Centre for Internet and Society

"Will the Magic Number Deliver?" - Roundtable on Aadhaar at CSLG, JNU, April 26

sumandro — 2016-04-20T10:49:58Z

The Centre for the Study of Law and Governance (CSLG), Jawaharlal Nehru University (JNU), will organise a roundtable discussion on Tuesday, April 26, to discuss the Aadhaar project and Act. Along with Rajeev Chandrasekhar, Prasanna S, Apar Gupta, and Chirashree Dasgupta, Sumandro Chattapadhyay will be one of the discussants. It will take place in the CSLG Conference Room at 6 pm.

Discussion Note

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, was enacted by the Parliament on March 16. Thereafter it has been notified on March 26.

The Act empowers the UIDAI (Unique Identification Authority of India) to collect biometric and demographic information of residents to provide them with a unique number. This unique number is to be used for enumeration, identification and targeting of beneficiaries of government subsidies and services.

Since the creation of the UIDAI as an executive authority in 2009, this process of enumeration has been ongoing. Recently, it was announced that more than 100 crore residents have been given their aadhaar cards. Alongside, however, legal challenges have continued in the Supreme Court.

Given this context, this Roundatable Discussion will focus on the following set of questions (among others):

Can the Aadhaar Number enable better delivery of government subsidies and services?
How does the Act ensure data protection?
Is there a right to privacy in India? What are the implications in the context of Aadhaar?
Does the Act ensure public access to statutory remedies in case of violations?
Did the Aadhaar Bill fulfil the requirements of a money bill?

Discussion Format

Setting the Theme - Short Introduction to the Topic by Natasha Goyal

Speakers' comments, 15 minutes each, consecutive, no power points

Rajeev Chandrasekhar, Member of Parliament, Rajya Sabha
Sumandro Chattapadhyay, the Centre for Internet and Society
Prasanna S, Lawyer
Apar Gupta, Advocate, Delhi High Court
Dr. Chirashree Dasgupta, Centre for the Study of Law and Governance

Open Session (Moderated Q and A)

Followed by Tea

Directions to Venue

From JNU main gate, proceed straight until you get to a T-junction. Turn left. Continue until you reach a second T-junction. Turn right. Follow the road for just 0.7 km until you see a bus stop labelled “Paschimmabad.” About 50 m past the bus stop turn right at a sign that reads: “Centre for the Study of Law and Governance”. The CSLG building is on the right. The conference room is on the first floor.

Poster

For more details visit https://cis-india.org/internet-governance/news/will-the-magic-number-deliver-aadhaar-cslg-26042016

The Last Chance for a Welfare State Doesn’t Rest in the Aadhaar System

sumandro — 2016-04-19T13:18:42Z

Boosting welfare is the message, which is how Aadhaar is being presented in India. The Aadhaar system as a medium, however, is one that enables tracking, surveillance, and data monetisation. This piece by Sumandro Chattapadhyay was published in The Wire on April 19, 2016.

Originally published in and cross-posted from The Wire.

Once upon a time, a king desired that his parrot should be taught all the ancient knowledge of the kingdom. The priests started feeding the pages of the great books to the parrot with much enthusiasm. One day, the king asked the priests if the parrot’s education has completed. The priests poked the belly of the parrot but it made no sound. Only the rustle of undigested pages inside the belly could be heard. The priests declared that the parrot is indeed a learned one now.

The fate of the welfare system in our country is quite similar to this parrot from Tagore’s parable. It has been forcefully fed identification cards and other official documents (often four copies of the same) for years, and always with the same justification of making it more effective and fixing the leaks. These identification regimes are in effect killing off the welfare system. And some may say that that has been the actual plan in any case.

The Aadhaar number has been recently offered as the ‘last chance’ for the ailing welfare system – a last identification regime that it needs to gulp down to survive. This argument wilfully overlooks the acute problems with the Aadhaar project.

Firstly, the ‘last chance’ for a welfare state in India is not provided by implementing a new and improved identification regime (Aadhaar numbers or otherwise), but by enabling citizens to effectively track, monitor, and ensure delivery of welfare, services, and benefits. This ‘opening up’ of the welfare bureaucracy has been most effectively initiated by the Right to Information Act. Instead of a centralised biometrics-linked identity verification platform, which gives the privilege of tracking and monitoring welfare flows only to a few expert groups, an effective welfare state requires the devolution of such privilege and responsibility.

We should harness the tracking capabilities of electronic financial systems to disclose how money belonging to the Consolidated Fund of India travel around state agencies and departmental levels. Instead, the Aadhaar system effectively stacks up a range of entry barriers to accessing welfare – from malfunctioning biometric scanners, to connectivity problems, to the burden of keeping one’s fingerprint digitally legible under all labouring and algorithmic circumstances.

Secondly, authentication of welfare recipients by Aadhaar number neither make the welfare delivery process free of techno-bureaucratic hurdles, nor does it exorcise away corruption. Anumeha Yadav has recently documented the emerging ‘unrest at the ration shop’ across Rajasthan, as authentication processes face technical and connectivity delays, people get ‘locked out’ of public services for not having or having Aadhaar number with incorrect demographic details, and no mechanisms exist to provide rapid and definitive recourse.

RTI activists at the Satark Nagrik Sangathan have highlighted that the Delhi ration shops, using Aadhaar-based authentication, maintain only two columns of data to describe people who have come to the shop – those who received their ration, and those who did not (without any indication of the reason). This leads to erasure-by-design of evidence of the number of welfare-seekers who are excluded from welfare services when the Aadhaar-based authentication process fails (for valid reasons, or otherwise).

Reetika Khera has made it very clear that using Aadhaar Payments Bridge to directly transfer cash to a beneficiary’s account, in the best case scenario, may only take care of one form of corruption: deception (a different person claiming to be the beneficiary). But it does not address the other two common forms of public corruption: collusion (government officials approving undue benefits and creating false beneficiaries) and extortion (forceful rent seeking after the cash has been transferred to the beneficiary’s account). Evidently, going after only deception does not make much sense in an environment where collusion and extortion are commonplace.

Thirdly, the ‘relevant privacy question’ for Aadhaar is not limited to how UIDAI protects the data collected by it, but expands to usage of Aadhaar numbers across the public and private sectors. The privacy problem created by the Aadhaar numbers does begin but surely not end with internal data management procedures and responsibilities of the UIDAI.

On one hand, the Aadhaar Bill 2016 has reduced the personal data sharing restrictions of the NIAI Bill 2010, and has allowed for sharing of all data except core biometrics (fingerprints and iris scan) with all agencies involved in authentication of a person through her/his Aadhaar number. These agencies have been asked to seek consent from the person who is being authenticated, and to inform her/him of the ways in which the provided data (by the person, and by UIDAI) will be used by the agency. In careful wording, the Bill only asks the agencies to inform the person about “alternatives to submission of identity information to the requesting entity” (Section 8.3) but not to provide any such alternatives. This facilitates and legalises a much wider collection of personal demographic data for offering of services by public agencies “or any body corporate or person” (Section 57), which is way beyond the scope of data management practices of UIDAI.

On the other hand, the Aadhaar number is being seeded to all government databases – from lists of HIV patients, of rural citizens being offered 100 days of work, of students getting scholarships meant for specific social groups, of people with a bank account. Now in some sectors, such as banking, inter-agency sharing of data about clients is strictly regulated. But we increasingly have non-financial agencies playing crucial roles in the financial sector – from mobile wallets to peer-to-peer transaction to innovative credit ratings. Seeding of Aadhaar into all government and private databases would allow for easy and direct joining up of these databases by anyone who has access to them, and not at all by security agencies only.

When it becomes publicly acceptable that the money bill route was a ‘remedial’ instrument to put the Rajya Sabha ‘back on track’, one cannot not wonder about what was being remedied by avoiding a public debate about the draft bill before it was presented in Lok Sabha. The answer is simple: welfare is the message, surveillance is the medium.

Acceptance and adoption of all medium requires a message, a content. The users are interested in the message. The message, however, is not the business. Think of Free Basics. Facebook wants people with none or limited access to internet to enjoy parts of the internet at zero data cost. Facebook does not provide the content that the users consume on such internet. The content is created by the users themselves, and also provided by other companies. Facebook own and control the medium, and makes money out of all content, including interactions, passing through it.

The UIDAI has set up a biometric data bank and related infrastructure to offer authentication-as-a-service. As the Bill clarifies, almost all agencies (public or private, national or global) can use this service to verify the identity of Indian residents. Unlike Facebook, the content of these services do not flow through the Aadhaar system. Nonetheless, Aadhaar keeps track of all ‘authentication records’, that is records of whose identity was authenticated by whom, when, and where. This database is gold (data) mine for security agencies in India, and elsewhere. Further, as more agencies use authentication based on Aadhaar numbers, it becomes easier for them to combine and compare databases with other agencies doing the same, by linking each line of transaction across databases using Aadhaar numbers.

Welfare is the message that the Aadhaar system is riding on. The message is only useful for the medium as far as it ensures that the majority of the user population are subscribing to it. Once the users are enrolled, or on-boarded, the medium enables flow of all kinds of messages, and tracking and monetisation (perhaps not so much in the case of UIDAI) of all those flows. It does not matter if the Aadhaar system is being introduced to remedy the broken parliamentary process, or the broken welfare distribution system. What matters is that the UIDAI is establishing the infrastructure for a universal surveillance system in India, and without a formal acknowledgement and legal framework for the same.

For more details visit https://cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system

Aadhaar Act and its Non-compliance with Data Protection Law in India

vanya — 2016-04-18T11:43:02Z

This post compares the provisions of the Aadhaar Act, 2016, with India's data protection regime as articulated in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Download the file: PDF.

Amidst all the hue and cry, the Aadhaar Act 2016, which was introduced with the aim of providing statutory backing to the use of Aadhaar, was passed in the Lok Sabha in its original form on March 16, 2016, after rejecting the recommendations made by Rajya Sabha . Though the Act has been vehemently opposed on several grounds, one of the concerns that has been voiced is regarding privacy and protection of the demographic and biometric information collected for the purpose of issuing the Aadhaar number.

