Thursday, July 21, 2016

Privacy concerns in the Aadhaar Act, 2016

by Vrinda Bhandari and Renuka Sane.

On 23rd March 2016, the Government of India enacted the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 ("Aadhaar Act"), touted as India's biggest welfare legislation. The Act aims at the targeted delivery of subsidies, benefits, and services by providing unique identity numbers based on an individual's demographic and biometric information. The passage of this Act has been controversial, especially since the Lok Sabha rejected the amendments passed by the Rajya Sabha. Given the magnitude of data collection about individuals that would arise under the Aadhaar system, the law needs strong safeguards about privacy. In this article, we review the law from the viewpoint of concerns about privacy.

In this task, we use the conceptual framework that was constructed in our previous three articles: Protecting citizens from the State: The case for a privacy law (16 February 2016), Elements for the proposed privacy law (9 March 2016) and Analysing the Information Technology Act (2000) from the viewpoint of protection of privacy (18 March 2016). In these articles, we have set up an eight-fold path for evaluating laws from the viewpoint of privacy, which (in turn) builds on the nine privacy principles of Notice, Consent, Collection and Purpose Limitations, Access and Correction, Disclosure, Security, Openness, and Accountability. In this article, we use this approach to think about the Aadhaar Act, 2016.

Component 0: Objective of the law

By virtue of the large-scale and centralised collection, storage and use of an individual's demographic (e.g. name, date of birth, address) and biometric (e.g. iris scan, fingerprint, photograph etc.) information, the Aadhaar Act has great privacy implications. However, the Aadhaar Act does not consider privacy as one of its objectives. The word privacy does not even find mention in the Act. In fact, even the government's arguments in the Supreme Court during the challenge to Aadhaar make it clear that it (and therefore, the Aadhaar Act) does not view privacy as a fundamental right. Thus, while the text of this law is better than the UPA's 2010 draft, it is weak on privacy.

Component 1: Value of personal data

While the Aadhaar Act, on first blush, seems to understand the value of the information it collects, it is not underpinned by an understanding of the right to privacy. As discussed before, laws are shaped by the value we place on personal data, and function on an underlying premise of privacy being valuable in and of itself. However, the Aadhaar Act lacks any understanding or articulation of the importance of privacy of personal data. Privacy considerations in the Act appear to be a minor afterthought, especially when juxtaposed with the needs of 'national security' which is given prominence in the Act.

Component 2: Scope and ambit of the law

The scope of the Aadhaar Act is a bit unclear since the working of key provisions has been left to regulations that are to be notified in the future. For instance, Section 2(g) of the Act defines 'biometric information' to mean photograph, finger print, iris scan, or such other biological attributes of an individual as may be specified by regulations. It is thus possible that DNA can be included under this definition, and become part of a centralised government database. The consequences of DNA-based profiling and its potential misuse are terrifying.

The Act oddly defines 'core biometric information' in Section 2(j), which is the same as biometric information, except that it excludes photographs.

Another example of the lack of clarity is found in Section 23(2)(k), which permits the Unique Identification Authority of India ("UIDAI") to share information about individuals in such manner as may be specified by regulations.

Similarly, Section 29(2) permits the sharing of identity information, other than core biometric information, in such manner as may be specified by regulations. Even more worryingly, Section 29(4) permits the publication and display of an individual's core biometric information or Aadhaar number for purposes as may be specified by regulations.

Together, these examples undermine the idea of a watertight database that will be used exclusively by the government for the purposes of giving subsidies, benefits or services. Even if the first wave of subordinate legislation is drafted with thought and care, the Act leaves the possibility of future changes to these rules and regulations in ways that undermine privacy.

Component 3: Coverage

The Aadhaar Act justifies the collection, storage, and use of personal data on the premise that it is a "condition for receipt of a subsidy, benefit or service", as stipulated under Section 7 of the Act. Thus, the Act is portrayed as covering (or regulating) only the interactions between the State and its residents.

However, a closer look reveals that under Section 57, the Act also facilitates interactions between private parties and residents of India by allowing "body corporate" to use the Aadhaar number for their own purpose. This raises concerns about violations of privacy when UIDAI shares data with private entities.

For instance, TrustID is an app that allows the user to verify any individual using their Aadhaar number, and offers a range of services including pre-employment, credit background, tenants, business partners, employers, and property owners' verification. It is not clear that the information access by TrustID is taking place in ways that protect the privacy of individuals. As Usha Ramanathan notes, many private companies have begun the process of trying to expand and leverage the uses of Aadhaar. The use of Aadhaar by a large number of private persons has long been touted as a contribution of the Aadhaar system to the Indian economy. There may be many conflicts about privacy in this process of expansion.

