The Aadhaar Amendment Bill was pushed through the Lok Sabha on Friday — without any debate or discussion. Many of the MPs who may have wanted to debate the issue were not even present in the House, following the ruckus and the focus on the Rafale deal controversy.
Since the Aadhaar system has been the subject of extensive debate in the last few years — with two detailed judgments being passed by the Supreme Court (SC) on various aspects and concerns — activists and analysts have pointed out that the new bill may create loopholes through which the government could bypass the SC verdict that had restricted use of Aadhaar authentication.
The fact is that the country still does not have a data protection law, even though the Justice Srikrishna Committee gave a detailed report on the need for such a law, particularly when dealing with Aadhaar and biometric data.
Here is a short analysis of the proposed Aadhaar Amendment Bill and how it can be interpreted in light of the recent SC judgment.
Alternative virtual identity
In the Aadhaar definition (Section 2 clause (a), and also Section 3 clause (4)), an “alternative virtual identity” generated by the UIDAI has been added alongside the 12-digit Aadhaar enrolment number, for use when the "requesting entity" asks for verification.
Area of concern: Under section 4, clause 5, the Amendment act leaves it to the “Authority” to decide — by framing regulations under section 54 of the Act — “whether a requesting entity shall be permitted the use of the actual Aadhaar number during authentication or only an alternative virtual identity.” The rules on what a "virtual identity" would be, how it would be used, or even who can use it are not defined.
Children can opt out
This was one of the main issues highlighted by the Supreme Court judgment, along with the issue that Aadhaar enrolment could not be made mandatory — even for those who had been enrolled as minors by their parents or guardians. Section 3A introduced in the Amendment allows a person who was enrolled in the Aadhaar system as a child to file an application to cancel their Aadhaar enrolment within six months of turning 18.
Area of concern: While the provision allows a child to opt out of Aadhaar on turning 18 years of age, Aadhaar will still be required for those who want to avail any benefit or subsidy from the government. Further, there is no provision to allow an adult to request cancellation of their Aadhaar enrolment.
Instead of a biometric authentication of Aadhaar number, offline verification using the Aadhaar number has been introduced. Under the present Act, only the online biometric or number verification can be done.
After the Supreme Court verdict said that mandatory linking of Aadhaar is unconstitutional, the bill makes the use of Aadhaar on a voluntary basis an option — but it has left it to the UIDAI to create regulations on who can conduct Aadhaar authentication or offline verification and how it will be done.
Area of concern: Section 4 clause 4 of the Amendment Bill includes the term “an entity” which can be permitted by the UIDAI to perform Aadhaar authentication if it fulfills certain criteria:
1.) If the “entity” complies with standards of privacy and security as specified — there is no data protection law or regulations in place in the country at this stage.
2.) If permitted to perform Aadhaar authentication under any other law passed by Parliament — this raises concerns since the Supreme Court had specifically struck down mandatory Aadhaar linkage under the Prevention of Money Laundering Act (PMLA) and Telegraph Act for banks and mobile phones, and had specified that the Aadhaar Act is for providing benefits and services from the Consolidated Fund of India. The Court had however allowed Aadhaar linking to Income Tax as “legitimate” due to concerns regarding tax evasion.
3.) If the entity seeks authentication for a purpose prescribed by the central government in consultation with the UIDAI “in the interests of the State” — this is a broad phrase under which rules can be framed. This could lead to the Center and the UIDAI permitting Aadhaar authentication or verification for various services and even by private entities.
Activists and lawyers also point out that “an entity” in this clause can include private companies if the government permits them to authenticate Aadhaar. The earlier provision for allowing private entities to conduct Aadhaar authentication had been struck down by the Supreme Court.
Aadhaar as purely voluntary for KYC under the Telegraph Act and under PMLA for Banking and financial services
Even though the Supreme Court struck down mandatory Aadhaar linking for KYC of mobile phone connections, and under PMLA for Bank accounts, the Aadhaar amendment specifies that customers can choose Aadhaar authentication, offline verification or their passport or any other form of identification that is allowed by the government.
The amendment proposed for the PMLA also recognises that “other reporting entities” that are not banks — i.e., financial institutions — cannot ask for Aadhaar authentication but can use offline verification or other forms of ID.
