Centre for Internet & Society

Critics say the Aadhaar Bill does not address concerns over privacy, even as government is rushing the Bill without adequate parliamentary scrutiny.

The blog post by Anumeha Yadav was published in Scroll.in on March 11, 2016. Pranesh Prakash was quoted.


Since it was launched by the United Progressive Alliance government in 2009, the Unique Identification project called Aadhaar has functioned without a legal framework. The project, which aims to assign a biometric-based number to every Indian resident, has been run under an executive order, which means Parliament has no oversight over it.

An Aadhaar Bill was introduced in 2010 but it was rejected by a parliamentary committee over legislative, security, and privacy concerns.

For long, critics have expressed concerns over collecting and centralising citizens' biometric data ‒ such as fingerprints and retina scans ‒ on a mass scale in the absence of a privacy law. The Supreme Court in several orders in 2014 and 2015 affirmed that the government cannot require people to register for an Aadhaar number and no one can be deprived of a government service for not having an Aadhaar number. The Supreme Court is now set to form a constitution bench to examine the contours of the right to privacy flowing from the government's arguments in the Aadhaar case.

Before the bench begins its work, however, the Modi government has introduced a new Bill on Aadhaar, which could override the court's orders.

The Aadhaar (Target Delivery of Financial and Other Subsidies, Benefits and Services) Bill was introduced on March 3 in Lok Sabha. Finance minister Arun Jaitley said the new Bill addresses concerns over privacy and the security and confidentiality of information.

But a close examination of the Bill shows several questions remain.

1. Does the Bill make it mandatory for you to get an Aadhaar number?
Yes, you may have to compulsorily enrol under Aadhaar, despite the privacy concerns explained in the sections below.

Four-time member of the Lok Sabha, Bhartruhari Mahtab of the Biju Janata Dal, was on the parliamentary committee on finance that examined the previous Aadhaar Bill introduced in 2010. He said the new Aadhaar Bill does not specify that it will not be made mandatory.

“There is duplicity over this issue,” said Mahtab. “Nandan Nilekani [the former chairperson of the Unique Identification Authority of India] repeatedly told us in the parliamentary committee that Aadhaar is not mandatory. The Supreme Court also said, 'You cannot make it mandatory.'”

But if a service agent asks for Aadhaar mandatorily, then as a beneficiary, citizens have no option but to get an Aadhaar number, Mahtab explained. “The government, or a private company, cannot force me to get an Aadhaar number," he said. "The government should bring a law that clearly says Aadhaar is not mandatory.”

A committee of experts on privacy, chaired by Justice AP Shah, had recommended in 2012 that the Bill should specify that individuals have the choice to opt-in or out-of providing their Aadhaar number, and a service should not be denied to individuals who do not provide their number. The Unique Identification Authority of India had then stated to the committee that the enrolment in Aadhaar is voluntary.

But the new Aadhaar Bill does not incorporate a categorical clause on opt-in and opt-out. Instead, it broadens the scope of Aadhaar. Jaitley said the Bill will allow the government to ask a citizen to produce an Aadhaar number to avail of any government subsidy. But section 7 of the Bill is phrased more broadly, and refers to not just subsidies but any “subsidy, benefit or service” for which expense is incurred on the Consolidated Fund of India, or the government treasury.

7. The Central Government or, as the case may be, the State Government may, for the purpose of establishing identity of an individual as a condition for receipt of a subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India, require that such individual undergo authentication, or furnish proof of possession of Aadhaar number or in the case of an individual to whom no Aadhaar number has been assigned, such individual makes an application for enrolment: Provided that if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service.

As noted above, the proviso in section 7 is premised on the phrase: “if an Aadhaar number is not assigned”. This, along with language preceding in the section, indicates that a citizen may be compulsorily required to apply for enrolment.

Section 8 permits a “requesting entity” to utilise identity information for authentication with the Central Identities Data Repository. A “requesting entity” is defined under Section 2(u), and will include private entities.

2. Does the Bill allow Aadhaar authorities to share your personal data?
Yes, in the "interest of national security", a term that remains undefined.

Both legal experts and members of Parliament have flagged the provisions in the Bill on the circumstances in which users' data, including core biometrics information, can be shared.

The debate centres over the interception provisions in section 33.

In a piece in The Indian Express, Nandan Nilekani, the former chairperson of the issuing authority, stated that the Aadhaar Bill provides that no core biometric information can be shared, a principle without exception. “...Clause 29(1) is not overridden by Clause 33(2),” he noted.

However, a closer reading of the Bill shows this is not the case. Clause 33(2), in fact, does provide an exception to clause 29(1)(b):

33(2) Nothing contained in sub-section (2) or sub-section (5) of section 28 and clause (b) of sub-section (1), sub-section (2) or sub-section (3) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government

where, Section 29(1)(b) states:

29. (1) No core biometric information, collected or created under this Act, shall be — (b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.

Pranesh Prakash, a lawyer and policy director of the Centre for Internet and Society said: “This implies that the core biometric information, collected or created under the Aadhaar Act, may be used for purposes other than the generation of Aadhaar numbers and authentication 'in the interest of national security.'"

Legal experts point out that the phrase “national security” is undefined in the present bill, as well as the General Clauses Act, and thus the circumstances in which an individual's information may be disclosed remains open to interpretation.

Section 33(1) permits the disclosure of an individual's demographic information (but not biometrics) following an order by a district judge. It says that no such order shall be made without giving an opportunity of hearing to the UIDAI , but not to the person whose data is being disclosed.