In India, for the purpose of data protection, a body corporate is subject to section 43A of the Information Technology Act, 2000 ("IT Act ") and subsequent Rules, i.e. -The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("IT Rules"). Section 43A of the IT Act, 2000 holds a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, liable to compensate the affected person and pay damages.

Rule 3 of the IT Rules enlists personal information that would amount to Sensitive personal data or information of a person and includes the biometric information. Even the Aadhaar Act states under section 30 that the biometric information collected shall be deemed as "sensitive personal data or information", which shall have the same meaning as assigned to it in clause (iii) of the Explanation to section 43A of the IT Act; this reflects that biometric data collected in the Aadhaar scheme will receive the same level of protection as is provided to other sensitive personal data under Indian law. This implies that, the agencies contracted by the UIDAI (and not the UIDAI itself) to perform functions like collection, authentication, etc. like the Registrars, Enrolling Agencies and Requesting Entities, which meet the criteria of being a 'body corporate' as defined in section 43A, could be held responsible under this provision, as well as the Rules, to ensure security of the data and information of Aadhaar holder and could potentially be held liable for breach of information that results in loss to an individual if it can be proven that they failed to implement reasonable security practices and procedures.

In light of the fact that some actors in the Aadhaar scheme could be held accountable and liable under section 43A and associated Rules, this article compares the regulations regarding data security as found in section 43A and IT Rules 2011 with the provisions of Aadhaar Act 2016, and discusses the implications of the differences, if any.

1. Compensation and Penalty

Section 43A: Section 43A of the IT Act, 2000 (Amended in 2008) provides for compensation for failure to protect data. It states that a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, is liable to compensate the affected person and pay damages not exceeding five crore rupees.

Aadhaar Act : Chapter VII of the Act provides for offences and penalties, but does not talk about damages to the affected party.

Section 37 states that intentional disclosure or dissemination of identity information, to any person not authorised under the Aadhaar Act, or in violation of any agreement entered into under the Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
Section 38 prescribes penalty with imprisonment up to three years and a fine not less than ten lakh rupees in case any of the acts listed under the provision are performed without authorisation from the UIDAI.
Section 39 prescribes penalty with imprisonment for a term which may extend to three years and fine which may extend to ten thousand rupees for tampering with data in Central Identities Data Repository.
Section 40 holds a requesting entity liable for penalty for use of identity information in violation of Section 8 (3) with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
Section 41 holds a requesting entity or enrolling agency liable for penalty for violation of Section 8 (3) or Section 3 (2) with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
Section 42 provides general penalty for any offence against the Act or regulations made under it, for which no specific penalty is provided, with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Though the Aadhaar Act prescribes penalty in case of unauthorised access, use or any other act contravening the Regulations, it fails to guarantee protection to the information and does not provide for compensation in case of violation of the provisions.

2. Privacy Policy

IT Rules: Rule 4 requires a body corporate to provide a privacy policy on their website, which is easily accessible, provides for the type and purpose of personal, sensitive personal information collected and used, and Reasonable security practices and procedures.

Aadhaar Act: Though in practise the contracting agencies (the body corporates under the Aadhaar ecosystem) may maintain a privacy policy on their website, the Aadhaar Act does not require a privacy policy for the UIDAI or other actors.

Implications: Because contracting agencies will be covered by the IT Rules if they are 'body corporates', the requirement to maintain a privacy policy will be applicable to them.

3. Consent

IT Rules: Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.

Aadhaar Act: The Act is silent regarding consent being acquired in case of the enrolling agency or registrars. However, section 8 provides that any requesting entity will take consent from the individual before collecting his/her Aadhaar information for authentication purposes, though it does not specify the nature (written/through fax).

Implications: If the enrolling agency is a body corporate, they will also be required to take consent prior to collecting and processing biometrics. It is possible that since the Aadhaar Act envisages a scheme which is quasi-compulsory in nature, a consent provision was deliberately left out. This circumstance would give the enrolling agencies an argument against taking consent, by saying that the Aadhaar Act is a specific legislation which is also later in point of time than the IT Rules, and a deliberate omission of consent coupled with the compulsory nature of the Aadhaar scheme would mean that they are not required to take consent of the individuals before enrolment.

4. Collection Limitation

IT Rules: Rule 5 (2) requires that a body corporate should only collect sensitive personal data if it is connected to a lawful purpose and is considered necessary for that purpose.

Aadhaar Act: Section 3(1) of the Act states that every resident shall be entitled to obtain an aadhaar number by submitting his demographic information and biometric information by undergoing the process of enrolment.

5. Notice

IT Rules: Rule 5(3) requires that while collecting information directly from an individual, the body corporate must provide the following information:

The fact that information is being collected
The purpose for which the information is being collected
The intended recipients of the information
The name and address of the agency that is collecting the information
The name and address of the agency that will retain the information

Aadhaar Act: Section 3 of the Act states that at the time of enrolment and collection of information, the enrolling agency shall notify the individual as to how their information will be used; what type of entities the information will be shared with; and that they have a right to see their information and also tell them how they can see their information. However, the Act is silent regarding notice of name and address of the agency collecting and retaining the information.

6. Retention Limitation

IT Rules: Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.

Aadhaar Act: The Act is silent regarding this and does not mention the duration for which the personal information of an individual shall be retained by the bodies/organisations contracted by UIDAI.

7. Purpose Limitation

IT Rules: Rule 5(5) requires that information must be used for the purpose that it was collected for.

Aadhaar Act Section 57 contravenes this and states that the Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies. Section 8 of the Act states that for the purpose of authentication, a requesting entity is required to take consent before collection of Aadhaar information and use it only for authentication with the CIDR. Section 29 of the Act states that the core biometric information collected will not be shared with anyone for any reason, and must not be used for any purpose other than generation of Aadhaar numbers and authentication. Also, the Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual's consent.

Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.

8. Right to Access and Correct

IT Rules : Rule 5(6) requires a body corporate to provide individuals with the ability to review the information they have provided and access and correct their personal or sensitive personal information.

Aadhaar Act : The Act provides under section 3 that at the time of enrolment, the individual needs to be informed about the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made. Section 28 of the Act provides that every aadhaar number holder may access his identity information except core biometric information. Section 32 provides that every Aadhaar number holder may obtain his authentication record. Also, if the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR.

9. Right to 'Opt Out' and Withdraw Consent

IT Rules: Rule 5(7) requires that the individual must be provided with the option of 'opting out' of providing data or information sought by the body corporate. Also, they must have the right to withdraw consent at any point of time.

Aadhaar Act: The Aadhaar Act does not provide an opt- out provision and also does not provide an option to withdraw consent at any point of time. Section 7 of the Aadhaar Act actually implies that once the Central or State government makes aadhaar authentication mandatory for receiving a benefit then the individual has no other option but to apply for an Aadhaar number. The only concession that is made is that if an Aadhaar number is not assigned to an individual then s/he would be offered some alternative viable means of identification for receiving the benefit.

10. Grievance Officer

IT Rules: Rule 5(9) requires that body corporate must designate a grievance officer for redressal of grievances, details of which must be posted on the body corporate's website and grievances must be addressed within a month of receipt.

Aadhaar Act: The Aadhaar Act does not provide for any such mechanism for grievance redressal by the registrars, enrolling agencies or the requesting entities. However, since the contracting agencies will also get covered by the IT Rules if they are 'body corporates', the requirement to designate a grievance officer would be applicable to them as well due to the IT Rules.

11. Disclosure with Consent, Prohibition on Publishing and Further Disclosure

IT Rules: Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, on receipt of a written request. Also, the body corporate or any person on its behalf shall not publish the sensitive personal information and the third party receiving the sensitive personal information from body corporate or any person on its behalf shall not disclose it further.

Aadhaar Act: Regarding the requesting entities, the Act provides that they shall not disclose the identity information except with the prior consent of the individual to whom the information relates. The Act also states that the Authority shall take necessary measures to ensure confidentiality of information against disclosures. However, as an exception under section 33, the UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. The Act also allows disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. The Act is silent on the issue of obtaining consent of the individual under these exceptions. Additionally, the Act also states that the Aadhaar number or any core biometric information collected or created regarding an individual under the Act shall not be published, displayed or posted publicly, except for the purposes specified by regulations.

12. Requirements for Transfer of Sensitive Personal Data

IT Rules : Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection and may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

Aadhaar Act : The Act is silent regarding transfer of personal data into another jurisdiction by the any of the contracting bodies like the Registrar, Enrolling agencies or the requesting entities. However, if these agencies satisfy the requirement of being "body corporates" as defined under section 43A, then the above requirement regarding transfer of data to another jurisdiction under IT Rules would be applicable to them. However, considering the sensitive nature of the data involved, the lack of a prohibition of transferring data to another jurisdiction under the Aadhaar Act appears to be a serious lacuna.

13. Security of Information

IT Rules: Rule 8 requires that the body corporate must secure information in accordance with the ISO 27001 standard or any other best practices notified by Central Government. These practices must be audited annually or when the body corporate undertakes a significant up gradation of its process and computer resource.

Aadhaar Act: Section 28 of the Act states that the UIDAI must ensure the security and confidentiality of identity information and authentication records. It also states that the Authority shall adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. However, it does not mention which standards/measures have to be adopted by all the actors in Aadhaar ecosystem for ensuring the security of information, though it can be argued that if the contractors employed by the UIDAI are body corporate then the standards prescribed under the IT Rules would be applicable to them.

Implications of the Differences for Body Corporates in Aadhaar Ecosystem

An analysis of the Rules in comparison to the data protection measures under the Aadhaar Act shows that the requirements regarding protection of personal or sensitive personal information differ and are not completely in line with each other.

