Introduction
On March 26, 2016, the Indian government introduced the Aadhar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Act”). The Act’s objective was, inter alia, to provide good governance, and an efficient and transparent delivery of subsidies, benefits and services to individuals residing in India by assigning a 12-digit unique identity number (“Aadhar”) issued by the Unique Identification Authority of India (the “Authority”).
Due to widespread privacy concerns and increased risk of government surveillance, various petitions were filed challenging the Act’s constitutional validity. On September 26, 2018, a five (5) member Constitution Bench of India’s Supreme Court (in a majority 4:1 verdict) upheld the constitutional validity of the Act, except for certain provisions, which the Supreme Court deemed unconstitutional.
Pursuant to this judicial ruling, the Indian government has recently amended the Act by way of the Aadhar and Other Laws (Amendment) Ordinance, 2019 (the “Ordinance”). This update discusses the implications of the Ordinance.
Use of Aadhar made voluntary
The Ordinance allows for the use of Aadhar to verify an individual’s identity if the Aadhar holder consents to such use. The identity of the Aadhar holder may be verified by authentication with the Authority if Aadhar is used in its electronic form or by way of offline verification if it is used in its physical form. Further, the Ordinance permits entities, including private entities, to perform such verification only if they comply with the standards of privacy and security notified by the Authority. Furthermore, entities are required to disclose the purpose of the authentication and obtain the Aadhar holder’s consent before pursuing such authentication for only the disclosed purpose. At the same time, the Ordinance disallows entities from denying any service to any individual due to such individual’s inability or unwillingness to furnish Aadhar as a proof of identity.
However, the Ordinance also states that an individual can be compelled to provide his/her Aadhar for establishing his/her identity if the use of Aadhar is mandated by any law passed by the Indian parliament.
In our view, the Ordinance has watered down the Supreme Court’s decision to make the Aadhar a voluntary proof of identity. In truth, the Ordinance appears to be walking a confusing tightrope as to whether the use of Aadhar is truly voluntary. Further, it is unclear how a balance will be achieved, as on the one hand private entities have been permitted to seek Aadhar as a proof of identity, but they are also mandated not to deny services to individuals who do not want to provide their Aadhar as a proof of identity. While the Ordinance seeks to assuage privacy concerns by providing that requesting entities must adhere to certain privacy standards, no such standards have been notified by the Authority. Moreover, once notified, it remains to be seen whether such standards will be sufficient to ensure the privacy of Aadhar holders.
Introduction of alternative virtual identity to Aadhar
In addition to Aadhar, the Ordinance envisions the generation of an alternative virtual identity which can be used by certain notified entities as an alternative mode of authentication to Aadhar. This alternative identity has been introduced to assuage security and privacy concerns raised against Aadhar as this alternative identity will allow users to conceal their actual Aadhar number and the data associated with it. While the intent behind generating an alternative virtual identity to protect the Aadhar number and associated data of Aadhar holders is admirable, the costs of issuing such a virtual identity to a population of 1.3 billion Indian people and in maintaining the security thereof may make it unviable. Further, this virtual identity number may only result in an increased compliance burden for individuals as they will have to maintain two (2) separate identities.
Option for minors to opt out of Aadhar upon attaining majority
In line with the Supreme Court’s decision, the Ordinance allows minors to opt out of the Aadhar scheme by surrendering their Aadhar within six (6) months of attaining majority. Further, the Ordinance also mandates the need to obtain the consent of a minor’s parents or guardians when getting Aadhar in the first instance. In our view, although this allows minors to decide for themselves whether they are comfortable with providing their data to the Authority, it goes against the concept of a universal social security system that the Indian government had envisaged for all Indian citizens.
Other key changes
The Ordinance provides greater autonomy to the Authority by allowing the Authority to independently appoint its officers and employees. Moreover, it provides for the creation of the Unique Identification Authority of India Fund in which all grants, fees, charges and sums received by the Authority are to be deposited. Previously, such funds were directed to be deposited in the Consolidated Fund of India. Additionally, the Ordinance empowers the Authority to make directions and regulations in respect of all entities forming a part of the Aadhar ecosystem without any consultation with the Indian government. Further, the Ordinance provides for numerous civil penalties which may be imposed upon entities or individuals for any misuse of the Aadhar of another person. Lastly, the Ordinance also lays down the procedure to adjudicate any complaint of misuse and for any appeal against such adjudication.
The Ordinance has sought to reduce the involvement of the Indian government in matters concerning Aadhar to allay privacy concerns and fears of mass surveillance. However, in granting the Authority greater autonomy and refusing to allow its decisions to be subject to judicial review (as had been directed by the Supreme Court), the Ordinance raises several new security concerns. In our view, this raises the age-old question in all matters of privacy and security, i.e., who will watch the watchers?