State are widely worded, neglecting the test of necessity and proportionality.

  • The rights of Internet users have been severely limited, particularly compared to European Union’s GDPR. The participants agreed that the concept of Right to be Forgotten has been inaccurately borrowed from the GDPR and does not include right to delete/erase your personal data.

  • Concerns were raised with respect to provisions regarding the age to obtain a child’s consent. It was stated that in India, many teenage girls try to protect their data from their parents, who strictly monitor their phone usage. In that light, it would be ironic that parental consent would be needed to protect the data of children. In our country, parents do not wish their daughters to be on certain social media platforms and discourage them from engaging with the opposite sex. Therefore, if such a provision is strictly implemented, it will directly impact minors.

Session two was on the topic of Data Localisation. Key takeaways from this session were:

  • Many startup founders expressed that the interest of small and medium enterprises has not been considered. They raised concerns that data localization would harm small businesses and startups with compliance burden and raised costs.

  • The Bill would heavily impact the BPO, AI and IoT industries as they thrive on huge amount of data that is generally crowd sourced. Data mirroring/localization requirements would limit the possibilities of business and research. The Bill could benefit from additional clarity with regard to the classification of data, what data must be stored within the country and what may be transferred outside as these provisions are ambiguous at best.

  • India requires significant investment in data center infrastructure, multiple Optic Fiber backbones and enhanced power generation and grid capacity before we mandate data localization/mirroring. Data storage, cloud computing and bandwidth costs in US are a fraction of the current costs in India, making it economically infeasible to mandate storage of data within India at this point in time. The increased costs would pose a tremendous deterrent to the viability, sustainability and competitiveness of startups in India. This would be detrimental for the government’s efforts to promote a startup ecosystem within the country.

Session Three covered the issues with respect to Administration and Enforcement of this Bill. Key takeaways from this session were:

  • It was pointed out that the Data Protection Authority of India (DPAI), the proposed body for enforcement and administration of the Bill is not completely independent considering the critical responsibilities bestowed upon it. Attendees were of the view that excessive governmental control exists via power to make appointments and remove members of the DPAI, power to determine salaries and allowances, and power to notify certain categories of personal data that can be processed only in India, among other provisions in the Bill.

  • The Bill provides for criminal liability in cases of breach. It was opined that if employees of companies are to be held liable on a charge of data theft carried out at a much higher level in the company, then government employees working with the State should also be held accountable. Thus, it was opined that the law should be drafted and executed without any bias.

  • The Bill provides for data mirroring and creation of data centers. All these provisions lead to nationalization of data. It provides for data that is generated in India to be stored in India in order to create jobs in India and revenue for India. But at the same time the Bill requires damages of Companies with foreign presence to be calculated on the basis of their global revenue. Some companies found it unfair to calculate damages from their global revenues.

  • The shortcomings of the Bill were highlighted in the light of privacy and Aadhaar judgments. It was opined that this Bill does not address the concerns regarding profiling and targeted advertising deployed by state and non state actors. Participants highlighted the manner in which the Bill fails to stand the test of proportionality under the nine judge bench Right to Privacy judgment.

The panels across three cities unanimously recommended that there should be adequate sensitization, training and compliance certification for the people and businesses to be able to understand the implications of this Bill. It was agreed that the Data Protection Authority of India (DPAI) has been overburdened with roles and responsibilities. Many participants expressed that the draft law is heavily tilted towards the Central Government and is not a balanced law that considers the interests of all stakeholders.


All Posts | Sep 26,2018

Key Highlights of the Aadhaar Judgment

The Supreme Court has delivered its much awaited judgment in the Aadhaar case, wherein the majority view, comprising Dipak Misra CJI., AK Sikri J., AM Khanwilkar J. and Ashok Bhushan J. (though Bhushan J. dissented with the majority on certain points), upheld the constitutionality of the Aadhaar Act, 2016 barring a few provisions on disclosure of personal information, cognizance of offences and use of the Aadhaar ecosystem by private corporations. DY Chandrachud J. delivered a dissenting opinion rejecting the entire Aadhaar scheme along with the Act. The full text of the judgment is available here.

A summary of the three opinions, as delivered by AK Sikri J., DY Chandrachud J. and Ashok Bhushan J., is as follows:

Majority Opinion by Dipak Misra CJI., AK Sikri J. and AM Khanwilkar J.