Though the Aadhaar Act takes into account the provisions regarding consent of the individual, notice, restriction on sharing, etc., the Act is silent regarding many core measures like sharing of information across jurisdictions, taking consent before collection of information, adoption of security measures for protection of information, etc. which a body corporate in the Aadhaar ecosystem must adopt to be in compliance with section 43A of the IT Act. It is therefore important that the bodies collecting, handling, sharing the personal information and are governed by the Aadhaar Act, must adhere to section 43A and the IT Rules 2011. However, applicability of Aadhaar Act as well as section 43A and IT Rules 2011 would lead to ambiguity regarding interpretation and implementation of the Law. The differences must be duly taken into account and more clarity is required to make all the bodies under this Legislation like the enrolling agencies, Registrars and the Requesting Entities accountable under the correct provisions of Law. However, having two separate legislations governing the data protection standards in the Aadhaar scheme seems to have been overlooked. A harmonized and overarching privacy legislation is critical to avoid unclarity in the applicability of data protection standards and would also address many privacy concerns associated to the scheme.

Appendix I

The Rajya Sabha had proposed five amendments to the Aadhaar Act 2016, which are as follows:

i. Opt-out clause: A provision to allow a person to "opt out" of the Aadhaar system, even if already enrolled.

ii. Voluntary: To ensure that if a person chooses not to be part of the Aadhaar system, he/she would be provided "alternate and viable" means of identification for purposes of delivery of government subsidy, benefit or service.

iii. Amendment restricting the use of Aadhaar numbers only for targeting of government benefits or service and not for any other purpose.

iv. Amendment seeking change of the term "national security" to "public emergency or in the interest of public safety" in the provision specifying situations in which disclosure of identity information of an individual to certain law enforcement agencies can be allowed.

v. Oversight Committee: The oversight committee , which would oversee the possible disclosure of information, should include either the Central Vigilance Commissioner or the Comptroller and Auditor-General.

Sources:

Appendix II - Section 43A: Compensation for Failure to Protect Data

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

For the purposes of this section:

"body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
"reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
"sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.'.

The term 'body corporate' has been defined under section 43A as "any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities"

For more details visit https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india

FAQ on the Aadhaar Project and the Bill

Elonnai Hickok, Vanya Rakesh, and Vipul Kharbanda — 2016-04-13T14:06:43Z

This FAQ attempts to address the key questions regarding the Aadhaar/UIDAI project and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 (henceforth, Bill). This is neither a comprehensive list of questions, nor does it contain fully developed answers. We will continue to add questions to this list, and edit/expand the answers, based on our ongoing research. We will be grateful to receive your comments, criticisms, evidences, edits, suggestions for new answers, and any other responses. These can either be shared as comments in the document hosted on Google Drive, or via tweets sent to the information policy team at @CIS_InfoPolicy.

To comment on and/or download the file, click here.

For more details visit https://cis-india.org/internet-governance/blog/aadhaar-project-and-bill-faq

Aadhaar Bill 2016 Evaluated against the National Privacy Principles

Pooja Saxena and Amber Sinha — 2016-03-21T08:38:34Z

In this infographic, we evaluate the privacy provisions of the Aadhaar Bill 2016 against the national privacy principles developed by the Group of Experts on Privacy led by the Former Chief Justice A.P. Shah in 2012. The infographic is based on Vipul Kharbanda’s article 'Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles,' and is designed by Pooja Saxena, with inputs from Amber Sinha.

Download the infographic: PDF and PNG.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles

Vulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016

Pooja Saxena and Amber Sinha — 2016-03-21T08:33:53Z

In this infographic, we document the various issues in the Aadhaar enrolment process implemented by the UIDAI, and highlight the vulnerabilities that the Aadhaar Bill, 2016 does not address. The infographic is based on Vidushi Marda’s article 'Data Flow in the Unique Identification Scheme of India,' and is designed by Pooja Saxena, with inputs from Amber Sinha.

Download the infographic: PDF and PNG.

Credits: The illustration uses the following icons from The Noun Project - Thumpbrint created by Daouna Jeong, Duplicate created by Pham Thi Dieu Linh, Copy created by Mahdi Ehsaei.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/blog/vulnerabilities-in-the-uidai-implementation-not-addressed-by-the-aadhaar-bill-2016

Salient Points in the Aadhaar Bill and Concerns

Amber Sinha and Elonnai Hickok — 2016-03-21T04:37:48Z

Since the release of the Aadhaar Bill, the Centre for Internet and Society has been writing a number of posts analyzing the Bill and calling out problematic areas and the implications of the same. This post is meant to contribute to this growing body of writing and call out our major concerns with the Bill.

Use of Aadhaar Number

What the Bill says:

Used to establish identity: The Aadhaar number can be used by any government or private agency to validate a person’s identity for any lawful purpose, but it cannot be used as a proof of citizenship. (Sections 4, 6, and 57)
Mandatory for access to government services: The government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service whose expenditure is incurred from the Consolidated Fund of India.
Those without a number, must apply for one: If someone attempting to access an applicable service does not have an Aadhaar number, he/she should make an application for enrolment, and will be allowed to use an alternative method of identification in the meantime. (Section 7)
Open to use by public and private bodies: The Bill does not prevent the use of Aadhaar number to establish identity for other lawful purposes by the State or other private bodies. (Section 57)

Concerns:

Aadhaar is not voluntary: Section 7 makes its mandatory to have an Aadhaar number to access services, subsidies and benefits, and stipulates that in case one does not have the Aadhaar number they must apply for it. This is counter to the repeated claims about Aadhaar being purely voluntary, and the Supreme Court order dated August 11, 2015 which prevents making Aadhaar mandatory, barring a few specified services. The Bill does not limit mandatory use of Aadhaar to those services, and leaves the door open for the government to route more benefits, subsidies and services through the Consolidated Fund of India and expand the scope of Aadhaar.
There are limited and unclear alternatives: While there is a proviso in the Act which speaks for “viable and alternative” means of identification where Aadhaar number is not issued, the language is not clear and speaks of cases where Aadhaar “is not assigned” rather than simply stating that it is applicable to anyone who does not have an Aadhaar number.
There is a conflict in the objects and actual scope of the Bill: There is a conflict between the objects of the Bill which is stated as identification of individuals for targeted delivery of entitlements and Section 57 which allows all entities, public or private, to use the Aadhaar number for authentication.

Enrollment Process

What the Bill says:

Enrolling agencies must provide notice: At the time of enrollment, the enrolling agency will inform the individual of the following details— i) how their information will be used; ii) what type of entities the information will be shared with; and iii) that they have a right to access their information, and also tell them how they can access their information. (Section 3)
Biometrics and demographics will be collected: Biometric information and demographic information will be collected at enrollment. Biometric information means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations. Demographic information includes information relating to the name, date of birth, address and other relevant information as specified by regulations. (Section 2)
Special measures to ensure enrollment for all: The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals as specified by the regulations. (Section 5)

Concerns:

The Bill fails to address implementation issues: The Bill does not address issues that have arising during enrolment processes that have already been implemented. These include: the collection of additional and unnecessary information, unclear retention, storage, and destruction standards for data collected by enrollment agencies, abuse of methods used to ensure all have access to the enrollment process, inaccuracy in the collection of data. Detailed procedure and chain of custody for the enrollment process needs to be addressed through provisions in the Bill particularly as this process is undertaken by contracted third party registrars and enrolling agencies.
Definition of “Biometric Information” is broad and ambiguous: The Bill defines “biometric information” as “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition is broad and gives sweeping discretionary power to the UIDAI / Central Government to determine “other such biological attributes of an individual”. The definition should be precise and exhaustive in its scope. Any modification to this, and other terms in the Bill, should take place only through a legislative act.

Authentication Process

What the Bill says:

Consent and use limitation during authentication: The Bill states that any requesting entity will— (a) take consent from the individual before collecting his/her Adhaar information; (b) use the information only for authentication with the CIDR.
Notice during authentication: Further, the entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity. (Section 8)
Retention of authentication records: The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations. (Section 32) The UIDAI will not collect, keep or maintain any information about the purpose of authentication. (Section 32)
Ability to obtain authentication records: Every Aadhaar number holder may obtain his authentication record as specified by regulations. (Section 32)
Requirement to update information: The UIDAI has the power to require residents to update their demographic and biometric information from time to time. (Section 6)

Concerns:

Lack of strong consent mechanism: While the Bill does provide for seeking consent for collecting and using an Aadhaar for authentication, the Bill does not specify that this must be informed consent with an ‘opt out’ mechanism and does not specify the manner in which such consent should be sought. This leaves it it in the hands of the UIDAI and possibly the third requesting entity to determine the form of consent that is to be taken. This could result in ambiguous, misleading, or inconsistent consent mechanisms being used.
Lack of strong notice mechanism: While the Bill does provide that individuals should be given notice of the type of information be shared and what the information will be used for, and any alternative identity that will be accepted during the authentication process this is a minimal notice and does not meet the standards in the (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 which require individuals to be notified of a) the fact that the information is being collected b) the purposes for which the information is being collected c) the intended recipients of the information d) the name and address of the agency collecting the information and the agency that will retain the information. Furthermore, the Bill does not require the UIDAI, contracted bodies, or requesting entities to notify individuals of any changes in organizational privacy policies.
“Obtaining” rather than the right to access: Instead of providing the individual with a clear right to access the information that the UIDAI holds about him or her, the Bill waters down this safeguard by giving the individual the ability to obtain only his authentication record. What ‘obtaining’ will entail and how one will go about it is delegated to regulations.
Lack of ability to opt out, withdraw consent and/or ‘exit’ Aadhaar: There are no opt-out mechanisms in the Aadhaar Act.This means that individuals cannot:

Opt out and leave the Aadhaar ‘ecosystem’ once enrolled and their information is not deleted.
Opt out of sharing of information at the enrollment stage or authentication stage.
Opt out of any use, disclosure, or retention of their information prescribed by the Act.

