A young man balances on a tightrope in Rio de Janeiro. (Photographer: Dado Galdieri/Bloomberg)

Is Government Walking A Thin Line With Proposed Amendments To Aadhaar Law?

The government introduced an amendment legislation in Lok Sabha that will allow private entities to use Aadhaar. The bill, which will pave the way for voluntary use of the biometric database to establish identity, proposes several changes to the Aadhaar Act, the Indian Telegraph Act, 1885 and the Prevention of Money-Laundering Act, 2002.

The government has come up with a creative way to not fall afoul of the Supreme Court’s judgment on Aadhaar while allowing use by private entities, Rahul Matthan, head of technology partner at law firm Trilegal, said. But Supreme Court advocate Vrinda Bhandari argued that the creative way is still aimed at using private data for commercial exploitation, something that the apex court had clearly barred.

Proposed Amendments

Offline Use By Private Entities

The definition of Aadhaar is proposed to not only include an identification number but also ‘any alternative virtual identity’. A new definition—‘Aadhaar ecosystem’—has been introduced and it will include enrolling agencies, registrars, requesting entities, offline verification-seeking entities, etc. Offline verification is proposed to be the process of verifying the identity of the Aadhaar-number holder through specified offline modes.

Read together, the amendments to the definitions would mean that private entities, such as banks and telecom service providers, will be able to do e-KYC using offline authentication tools like a QR Code. In April last year, the UIDAI had updated the QR Code on Aadhaar cards to not only include the demographics of a holder but also her photograph and a UIDAI digital signature. After the apex court struck down use of Aadhaar by private entities, the UIDAI CEO suggested QR Code as a good option for private entities or individuals who wished to continue using Aadhaar.

(Source: UIDAI)

Through the proposed amendment in the Aadhaar Act, the government is giving the offline verification the same level of importance as the Aadhaar number itself, Matthan said. This is important, he explained, to ensure that the access to the Aadhaar infrastructure by private entities is reduced, along the lines of the Supreme Court judgment. But this isn’t foolproof either, Matthan said.

The challenge with offline verification is that a QR Code can be used by anyone. I can pick up someone’s Aadhaar card and the QR Code and use it—there’s no log of the fact that your identity has been authenticated. So, it’s less robust when compared to authentication using UIDAI’s Central Identities Data Repository. 
Rahul Matthan, Partner, Trilegal

But it’s certainly a better form of identification that anything else, he added. For instance, even an original driving licence can be forged but the QR Code is digitally signed which tells the authenticating entity that the information has been encoded by the UIDAI.

The offline QR mechanism is perfectly compliant with the Supreme Court judgment which said it’s unconstitutional for private entities to access the Aadhaar authentication infrastructure. The offline verification, as defined in the proposed amendment, doesn’t give private entities this access. 
Rahul Matthan, Partner, Trilegal

Bhandari, however, emphasised that the proposed amendments to the Telegraph Act and PMLA specify Aadhaar authentication as a means to confirm identity. This would allow telecom companies and reporting entities—banking company, financial institution, intermediary or a person carrying on a designated business or profession—under PMLA to access Aadhaar infrastructure. “One would argue that this is commercial exploitation,” she said.

To be clear, the amendments to the Telegraph Act and PMLA also propose offline verification, passport or any other officially valid document prescribed by the government as means to identify oneself.

Online Use By Private Entities

The amendment bill proposes to delete section 57 from the Aadhaar Act. Section 57 permits the use of Aadhaar number for establishing identity for any purpose by the state or any corporate or person pursuant to any law or contract. It was partially struck down by the Supreme Court as unconstitutional to the extent that it allowed private entities to use Aadhaar for authentication purposes.

The order stated that “any purpose” is susceptible to misuse and can only be a purpose backed by law. It also found that allowing any corporate or person to use Aadhaar for authentication, especially on the basis of a contract between the corporate and an individual, would enable commercial exploitation of private data and hence is unconstitutional.

By deleting section 57 from the principal Aadhaar Act, the government has made all these reflections of the apex court infructuous, Matthan said. He pointed out that by introducing the concept of ‘Aadhaar ecosystem’ which includes private entities and retaining the definition of requesting entity, which again is not limited to government entities, the amendment seeks to allow online use of Aadhaar infrastructure by private entities.

Online use will be allowed as long as it’s backed by law, which is why they have proposed amendments to the Telegraph Act and PMLA, Matthan said.

Complaints By Aadhaar Holders

In line with the apex court’s judgement, the proposed amendments make way for Aadhaar number holders to file a complaint before the court if the provisions of the law are violated. For instance, if the identity information of an individual is intentionally disclosed during enrolment or authentication or if there’s unauthorised use by a requesting entity.

Disclosure of Information: Exceptions

Section 33(1) of the Act allows disclosure of Aadhaar information in certain cases, such as pursuant to a district court’s order and after giving the UIDAI an opportunity to be heard. The amendment proposes to change the approval from a district judge to a high court judge, bar the disclosure of core biometric information and give the Aadhaar number holder an opportunity to be heard as well.

Section 33(2) restricts confidentiality of Aadhaar data in cases of national security if so determined by any officer not below the rank of joint secretary. This is now proposed to be determined by an officer not below the rank of secretary.

Bhandari pointed out that here too, the directions of the apex court in the Aadhaar judgment have not been incorporated since there’s no scope for judicial scrutiny. The Supreme Court had held that any breach of confidentiality can be done only on the orders of a very senior government officer (higher than joint secretary) along with a sitting high court judge.