Barely three months after the Supreme Court (SC) judgment, which struck down sections 57, 47 and 33(2) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016, the Ministry of Electronics and Information Technology (MeitY) has quietly introduced an Aadhaar amendment Bill in the ongoing winter session of the Parliament.
While the Supreme Court struck down Section 57 of the Act, which earlier permitted private companies to use Aadhaar numbers to authenticate users’ identity, the newly introduced Aadhaar Amendment Bill, in its Section 5, proposes an amendment to Section 4 of the Act. Section 5 of the Bill says: “Every Aadhaar number holder to establish his identity, may voluntarily use his Aadhaar number in physical or electronic form by way of authentication or offline verification, or in such other form as may be notified, in such manner as may be specified by regulations.”
While the Amendment Bill does use the word “voluntarily”, Shashi Tharoor, a parliamentarian from the Opposition Indian National Congress party, termed the Bill, “a violation of Supreme Court judgment and the fundamental right to privacy.”
Tharoor said that the Bill is premature because India first needs to have a data protection law in place, as recognised by the Supreme Court in its nine-member bench judgment on the right to privacy on August 24, 2017.
“This Bill enables the government, in the acquaint of law, to make Aadhaar mandatory for authentication processes. The Bill even proposes Aadhaar use for identification as well as for the authentication processes which contradicts the UIDAI’s stand that Aadhaar is only for authentication. The government must withdraw the Bill and must introduce a data protection bill instead which would set the framework for privacy,” added Tharoor.
According to Section 5.4 of the Amendment Bill, an entity that obtains a necessary permit from their authority can carry out Aadhaar authentication. Section 5.7 states: “Notwithstanding anything contained in the foregoing provisions, mandatory authentication of an Aadhaar number holder for the provision of any service shall take place if such authentication is required by a law made by Parliament.”
Responding to Tharoor’s allegations, minister of electronics and information technology Ravi Shankar Prasad said in the Lok Sabha, “The Bill does not invade users’ privacy. The Supreme Court itself had recognised that Aadhaar has safeguarded the privacy.”
Prasad also informed the Lok Sabha that the draft Personal Data Protection Bill is ready and will soon be introduced on the floor of the House.
So, what exactly is in the Bill? Does it or does it not violate the Supreme Court’s Aadhaar verdict?
To this, speaking to Inc42, Namita Viswanath, Partner, Indus Law, said, “It’s not a violation of the Supreme Court’s judgment. The judgment essentially says that private companies can use Aadhaar for authentication purposes only if it is backed by law. Sections 5 and 24 of the Bill provide the voluntary option to customers.”
The introduced Bill simply does that by amending the Prevention of Money Laundering Act and The Indian Telegraph Act, she said, adding, “This allows banks and telecom operators to provide Aadhaar authentication as an option to the customers. Again it’s voluntary for the users.”
Bill Introduces Offline And Virtual Aadhaar Authentication
Apart from the controversial Section 5 explained earlier, the Aadhaar Amendment Bill broadly paves the way for offline and virtual Aadhaar number to be used as an alternate medium for Aadhaar authentication.
The Bill also enforces the Supreme Court’s verdict in the Justice K S Puttaswamy case regarding Aadhaar. The Bill proposes, “Notwithstanding anything, a child shall not be denied any subsidy, benefit or service under that section in case of failure to establish his identity by undergoing authentication, or furnishing proof of possession of Aadhaar number, or in the case of a child to whom no Aadhaar number has been assigned, producing an application for enrolment.”
In case of offline verification, it says that every offline verification-seeking entity will obtain the consent of an individual, or in the case of a child, his/her parent or guardian, in such manner as may be specified by regulations. The entity will also ensure that the demographic information or any other information collected from the individual for offline verification is only used for the purpose of such verification.
Further, no offline verification-seeking entity shall collect, use, or store an Aadhaar number or biometric information of any individual for any purpose.
The Aadhaar Amendment Bill incorporates some of the main points of the draft Personal Data Protection Bill as well. While user consent has been given priority, the Bill also seeks a heavy penalty to be levied on entities/fiduciaries who fail to comply with the Act. Such entities will be liable to a civil penalty that may extend to INR 1 Cr ($142.46K) for each contravention and, in case of continuing failure, to an additional penalty that may extend to INR 10 Lakh ($14.25K) per day during which the failure continues after the first contravention, says the Bill.
The amount of any penalty imposed under this section, if not paid, may be recovered as if it were an arrear of land revenue, the Bill adds.
How does it affect fintech startups? To this, Viswanath said that the Bill seeks amendments to the Prevention of Money Laundering Act and The Indian Telegraph Act. Hence, the scope of the impact will be limited to banking companies and telecom operators. The amendment will still not be helpful for payments companies such as Paytm and others, which are governed by the Payments And Settlement Systems Act.
While many have largely welcomed the Bill, internet freedom crusaders view it as counterproductive to the ongoing data protection war in India. Lawyer and executive director of the Internet Freedom Foundation Apar Gupta said, “This bill did not have any public consultation and will restore the ability of private entities to utilise Aadhaar (which was struck down by the Supreme Court).”
“This speaks of the legislative priorities of the government, which has still not laid out any clear roadmap for data protection or any informational privacy legislation. It’s fairly clear that Aadhaar protection comes first and the government is unwilling to compromise,” he added.
Why Skip Public Consultation On Aadhaar Amendment Bill?
In its judgment dated September 26, 2018, the SC had struck down Section 57 of the Aadhaar Act. It took away private companies’ authority to demand people’s Aadhaar IDs. In his judgment, Justice Dhananjaya Y Chandrachud had instructed telecom operators to delete all data they had collected from users.
In November 2018, then UIDAI CEO Dr Ajay Bhushan Pandey had even said that the authority had started the process of deleting authentication logs and that by December end, it would delete all the authentication logs. He added that the SC order to delete logs applies only to the UIDAI and not to service providers.
Aadhaar authentication has definitely given a new meaning to the eKYC (electronic know your customer) process, and offline and virtual Aadhaar authentication will bring it back to life while ensuring better safety and security.
However, there have always been problems with Aadhaar’s implementation and the way it was introduced in the Parliament, and now the way the Aadhaar Amendment Bill has been introduced, without any consultation with stakeholders, is questionable as well. Consultation on the Bill is of prime importance. While the government has been quite transparent, asking for comments and feedback on most draft bills of importance, Aadhaar has been an exception.
Also, why add the dubious Section 5.7 of the Aadhaar Amendment Bill at all if the government promises Aadhaar authentication will be voluntary?