Centre for Internet & Society

The 12-digit Aadhaar number is now out of bounds for fintech companies in India.

The article by Nishant Sharma was published in Bloomberg Quint on September 27, 2018. Pranesh Prakash was quoted.


Video


With the Supreme Court on Wednesday terming Aadhaar authentication by private companies as “unconstitutional”, companies such as online wallets and e-tailers, among others, will now have to make changes to how they onboard and verify customers, in addition to how they transact.

In a 567-page majority judgment authored by Justice Sikri and concurred upon by two other judges—Chief Justice Dipak Misra and Justice AM Khanwilkar—it said that Section 57 of the Aadhaar Act, which allows private companies to use Aadhaar for authentication services based on a contract between the corporate and an individual, would enable commercial exploitation of private data and hence is unconstitutional.

“What it essentially means is that the private bodies, such as lending platforms, wallets, or any private entity, cannot use Aadhaar for authentication,” said Anirudh Rastogi founder at Ikigai Law (formerly TRA), a law firm that specialises in representing businesses on data privacy.

The decision is set to impact private companies right from Flipkart-owned PhonePe, Paytm, Reliance Jio and Amazon, among others, which rely on Aadhaar for e-verification. Amazon recently launched cardless equated monthly installments on Amazon Pay through the digital finance platform Capital Float and asked customers to provide Aadhaar numbers or virtual ID and PAN details on the Amazon app for verification.

'Aadhaar Is Just Another ID'

Pranesh Prakash, fellow, Centre for Internet and Society, said that with this judgment Aadhaar is no longer an identity infrastructure as its creators have dreamt of. “It is now just another ID.”

For those opposed to Aadhaar, on privacy and security grounds, this may be a part victory. But for the Fintech industry it stymies the use of quick Aadhaar-based e-KYC (know your customer norms) to onboard customers. “The fintech industry thrives on the instant paperless mantra, and this move will curb its rapid growth, ” Amrish Rau, co-founder of PayU, said in a text message.

The verdict is also set to push up costs for the industry. Rau said: “Conducting physical KYC would be a costly affair, with every physical KYC costing about Rs 100 per person.”

Companies like PhonePe await more clarity. “We are waiting to hear from bodies like the Reserve Bank of India, UIDAI on what KYC that will be required for wallets moving ahead," Sameer Nigam, cofounder of PhonePe, said. "Whether we go to no KYC, lower limit environment or go to the physical KYC environment."

The judgment also stated that the identification number will not be mandatory for opening bank accounts, mobile-phone connections or for admissions into educational institutions. However, Aadhaar will continue to be mandatory for the distribution of state-sponsored welfare schemes including direct benefit transfers and the public distribution system. Taxpayers will have to link their Permanent Account Numbers to the biometric database.

Aadhaar-Based KYC: Allowed With Consent?

The Supreme Court has concluded that the part of section 57 which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals.

Prasanna S, a Supreme Court advocate and lawyer for one of the petitioners in the Aadhaar matter interpreted it to mean that even if a customer voluntarily wants to use Aadhaar for e-KYC, businesses cannot accept it.

They have struck down the part of Section 57 that allows use of Aadhaar based on a contract. A contract, by nature is voluntary, But since the court has struck down this part, even voluntary use won’t be permitted.

Prasanna S, Advocate, Supreme Court

Jaitley Hints At Legal Backing

Meanwhile, Finance Minister Arun Jaitley on Wednesday hinted that the Centre is likely to examine whether separate legal backing is needed for Section 57 of the Aadhaar Act, the newswire PTI reported. “So, let us first read the judgement. There are two-three prohibited areas. Are they because they are totally prohibited or are they because they need legal backing,” Jaitley was quoted as saying.

Rastogi of Ikigai Law said that the court has left open for the government to promulgate a law to enable private parties to use Aadhaar that can withstand judicial scrutiny.

Rahul Matthan, a technology partner at law firm Trilegal differed with this view. He said that since the apex court has ruled that private entities cannot access the Aadhaar infrastructure, it means that even if the government brings a specific law to allow for that, it would be unconstitutional.

Prasanna agreed with this interpretation.

The court has hinted that commercial exploitation of personal information will fail the proportionality test laid down by it in the Right to Privacy judgment. This is one of the grounds for them to conclude that Section 57 is unconstitutional. So even a law is introduced, private access will be impermissible.

Prasanna S, Advocate, Supreme Court

Are Aadhaar-Based KYCs Tainted?

Since the use of Aadhaar by private entities has been struck down, does it mean entities who have used it for KYC so far have to re-do that exercise? And data that was collected as part of Aadhaar-based KYC- does that need to be deleted?

The majority order hasn’t specifically addressed these questions, Matthan pointed out. But went on to explain that his reading of the judgment is that the court wants things to remain as they are.

The Supreme Court has said that collection of data before the Aadhaar Act was introduced is valid. If you follow that sentiment, may be we can argue that there’s no requirement to delete the data.

Rahul Matthan, Partner, Trilegal


Whatever has been done without the authority of law has to go, Prasanna said. But this outcome may not be practical and another hearing before the Supreme Court may be required to clear these questions, he added.

Private entities such as the online cab aggregator Ola have already removed eKYC from its e-wallet when BloombergQuint last checked. Others may follow suit.