Security

What the Bill says:

Security measures for information with UIDAI: The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage. (Section 28)
Security measures through contract: The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. (Section 28)
Security protocol via regulations: The UIDAI has the power to prescribe via regulation various processes relating to data management, security protocol and other technology safeguards (Section 54)

Concerns:

Undefined security measures: The Bill specifies that appropriate technical and organisational security measures shall be put in place without elaborating upon what those measure should be or defining any standards that they will adhere to. The Bill gives the Authority the power to define broad regulations pertaining to security protocol.

Confidentiality

What the Bill says:

Restriction on Sharing, Disclosure, and Use: Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone. (Section 28) The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other generation of Aadhaar numbers and authentication. (Section 29) Identity information, other than core biometric information, may be shared as per this Act and regulations specified under it. (Section 29) Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent. (Section 29) Aadhaar numbers or core biometric information will not be made public except as specified by regulations. (Section 30)
Application of Information Technology Act: All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act. (Section 30)

Concerns:

Aadhaar numbers and biometric information to be made public: It is unclear for what purposes it would be necessary for Aadhaar numbers and core biometric information to be made public and it is concerning that such circumstances are left to be defined by regulation. This is different from the Telegraph Act and the IT Act which define the circumstances for interception in the Act and define the procedure for carrying out interception orders in associated Rules. Defining circumstances for such information to be made public is against the disclosure standards in the 43A Rules - which would be applicable to the UIDAI and the disclosure of core biometric information.
Unclear application of Section 43 A Rules: The Bill characterises biometric information collected as ‘sensitive personal data or information’ under the Information Technology Act, 2000 and Section 43A Rules and states that the Act and Rules would be applicable to biometric information. If this is the case, than any body corporate (including the UIDAI) collecting, processing, or storing biometric information would need to follow the standards established in the Rules - including standards for collection, consent, disclosure, sharing, retention, and security. Yet, the Bill allows the UIDAI to make regulations for collection, disclosure, security etc.

Disclosure

What the Bill says:

Disclosure during authentication: During authentication, the UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder, but not share any biometric information. (Section 8)
Exceptions to confidentiality provisions: The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing. (Section 33) The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. (Section 33)
Oversight Committee: An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above. Any directions in the interest of national security above are valid for 3 months, after which they may be extended following a review by the Oversight Committee. (Section 33)

Concerns:

Unnecessary disclosure during authentication: Usually authentication would be a binary process leading to a yes or no result, however, Section 8 also allows sharing of identity information in certain cases. It is unclear why any additional information would need to be shared in the authentication process.
Lack of opportunity to data subject: In case of a court order identity information and authentication records of an individual can be revealed without any notice or opportunity of hearing to the individual affected. Aside from allowing the UIDAI a right to be heard, the Bill does not provide any means by which an individual can contest such an order or challenge it after it has been passed.
Lack of defined functions and responsibilities of oversight mechanisms: Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down as the guiding principles establishing the responsibilities and powers of the oversight mechanism.
Low standards for disclosure order: Though a court order from a District Judge is required to authorize disclosure of information, the Bill fails to define important standards that such an order must meeting including that the order is necessary and proportionate.
Sweeping exception of National Security: Disclosures that are made ‘in the interest of national security’ do not require authorization by a judge and instead can be authorized by the Joint Secretary of the Government of India - a standard lower than that established in the Telegraph Act and IT Act for the interception of communications.

Power of UIDAI to make rules and regulations

What the Bill says:

The matters on which the UIDAI may frame rules include:

The process of collecting information,
Verification of information,
Individual access to information,
Sharing and disclosure of information,
Alteration of information,
Request and response for authentication,
Defining use of Aadhaar numbers,
Defining privacy and security processes,
Specifying processes relating to data management, security protocols and other technology safeguards under this Act
Establishing redressal mechanisms.

Concerns:

Over delegation of powers to the UIDAI: This Bill follows in the tradition of laws like the Information Technology Act, which allows the executive a very high degree of discretionary power. As mentioned above, a number of important powers which should ideally be within the purview of the legislature are delegated to the UIDAI. The UIDAI has been administrating the project since its inception, and a number of problems have already been documented in process such as collection, verification, sharing of information, privacy and security processes. Rather than addressing these problems, the Bill allows the UIDAI to continue to have similar powers.
Lack of independence of grievance redressal mechanism: Within the text of the Bill there are no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project, also responsible for providing for the frameworks to address the grievances arising from the project, severely compromises the independence of the grievance redressal body.

For more details visit https://cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns

Pratap Vikram Singh - Why Aadhaar is Baseless?

praskrishna — 2016-04-02T05:31:30Z

This article by Pratap Vikram Singh, Governance Now, discusses the problems emerging out of the UIDAI project due to its lack of mechanisms for informed and granular consent, and for seeking recourse in the case of denial of service. The article quotes Sumandro Chattapadhyay and mentions Hans Varghese Mathew's work on the biometric basis of UIDAI. It was written before the Aadhaar bill was passed in Lok Sabha.

Cross-posted from Governance Now.

It was no less than a roller-coaster ride for Aadhaar, a programme formulated by the UPA government to assign a 12-digit unique number to every Indian resident. From the time it came into being in 2009, Aadhaar drew a volley of criticism, thanks to the misgivings and apprehensions that various critics and civil society organisations had. It was criticised for lack of a clear purpose, degree of effectiveness and absence of a privacy law and was virtually thrown into the bin by a parliamentary panel headed by BJP’s Yashwant Sinha in December 2011.

When the finance minister Arun Jaitley, in his budget speech, announced that the government would introduce the Aadhaar bill during the budget session, expectations were already set high. The bill, giving statutory backing to the unique identification authority of India (UIDAI), the implementing authority, was passed by the Lok Sabha on March 11. While the privacy and voluntary versus mandatory provisions are under the consideration of the supreme court, the bill makes way for linking Aadhaar with all government subsidies, benefits and services. The law on Aadhaar, former UIIDAI chairman Nandan Nilekani wrote in the Indian Express, will help the government in going paperless, presence-less and cashless. The legislation, however, fails to deliver on several counts.

However, prior to evaluating the bill (yet to be passed by the Rajya Sabha at the time of this writing though it is a money bill), let us take a look at its major aspects. For those, who always wondered whether Aadhaar is mandatory or voluntary, the bill 2016 makes it mandatory to avail subsidy, benefit or a service from the government.

The bill has provisions related to information security and confidentiality (section 28) which not only extend to employees of the UIDAI but also consultants and external agencies working with the authority.

The proposed law restricts information sharing. It bars UIDAI from sharing core biometric information – the bill defines it as fingerprints and iris scan – with “anyone for any reason whatsoever” or “used for any purpose other than generation of Aadhaar numbers and authentication under this Act”. The section 32 of the bill entitles Aadhaar number holders to access her or his authentication record. It also bars the authority from collecting, keeping or maintaining information about the purpose of authentication.

Odd Drives the Bill

While the intent is clear and is aimed at streamlining welfare schemes to ensure it reaches the bottom of the pyramid, cutting through the long chain of pilferage and subversion, the bill, however, has several shortcomings. To begin with, the government should not have taken the money bill route to pass the legislation – tactfully avoiding any conclusive discussion and debate in the Rajya Sabha, where it is in minority.

The bill assumes that the technology and the biometric system used by the UIDAI are flawless and it doesn’t provide any recourse in case of denial of a service. “If your fingerprint is not matching and you lose out on service, then what is the alternative mechanism you have,” asks Sumandro Chattapadhyay, research director, centre for internet and society (CIS). The bill doesn’t provide for recourse. “What if the scanning machine fails? What if the identifiers of two people match?”

Based on experiments conducted in the initial days of the Aadhaar programme, Hans Verghese Mathews, another CIS researcher, did a study on the probability of matching of identifiers of two persons. “For the current population of 1.2 billion the expected proportion of duplicands (users whose identifiers match) is 1/121, a ratio which is far too high,” Mathews wrote in the Economic and Political Weekly in February.

“It is like putting the technology in a black box – which can’t be reviewed,” says Chattapadhyay. The bill doesn’t talk about setting up an independent body to review the logs and keep an eye on wrong and duplicate matches.

Who Defines National Security?

According to public policy experts, it is an attempt to seek “minimal legitimacy” from parliament and further adds to the unbridled power of the executive.

Although the bill restricts information sharing in section 29, sections 33 and 48 provide exemption in cases of national security and public emergency, respectively. The legislation, nevertheless, doesn’t elaborate on what constitutes national security and public emergency, leaving it to the executives. The section 33 reads: “Nothing contained in… shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security….”

Similarly, section 48 states that if, at any time, the central government is of the opinion that a public emergency exists, “the central government may, by notification, supersede the Authority for such period, not exceeding six months, as may be specified in the notification and appoint a person or persons as the president may direct to exercise powers and discharge functions under this Act”.

Says Jayati Ghosh, professor, centre for economic studies and planning, Jawaharlal Nehru University, “National security is a very opaque term. Who decides what national security is? Today, the whole JNU is being projected as a threat to national security.” Swagato Sarkar, associate professor and executive director, Jindal school of government and public policy, OP Jindal Global University, says, “The bill has provisions for oversight on the use of Aadhaar, but then it suspends those provisions in case of emergency in the later sections, giving the state the power to use biometric information for whatever it deems fit.”

Sarkar adds, “It seems the bill is simply an instrument for seeking minimum legitimacy from parliament. The bill tries to address the concern of privacy minimally and it hardly serves any purpose.” He believes that there is a need to define the broader contours of democratic control of the state and reassess the changing state-citizen relationship, instead of rejecting the whole idea on the basis of surveillance and privacy. In other words, there is a need for strong parliamentary oversight, and that the Aadhaar related matters shouldn’t be completely delegated to the executive.

In its recommendations on formulating Privacy Act, the justice AP Shah committee in 2012 provided for establishing the office of privacy commissioner at the regional and central levels, defining the role of self-regulating organisations and co-regulation, and creating a system of complaints and redressal for aggrieved individuals. Since the country still doesn’t have any legislation on privacy, people are left on their own in case of an infringement or violation of privacy. Moreover, section 47 states, “No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.”