  • ‘Benefits’ and ‘services’ as mentioned in Section 7 should be those which have the colour of some kind of subsidies etc., namely, welfare schemes of the Government whereby Government is doling out such benefits which are targeted at a particular deprived class. It would cover only those ‘benefits’ etc. The expenditure thereof has to be drawn from the Consolidated Fund of India.

  • Section 33(1) of the Act prohibits disclosure of information, including identity information or authentication records, except when it is by an order of a court not inferior to that of a District Judge. We have held that this provision is to be read down with the clarification that an individual, whose information is sought to be released, shall be afforded an opportunity of hearing. If such an order is passed, in that eventuality, he shall also have right to challenge such an order passed by approaching the higher court. During the hearing before the concerned court, the said individual can always object to the disclosure of information on accepted grounds in law, including Article 20(3) of the Constitution or the privacy rights etc.

  • Insofar as Section 33(2) is concerned, it is held that disclosure of information in the interest of national security cannot be faulted with. However, for determination of such an eventuality, an officer higher than the rank of a Joint Secretary should be given such a power. Further, in order to avoid any possible misuse, a Judicial Officer (preferably a sitting High Court Judge) should also be associated with. We may point out that such provisions of application of judicial mind for arriving at the conclusion that disclosure of information is in the interest of national security, are prevalent in some jurisdictions. In view thereof, Section 33(2) of the Act in the present form is struck down with liberty to enact a suitable provision on the lines suggested above.

  • Insofar as Section 47 of the Act which provides for the cognizance of offence only on a complaint made by the Authority or any officer or person authorised by it is concerned, it needs a suitable amendment to include the provision for filing of such a complaint by an individual/victim as well whose right is violated.

  • In so far as Section 57 in the present form is concerned, it is susceptible to misuse inasmuch as: (a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such “law” is made, it would be subject to judicial scrutiny. (b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met. (c) Apart from authorising the State, even ‘any body corporate or person’ is authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities. Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.

  • Section 2(d) which pertains to authentication records, such records would not include metadata as mentioned in Regulation 26(c) of the Aadhaar (Authentication) Regulations, 2016. Therefore, this provision in the present form is struck down. Liberty, however, is given to reframe the regulation, keeping in view the parameters stated by the Court.

  • Retention of data beyond the period of six months is impermissible. Therefore, Regulation 27 of Aadhaar (Authentication) Regulations, 2016 which provides for archiving data for a period of five years is struck down.

  • Metabase (Metadata) relating to transaction, as provided in Regulation 26 of the aforesaid Regulations in the present form, is held to be impermissible, which needs suitable amendment.

  • On that basis, CBSE, NEET, JEE, UGC etc. cannot make the requirement of Aadhaar mandatory as they are outside the purview of Section 7 and are not backed by any law.

  • We hold that the provision in the present form does not meet the test of proportionality and, therefore, violates the right to privacy of a person which extends to banking details. This amounts to depriving a person of his property. We find that this move of mandatory linking of Aadhaar with bank account does not satisfy the test of proportionality.

  • Circular dated March 23, 2017 mandating linking of mobile number with Aadhaar is held to be illegal and unconstitutional as it is not backed by any law and is hereby quashed.

  • When it comes to obtaining Aadhaar card, there is no possibility of obtaining duplicate card. Once the biometric information is stored and on that basis Aadhaar card is issued, it remains in the system with the UIDAI. Wherever there would be a second attempt for enrolling for Aadhaar and same person gives his biometric information, it would immediately get matched with the same biometric information already in the system and the second request would stand rejected. It is for this reason the Aadhaar card is known as a Unique Identification (UID).

  • While examining the validity of a particular law that allegedly infringes right to privacy, the question is as to whether the Court is to apply ‘strict scrutiny’ standard or the ‘just, fair and reasonableness’ standard. In the privacy judgment this Court preferred to adopt a ‘just, fair and reasonableness’ standard. Even otherwise, this is in consonance with the judicial approach adopted by this Court while construing ‘reasonable restrictions’ that the State can impose in public interest, as provided in Article 19 of the Constitution.

  • A very important feature which the present case has brought into focus is another dimension of human dignity, namely, in the form of ‘common good’ or ‘public good’. Thus, our endeavour here is to give richer and more nuanced understanding to the concept of human dignity. We, therefore, have to keep in mind humanistic concept of Human Dignity which is to be accorded to a particular segment of the society and, in fact, a large segment. Their human dignity is based on the socio-economic rights that are read in to the fundamental rights.