These applications suggest that the Aadhaar system will not be narrowly limited to the applications described in Section 7. The Act potentially covers everyone. It can include all the transactions conducted between an individual and the State in relation to benefits and subsidies; and the transactions between an individual and a corporate entity, where the private entity uses the Aadhaar number for identification and authentication.

The expanded scope of coverage, along with the absence of privacy protection, implies that this Act has reduced the overall privacy protections enjoyed by residents in India - whether in their interactions with the State to access subsidies/benefits or in their interactions with corporate entities.

Component 4: Collection and retention of personal data

With regard to data collection and its retention, it is important to provide an opt-in/opt-out clause to users, as this is consistent with the 'Choice and Consent' principle. This is particularly important in the Aadhaar Act, given our ownership over our own personal (demographic and biometric) data and the pervasiveness of our biometric data (e.g. we leave our fingerprints wherever we go).

The Aadhaar Act does not provide an opt-out clause, wherein Aadhaar number holders can choose to leave the system (and forego all its benefits) and ensure that their identity information is permanently removed from the Central Identities Data Repository.

Mr. Jairam Ramesh proposed an amendment to Clause 3 of the Bill in the Rajya Sabha, allowing a person to 'opt out' even if they had already enrolled, with the consequence that their authentication, biometric, and demographic information would be deleted from the system within 15 days. Although passed by the Rajya Sabha, the amendment was rejected by the Lok Sabha.

The absence of an opt-out clause is closely related to the issue of retention of personal information inasmuch as there are no time limits for the retention of data. This is unwelcome in light of the inherent non-revocability of biometric information and the fact that traces of our biometric data, for instance fingerprints, are left everywhere.

Component 5: Use and processing of data

The principle of 'Purpose/Use Limitation' is lacking in the Act. For instance, Section 33(2) carves out an express exception to Section 29(1)(b)'s stipulation of "using" core biometric information for any purpose other than generation of Aadhaar numbers and authentication under this Act if it is in the interest of [undefined] 'national security'.

Section 3(2) and Sections 8(2)(b) and 8(3) of the Act require the enrolling agencies to inform the individual about the manner in which their information shall be used and shared and ensure that their identity information is only used for submission to the Central Identities Data Repository.

At first blush, thus, the Act seems to incorporate principles of 'Purpose Limitation', especially since Section 41 imposes a penalty on the requesting entity for non-compliance. However, the lack of an effective enforcement mechanism, as discussed later, undermines these provisions. For instance, the Act does not detail how an Aadhaar number holder can escalate the issue (since only the UIDAI can file a complaint) or what standard will be used to determine whether the requesting entity has provided the information in a clear and suitable manner.

Further, the Aadhaar number holder's identity information can be used both by the State and body corporates, without any further regulation governing the use by third parties.

Component 6: Sharing and transferring of data

This component of privacy design focuses on the 'Disclosure' principle, namely the sharing of personal data with third parties. In the case of Aadhaar, this entails the identity information of the Aadhaar number holder. One of the most controversial sections of the Aadhaar Act is Section 33, which provides for the disclosure of information, including identity information or authentication records, under certain circumstances.

Section 33(1) permits the disclosure of such information pursuant to a judicial order by a Court not inferior to that of a District Judge. Nevertheless, the proviso only requires a hearing to be given to the UIDAI, and not to the Aadhaar card holder, whose information is being disclosed. Consequently, this deprives the individual of their essential right to be heard.

Section 33(2) is even more controversial because it makes an exception to the security, confidentiality and disclosure provisions on the direction of the Joint Secretary in the interest of national security. Such a direction has to be reviewed by a three member 'Oversight Committee', consisting of the Cabinet Secretary, the Secretary of the Department of Legal Affairs and the Secretary of the Department of Electronics and Information Technology. The second proviso further provides that such a direction shall be valid for three months, after which it can be reviewed and extended every three months. This is problematic for various reasons.

  1. As Mr. Jairam Ramesh and Mr. Sitaram Yechury noted while moving an amendment to Section 33(2), "national security" is an undefined term, and thus there is no transparency concerning covert surveillance. Consequently, the Rajya Sabha passed an amendment to replace the phrase "national security" with "public emergency or in the interest of public safety" (as is present in the Telegraph Act dealing with wiretapping). Unfortunately, this amendment was rejected by the Lok Sabha, and Section 33 remained as is.
  2. The scope of Section 33 is vague and it seemingly permits, and even facilitates, the furnishing of personal information to any third party, if it is in the interest of 'national security'.
  3. The Oversight Committee is basically a committee of three Executive nominees. Thus, the possibility of effective oversight remains low. 