In its report, the parliamentary committee headed by Yashwant Sinha notes that “enactment of national data protection law… is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate databases”. The committee notes that in absence of data protection legislation, it would be difficult to deal with issues of access, misuse of personal information, surveillance, profiling, linking and matching of databases and securing confidentiality of information.

Subsidy-Aadhaar Linkage

The Sinha committee also takes a cautious view of the role of Aadhaar in curbing leakages in subsidy distribution, as beneficiary identification is done by states. It notes, “Even if the Aadhaar number links entitlements to targeted beneficiaries, it may not even ensure that beneficiaries have been correctly identified. Thus, the present problem of proper identification would persist.”

According to Ghosh, the biggest danger in using Aadhaar for social welfare programmes is that the fingerprints of the rural working class is not always in good shape and hence Aadhaar will not be the best way of identification. “If I am misidentified, I can go to so many places for recourse. But what if a labourer in a remote Jharkhand village is misidentified? Where and whether he would go?” the economist asks. Besides, the bill doesn’t limit the use of Aadhaar and defines areas where it can be used. Section 57 says that the law will not prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, “whether by the state or anybody corporate or person, pursuant to any law, for the time being in force or any contract to this effect.”

According to a PRS Legislative review, since the bill also allows private persons to use Aadhaar as a proof of identity for any purpose, the provision will open a floodgate and enable private entities such as airlines, telecom, insurance and real estate companies to mandate Aadhaar as a proof of identity for availing their services.

Since the bill doesn’t restrict its application, people will not have a choice to identify themselves other than using Aadhaar when corporate organisations make it mandatory, says Chattapadhyay of the CIS. Adds Sarkar, “The bill should clearly mention sectors or services where Aadhaar will be potentially used (or made mandatory). Every time a new sector or service is added to the list, it is done after parliamentary approval.”

So far, 98 crore people have been assigned Aadhaar number. So far the project has costed Rs 8,000 crore.

For more details visit https://cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless

Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles

Vipul Kharbanda — 2016-03-17T19:43:53Z

Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

Introduction

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”) was introduced in the Lok Sabha (lower house of the Parliament) by Minister of Finance, Mr. Arun Jaitley, in on March 3, 2016, and was passed by the Lok Sabha on March 11, 2016. It was sent back by the Rajya Sabha with suggestions but the Lok Sabha rejected those suggestions, which means that the Act is now deemed to have been passed by both houses as it was originally introduced as a Money Bill. Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

In order for the reader to better understand the frame of reference on which we shall analyse the Aadhaar Act, the nine principles contained in the report of the Group of Experts on Privacy are explained in brief below:

Principle 1: Notice - Does the legislation/regulation require that entities governed by the Act give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them.
Principle 2: Choice and Consent - Does the legislation/regulation require that entities governed under the Act provide the individual with the option to opt in/opt out of providing their personal information.
Principle 3: Collection Limitation - Does the legislation/regulation require that entities governed under the Act collect personal information from individuals only as is necessary for a purpose identified.
Principle 4: Purpose Limitation - Does the legislation/regulation require that personal data collected and processed by entities governed by the Act be adequate and relevant to the purposes for which they are processed.
Principle 5: Access and Correction - Does the legislation/regulation allow individuals: access to personal information about them held by an entity governed by the Act; the ability to seek correction, amendments, or deletion of such information where it is inaccurate, etc.
Principle 6: Disclosure - Does the legislation ensure that information is only disclosed to third parties after notice and informed consent is obtained. Is disclosure allowed for law enforcement purposes done in accordance with laws in force.
Principle 7: Security - Does the legislation/regulation ensure that information that is collected and processed under that Act, is done so in a manner that protects against loss, unauthorized access, destruction, etc.
Principle 8: Openness - Does the legislation/regulation require that any entity processing data take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data that is collected and processed and is this information made available to all individuals in an intelligible form, using clear and plain language?
Principle 9: Accountability - Does the legislation/regulation provide for measures that ensure compliance of the privacy principles? This would include measures such as mechanisms to implement privacy policies; including tools, training, and education; and external and internal audits.

Analysis of the Aadhaar Act

The Aadhaar Act has been brought about to give legislative backing to the most ambitious individual identity programme in the world which aims to provide a unique identity number to the entire population of India. The rationale behind this scheme is to correctly identify the beneficiaries of government schemes and subsidies so that leakages in government subsidies may be reduced. In furtherance of this rationale the Aadhaar Act gives the Unique Identification Authority of India (“UIDAI”) the power to enroll individuals by collecting their demographic and biometric information and issuing an Aadhaar number to them. Below is an analysis of the Act based on the privacy principles enumerated I the A.P. Shah Committee Report.

Collection Limitation

Collection of Biometric and Demographic Information: The Aadhaar Act entitles every “resident” [1] to obtain an Aadhaar number by submitting his/her biometric (photograph, finger print, Iris scan) and demographic information (name, date of birth, address [2]) [3]. It must be noted that the Act leaves scope for further information to be included in the collection process if so specified by regulations. It must be noted that although the Act specifically provides what information can be collected, it does not specifically prohibit the collection of further information. This becomes relevant because it makes it possible for enrolling agencies to collect extra information relating to individuals without any legal implications of such act.

Authentication Records: The UIDAI is mandated to maintain authentication records for a period which is yet to be specified (and shall be specified in the regulations) but it cannot collect or keep any information regarding the purpose for which the authentication request was made [4].

Unauthorized Collection: Any person who in not authorized to collect information under the Act, and pretends that he is authorized to do so, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [5]. It must be noted that the section, as it is currently worded seems to criminalize the act of impersonation of authorized individuals and the actual collection of information is not required to complete this offence. It is not clear if this section will apply if a person who is authorized to collect information under the Act in general, collects some information that he/she is not authorized to collect.

Notice

Notice during Collection: The Aadhaar Act requires that the agencies enrolling people for distribution of Aadhaar numbers should give people notice regarding: (a) the manner in which the information shall be used; (b) the nature of recipients with whom the information is intended to be shared during authentication; and (c) the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made [6]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [7]. It must be noted that the Act leaves the manner of giving such notice in the realm of regulations and does not specify how this notice is to be provided, which leaves important specifics to the realm of the executive.

Notice during Authentication: The Aadhaar Act requires that authenticating agencies shall give information to the individuals whose information is to be authenticated regarding (a) the nature of information that may be shared upon authentication; (b) the uses to which the information received during authentication may be put by the requesting entity; and (c) alternatives to submission of identity information to the requesting entity [8]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [9]. Just as in the case of notice during collection, the manner in which the notice is required to be given is left to regulations leaving an unclear picture as to how comprehensive, accessible, and frequent this notice must be.

Access and Correction

Updating Information: The Aadhaar Act give the UIDAI the power to require residents to update their demographic and biometric information from time to time so as to maintain its accuracy [10].

Access to Information: The Aadhaar Act provides that Aadhaar number holders may request the UIDAI to provide access to their identity information expect their core biometric information [11]. It is not clear why access to the core biometric information [12] is not provided to an individual. Further, since section 6 seems to place the responsibility of updation and accuracy of biometric information on the individual, it is not clear how a person is supposed to know that the biometric information contained in the database has changed if he/she does not have access to the same. It may also be noted that the Aadhaar Act provides only for a request to the UIDAI for access to the information and does not make access to the information a right of the individual, this would mean that it would be entirely upon the discretion of the UIDAI to refuse to grant access to the information once a request has been made.

Alteration of Information: The Aadhaar Act gives individuals the right to request the UIDAI to alter their demographic if the same is incorrect or has changed and biometric information if it is lost or has changed. Upon receipt of such a request, if the UIDAI is satisfied, then it may make the necessary alteration and inform the individual accordingly. The Act also provides that no identity information in the Central database shall be altered except as provided in the regulations [13]. This section provides for alteration of identity information but only in the circumstances given in the section, for example demographic information cannot be changed if it has been lost, similarly biometric information cannot be changed if it is inaccurate. Further, the section does not give a right to the individual to get the information altered but only entitles him/her to request the UIDAI to make a change and the final decision is left to the “satisfaction” of the UIDAI.

Access to Authentication Record: Every individual is given the right to obtain his/her authentication record in a manner to be specified by regulations. [14]

Disclosure

Sharing during Authentication: The UIDAI is entitled to reply to any authentication query with a positive, negative or any other response which may be appropriate and may share identity information except core biometric information with the requesting entity [15]. The language in this provision is ambiguous and it is unclear what 'identity information' may be shared and why it would be necessary to share such information as Aadhaar is meant to be only a means of authentication so as to remove duplication.

Potential Disclosure during Maintenance of CIDR: The UIDAI has been given the power to appoint any one or more entities to establish and maintain the Central Identities Data Repository (CIDR) [16]. If a private entity is involved in the maintenance and establishment of the CIDR it can be presumed that there is the possibilty that they would, to some degree, have access to the information stored in the CIDR, yet there are no clear standards in the Act regarding this potential access. And the process for appointing such entities. The fact that the UIDAI has been given the freedom to appoint an outside entity to maintain a sensitive asset such as the CIDR raises security concerns.

Restriction on Sharing Information: The Aadhaar Act creates a blanket prohibition on the usage of core biometric information for any purpose other than generation of Aadhaar numbers and also prohibits its sharing for any reason whatsoever [17]. Other identity information is allowed to be shared in the manner specified under the Act or as may be specified in the regulations [18]. The Act further provides that the requesting entities shall not disclose the identity information except with the prior consent of the individual to whom the information relates [19]. There is also a prohibition on publicly displaying Aadhaar number or core biometric information except as specified by regulations [20]. Officers or the UIDAI or the employees of the agencies employed to maintain the CIDR are prohibited from revealing the information stored in the CIDR or authentication record to anyone [21]. It is not clear why an exception has been carved out and what circumstances would require publicly displaying Aadhaar numbers and core biometric information, especially since the reasons for which such important information may be displayed has been left up to regulations which have relatively less oversight. The section also provides the requesting entities with an option to further disclose information if they take consent of the individuals. This may lead to a situation where a requesting entity, perhaps the of an essential service, may take the consent of the individual to disclose his/her information in a standard form contract, without the option of saying no to such a request. It may lead to situations where the option is between giving consent to disclosure or denial or service altogether. For this reason it is necessary that there should be an opt in and opt out provision wherever a requesting entity has the power to ask for disclosure of information, so that people are not coerced into giving consent.