  • When we read socio-economic rights into human dignity, the community approach also assumes importance along with individualistic approach to human dignity. It has now been well recognised that at its core, human dignity contains three elements, namely, Intrinsic Value, Autonomy and Community Value. These are known as core values of human dignity. These three elements can assist in structuring legal reasoning and justifying judicial choices in ‘hard cases’.

  • When it comes to dignity as a community value, it emphasises the role of the community in establishing collective goals and restrictions on individual freedoms and rights on behalf of a certain idea of good life.

  • There needs to be a balancing of two facets of dignity of the same individual whereas, on the one hand, right of personal autonomy is a part of dignity (and right to privacy), another part of dignity of the same individual is to lead a dignified life as well (which is again a facet of Article 21 of the Constitution). Therefore, in a scenario where the State is coming out with welfare schemes, which strive at giving dignified life in harmony with human dignity and in the process some aspect of autonomy is sacrificed, the balancing of the two becomes an important task which is to be achieved by the Courts. For, there cannot be undue intrusion into the autonomy on the pretext of conferment of economic benefits.

  • The architecture of Aadhaar as well as the provisions of the Aadhaar Act do not tend to create a surveillance state. This is ensured by the manner in which the Aadhaar project operates. During the enrolment process, minimal biometric data in the form of iris and fingerprints is collected. The UIDAI does not collect purpose, location or details of transaction. Thus, it is purpose blind. The information collected, as aforesaid, remains in silos. Merging of silos is prohibited.

  • After going through the Aadhaar structure, as demonstrated by the respondents in the powerpoint presentation (as given during the hearing by the CEO of the UIDAI – Mr. AB Pandey) from the provisions of the Aadhaar Act and the machinery which the Authority has created for data protection, we are of the view that it is very difficult to create profile of a person simply on the basis of biometric and demographic information stored in CIDR.

  • After detailed discussion, it is held that all matters pertaining to an individual do not qualify as being an inherent part of right to privacy. Only those matters over which there would be a reasonable expectation of privacy are protected by Article 21.

  • The Court is also of the opinion that the triple test laid down in order to adjudge the reasonableness of the invasion to privacy has been made. The Aadhaar scheme is backed by the statute, i.e. the Aadhaar Act. It also serves legitimate State aim, which can be discerned from the Introduction to the Act as well as the Statement of Objects and Reasons which reflect that the aim in passing the Act was to ensure that social benefit schemes reach

  • Right to receive these benefits, from the point of view of those who deserve the same, has now attained the status of fundamental right based on the same concept of human dignity, which the petitioners seek to bank upon.

  • The Constitution does not exist for a few or minority of the people of India, but “We the people”.

  • We again emphasise that no person rightfully entitled to the benefits shall be denied the same on such grounds. It would be appropriate if a suitable provision be made in the concerned regulations for establishing an identity by alternate means, in such situations.

  • For the enrolment of children under the Aadhaar Act, it would be essential to have the consent of their parents/guardian.

  • On attaining the age of majority, such children who are enrolled under Aadhaar with the consent of their parents, shall be given the option to exit from the Aadhaar project if they so choose in case they do not intend to avail the benefits of the scheme.

  • In so far as the school admission of children is concerned, requirement of Aadhaar would not be compulsory as it is neither a service nor subsidy. Further, having regard to the fact that a child between the age of 6 to 14 years has the fundamental right to education under Article 21A of the Constitution, school admission cannot be treated as ‘benefit’ as well.

  • In so far as Section 2(b) is concerned, which defines ‘resident’, the apprehension expressed by the petitioners was that it should not lead to giving Aadhaar card to illegal immigrants. We direct the respondent to take suitable measures to ensure that illegal immigrants are not able to take such benefits.

  • However, apprehension of the petitioners is that this provision entitles Government to share the information ‘for the purposes of as may be specified by regulations’. The Aadhaar (Sharing of Information) Regulations, 2016, as of now, do not contain any such provision. If a provision is made in the regulations which impinges upon the privacy rights of the Aadhaar card holders that can always be challenged.

  • Therefore, Section 7 is the core provision of the Aadhaar Act and this provision satisfies the conditions of Article 110 of the Constitution. Up to this stage, there is no quarrel between the parties. In any case, a part of Section 57 has already been declared unconstitutional. We, thus, hold that the Aadhaar Act is validly passed as a ‘Money Bill’.

  • Even after judging the matter in the context of permissible limits for invasion of privacy, namely: (i) the existence of a law; (ii) a ‘legitimate State interest’; and (iii) such law should pass the ‘test of proportionality’, we come to the conclusion that all these tests are satisfied.


