The Aadhaar conundrum

Representational Image.


After more than seven decades of our independence, we finally saw a moment when our right to privacy culminated against the State exigencies.

Inter-alia several path-breaking rulings, through Justice K. S. Puttaswamy (Retd) vs. Union of India, the Supreme Court preserved our right to privacy and placed it within the four walls of Article 21 of the Constitution.

The right to privacy was read to be subsumed in the expanded interpretation of the inalienable right to life and liberty guaranteed to every person in India.

No sooner had we begun to celebrate this remarkable win of the people of India, the State-sponsored ghost of ‘Aadhaar’ started to threaten our right to privacy in numerous ways.

Since then we have witnessed a nation-wide debate concerning the various aspects of Aadhaar Act. However, we still lack clarity and are left with only a complex socio-legal problem to deal with.

Therefore, let us put this in perspective and investigate the issue. Firstly, whether the instrument of ‘Aadhaar’ as alleged really poses a perceivable threat to our right to privacy, or has it already made a beginning of sorts? Secondly, is identity theft real or merely a camouflage created by the opponents of Aadhaar, many of whom are staunch adversaries of the incumbent Modi government.

Perhaps the tussle over ‘Aadhaar’ has greater political than legal or Constitutional undertones. The investigation of Aadhaar’s sanctity and Constitutional validity will determine this.

Hence, the attempt is to demystify the virtual as well as real issues concerning ‘Aadhaar’ which have divided our opinions and coloured our vision either in favour or against it.

The matter is sub-judice and the judgment will probably tell us that whether ‘Aadhaar’ will empower the intended beneficiaries or it will in fact disempower many of us if sensitive personal data of our identities gets shared with external private agencies for various extraneous reasons.

The judgment may perhaps also decide the fate of Aadhaar law and could indicate if aam aadmi will actually be empowered or rendered powerless. In this context, let us tackle the basic question first. What is the structure and philosophy of ‘Aadhaar’?

Nuances of Aadhaar

In 2016, the Government of India enacted the ‘Aadhaar Act’. The Act was mainly designed to provide good governance, efficient, transparent, and targeted delivery of subsidies, benefits and services to individuals by assigning them unique identification number.

Although the aim of ‘Aadhaar’ was originally limited, after considering the use and effect of the unique identification number, the Government of India has gradually enlarged its scope to make it compulsory in claiming routine services like banking, gas connection, landline telephone connection, mobile connection, PAN card, etc.

To the extent it was meant to streamline numerous customer services and ensure that the due entitlement of government schemes like widow pension, old age pension, etc. was claimed only by rightful beneficiaries, the intent and purpose of Aadhaar Act seemed plausible.

However, the problem arose when various investigations and reports revealed that the vital personal information of ‘Aadhaar’ card holders was being compromised by sharing it with private agencies in lieu of benefits seemingly difficult to predict.

Such vital information includes personal details of an individual like finger impressions, contact details, blood group and so on. If shared with one or more private agencies, it may brood fraudulent transactions on behalf of the ‘Aadhaar’ card holder, who may be oblivious of such activities.

It therefore appears to be no less than a well orchestrated conspiracy to exploit the identity of individuals. In fact, if not scrutinised properly it may result in a giant ‘data theft scam’.

When reports of data leak began to pour in, several informed citizenry groups acted swiftly and hence, we have the case pending before the Apex Court of the country contesting the Constitutional validity of ‘Aadhaar Act’ and also establishing the ‘data theft’ story.

Unreported it remains though but today the people have begun to suspect the entire exercise of Aadhaar which appears to be well thought of and designed to steal their identity in the garb of making it mandatory.

Five judges (Constitution bench) of the Supreme Court are presently hearing the public interest litigation in this case.

While the case hearing was underway, recently in addition to the existing modes like fingerprints, iris and OTP (one-time-password) for identification of Aadhaar, the Government of India also announced face authentication technique projecting it as an advanced security feature.

For this identification, one has to record his face impression with the repository of Aadhaar agencies.

Similar to the existing modes of identity detection which are already a bone of contention for being susceptible of exploitation by virtue of data theft, face recognition feature has also received similar criticism and is being viewed with grave suspicion.

Identity & Data Theft

To cut a long story short, we must succinctly examine as to what is identity and data theft. Generally speaking, it is nothing but stealing the identity of a person by hijacking his or her personal details. In today’s digitised era our data and personal information has become vulnerable to spyware and malware.