Disclosure in Specific Cases: The prohibition on disclosure of information (except for core biometric information) does not apply in case of any disclosure made pursuant to an order of a court not below that of a District Judge [22]. There is another exception to the prohibition on disclosure of information (including core biometric information) in the interest of national security if so directed by an officer not below the rank of a Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government. Before any such direction can take effect, it will be reviewed by an oversight committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology. Any such direction shall be valid for a period of three months and may be extended by another three months after the review by the Oversight Committee [23]. Although this provision has been criticized, and rightly so, for the lack of accountability since the entire process is being handled within the executive and there is no independent oversight, however it must be mentioned that the level of oversight provided here is similar to that provided to interception requests, which involve a much graver if not the same level of invasion of privacy.

Penalty for Disclosure: Any person who intentionally and in an unauthorized manner discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication shall be punishable with imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [24]. Further any person who intentionally and in an unathorised manner, accesses information in the CIDR [25], downloads, copies or extracts any data from the CIDR [26], or reveals or shares or distributes any identity information, shall be punishable with imprisonment of upto 3 years and a fine of not less than Rs. 10,00,000/-.

Consent

Consent for Authentication: A requesting entity has to take the consent of the individual before collecting his/her identity information for the purposes of authentication and also has to inform the individual of the alternatives to submission of the identity information [27]. Although this provision requires entities to take consent from the individuals before collecting information for authentication, however how useful this requirement of consent would be, still remains to be seen. There may be instances where a requesting entity may take the consent of the individual in a standard form contract, without the individual realizing what he/she is consenting to.

Note: The Aadhaar Act provides no requirement or standard for the form of consent that must be taken during enrollment. This is significant as it is the point at which individuals are providing raw biometric material and during previous enrollment, has been a point of weakness as the consent taken is an enabler to function creep as it allows the UIDAI to share information with engaged in delivery of welfare services [28].

Purpose

Use of Information: The authenticating entities are allowed to use the identity information only for the purpose of submission to the CIDR for authentication [29]. Further, the Act specifies that identity information available with a requesting entity shall not be used for any purpose other than that specified to the individual at the time of submitting the information for authentication [30]. The Act also provides that any authentication entity which uses the information for any purpose not already specified will be liable to punishment of imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [31].

Security

Security and Confidentiality of Information: It is the responsibility of the UIDAI to ensure the security and confidentiality of the identity and authentication information and it is required to take all necessary action to ensure that the information in the CIDR is protected against unauthorized access, use or disclosure and against accidental or intentional destruction, loss or damage [32]. The UIDAI is required to adopt and implement appropriate technical and organisational security measures and also ensure that its contractors do the same [33]. It is also required to ensure that the agreements entered into with its contractors impose the same conditions as are imposed on the UIDAI under the Act and that they shall act only upon the instructions of the UIDAI [34].

Biometric Information to be Electronic Record: The biometric information collected by the UIDAI has been deemed to be an “electronic record” as well as “sensitive personal data or information”, which would mean that in addition to the provisions of the Aadhaar Act, the provisions contained in the Information Technology Act, 2000 will also apply to such information [35]. It must be noted that while the Act lays down the principle that UIDAI is required to ensure the saecurity of the information, it does not lay down any guidelines as to the minimum security standards to be implemented by the Authority. However, through this section the legislature has linked the security standards contained in the IT Act to the information contained in this Act. While this is a clean way of dealing with the issue, some people may argue that the extremely sensitive nature of the information contained in the CIDR requires the standards for security to be much stricter than those provided in the IT Act. However, a perusal of Rule 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 shows that the Rules themselves provide that the standard of security must be commensurate with the information assets being protected. It would thus seem that the Act provides enough room to protect such important information, but perhaps leaves too much room for interpretation for such an important issue.

Penalty for Unauthorised Access: Apart from the security provisions included in the legislation, the Aadhaar Act also provides for punishment of imprisonment of upto 3 years and a fine which shall not be less than Rs. 10,00,000/-, in case of the following offences:

introduction of any virus or other computer contaminant in the CIDR [36];
causing damage to the data in the CIDR [37];
disruption of access to the CIDR [38];
denial of access to any person who is authorised to access the CIDR [39];
destruction, deletion or alteration of any information stored in any removable storage media or in the CIDR or diminishing its value or utility or affecting it injuriously by any means [40];
stealing, concealing, destroying or altering any computer source code used by the Authority with an intention to cause damage [41].

Further, unauthorized usage or tampering with the data in the CIDR or in any removable storage medium with the intent of modifying information relating to Aadhaar number holder or discovering any information thereof, is also punishable with imprisonment for a term which may extend to 3 years and also a fine which may extend to Rs. 10,000/- [42].

Accountability

Inspections and Audits: One of the functions listed in the powers and functions of the UIDAI is the power to call for information and records, conduct inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under the Aadhaar Act [43].

Grievance Redressal: Another function of the UIDAI is to set up facilitation centres and grievance redressal mechanisms for redressal of grievances of individuals, Registrars, enrolling agencies and other service providers [44]. It must be said here that considering the importance that the government has given to and intends to give to Aadhaar in the future, an essential task such as grievance redressal should not be left entirely to the discretion of the UIDAI and some grievance redressal mechanism should be incorporated into the Act itself.

Openness

There does not seem to be any provision in the Aadhaar Act which requires the UIDAI to make its privacy policies and procedure available to the public in general even though the UIDAI has the responsibility to maintain the security and confidentiality of the information.

Endnotes

[1] A resident is defined as any person who has resided in India for a period of atleasy 182 days in the previous 12 months.

[2] It has been specified that demographic information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

[3] Section 3(1) of the Aadhaar Act.

[4] Section 32(1) and 32(3) of the Aadhaar Act.

[5] Section 36 of the Aadhaar Act.

[6] Section 3(2) of the Aadhaar Act.

[7] Section 41 of the Aadhaar Act.

[8] Section 8(3) of the Aadhaar Act.

[9] Section 41 of the Aadhaar Act.

[10] Section 6 of the Aadhaar Act.

[11] Section 28, proviso of the Aadhaar Act.

[12] Core biometric information is defined as fingerprints, iris scan or other biological attributes which may be specified by regulations.

[13] Section 31 of the Aadhaar Act.

[14] Section 32(2) of the Aadhaar Act.

[15] Section 8(4) of the Aadhaar Act.

[16] Section 10 of the Aadhaar Act.

[17] Section 29(1) of the Aadhaar Act.

[18] Section 29(2) of the Aadhaar Act.

[19] Section 29(3)(b) of the Aadhaar Act.

[20] Section 29(4) of the Aadhaar Act.

[21] Section 28(5) of the Aadhaar Act.

[22] Section 33(1) of the Aadhaar Act.

[23] Section 33(2) of the Aadhaar Act.

[24] Section 37 of the Aadhaar Act.

[25] Section 38(a) of the Aadhaar Act.

[26] Section 38(b) of the Aadhaar Act.

[27] Section 8(2)(a) and (c) of the Aadhaar Act.

[28] For example, see: http://www.karnataka.gov.in/aadhaar/Downloads /Application%20form%20-%20English.pdf.

[29] Section 8(2)(b) of the Aadhaar Act.

[30] Section 29(3)(a) of the Aadhaar Act.

[31] Section 37 of the Aadhaar Act.

[32] Section 28(1), (2) and (3) of the Aadhaar Act.

[33] Section 28(4)(a) and (b) of the Aadhaar Act.

[34] Section 28(4)(c) of the Aadhaar Act.

[35] Section 30 of the Aadhaar Act.

[36] Section 38(c) of the Aadhaar Act.

[37] Section 38(d) of the Aadhaar Act.

[38] Section 38(e) of the Aadhaar Act.

[39] Section 38(f) of the Aadhaar Act.

[40] Section 38(h) of the Aadhaar Act.

[41] Section 38(i) of the Aadhaar Act.

[42] Section 39 of the Aadhaar Act.

[43] Section 23(2)(l) of the Aadhaar Act.

[44] Section 23(2)(s) of the Aadhaar Act.

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-aadhaar-act-in-context-of-shah-committee-principles

List of Recommendations on the Aadhaar Bill, 2016 - Letter Submitted to the Members of Parliament

Amber Sinha, Sumandro Chattapadhyay, Sunil Abraham, and Vanya Rakesh — 2016-03-21T08:50:09Z

On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. Based on these concerns, and numerous others, we submitted an initial list of recommendations to the Members of Parliaments to highlight the aspects of the Bill that require immediate attention.

Download the submission letter: PDF.