3. Does the Bill protect you from interception and surveillance?
No, the Bill does not provide for transparency concerning covert surveillance.

Section 33(2), which permits disclosure of demographic and biometric pursuant to directions of the joint secretary in interest of national security, says such disclosures will be for three months initially, and a fresh renewal can be granted for another three months, without a limitation on the number of such renewals.

This can lead to a user being under continuous surveillance, and without any notification to the user even after the surveillance ceases, violating one of necessary and proportionate principles on communications surveillance related to user notification and right to effective remedy. In some countries, this principle has been incorporated in law. For example, in Canada, the law limits the time of wiretapping surveillance, and imposes an obligation to notify the person under surveillance within 90 days of the end of the surveillance, extendable to a maximum of three years at a time.

“The interception provisions are severely problematic," said Apar Gupta, a technology lawyer. "They are not open to independent scrutiny and even derogate from the already deficient practices which relate to phone tapping (Rule 419-A of the Telegraph Rules) and interception of data (Interception Rules, 2011).”

Legal scholar Usha Ramanathan pointed out that the Bill lacks provisions on giving notice to a person in case of breach of information, in case of third party use of data, or change in purpose of use of data – which were among provisions recommended by the Justice Shah Committee on Privacy in 2012.

4. Does the Bill allow you to seek redress in case of breach of information?
Yes, but the provisions are weak.

Government officials overseeing the project said that the 2016 Bill is an improvement over the 2010 Bill as it safeguards the information of those enrolled as per sections of the Information Technology Act, 2000.

But technology law experts say the adjudicatory system for disclosure of sensitive personal data under the IT Act has structural flaws and is not functional.

“Initial complaints against the disclosure of sensitive personal data go to an adjudicating officer who is usually the IT Secretary of the state government and may not be trained in law,” said Gupta, the technology lawyer. “There is no court infrastructure and no permanent seat for such cases. The appellate body, the Cyber Appellate Tribunal, has not been made operational in the last three years. Hence, the civil remedies offered [in the Aadhaar Bill] are at best illusionary and unenforceable.”

5. Does the Bill give you the right to alter your information?
No, it leaves you to the mercy of the Unique Identification Authority of India.

Imagine a situation where a user simply wants to change their first or last name, or say, not use their caste name. Under Section 31 of the Bill, individuals can only request the UID authority, which may do so “if it is satisfied”. There is no penalty on the authority if it fails to respond. The Bill does not provide for a user to even be able to approach a court to ask for their information relating to Aadhaar to be corrected.

International norms for data protection give individuals the right to correct and alter information, if their demographic data changes. They provide for individuals to have a copy of their information, and to approach courts for an order to rectify, block, erase inaccurate information.

In an interview to Mint, Sunil Abraham, director of the Centre for Internet and Society, compared the rights of Aadhaar users to the rights we now take for granted as internet users. “Authentication factors [biometrics in the case of Aadhaar], commonly known as passwords, should always be revocable,” noted Abraham. “That means if the password is compromised, you should be able to change the password or at least say that this password is no longer valid.” In its current form, the Aadhaar Bill gives users no such rights.

6. Is the current Bill an improvement over the previous one?
Not really.

The Aadhaar Bill 2016 provides that the renewals of requests for disclosure of data will be reviewed by an oversight committee consisting of the cabinet secretary and the secretaries in the department of legal affairs and the department of electronics and information technology.

This is a watered down version of the provisions in the previous Unique Identification Authority of India 2010 Bill, said Chinmayi Arun, executive director, Centre for Communication Governance at the National Law University Delhi.

“The previous version or the 2010 Bill provided for a three-member review committee, consisting of the nominees of the prime minister, the leader of the opposition, and a third nominee of a union cabinet minister, with the restriction that these nominees could not be a member of parliament or a member of a political party,” Arun said. “This would be a more independent committee than the one proposed now, wherein there will be executive oversight for executive orders."

Regarding penalties, the previous 2010 Bill made copying, deleting, stealing, or altering information in the Central Identities Data Repository, punishable with a jail term of upto three years and a fine not less than Rs 1 crore.

Section 38 of the new Aadhaar Bill now makes the same offence punishable with a jail term of upto three years and reduces the upper limit of the fine to “not less than ten lakh rupees”.

7. Finally, does the Aadhaar Bill have enough parliamentary scrutiny?
The government has introduced the legislation on Aadhaar in the form of a Money Bill, which means the power of the Rajya Sabha to review and amend the Bill is curtailed ‒ if the Speaker Sumitra Mahajan certifies that this is a Money Bill.

The parliamentary committee on finance under Bharatiya Janata Party MP Yashwant Sinha had rejected the previous Bill in December 2011 citing legislative, security, and privacy concerns. Despite this, two successive Prime Ministers – Manmohan Singh and Narendra Modi – have pushed ahead with Aadhaar project.

A common refrain has been that the unique biometric identity will resolve the problem of the poor in India to prove identity and overcome "one of the biggest barriers preventing the poor from accessing benefits and subsidies." But last April, the UIDAI in response to an RTI application revealed that of 83.5 crore Aadhaar numbers issued till then, 99.97% were issued to people who already had at least two existing identification documents, only 0.21 million (0.03%) used the "introducer system" that provides an exception to those lacking identity proof.

More recently, there has been no public consultation by the government over the latest Bill.