Dissenting Opinion by Chandrachud J.

  • The Aadhaar Act, 2016 is declared unconstitutional for failing to meet the necessary requirements to have been certified as a Money Bill under Article 110(1).

  • Adequate norms must be laid down for each step from the collection to retention of biometric data based on informed consent, along with specifying the time period for retention. Individuals must be given the right to access, correct and delete data. An opt-out option should be necessarily provided. The Aadhaar Act is bereft of these provisions.

  • Section 29(4) is over-broad as it gives wide discretionary power to UIDAI to publish, display or post core biometric information of an individual for purposes specified by the regulations.

  • Sections 2(g), (j), (k) and (t) suffer from overbreadth, as the phrase “such other biological attributes” can be expanded.

  • The proviso to Section 28(5) of the Aadhaar Act, which disallows an individual access to the biometric information that forms the core of his or her unique ID, is violative of a fundamental principle that ownership of an individual’s data must at all times vest with the individual.

  • This judgment concludes that the Aadhaar programme violates essential norms pertaining to informational privacy, self-determination and data protection.

  • The measures adopted by the respondents fail to satisfy the test of necessity and proportionality.

  • The architecture of Aadhaar enables surveillance activities through the Aadhaar database. Any leakage in the verification log poses an additional risk of an individual’s biometric data being vulnerable to unauthorised exploitation by third parties.

  • Before the enactment of the Aadhaar Act, MOUs signed between UIDAI and Registrars were not contracts within the purview of Article 299 of the Constitution, and therefore, do not cover the acts done by the private entities engaged by the Registrars for enrolment.

  • The Aadhaar Act is also silent on the liability of UIDAI and its personnel in case of their non-compliance of the provisions of the Act or the regulations.

  • Section 47 of the Act violates citizens’ right to seek remedies. Under Section 47(1), a court can take cognizance of an offence punishable under the Act only on a complaint made by UIDAI or any officer or person authorised by it. Section 47 is arbitrary as it fails to provide a mechanism to individuals to seek efficacious remedies for violation of their right to privacy.

  • Making UIDAI, which is administering the Aadhaar project, also responsible for providing a grievance redressal mechanism for grievances arising from the project severely compromises the independence of the grievance redressal body [Section 23(2)(s)].

  • In the absence of an independent regulatory and monitoring framework which provides robust safeguards for data protection, the Aadhaar Act cannot pass muster against a challenge on the ground of reasonableness under Article 14.

  • No substantive provisions, such as those providing data minimization, have been laid down as guiding principles for the oversight mechanism provided under Section 33(2), which permits disclosure of identity information and authentication records in the interest of national security.

  • Section 57 violates Articles 14 and 21. It is manifestly arbitrary, it suffers from overbreadth and violates Article 14.

  • Section 7 suffers from overbreadth since the broad definitions of the expressions ‘services’ and ‘benefits’ enable the government to regulate almost every facet of its engagement with citizens under the Aadhaar platform. The inclusion of services and benefits in Section 7 is a precursor to the kind of function creep which is inconsistent with the right to informational self-determination. Section 7 is therefore arbitrary and violative of Article 14 in relation to the inclusion of services and benefits as defined.

  • Section 59 does not validate actions of the state governments or of private entities. Section 59 fails to meet the test of a validating law since the complete absence of a regulatory framework and safeguards cannot be cured merely by validating what was done under the notifications of 2009 and 2016.

  • The judgment accepts that there is a legitimate state aim but the existence of a legitimate aim is insufficient to uphold the validity of the law, which must also meet the other parameters of proportionality spelt out in Puttaswamy.

  • Since the Aadhaar Act itself is now held to be unconstitutional for having been enacted as a Money Bill and on the touchstone of proportionality, the seeding of Aadhaar to PAN under Article 139AA does not stand independently.

  • The 2017 amendments to the PMLA Rules fail to satisfy the test of proportionality. The imposition of a uniform requirement of linking Aadhaar numbers with all account based relationships proceeds on the presumption that all existing account holders as well as every individual who seeks to open an account in future is a potential money-launderer.

  • The conflation of biometric information with SIM cards poses grave threats to individual privacy, liberty and autonomy. Having due regard to the test of proportionality which has been propounded in Puttaswamy and as elaborated in this judgment, the decision to link Aadhaar numbers with mobile SIM cards is neither valid nor constitutional.