Text of the Submission

On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for all Indian to enroll for Aadhaar in order to receive any subsidy, benefit, or service from the Government whose expenditure is incurred from the Consolidate Fund of India. Apart from the issue of centralisation of the national biometric database leading to a deep national vulnerability, the Bill also keeps unaddressed two serious concerns regarding the technological framework concerned:

Identification without Consent: Before the Aadhaar project it was not possible for the Indian government or any private entity to identify citizens (and all residents) without their consent. But biometrics allow for non-consensual and covert identification and authentication. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used to correct the problems in the technological design of the project.
Fallible Technology: The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. The technology has been tested and found feasible only for a population of 200 million. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population. For the current Indian population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. [1]

Based on these concerns, and numerous others, we sincerely request you to ensure that the Bill is rigorously discussed in Rajya Sabha, in public, and, if needed, also by a Parliamentary Standing Committee, before considering its approval and implementation. Towards this, we humbly submit an initial list of recommendations to highlight the aspects of the Bill that require immediate attention:

Implement the Recommendations of the Shah and Sinha Committees: The report by the Group of Experts on Privacy chaired by the Former Chief Justice A P Shah [2] and the report by the Parliamentary Standing Committee on Finance (2011-2012) chaired by Shri Yashwant Sinha [3] have suggested a rigorous and extensive range of recommendations on the Aadhaar / UIDAI / NIAI project and the National Identification Authority of India Bill, 2010 from which the majority sections of the Aadhaar Bill, 2016, are drawn. We request that these recommendations are seriously considered and incorporated into the Aadhaar Bill, 2016.
Authentication using the Aadhaar number for receiving government subsidies, benefits, and services cannot be made mandatory: Section 7 of the Aadhaar Bill, 2016, states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment. This sharply contradicts the claims made by UIDAI earlier that the Aadhaar number is “optional, and not mandatory”, and more importantly the directive given by the Supreme Court (via order dated August 11, 2015). The Bill must explicitly state that the Aadhaar number is only optional, and not mandatory, and a person without an Aadhaar number cannot be denied any democratic rights, and public subsidies, benefits, and services, and any private services.
Vulnerabilities in the Enrolment Process: The Bill does not address already documented issues in the enrolment process. In the absence of an exhaustive list of information to be collected, some Registrars are permitted to collect extra and unnecessary information. Also, storage of data for elongated periods with Enrollment agencies creates security risks. These vulnerabilities need to be prevented through specific provisions. It should also be mandated for all entities including the Enrolment Agencies, Registrars, CIDR and the requesting entities to shift to secure system like PKI based cryptography to ensure secure method of data transfer.
Precisely Define and Provide Legal Framework for Collection and Sharing of Biometric Data of Citizens: The Bill defines “biometric information” is defined to include within its scope “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition gives broad and sweeping discretionary power to the UIDAI / Central Government to increase the scope of the term. The definition should be exhaustive in its scope so that a legislative act is required to modify it in any way.
Prohibit Central Storage of Biometrics Data: The presence of central storage of sensitive personal information of all residents in one place creates a grave security risk. Even with the most enhanced security measures in place, the quantum of damage in case of a breach is extremely high. Therefore, storage of biometrics must be allowed only on the smart cards that are issued to the residents.
Chain of Trust Model and Audit Trail: As one of the objects of the legislation is to provide targeted services to beneficiaries and reduce corruption, there should be more accountability measures in place. A chain of trust model must be incorporated in the process of enrolment where individuals and organisations vouch for individuals so that when a ghost is introduced someone has can be held accountable blame is not placed simply on the technology. This is especially important in light of the questions already raised about the deduplication technology. Further, there should be a transparent audit trail made available that allows public access to use of Aadhaar for combating corruption in the supply chain.
Rights of Residents: There should be specific provisions dealing with cases where an individual is not issued an Aadhaar number or denied access to benefits due to any other factor. Additionally, the Bill should make provisions for residents to access and correct information collected from them, to be notified of data breaches and legal access to information by the Government or its agencies, as matter of right. Further, along with the obligations in Section 8, it should also be mandatory for all requesting entities to notify the individuals of any changes in privacy policy, and providing a mechanism to opt-out.
Establish Appropriate Oversight Mechanisms: Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down that shall act as the guiding principles for such oversight mechanisms. The provision should include data minimisation, and “necessity and proportionality” principles as guiding principles for any exceptions to Section 29.
Establish Grievance Redressal and Review Mechanisms: Currently, there are no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project, also responsible for providing for the frameworks to address the grievances arising from the project, severely compromises the independence of the grievance redressal body. An independent national grievance redressal body with state and district level bodies under it, should be set up. Further, the NIAI Bill, 2010, provided for establishing an Identity Review Committee to monitor the usage pattern of Aadhaar numbers. This has been removed in the Aadhaar Bill 2016, and must be restored.

Endnotes

[1] See: http://cis-india.org/internet-governance/blog/Flaws_in_the_UIDAI_Process_0.pdf.

[2] See: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf.

[3] See: http://164.100.47.134/lsscommittee/Finance/15_Finance_42.pdf.

For more details visit https://cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016

Press Release, March 15, 2016: The New Bill Makes Aadhaar Compulsory!

Amber Sinha — 2016-03-16T10:11:32Z

We published and circulated the following press release on March 15, 2016, to highlight the fact that the Section 7 of the Aadhaar Bill, 2016 states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment.

Nandan Nilekani, the former chairperson of the Unique Identification Authority of India had repeatedly stated that Aadhaar is not mandatory. However, in the last few years various agencies and departments of the government, both at the central and state level, had made it mandatory in order to be able to avail beneficiary schemes or for the arrangement of salary, provident fund disbursals, promotion, scholarship, opening bank account, marriages and property registrations. In August 2015, the Supreme Court passed an order mandating that the Aadhaar number shall remain optional for welfare schemes, stating that no person should be denied any benefit for reason of not having an Aadhaar number, barring a few specified services.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, however, has not followed this mandate. Section 7 of the Bill states that “a person should be authenticated or give proof of the Aadhaar number to establish his/her identity” “as a condition for receiving subsidy, benefit or service”. Further, it reads, “In the case a person does not have an Aadhaar number, he/she should make an application for enrollment.” The language of the provision is very clear in making enrollment in Aadhaar mandatory, in order to be entitled for welfare services. Section 7 also says that “the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service. However, these unspecified alternate means will be made available in the event “an Aadhaar number is not assigned”. This language is vague and it is not clear whether it mandates alternate means of identification for those who choose not to apply for an Aadhaar number for any reason. The fact that it does make it mandatory to apply for an Aadhaar number for persons without it, may lead to the presumption that the alternate means are to be made available for those who may have applied for an Aadhaar number but it has not been assigned for any reason. It is also noteworthy that draft legislation is silent on what the “viable and alternate means of identification” could be. There are a number of means of identification, which are recognised by the state, and a schedule with an inclusive list could have gone a long way in reducing the ambiguity in this provision.

Another aspect of Section 7 which is at odds with the Supreme Court order is that it allows making an Aadhaar number mandatory for “for receipt of a subsidy, benefit or service for which the expenditure is incurred” from the Consolidated Fund of India. The Supreme Court had been very specific in articulating that having an Aadhaar number could not be made compulsory except for “any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene” or for the purpose of the LPG scheme. The restriction in the Supreme Court order was with respect to the welfare schemes, however, instead of specifying the schemes, Section 7 specified the source of expenditure from which subsidies, benefits and services can be funded, making the scope much broader. Section 7, in effect, allows the Central Government to circumvent the Supreme Court order if they choose to tie more subsidies, benefits and services to the Consolidated Fund of India.

These provisions run counter to the repeated claims of the government for the last six years that Aadhaar is not compulsory, nor is the specification by the Supreme Court for restricting use of Aadhaar to a few services only, reflected anywhere in the Bill. The “viable and alternate means” clause is too vague and inadequate to prevent denial of benefits to those without an Aadhaar number. The sum effect of these factors is to give the Central Government powers to make Aadhaar mandatory, for all practical purposes.

For more details visit https://cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory

Press Release, March 11, 2016: The Law cannot Fix what Technology has Broken!

Japreet Grewal and Sunil Abraham — 2016-03-16T10:10:40Z

We published and circulated the following press release on March 11, 2016, as the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

The Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 today. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for an individual to enrol under Aadhaar in order to receive any subsidy, benefit or service from the Government. Biometric information that is required for the purpose of enrolment has been deemed "sensitive personal information" and restrictions have been imposed on use, disclosure and sharing of such information for purposes other than authentication, disclosure made pursuant to a court order or in the interest of national security. Here, the Bill has acknowledged the standards of protection of sensitive personal information established under Section 43A of the Information Technology Act, 2000. The Bill has also laid down several penal provisions for acts that include impersonation at the time of enrolment, unauthorised access to the Central Identities Data Repository, unauthorised use by requesting entity, noncompliance with intimation requirements, etc.

Key Issues

1. Identification without Consent

Before the Aadhaar project it was not possible for the Indian government to identify citizens without their consent. But once the government has created a national centralized biometric database it will be possible for the government to identify any citizen without their consent. Hi-resolution photography and videography make it trivial for governments and also any other actor to harvest biometrics remotely. In other words, the technology makes consent irrelevant. A German ministers fingerprints were captured by hackers as she spoke using hand gesture at at conference. In a similar manner the government can now identify us both as individuals and also as groups without requiring our cooperation. This has direct implications for the right to privacy as we will be under constant government surveillance in the future as CCTV camera resolutions improve and there will be chilling effects on the right to free speech and the freedom of association. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used as band-aid on really badly designed technology.

2. Fallible Technology

The technology used for collection and authentication as been said to be fallible. It is understood that the technology has been feasible for a population of 200 million. The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population.

We know that the Aadhaar number has been issued to dogs, trees (with the Aadhaar letter containing the photo of a tree). There have been slip-ups in the Aadhaar card enrolment process, some cards have ended up with pictures of an empty chair, a tree or a dog instead of the actual applicants. An RTI application has revealed that the Unique Identification Authority of India (UIDAI) has identified more than 25,000 duplicate Aadhaar numbers in the country till August 2015.

At the stage of authentication, the accuracy of biometric identification depends on the chance of a false positiveâ€” the probability that the identifiers of two persons will match. For the current population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. In a recent paper in EPW by Hans Mathews, a mathematician with CIS, shows that as per UIDAI's own statistics on failure rates, the programme would badly fail to uniquely identify individuals in India. [1]

Endnote

[1] See: http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process

For more details visit https://cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken

An Urgent Need for the Right to Privacy

sumandro — 2016-03-17T07:40:12Z

Along with a group of individuals and organisations from academia and civil society, we have drafted and are signatories to an open letter addressed to the Union government and urging the same to "urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations." Here we publish the text of the open letter. Please follow the link below to support it by joining the signatories.