Area of concern: Even earlier when the Aadhaar-mobile linking was introduced, telecom companies and the government advertised Aadhaar as "mandatory" and millions of users linked phones with Aadhaar, despite a stay order from the Supreme Court. Most service providers use Aadhaar online authentication as a “faster” way to get a phone connection, while it takes up to 48 hours to get a connection using any other form of identity proof.
The amendment under PMLA is also slightly unclear since it allows banks to conduct Aadhaar authentication in addition to other forms of identity, which goes against the SC verdict that allowed Aadhaar authentication only for access to government subsidies and services. Also, private banks would come under the definition of "banking services".
Further, the PMLA provision says that “other reporting entities” could also be given access to Aadhaar authentication if they comply with privacy and security standards.
This is an area of concern since it could be used to allow private service providers to access Aadhaar authentication.
The Bill also introduces civil penalties for violating Aadhaar norms and illegal access to data under chapter 6A added by the Amendment Act.
The proposed Section 33A says that a civil penalty of up to one crore rupees may be imposed on an entity for violating Aadhaar norms. Also, for each additional violation by the same entity, an additional penalty of up to 10 lakh rupees per day may be imposed if violation of the rules continues.
The inquiry for such violation will be conducted by a Joint Secretary or higher level officer appointed by the UIDAI.
Area of concern: Any person whose identity has been compromised cannot file a civil complaint — only the UIDAI can initiate a complaint about the violation, and the inquiry will be conducted by the UIDAI appointed official. Appeals can be filed before the Telecom Disputes Settlement and Appellate Tribunal by the entity on whom the fine has been imposed. However, only the UIDAI can file an appeal if the adjudicating officer takes a decision in favour of the entity.
Also, no complaint can be filed before a civil court. Only the Supreme Court can hear appeals against the order of the Tribunal.
Enhancement of criminal penalties
Criminal complaints can be filed by a person whose identity has been violated. Under Sections 38 and 39, which prescribe punishment for corrupting data or accessing the central data repository, or for denying services, the punishment has been enhanced from a maximum of three years to a maximum jail term of 10 years. Under Section 42, punishment has been enhanced from a maximum of one year to a maximum of three years.
Also, in what will come as a relief to activists, the amendment in section 47 proposes to allow a person whose identity is violated to approach a criminal court to file a complaint under sections 34 (impersonation), 35 (appropriation of identity to change information), 36 (unlawful collection of Aadhaar data), 37 (disclosure of identity related information), 40 (using identity information for other purpose) and 41 (violation by enrolling agency).
Area of concern: All these offences are bailable and carry a jail term of a maximum of three years. Activists had raised concerns about the danger of identity theft and violations. Stricter penalties have been imposed only under sections 38 and 39, for unauthorised access or leaking or distribution of data from the central data repository.
Complaints under 38 and 39 can only be made by the UIDAI.
Surveillance and national security
Disclosure of Aadhaar data under section 33(1), including authentication of records, can now be done only on the orders of a high court judge. The Aadhaar Act had given the power to a district judge to pass such orders. Also, for disclosure on court orders, both the UIDAI and the person whose data is being disclosed will now be given the opportunity for a hearing. Also, the court cannot order disclosure of core biometric information.
Under section 33(2), where the government could order disclosure of Aadhaar data and records “for national security”, the official required to sign off on such a request is now a secretary-level officer, higher than the previous provision of a joint secretary level official.
Area of concern: The Supreme Court had specifically struck down section 33(2) that allowed for disclosure of identity “for national security” and had said there has to be “involvement of a judicial officer, preferably a High Court judge” before such an order could be passed.
This suggestion has been ignored.
The national security provision also does not allow for any hearing from the UIDAI or the person concerned. It also does not include the provision to protect core biometrics, as has been specified under 33(1).
UIDAI to have its own separate Fund
Section 25 of the proposed amendment says all grants, funds, fees, charges, etc., will be kept in a separate "UIDAI fund". Salaries of UIDAI employees, members and any administrative expenses shall be carried out using this fund.
This keeps the UIDAI financially independent and away from direct government control.
Any entity that conducts offline verification of Aadhaar cannot conduct online authentication. The collection, storage or use of Aadhaar number or biometric data cannot be done by an entity that conducts offline verification.
Area of concern: Since the "offline verification" has been introduced by the amendment, how this will actually be conducted is not clear.