On day 33 of the final Aadhaar hearing, Senior Advocate, Rakesh Dwivedi appearing for the State/UIDAI resumed his submission on Aadhaar by stating that the standard of control exercised by UIDAI on requesting entities is “fair and reasonable” as laid down under Article 21. He further pointed out that the data collected by REs is segregated and there is no way to aggregate it as there are over three hundred REs. J. Chandrachud asked about misuse of data by individual REs, to which Mr. Dwivedi gave the example of Vodafone and mentioned that Vodafone can indulge in targeted advertising without Aadhaar data as it collects far more demographic data about an individual than UIDAI does. He emphasized that at least in the case of UIDAI, there are so many regulations and penal consequences that do not apply to Vodafone. Mr. Dwivedi then showed the bench a credit card statement to put across the point that banks have a record of all transactions made by an individual including information such as the place of transaction. He remarked that no one is questioning the data collection activities of banks and telecoms and that Aadhaar is the single target. Mr. Dwivedi also gave the example of the food delivery app “bigbasket” and highlighted that the app knows the food habits of the users.
On the technology of Aadhaar, Mr. Dwivedi contended that UIDAI needs to have big data, processing power and statistical knowhow to do big data analysis on the data that is colllected. He explained how companies like Google and Facebook process tremendous data on a daily basis while UIDAI does not have such algorithms. Mr. Dwivedi also mentioned that the data collected by REs does not have any value as no authentication records are stored with them. Next, he showed a list of entities that require one time authentication and those that require authentication each time there is a transaction and pointed out that most entities require authentication once, and therefore there is no way to surveil people.
With respect to exercising control over REs by UIDAI, Mr. Dwivedi submitted that an RE procures the fingerprint device from a vendor and UIDAI controls the vendor with respect to the hardware and software of the device. He explained that UIDAI puts a key in the device so that data is encrypted and sent to CIDR. The device is then taken to Standardisation Testing and Quality Certification (STQC) to check whether it meets all the requirements. The whole process of device preparation and certification happens without the knowledge of the requesting entity. An information systems operator then conducts an audit of the RE and the report is submitted to UIDAI. If the report is approved, then the particular RE gets a license from UIDAI in order to operate as an RE. In this regard, Mr. Dwivedi asserted that metadata is important for validation that the data is coming from a particular RE with which UIDAI has an agreement. Further, the metadata is important for fraud management and verification, stated Mr. Dwivedi.
As an additional security measure, Mr. Dwivedi highlighted that REs have a data vault as well which is controlled by trusted people. Apart from these procedures, there are two more audits conducted on REs: annual audit and random audits by UIDAI.
Further, Mr. Dwivedi submitted that the information held by REs is not of any commercial value. He stated that UIDAI has device control, there are double pairs of keys, encryption is immediate and time stamped, transmission of data requires a digital signature with a private key, there is complete prohibition of storing PID block and finally there are penal consequences if any provision of the Aadhaar Act or Regulations is violated. Mr. Dwivedi alsiosubmitted that the central government has no access to UIDAI’s data as UIDAI is an autonomous body. He mentioned that while examining the problem of smart cards, even the EU has said that having a centralized database is important since decentralization leads to fakes and duplicates.
Mr. Dwivedi’s next contention was on Aadhaar-SIM linking. He began by citing the Lok Niti Foundation judgment and TRAI’s recommendation to link Aadhaar with SIM card. Mr. Dwivedi next read out the DoT notification that talked about re-verification of mobile numbers using e-KYC process. On the legality of such measure, Mr. Dwivedi said that the proviso to Section 4 of the Telegraph Act gives exclusive power to the Central government to decide license conditions. As regards proportionality, he mentioned that the measure to verify one’s SIM card using Aadhaar is not excessive at all and proportional to the object sought to be achieved. At this point, J. Chandrachud remarked that the Supreme Court never directed in the Lok Niti Foundation order to carry out e-KYC of mobile numbers using Aadhaar. In reply, Mr. Dwivedi stated that Aadhaar-SIM linking was done on the recommendation of TRAI before the Lok Niti order had even come out. Further, he said that the measure is reasonable in the interest of national security.
Mr. Dwivedi contended that the entire architecture of Aadhaar is such that there is no aggregation of data. The system stands the test of Article 21 on its own and there is no infringement of privacy.
Additional Solicitor General, Tushar Mehta, intervened to make a short submission on whether Aadhaar passes the muster of Article 300A of the Constitution and whether Article 300A encompassed ‘Rules’ also. The phrase “authority of law” gives power to the legislature to link Aadhaar with bank account under the Prevention of Money Laundering Act (PMLA) and the PMLA Rules have the backing of the PMLA. He stated that a statutory rule is akin to law under Article 300A of the Constitution. The parliament cannot every time amend the law (PMLA) for example in respect of money laundering. Therefore a wide statutory network is provided and power is given to the rule making authority.
Senior Advocate, Jayant Bhushan then commenced his submission on the master circular issued by the Reserve Bank of India on April 20, 2018 and stated that RBI issued the master circular by virtue of its power under the Banking Regulation Act and Rule 9 of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 that provides that Aadhaar has to be submitted to a reporting entity. He also highlighted Rule 9(14) which provides that the regulator (RBI in this case) shall provide guidelines incorporating the requirements of sub rules (1) to (13) above and may prescribe enhanced or simplified measures to verify identity. Requirements under Rule 9(1)-(130 is made mandatory under Rule 9(14). Mr. Bhushan asserted that the RBI master circular is now in conformity with PMLA rules and RBI had no option but to amend the master circular.
Next, Advocate Gopal Sankarnarayanan began his submissions. He stated that he is going to argue the following contentions:
- Aadhaar Act is valid subject to three specific provisions that have to be wither read down or struck down
- Conflict between Aadhaar Act and Right to Information Act, 2005
- Manifest arbitrariness with respect to Section 139AA of the Income Tax Act and its relation with Article 21
Mr. Sanakarnarayanan will continue his submissions tomorrow (April 26, 2018).