
Aadhaar Ordinance: Will Voluntary Use End Up Becoming A Myth?

It’s a partial victory for private companies and organisations which intend to use Aadhaar to simplify the verification and identification process. Partial, since their access to Aadhaar infrastructure relies on individuals permitting it voluntarily. But experts feel that the ease of using Aadhaar for know-your-customer (KYC) purposes may trump the procedural requirement now warranted under the recently passed ordinance: the need to inform individuals that use of Aadhaar is only voluntary, not mandatory.

After the Supreme Court’s judgment on Aadhaar, the government introduced several amendments to the law which received Lok Sabha’s approval in January this year. But the amendment Bill did not receive the assent of the upper house and lapsed. This prompted the government to take the ordinance route and in doing so, it has amended three legislations—the Aadhaar Act, the Prevention of Money Laundering Act and the Telegraph Act. The key purpose of the ordinance is to make the use of Aadhaar voluntary and allow certain entities in the private sector to establish identities by using Aadhaar details.

The government's decision to choose the ordinance route and allow private access to Aadhaar raises three key questions:

  1. Is passing the amendments via an ordinance constitutional?
  2. Can all private entities use Aadhaar for authentication?
  3. If yes, are there adequate checks and balances to ensure data protection and individual privacy?

Ordinance Route: Constitutional?

The question of constitutionality of this ordinance stems from two issues—first, are there legitimate grounds for the government to have taken this route; and second, is the ordinance designed to overrule something that the apex court has barred.

Legitimate Grounds?

The Constitution gives the executive branch of the government power to make laws under Article 123 but it comes with certain limitations. For instance, such ordinances can be promulgated if circumstances exist which render it necessary for the President to take immediate action. Once the parliament is in session, the ordinance has to be laid before both houses for approval within six weeks of it being reassembled, else it will lapse.

There was no overwhelming hurry to pass this law as an ordinance. Parliament has been in session twice after that, but the bill hasn’t been passed. To use the ordinance making provision in this fashion, in this case, where there was time to take it to parliament, is a fraud on the Constitution of India.
Sanjay Hegde, Senior Advocate, Supreme Court of India 

Among other reasons, an ordinance can be challenged on grounds that it was passed in bad faith. For instance, if it can be demonstrated that it was to the benefit of an individual or entity, Girish Godbole, senior advocate at Bombay High Court, told Bloomberg Quint. In the past, ordinances have been challenged on grounds that there was no grave urgency but usually, there is a prima facie presumption that the legislation is valid, he added.

Very often, the ordinance converts into an Act in the midst of a challenge, which makes the process infructuous, he said.

Design Of The Ordinance?

In September last year, the Supreme Court held parts of the Aadhaar Act as unconstitutional. The most controversial among them was section 57 which allowed the use of Aadhaar number for establishing identity for any purpose by the state or any corporate or person pursuant to any law or contract.

The Supreme Court struck down a part of this provision that gave private persons and entities access to Aadhaar pursuant to a contract. The order stated that “any purpose” is susceptible to misuse and can only be a purpose backed by law. It also found that allowing any corporate or person to use Aadhaar for authentication, especially on the basis of a contract between the corporate and an individual, would enable commercial exploitation of private data and hence is unconstitutional.

Since the ordinance now makes way for "commercial exploitation", can its constitutionality be challenged on grounds that the government is allowing something that the apex court had barred?

Hegde said that this ordinance directly undoes the prior ruling of the Supreme Court and there are great doubts whether legislative power can be used to undo a judicial finding. There are many precedents to say that when there is a direct judgement on the line, you cannot use your legislative powers to undo it, he added.

But not everyone is convinced that the apex court had put an absolute bar on use of Aadhaar by private entities.

It could be argued that Section 57 was only an enabling provision, Sajai Singh, a technology law partner at law firm J Sagar Associates, told Bloomberg Quint. The definition of "requesting entity"—the entity which can access Aadhaar data—is all-encompassing and includes private companies and individuals. This, read with Section 8, the primary provision which allows parties to authenticate data through Aadhaar number, provides the authority to private companies to access Aadhaar data, he said.

