The Rajya Sabha has listed The Aadhaar and Other Laws (Amendment) Bill, 2018 for consideration and passage in the budget session of February 2019. Whether it will indeed be taken up, or whether it will merely lapse and require reintroduction in the next Parliamentary session hosted by the new government, remains to be seen. In any case, developments related to this law have been closely watched by banking entities, telecom companies, fintech businesses and activists.
So, why have amendments to the bill been such a contentious issue and how does it really impact us as citizens?
The main grouse regarding the bill was that the changes proposed in it were not discussed with clarity in the Parliament. Many sections that are in conflict with the Supreme Court’s Aadhaar judgment needed to be discussed in a joint parliamentary panel. However, such a panel was never constituted, and the bill was passed in the Lower House as the government enjoyed an absolute majority.
Amendments: Offline verification, opting out and more
The original Aadhaar bill has now been modified to add definitions of entities associated with Aadhaar and of terms not previously clarified by the Act. The amended bill introduces the concept of ‘offline verification’, which will help those who cannot authenticate by biometrics. It is defined as the process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by regulations.
Another addition is that of the “Aadhaar ecosystem” – which includes “enrolling agencies, Registrars, requesting entities, offline verification-seeking entities and any other entity or group of entities as may be specified by regulations;…”
The amendment enables the Unique Identity Authority of India (UIDAI) to issue other forms of virtual identities. Under Section 3, in addition to the existing three clauses, a fourth clause has been added. It reads:
(4) The Aadhaar number issued to an individual under sub-section (3) shall be a twelve-digit identification number and any alternative virtual identity as an alternative to the actual Aadhaar number of an individual that shall be generated by the Authority in such manner as may be specified by regulations. (emphasis added)
With the amendment, a child attaining majority can opt out of Aadhaar. Newly added Section 3A says that the consent of parents or the guardian is necessary for the enrollment of a child. A child, within a period of six months of attaining the age of eighteen years, can give an application to the Authority for cancellation of his Aadhaar number. A child cannot be denied subsidies, benefit or service in case of failure to establish his identity by undergoing authentication, or furnishing proof of possession of Aadhaar number, or for not having an Aadhaar number.
The amendment also lays down the procedure for resolution of civil disputes related to the issue, through an Appellate Authority and Adjudicating Officers. Impersonation or disclosure of their identity or other cases can now be heard by the courts.
All of the above appear to be steps in the positive direction and yet, there are many clauses that have created concern among sections of people. Primary among them are the clauses related to disclosure of information, privacy and security concerns.
Power to control and change rules
In section 4 of the principal Act, sub-section (3) has been substituted by the following sub-sections:
(3) Every Aadhaar number holder to establish his identity, may voluntarily use his Aadhaar number in physical or electronic form by way of authentication or offline verification, or in such other form as may be notified, in such manner as may be specified by regulations.
Explanation.—For the purposes of this Section, voluntary use of the Aadhaar number by way of authentication means the use of such Aadhaar number only with the informed consent of the Aadhaar number holder.
(4) An entity may be allowed to perform authentication, if the Authority is satisfied that the requesting entity is—
– (a) compliant with such standards of privacy and security as may be specified by regulations; and
– (b) (i) permitted to offer authentication services under the provisions of any other law made by Parliament; or (ii) seeking authentication for such purpose, as the Central Government in consultation with the Authority, and in the interest of State, may prescribe.
(5) The Authority may, by regulations, decide whether a requesting entity shall be permitted the use of the actual Aadhaar number during authentication or only an alternative virtual identity.
(6) Every requesting entity to whom an authentication request is made by an Aadhaar number holder under sub-section (3) shall inform to the Aadhaar number holder of alternate and viable means of identification and shall not deny any service to him for refusing to, or being unable to, undergo authentication.
(7) Notwithstanding anything contained in the foregoing provisions, mandatory authentication of an Aadhaar number holder for the provision of any service shall take place if such authentication is required by a law made by Parliament.