  • It is directed under Article 142 that the existing data which has been collected shall not be destroyed for a period of one year. During this period, the data shall not be used for any purpose whatsoever. At the end of one year, if no fresh legislation has been enacted by the Union government in conformity with the principles which have been enunciated in this judgment, the data shall be destroyed.


Partially Concurring Opinion of Ashok Bhushan J.

  • The requirement of demographic and biometric information under Aadhaar Act, 2016 does not violate fundamental right to privacy. It passes the three fold test as laid down in Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors. (Privacy Judgment).

  • Moreover, safeguards are available in Aadhaar Act, 2016 and there is no architecture for pervasive surveillance.

  • There should be a balance between social benefits disbursal by state with right to privacy.

  • Sec 7 of Aadhaar Act, 2016, making Aadhaar number necessary for receipt of certain subsidies, benefits and services etc. is held as constitutional. J. Bhushan observed that some cases of authentication failure should not nullify the entire provision.

  • Sec 29 which deals with restriction on sharing information, is upheld.

  • Sec 33 which provides for the use of Aadhaar database for police investigation, is upheld and found not violative of Art 20(3).

  • Sec 47 which disallows an individual to file a complaint for an offence under the Act, was upheld.

  • The last part of Sec 57 which permits use of Aadhaar by the State or any body corporate or person, pursuant to any contract, is held unconstitutional.

  • Parental consent for providing biometric information under Regulation 3 & demographic information under Regulation 4 of Aadhaar (Enrolment and Update) Regulations, 2016 is made necessary.

  • Rule 9 as amended by PMLA (Second Amendment) Rules, 2017 making linkages of Aadhaar with bank accounts necessary is upheld and found not to violate Articles 14, 19(1)(g), 21 & 300A of the Constitution.

  • Circular dated 23.03.2017 by Department of Telecommunications, seeking Aadhaar-SIM linking is held unconstitutional.

  • Passing of Aadhaar Act as Money Bill is found to be valid but decision of Speaker certifying a Bill as Money Bill is not immune from Judicial Review.

  • Section 139AA of IT Act, 1961 which provides for linking of Aadhaar for filing of income tax returns is upheld and found not to violate Right to Privacy.

All Posts | Sep 26,2018

Full text of the 1448-page Aadhaar Judgement

The Supreme Court has delivered its much awaited judgment in the Aadhaar case, wherein the majority view, comprising Dipak Misra CJI., AK Sikri J., AM Khanwilkar J. and Ashok Bhushan J. (though Bhushan J. dissented with the majority on certain points), upheld the constitutionality of the Aadhaar Act, 2016 barring a few provisions on disclosure of personal information, cognizance of offences and use of the Aadhaar ecosystem by private corporations. DY Chandrachud J. delivered a dissenting opinion rejecting the entire Aadhaar scheme along with the Act. The entire text of the judgment is available here.

All Posts | Sep 23,2018

Round Table Discussion on the Personal Data Protection Bill: 27th September (Thursday) at Cochin

The Ministry of Electronics and Information Technology has sought comments on the Draft Personal Data Protection Bill, 2018 by the 30th of September 2018. We are holding a Round Table discussion on the draft Bill on 27 September 2018 (Thursday) at the Abad Plaza, MG Road, Cochin from 4.30pm to 8.00pm with GTech (the collaborative of IT companies in Kerala) as our partner. This is an invite-only event with experts from Civil Society, Government, Academia, Industry and Media. The idea is to bring forward the perspectives of all stakeholders in order to build a comprehensive understanding of the issues in the Draft Personal Data Protection Bill, 2018.

If you are interested in joining the discussion, tell us by filling the form at https://sflc.in/round-table-data-protection and we will get back to you at the earliest.

The Detailed Agenda for the Round Table is as follows:

All Posts | Sep 23,2018

Round Table Discussion on the Personal Data Protection Bill: 26th September (Wednesday) at Mumbai

The Ministry of Electronics and Information Technology has sought comments on the Draft Personal Data Protection Bill, 2018 by the 30th of September 2018. We are holding a Round Table discussion on the draft Bill on 26 September 2018 (Wednesday) at the Taj Lands End, Bandra West, Mumbai from 10.30am to 5.30pm. This is an invite-only event with experts from Civil Society, Government, Academia, Industry and Media. The idea is to bring forward the perspectives of all stakeholders in order to build a comprehensive understanding of the issues in the Draft Personal Data Protection Bill, 2018.

If you are interested in joining the discussion, tell us by filling the form at https://sflc.in/round-table-data-protection and we will get back to you at the earliest.

The Detailed Agenda for the Round Table is as follows: