Salient Points in the Aadhaar Bill and Concerns

Use of Aadhaar Number

What the Bill says:

• Used to establish identity: The Aadhaar number can be used by any government or private agency to validate a person’s identity for any lawful purpose, but it cannot be used as a proof of citizenship. (Sections 4, 6, and 57)

• Mandatory for access to government services: The government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service whose expenditure is incurred from the Consolidated Fund of India.

• Those without a number, must apply for one: If someone attempting to access an applicable service does not have an Aadhaar number, he/she should make an application for enrolment, and will be allowed to use an alternative method of identification in the meantime. (Section 7)

• Open to use by public and private bodies: The Bill does not prevent the use of Aadhaar number  to establish identity for other lawful purposes  by the State or other private bodies. (Section 57)

• Aadhaar is not voluntary: Section 7 makes its mandatory to have an Aadhaar number to access services, subsidies and benefits, and stipulates that in case one does not have the Aadhaar number they must apply for it. This is counter to the repeated claims about Aadhaar being purely voluntary, and the Supreme Court order dated August 11, 2015 which prevents making Aadhaar mandatory, barring a few specified services. The Bill does not limit mandatory use of Aadhaar to those services, and leaves the door open for the government to route more benefits, subsidies and services through the Consolidated Fund of India and expand the scope of Aadhaar.

• There are limited and unclear alternatives:  While there is a proviso in the Act which speaks for “viable and alternative” means of identification where Aadhaar number is not issued, the language is not clear and speaks of cases where Aadhaar “is not assigned” rather than simply stating that it is applicable to anyone who does not have an Aadhaar number.

• There is a conflict in the objects and actual scope of the Bill: There is a conflict between the objects of the Bill which is stated as identification of individuals for targeted delivery of entitlements and Section 57 which allows all entities, public or private, to use the Aadhaar number for authentication.

Enrollment Process

What the Bill says:

• Enrolling agencies must provide notice: At the time of enrollment, the enrolling agency will inform the individual of the following details— i) how their information will be used; ii) what type of entities the information will be shared with; and iii) that they have a right to access their information, and also tell them how they can access their information. (Section 3)

• Biometrics and demographics will be collected:  Biometric information and demographic information will be collected at enrollment. Biometric information means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations. Demographic information includes information relating to the name, date of birth, address and other relevant information as specified by regulations. (Section 2)

• Special measures to ensure enrollment for all: The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals as specified by the regulations. (Section 5)

Concerns:

• The Bill fails to address implementation issues: The Bill does not address issues that have arising during enrolment processes that have already been implemented. These include: the collection of additional and unnecessary information, unclear retention, storage, and destruction standards for data collected by enrollment agencies, abuse of methods used to ensure all have access to the enrollment process, inaccuracy in the collection of data. Detailed procedure and chain of custody for the enrollment process needs to be addressed through provisions in the Bill particularly as this process is undertaken by contracted third party registrars and enrolling agencies.

• Definition of “Biometric Information” is broad and ambiguous: The Bill defines “biometric information” as “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition is broad and gives sweeping discretionary power to the UIDAI / Central Government to determine “other such biological attributes of an individual”. The definition should be precise and exhaustive in its scope. Any modification to this, and other terms in the Bill, should take place only through a legislative act.

Authentication Process

What the Bill says:

• Consent and use limitation during authentication: The Bill states that any requesting entity will— (a) take consent from the individual before collecting his/her Adhaar information; (b) use the information only for authentication with the CIDR.

• Notice during authentication: Further, the entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity. (Section 8)

• Retention of authentication records: The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations. (Section 32) The UIDAI will not collect, keep or maintain any information about the purpose of authentication. (Section 32)

• Ability to obtain authentication records: Every Aadhaar number holder may obtain his authentication record as specified by regulations. (Section 32)

• Requirement to update information: The UIDAI has the power to require residents to update their demographic and biometric information from time to time. (Section 6)

Concerns:

• Lack of strong consent mechanism: While the Bill does provide for seeking consent for collecting and using an Aadhaar for authentication, the Bill does not specify that this must be informed consent with an ‘opt out’ mechanism and does not specify the manner in which such consent should be sought. This leaves it it in the hands of the UIDAI and possibly the third requesting entity to determine the form of consent that is to be taken. This could result in ambiguous, misleading, or inconsistent consent mechanisms being used.  

• Lack of strong notice mechanism: While the Bill does provide that individuals should be given notice of the type of information be shared and what the information will be used for, and any alternative identity that will be accepted during  the authentication process this is a minimal notice and does not meet the standards in the (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 which require individuals to be notified of a) the fact that the information is being collected b) the purposes for which the information is being collected c) the intended recipients of the information d) the name and address of the agency collecting the information and the agency that will retain the information. Furthermore, the Bill does not require the UIDAI, contracted bodies, or requesting entities to notify individuals of any changes in organizational privacy policies.  

• “Obtaining” rather than the right to access: Instead of providing the individual with a clear right to access the information that the UIDAI holds about him or her, the Bill waters down this safeguard by giving the individual the ability to obtain only his authentication record. What ‘obtaining’ will entail and how one will go about it is delegated to regulations.  

• Lack of ability to opt out, withdraw consent and/or ‘exit’ Aadhaar: There are no opt-out mechanisms in the Aadhaar Act.This means that individuals cannot:

• Opt out and leave the Aadhaar ‘ecosystem’ once enrolled and their information is not deleted.

• Opt out of sharing of information at the enrollment stage or authentication stage.

• Opt out of any use, disclosure, or retention of their information prescribed by the Act.

Security

What the Bill says:

• Security measures for information with UIDAI: The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage. (Section 28)

• Security measures through contract: The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. (Section 28)

• Security protocol via regulations:  The UIDAI has the power to prescribe via regulation various processes relating to data management, security protocol and other technology safeguards (Section 54) 

Concerns:

• Undefined security measures: The Bill specifies that appropriate technical and organisational security measures shall be put in place without elaborating upon what those measure should be or defining any standards that they will adhere to. The Bill gives the Authority the power to define broad regulations pertaining to security protocol.

Confidentiality

What the Bill says:

• Restriction on Sharing, Disclosure, and Use: Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone. (Section 28) The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other generation of Aadhaar numbers and authentication. (Section 29) Identity information, other than core biometric information, may be shared as per this Act and regulations specified under it. (Section 29) Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent. (Section 29) Aadhaar numbers or core biometric information will not be made public except as specified by regulations. (Section 30)

• Application of Information Technology Act: All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act. (Section 30)

Concerns:

• Aadhaar numbers and biometric information to be made public: It is unclear for what purposes it would be necessary for Aadhaar numbers and core biometric information to be made public and it is concerning that such circumstances are left to be defined by regulation. This is different from the Telegraph Act and the IT Act which define the circumstances for interception in the Act and define the procedure for carrying out interception orders in associated Rules. Defining circumstances for such information to be made public is against the disclosure standards in the 43A Rules - which would be applicable to the UIDAI and the disclosure of core biometric information.

• Unclear application of Section 43 A Rules: The Bill characterises biometric information collected as ‘sensitive personal data or information’ under the Information Technology Act, 2000 and Section 43A Rules and states that the Act and Rules would be applicable to biometric information. If this is the case, than any body corporate (including the UIDAI) collecting, processing, or storing biometric information would need to follow the standards established in the Rules - including standards for collection, consent, disclosure, sharing, retention, and security. Yet, the Bill allows the UIDAI to make regulations for collection, disclosure, security etc.

Disclosure

What the Bill says:

• Disclosure during authentication: During authentication, the UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder, but not share any biometric information. (Section 8)

• Exceptions to confidentiality provisions: The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing. (Section 33) The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. (Section 33)

• Oversight Committee: An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above. Any directions in the interest of national security above are valid for 3 months, after which they may be extended following a review by the Oversight Committee. (Section 33) 

Concerns:

• Unnecessary disclosure during authentication: Usually authentication would be a binary process leading to a yes or no result, however, Section 8 also allows sharing of identity information in certain cases. It is unclear why any additional information would need to be shared in the authentication process.

• Lack of opportunity to data subject: In case of a court order identity information and authentication records of an individual can be revealed without any notice or opportunity of hearing to the individual affected. Aside from allowing the UIDAI a right to be heard, the Bill does not provide any means by which an individual can contest such an order or challenge it after it has been passed.

• Lack of defined functions and responsibilities of oversight mechanisms: Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down as the guiding principles establishing the responsibilities and powers of the oversight mechanism.

• Low standards for disclosure order: Though a court order from a District Judge is required to authorize disclosure of information, the Bill fails to define important standards that such an order must meeting including that the order is necessary and proportionate.

• Sweeping exception of National Security:  Disclosures that are made ‘in the interest of national security’ do not require authorization by a judge and instead can be authorized by the Joint Secretary of the Government of India - a standard lower than that established in the Telegraph Act and IT Act for the interception of communications.

Power of UIDAI to make rules and regulations

What the Bill says:

The matters on which the UIDAI may frame rules include:

• The process of collecting information,

• Verification of information,

• Individual access to information,

• Sharing and disclosure of information,

• Alteration of information,

• Request and response for authentication,

• Defining use of Aadhaar numbers,

• Defining privacy and security processes,

• Specifying processes relating to data management, security protocols and other technology safeguards under this Act

• Establishing redressal mechanisms.

Concerns:

• Over delegation of powers to the UIDAI: This Bill follows in the tradition of laws like the Information Technology Act, which allows the executive a very high degree of discretionary power. As mentioned above, a number of important powers which should ideally be within the purview of the legislature are delegated to the UIDAI. The UIDAI has been administrating the project since its inception, and a number of problems have already been documented in process such as collection, verification, sharing of information, privacy and security processes. Rather than addressing these problems, the Bill allows the UIDAI to continue to have similar powers.

• Lack of independence of grievance redressal mechanism: Within the text of the Bill there are no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project, also responsible for providing for the frameworks to address the grievances arising from the project, severely compromises the independence of the grievance redressal body.