Common examples and frequently reported cases of such data theft include bank frauds through net banking and credit card payment services.

These cases squarely fall under the domain of criminal law and there are already laws to deal with them. However, a larger issue of a data protection law is yet unanswered in our country.

Similarly, identity theft which leads to data theft by commercial exploitation of our vital information is also virgin legislative territory in our country and we do not have any clear legal framework in place till date.

In this respect it must be noted that the subject of data theft and identity misuse is governed by criminal law but in a limited sphere. That is under the Indian Penal Code (IPC), an act of ‘Personation’ is defined as a crime.

Various forms and aspects of this offence include Personation in election (section 171 D), personation in case of suit or prosecution in court (section 205) and personation for cheating (section 416).

All these are well defined under IPC. However, personation is different from identity theft. In case of personation one pretends to be another person, but in case of identity theft, total identity of a person is stolen.

This is far more alarming and serious. Personation is generally short-lived but identity theft generates scope of exploitation in perpetuity. Unfortunately, under Indian Law, ‘identity theft’ is not defined.

Hence, we are grappling with this new age crime which is mostly operated by virtual means and with sophisticated technology.

Surprisingly, while we are fast embracing use of technology in our daily life, including the vision of a cash less society, we still do not have fundamental legislation to deal with ensuing digital crimes and identity theft. Aren’t we caught in a very distressed legal situation?

Data Protection Concern

Under the existing system, when we enrol for Aadhaar, our demographic and biometric information is deposited with the Central Identities Data Repository (CIDR).

Pursuant to the Aadhaar Act, CIDR is governed and controlled by the Unique Identification Authority of India (UIDAI). The Act also provides that the UIDAI shall ensure that information collected shall be stored properly as well as secured and protected against access, use or disclosure.

The Aadhaar Act mentions that the biographic information shall be deemed to be sensitive personal data or information as per section 43A of Information Technology Act, 2000.

Furthermore, as per the Central Government’s notification, such sensitive personal data or information includes passwords, financial information such as bank accounts, credit card, debit card etc., physical, psychological information, sexual orientation, medical records and biometric information.

Thus, according to section 29 (4) of the Aadhaar Act, the biometric information shall not be published, displayed or posted publicly, except for the purposes as may be specified by regulations.

The legislative intent is quite clear that the Act does not permit sharing of information but the absolute control to make use of information lies in the hands of the Government.

At the same time, the law empowers the Government to publish the information by issuing a simple regulation. This is quite alarming simply because when such vital information of millions of persons is at stake, a rule of prudence does not permit it to be shared by way of publication through a simple procedure sans accountability.

Hence, such a proposition under the Aadhaar law doesn’t seem to stand the test of accountability and procedural safeguards. Therefore, there are chances of such data being compromised if the government turns autocratic someday.

Perhaps that is one of the strong undertones of the opposition of Aadhaar both inside and outside the court. It becomes all the more a matter of concern when India does not have a strong and exclusive data protection law.

Only recourse at present is the procedure-less safeguard enumerated under the Aadhaar law. Consequently, the safety and management of data is at stake. Reports which have already exposed data theft and sharing in the past few months testify to this weakness of the existing system.

Legally speaking, for the want of a robust data protection law, the Aadhaar law will fall flat especially when it empowers the Government to share information collected under its umbrella without any procedural safety valves in place.

It would continue to raise many more relevant concerns, for example that sensitive personal data is susceptible to being misused by the Government for surveillance of individuals.

It may, in turn, open a floodgate of petitions challenging arbitrary surveillance of individuals by the government which may thereby infringe upon their right to privacy.

At present, the government’s policy and plan seems far from providing any relief to a common man in his enjoyment of the fundamental right to privacy.

It is a testing time for the entire country to protect the individuality, autonomy and privacy of millions of persons who have and are still enrolling themselves under the Aadhaar scheme.

Majority of them are unaware of inherent loopholes in the Aadhaar law which are being negated under the garb of promising easy facilitation of various governmental services.

The law will not change its course abruptly, instead, the need is to save the country from the mounting digital dictatorship by modification of the Aadhaar scheme from its basic purpose of empowering individuals.

Undeniably we are caught in a strange socio-legal situation which has a strong political undercurrent.

Hence, when the situation turns so complex and the State itself is being alleged to compromise the fundamental rights of the people, the highest court of the land can alone help us to come out of this multifaceted legal problem.

The writers are, respectively, an Advocate, Supreme Court of India and Assistant Registrar (Research), Supreme Court of India.