Summary of Aadhar judgement Sep 26

With the introduction of the Aadhar Act in 2016, Aadhar usage has increased significantly, and so have the security concerns associated with it. Many people have filed petitions in the Supreme Court against the government, mainly questioning the process of authentication and the directives on linking Aadhar with various services. Here is a summary of the historic 1500-page Supreme Court judgement dated Sep 26, 2018 on various aspects of Aadhar.

1) Aadhar program gives surveillance capability to government

Requesting entities connect to the CIDR through an ASA, which returns only yes/no information. Additional information (eKYC data: demographic information plus photograph) is passed only to the AUA/KUA.

UIDAI collects only the ASA/AUA device ID, not the IP address or other geospatial information, so the Supreme Court considered that it is not possible to profile an individual on the basis of demographic and biometric information alone. Thus, Aadhar does not enable the creation of surveillance infrastructure.

2) There was no data protection for the information collected under Aadhar program

Data collection in the UK is governed by the principles of consent, purpose, storage and transparency (EU GDPR). The US, on the other hand, follows sectoral privacy principles, i.e. different standards for different sectors (healthcare, banking, insurance etc.). The Supreme Court opined that even though the Aadhar Act contains references to data protection, a detailed analysis of the Act's provisions should be undertaken in line with the data protection standards followed across the world.

3) Unchecked powers to collect necessary information

The Supreme Court believed that demographic information (name, DOB, gender, address) is the standard set of attributes collected for any global ID card. Non-mandatory demographic information, mobile number and email are already available in the public domain, such as in telephone directories. Thus UIDAI is following the principle of data minimisation.

4) Excessive data retention

The Supreme Court suggested reducing the retention of authentication records (which includes the collection of meta information) from the current 5 years 6 months to 6 months. The government was advised to define metadata in the Aadhar Act. Currently, metadata is interpreted as the authentication timestamp, the identity of the requesting entity and the response received.

5) Government is using Aadhar to invade privacy of individuals

The SC opined that not all matters related to an individual qualify as an inherent part of the right to privacy. The government argued that Aadhar data collection is done in public places, so there can't be a reasonable expectation of privacy unless collection is done in private spaces. Though the Supreme Court corrected the government's stance by saying it is the government's responsibility to provide adequate security for the data collection, the apex court opined that the invasion of privacy is marginal compared to the benefits being received by the marginal section.

6) Aadhar is indirectly leading to denial of services for those who can’t get Aadhar

The Aadhar institution was set up with the objective of uniquely identifying beneficiaries who receive a benefit, service or subsidy. The SC judgement backed the government's position that it is not possible to shelve an entire program on the basis of a rejection rate affecting a few. For the greater good of society, certain hardships are to be borne.

7) Aadhar program is violating the rights of children by mandating Aadhar requirement for admissions

a) Children can have Aadhar only with the consent of their parents

b) Children shall be given the right to exit their Aadhar records after attaining majority

c) Education is not a service, benefit or subsidy but a right of children aged between 4 and 14; thus Aadhar can’t be mandated and education can’t be denied for lack of Aadhar

8) Aadhar entrusts the security of its citizens with private agencies at every stage like enrollment, database management

UIDAI ensures that the data collected by a private entity is immediately encrypted and transferred to the CIDR. Further, enrollment agencies were onboarded with a signed MoU, so they are bound by a set of obligations. The SC opined that there was no basis for the security concerns expressed.

9) Aadhar is considered a de facto citizenship, leading to increase of illegal immigration

The government was ordered to take necessary action on this.

10) Aadhar allows sharing of information with authorities

Currently Aadhar allows UIDAI to share information only when directed by a court of capacity not less than district magistrate, or by a Joint Secretary. The SC recommended that the government change the approving authority to a rank higher than JS.

11) Section 57 gives unbridled power for any person to demand Aadhar

Any corporate body or person can make use of the Aadhar authentication process under section 57. The government argued that Aadhar, being an identity card issued to a person, can be used for any other service at the discretion of the individual. However, the petitioners expressed concerns over commercial exploitation of an individual's demographic data through the Aadhar route. Considering the harmful effects on the individual, the Supreme Court ruled section 57 unconstitutional. However, if a person voluntarily wants to offer the Aadhar card as proof of identity, there may not be a problem. The Supreme Court recommended that the government bring in a data protection regime through enactment of the Justice B.N Krishna committee report.

12) Aadhar was introduced as Money bill

Money bills are those whose provisions relate to taxation, settlement of debt etc. SC opined that since main provision is part of

13) Mandatory linking of PAN with Aadhar is unconstitutional

Currently, deduplication of PAN is done with a probabilistic algorithm (PPAN) which uses only demographic information. Ingesting Aadhar data into the PAN database allowed the IT department to deduplicate multiple PANs allocated to the same individual. This has been given legal backing by an amendment of the IT Act (section 139A). Around 33,000 cr of financial transactions were reported to have been carried out by submitting Form 61 (which requires name and Aadhar). Considering that Aadhar linkage with PAN helps the country grow its tax base, the SC allowed PAN linking with Aadhar.

14) Mandatory linking of Bank account with Aadhar is unconstitutional

Rule 9 of the Prevention of Money Laundering Rules requires an individual to give Aadhar and PAN to reporting entities (banks). The apex court opined that nobody keeps black money in a bank account. Though the Supreme Court acknowledged the possibility of opening an account under an assumed name and laundering money through such accounts, considering that the number of people involved in such actions is minimal, mandatory linking of Aadhar with bank accounts is ruled out.

15) Mandatory linking of phone number with Aadhar is unconstitutional

As per section 7 of the Aadhar Act, authentication is mainly meant for providing a subsidy, benefit or service. Mobile phone subscribers need not be consumers of a subsidy, benefit or service. The circular from DOT which requires linking of Aadhar was declared intrusive and unconstitutional.

16) Inadequate data protection and security

Unlike AUAs and ASAs, which are required to have their datacenters in India under Authentication Regulation 22(1), CIDR agencies are not explicitly obliged to host their datacenters in India. The government argued that section 54 of the Aadhar Act confers on UIDAI the power to specify information security standards in the Aadhar ecosystem. The Supreme Court opined that there are adequate security standards.

PS: Information expressed above is strictly personal.



Great article...explained all the points in a crisp and concise manner.