Component 7: Rights of users

As discussed previously, the right to access and correct one's own information, the right to data breach notification, and the right to data portability are extremely important from the perspective of the user.

Unfortunately, the Aadhaar Act does not grant these rights to the Aadhaar number holder. With respect to the right of access, it is instructive to examine the proviso to Section 28(5) of the Act, which states that an Aadhaar number holder may "request" (not demand) the UIDAI to provide access to her identity information. Nevertheless, the proviso excludes requests for her core biometric information.

It is unclear what the powers of the UIDAI are to accept or deny such a request or why a carve out has been made to restrict access to one's own finger print/iris scan, especially considering they can be wrongly entered in the system, as has been documented in Rajasthan (where the biometric information of potential food ration beneficiaries did not match the data stored on the Aadhaar servers).

Correction or change of demographic information (e.g. on getting married) or biometric information is governed by Section 31 of the Act, which requires the Aadhaar number holder to "request" (not demand) the UIDAI to alter such information in their records. The section states that the UIDAI, on the receipt of such a request, "may, if it is satisfied" make such changes. It is unclear what the standard for such "satisfaction" is, and the Act does not prescribe any statutory penalty or means for judicial redress for the delay/failure to act. Given the centrality of the Aadhaar number in linking various databases and services, such truncated rights of access and correction are worrying.

The Aadhaar Act also fails to prescribe 'data breach notification' requirements, mandating the UIDAI to inform an individual, the Aadhaar number holder, that their identity (biometric and demographic) information has been shared or used without their knowledge or consent. Similarly, there is no concept of 'data portability' since information cannot freely be transferred amongst different service providers, since there are no alternatives to the UIDAI.

Component 8: Supervision and redress mechanisms

Effective supervision and redress mechanisms require individuals to be informed when there is a breach of confidentiality or disclosure of their personal information.

Section 47 of the Act prescribes that only the UIDAI or its authorised officer can file a criminal complaint under the Act. Thus, all the criminal penalties prescribed under the Act (e.g. for disclosing identity information under Section 37 or for unauthorised access to the Central Identities Data Repository under Section 38) can only be initiated by the UIDAI, and not the aggrieved Aadhaar number holder.

Consequently, even though the Act prescribes civil and criminal remedies for unauthorised access, use, or disclosure by the prescribed authority, the criminal remedy is not available to the aggrieved Aadhaar number holder. Such a person only has recourse to civil law, and the fines prescribed under the Act.

Unfortunately, a conjoint reading of Sections 28 and 47 of the Act discloses the possibility of conflict of interest since it may be in UIDAI's interest to cover up breaches of privacy. Without the UIDAI's proactive action, an individual Aadhaar number holder is left without remedy.

Section 30 of the Act treats biometric information as "sensitive personal data or information", as understood in Section 43A of the Information Technology Act. The treatment of such information under the IT Act has been dealt with in detail in our previous post. The IT Act itself fails to handle sensitive personal data or information in ways that embed privacy concerns.

Finally, as discussed in the sections above, the supervision mechanism for one of the Aadhaar Act's most controversial sections (Section 33) is the constitution of an 'Oversight Committee'. This Committee is tasked with reviewing the disclosures made in the interest of 'national security', and thus serves to fulfill the 'Accountability' and 'Security' principles of privacy law. However, this three member Committee comprises three government bureaucrats, especially after the Lok Sabha rejected the Rajya Sabha amendment to include either the CVC or the CAG as part of the Committee.


In this group of four articles, we have established a systematic eight-fold path for analysing laws from the viewpoint of concerns of privacy. We have used this framework to analyse two laws: The IT Act, 2000, and the Aadhaar Act, 2016. Both these laws have important failures in enshrining privacy. These laws thus hamper India's emergence as a mature democracy.

Vrinda Bhandari is a practicing advocate in Delhi. Renuka Sane is a researcher at the Indian Statistical Institute, Delhi.

1 comment:

  1. Sadly, I'm writing this after signing up for Aadhaar at my office. There's a company EGSol who's facilitating Aadhaar process today. The pressure for creating an Aadhaar card is just about everywhere. I hope you get the privacy issues amended in Section 33. All of this is very creepy.