The issue of whether private companies may obtain, use and process Aadhaar data by virtue of Section 8 is still open to constitutional challenge.
Sajai Singh, Partner, J Sagar Associates

Private Entities: Who will benefit?

This challenge is for another day. For now, the ordinance paves the way for use of Aadhaar by private entities as long as it’s voluntary. This voluntary use could either be for authentication or offline verification.

Allowing voluntary use of Aadhaar is perhaps the best way forward to balance the needs of business and ensuring an individual’s constitutional freedoms, Anand Bhushan, partner at law firm Shardul Amarchand Mangaldas, told Bloomberg Quint. This development is crucial since identification and KYC norms are the regulatory foundations of the new digital India and the key is to balance this access with privacy protections, he said.

Stephen Mathias, Partner, Kochhar & Co. pointed out that this is only an interim solution.

While this Ordinance would act as a breather for the banking and payments industry, the issue is still not settled because ultimately, the law must be passed by the Parliament. Doing so as a money bill could lead to another Constitutional challenge. So this is really only a stop-gap measure.
Stephen Mathias, Partner, Kochhar & Co.

It is one which has been achieved by changes to the Indian Telegraph Act and the Prevention of Money Laundering Act. This would allow telecom companies and reporting entities (a banking company, financial institution, intermediary or a person carrying on a designated business or profession) under the act to access Aadhaar infrastructure.

To further distinguish the access, only banks can authenticate identities using Aadhaar. The rest can only use the offline verification system, which includes offline e-KYC and systems like QR code. According to the Unique Identification Authority of India, information which companies can access through the offline verification route includes name, address, photo, gender, date of birth, mobile number and email ID.

According to the ordinance, all ‘reporting entities’ apart from banks can avail authentication services only if they are permitted by the central government. The list of ‘reporting entities’ under the PMLA is quite broad and extensive and therefore a large number of private entities will be entitled to avail offline verification services and, if permitted by the Central Government, authentication services as well.
Ganesh Prasad, Partner, Khaitan & Co

However, in both instances neither the core biometric information nor Aadhaar number in respect of an individual can be stored by such entities.

But experts point out that at present there is only one alternative to Aadhaar, which is the passport. Since only a small fraction of Indian citizens actually own a passport (as little as 5.5 percent by some estimates), the fact that Aadhaar is ‘voluntary’ is ironic.

Adequate Safeguards?

The ordinance states that a ‘requesting entity’ can perform authentication if:

  • It complies with standards of privacy and security issued by the Aadhaar regulator UIDAI.
  • It's permitted under other laws made by the parliament, now under PMLA and Telegraph Act.
  • It seeks authentication for the purposes determined by the central government.

To safeguard the interests of individual citizens, such an entity, private or public, must inform the Aadhaar number holder of alternate and viable means of identification. Services cannot be denied for refusing to or being unable to undergo authentication by Aadhaar. An individual will have the option to voluntarily establish his identity by using the Aadhaar number, but only after giving informed consent.

Mandatory Aadhaar number authentication can only be undertaken pursuant to any law made by the parliament.

Since the ordinance sets out conditions such as ensuring that all demographic information or photographs collected may be utilised only for the purposes under the original Act, this increases the responsibility on companies collecting data but some concerns still remain, Singh said.

The ordinance also envisages offline verification by means of a QR Code. There is potential of a conflict with data protection and privacy here; especially since a QR Code may be used by persons other than the Aadhaar holder.
Sajai Singh, Partner, J Sagar Associates

In addition to the safeguards listed above, Bhushan added that an extensive chapter on civil penalties, their adjudication and the appeal process regarding violations of the Aadhaar Act by entities in the Aadhaar ecosystem will go far to achieve adequate protection from misuse of data. The fact that the draft data privacy bill has made substantial progress will further bolster the ecosystem once enacted, he said.

The stiff penalties put in place by the ordinance are likely to be a deterrent as well. For instance, failure of an entity to comply with the Aadhaar Act would attract a penalty of Rs 1 crore, in addition to up to Rs 10 lakh per day in case of continuous contravention.

Offences like tampering with data, destroying, deleting or revealing relevant information would attract imprisonment of up to 10 years as opposed to the earlier 3 years.