These clauses are akin to a wild card entry for the government: they give enormous power to the Parliament to make any law in future that makes Aadhaar compulsory for anything the State desires. A majority government can easily manipulate the laws without consulting anyone or putting them up for consideration before joint parliamentary committees.
The section lets the UIDAI decide who can authenticate the services and whether or not that agency can be given access to one’s original Aadhaar number. This brings back the fear of exploitation of Aadhaar data by private entities for commercial and other purposes.
Though there is a clause on “privacy and security” in this section, India doesn’t have a data protection bill yet; therefore, illegalities can take place before that law comes into effect, especially since a large majority of Indians already have Aadhaar.
Ground rules for offline verification
Newly added Section 8A in the amendment bill lays down ground rules for offline verification, where biometric authentication is excluded. The verifying agency must obtain consent and seek documents to verify the person, but shall not take biometric data or misuse the data collected for other purposes.
This addition, however, does not rule out verification through OTP during the process, as the definition of authentication in the entire bill is limited to biometric authentication.
Sharing of Aadhaar information in ‘certain cases’
Section 29 of the bill prohibits the use of Aadhaar data for other purposes. It stipulates that no Aadhaar number or core biometric information can be published, displayed or posted publicly. But it does not stop sharing of other information. There is nothing in the amendment to address this issue.
In contrast, Section 33 makes it mandatory to share the information, including Aadhaar number and core biometric information, upon an order by a judge equal to or above the rank of High Court judge, issued after hearing the concerned Aadhaar number holder. This gives the aggrieved a chance to defend himself/herself, which wasn’t there in the original bill.
But none of the rules in Section 29 will apply to the disclosure of information, including identity information or authentication records, in cases related to national security. A direction by an officer, not below the rank of a Secretary to the Government of India, authorised by the central government is needed for such disclosure. An article by The Quint points out that it would be unconstitutional in the absence of judicial oversight, and is likely to be struck down by the courts.
Such directions are subject to review by the Oversight Committee. This Committee will have the Cabinet Secretary, Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology. But core biometric information shall not be disclosed under this sub-section, says the new amendment.
Enabling banks and telecom companies to seek Aadhaar
The original act had a contentious Section 57, which allowed mobile phones and banking entities to seek Aadhaar for verification. While that has been struck down, the amendments to the Indian Telegraph Act, 1885 and Prevention of Money-laundering Act, 2002 make Aadhaar the only alternative that can be given to telecom and banking companies. This is because the amendment in both the above acts stipulates Aadhaar, passport or “use of any other officially valid document or modes of identification as may be notified by the Central Government in this behalf.”
In 2017, only 5.5% of Indians had passports, while Aadhaar penetration in India is above 90%. This makes Aadhaar the most easily available mode of authentication, in this case for private telecom and banking entities. There is no clarity on whether they can accept a voter identity card, PAN card, etc. to verify a person. This is being seen by activists as legalising the use of Aadhaar by private entities, as a response to the points objected to by the Supreme Court.
Basic flaws and concerns around Aadhaar remain unaddressed
A comparison of the original bill with the Amendment bill reveals more changes made during the amendment. However, the main concern of privacy and security of data around Aadhaar remains unaddressed in the amendment. In an event held in January 2019 in Bengaluru organised by the Alternative Law Forum, Dr. Usha Ramanathan, an activist who has been highlighting the problem with the Aadhaar bill, shared her concerns.
She explained how an entire fintech ecosystem was built around Aadhaar data. Personal data is now being treated as a national resource and is becoming part of the national economy. The fine for failing to comply with Aadhaar act norms is Rs 1 crore, she pointed out.
She also explained the conflicts of interest that are seen everywhere in Aadhaar-based systems and their architects. The bill says that “The Chairperson or a Member on ceasing to hold office for any reason, shall not, without previous approval of the Central Government,—(a) accept any employment in, or be connected with the management of any organisation, company or any other entity which has been associated with any work done or contracted out by the Authority, whether directly or indirectly, during his tenure as Chairperson or Member, as the case may be, for a period of three years from the date on which he ceases to hold office.” However, in reality, the system is marred by conflicts of interest, she pointed out.