Read and sign the open letter.

Text of the Open Letter

As our everyday lives are conducted increasingly through electronic communications the necessity for privacy protections has also increased. While several countries across the globe have recognised this by furthering the right to privacy of their citizens the Union Government has adopted a regressive attitude towards this core civil liberty. We urge the Union Government to take urgent measures to safeguard the right to privacy in India.

Our concerns are based on a continuing pattern of disregard for the right to privacy by several governments in the past. This trend has increased as can be plainly viewed from the following developments.

In 2015, the Attorney General in the case of *K.S. Puttaswamy v. Union of India*, argued before the Hon’ble Supreme Court that there is no right to privacy under the Constitution of India. The Hon'ble Court was persuaded to re-examine the basis of the right to privacy upsetting 45 years of judicial precedent. This has thrown the constitutional right to privacy in doubt and the several judgements that have been given under it. This includes the 1997 PUCL Telephone Tapping judgement as well. We urge the Union Government to take whatever steps are necessary and urge the Supreme Court to hold that a right to privacy exists under the Constitution of India.

Recently Mr. Arun Jaitley, Minister for Finance introduced the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This bill was passed on March 11, 2016 in the middle of budget discussion on a short notice as a money bill in the Lok Sabha when only 73 of 545 members were present. Its timing and introduction as a money bill prevents necessary scrutiny given the large privacy risks that arise under it. This version of the bill was never put up for public consultation and is being rushed through without adequate discussion. Even substantively it fails to give accountable privacy safeguards while making Aadhaar mandatory for availing any government subsidy, benefit, or service.

We urge the Union Government to urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations. We encourage the Government to have extensive public discussions on the Aadhaar Bill before notifying it. We further call upon them to constitute a drafting committee with members of civil society to draft a comprehensive statute as suggested by the Justice A.P. Shah Committee Report of 2012.

Signatories:

Amber Sinha, the Centre for Internet and Society
Japreet Grewal, the Centre for Internet and Society
Joshita Pai, Centre for Communication Governance, National Law University
Raman Jit Singh Chima, Access Now
Sarvjeet Singh, Centre for Communication Governance, National Law University
Sumandro Chattapadhyay, the Centre for Internet and Society
Sunil Abraham, the Centre for Internet and Society
Vanya Rakesh, the Centre for Internet and Society

For more details visit https://cis-india.org/internet-governance/blog/an-urgent-need-for-the-right-to-privacy

The New Aadhaar Bill in Plain English

Amber Sinha, Vanya Rakesh and Vipul Kharbanda — 2016-03-11T04:41:38Z

We have put together a plain English version of the The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016

Chapter I. PRELIMINARY

Section 1

This Act is called Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.
It will be applicable in whole of India (except the state of Jammu and Kashmir).
It will become applicable on a date to be notified by the Central Government.

Section 2

“Aadhaar number” is the identification number issued to an individual under the Act;
“Aadhaar number holder” is the person who has been given an Aadhaar number;
“authentication” is the process of verifying the Aadhaar number, demographic information and biometric information of any person by the Central Identities Data Repository (CIDR);
“authentication record” is the record of the authentication which will contain the identity of the requesting entity and the response of the CIDR;
“Authority” or “UIDAI” refers to the Unique Identification Authority of India established under this Act;
“benefit” means any relief or payment which may be notified by the Central Government;
“biometric information” means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations;
“Central Identities Data Repository” or “CIDR” means a centralised database containing all Aadhaar numbers, demographic information and biometric information and other related information;
“Chairperson” means the Chairperson of the UIDAI;
“core biometric information” means fingerprint, Iris scan, or any biological attributes specified by regulations;
“demographic information” includes information relating to the name, date of birth, address and other relevant information as specified by regulations. This information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history;
“enrolling agency” means an agency appointed by the UIDAI or a Registrar for collecting demographic and biometric information of individuals for issuing Aadhaar numbers;
“enrolment” means the process of collecting demographic and biometric information from individuals for the purpose of issuing Aadhaar numbers;
“identity information” in respect of an individual, includes his Aadhaar number, his biometric information and his demographic information;
“Member” includes the Chairperson and Member of the Authority appointed under section 12;
“notification” means a notification published in the Official Gazette and the expression “notified” with its cognate meanings and grammatical variations will be construed accordingly;
“prescribed” means prescribed by rules made by the Central Government under this Act;
“records of entitlement” means the records of benefits, subsidies or services provided to any individual under any government programme;
“Registrar” means any person authorized by the UIDAI to enroll individuals under the Act;
“regulations” means the regulations made by the UIDAI under this Act;
“requesting entity” means an agency that submits the Aadhaar number and other information of an individual to the CIDR for authentication;
“resident” means a person who has resided in India for atleast 182 days in the last twelve months before the date of application for enrolment;
“service” means any facility or assistance provided by the Central Government in any form;
“subsidy” means any form of aid, support, grant, etc. in cash or kind as notified by the Central Government.

Chapter II. ENROLMENT

Section 3

Every resident is entitled to get an Aadhaar number.
At the time of enrollment, the enrolling agency will inform the individual of the following details—

how their information will be used;
what type of entities the information will be shared with; and
that they have a right to see their information and also tell them how they can see their information.

After collecting and verifying the information given by the individuals, the UIDAI will issue an Aadhaar number to each individual.

Section 4

Once an Aadhaar number has been issued to a person, it will not be re-assigned to any other person.
An Aadhaar number will be a random number and will not contain any attributes or identity of the Aadhaar number holder.
if adopted by a service provider, an Aadhaar number may be accepted as proof of identity of the person.

Section 5

The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals.

Section 6

The UIDAI may require Aadhaar number holders to update their Aadhaar information, so that it remains accurate.

Chapter III. AUTHENTICATION

Section 7

As a condition for receiving subsidy for which the expenditure is incurred from the Consolidated Fund of India, the Government may require that a person should be authenticated or give proof of the Aadhaar number to establish his/her identity. In the case a person does not have an Aadhaar number, he/she should make an application for enrolment. If an Aadhaar number is not assigned, the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service.

Section 8

The UIDAI will authenticate the Aadhaar information of people as per the conditions prescribed by the government and may also charge a fees for doing so.
Any requesting entity will— (a) take consent from the individual before collecting his/her Adhaar information; (b) use the information only for authentication with the CIDR;
The entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity.
The UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder but not share any biometric information.

Section 9

The Aadhaar number or its authentication will not be a proof of citizenship or domicile.

Section 10

The UIDAI may engage any number of entities to establish and maintain the CIDR and to perform any other functions specified by the regulations.

Chapter IV. UNIQUE IDENTIFICATION AUTHORITY OF INDIA

Section 11

The UIDAI will be established by the Central Government to be responsible for the processes of enrolment and authentication of Aadhaar numbers.
The UIDAI will be a body corporate with the power to buy and sell property, to enter into contracts and to sue or be sued.
The head office of the UIDAI will be in New Delhi.
The UIDAI may establish its offices at other places in India.

Section 12

The UIDAI will have a Chairperson, two part-time Members and a chief executive officer, who to be appointed by the Central Government.

Section 13

The Chairperson and Members will be competent people with at least 10 years experience and knowledge in technology, governance, law, development, economics, finance, management, public affairs or administration.

Section 14

The Chairperson and the Members will be appointed for 3 years and can be re-appointed after their term. But no Member or Chairperson will be more than 65 years of age.
The Chairperson and Members will take an oath of office and of secrecy.
The Chairperson or Member may— (a) resign from office, by giving an advance written notice of at least 30 days; or (b) be removed from his office because she/he gets disqualified on any of the grounds mentioned in section 15.
The salaries and allowances of the Members and Chairperson will be prescribed under the government.

Section 15

The Central Government may remove a Chairperson or Member, who—
(a) has gone bankrupt;
(b) is physically or mentally unable to do his/her job;
(c) has been convicted of an offence involving moral turpitude;
(d) has a financial conflict of interest in performing his/her functions; or
(e) has abused his/her position so that the government needs to remove him/her in public interest.
The Chairperson or a Member will be given a chance to present his/her side of the story before being removed, unless he/she is being removed on the grounds of bankruptcy or criminal conviction.

Section 16

An Ex-Chairperson or Ex-Member will have to take the approval of the Central Government,—

to accept any job in any entity (other than a government organization) which was associated with any work done for the UIDAI while that person was a Chairperson or Member, for a period of three years after ceasing to hold office;
to act or advise any entity on any particular transaction for which that person had provided advice to the UIDAI while he/she was the Chairperson or a Member;
to give advice to any person using information which was obtained as the Chairperson or a Member which is not available to the public in general; or
to accept any offer of employment or appointment as a director of any company with which he/she had direct and significant official dealings during his/her term of office, for a period of three years.

Section 17

The Chairperson will preside over the meetings of the UIDAI and have the powers and perform the functions of the UIDAI.

Section 18

The chief executive officer (CEO) of the UIDAI will not be below the rank of Additional Secretary to the Government of India.
The chief executive officer will be responsible for— (a) the day-to-day administration of the UIDAI; (b) implementing the programmes and decisions of the UIDAI; (c) making proposals for the UIDAI; (d) preparation of the accounts and budget of the UIDAI; and (e) performing any other functions prescribed in the regulations.
The CEO will annually submit the following things to the UIDAI for its approval — (a) a general report covering all the activities of the Authority in the previous year; (b) programmes of work; (c) the annual accounts for the previous year; and (d) the budget for the coming year.
The CEO will have administrative control over the officers and other employees of the Authority.

Section 19

The time and place of the meetings of the UIDAI and the rules and procedures of those meetings will be prescribed by regulations.
The meetings will be presided by the Chairperson, and if they are absent, then the senior most Member of the UIDAI.
All decisions at the meetings of the UIDAI will be taken by a majority vote. In case of a tie, the person presiding the meeting will have the casting vote.
All decisions of the UIDAI will be signed by the Chairperson or any other Member or the Member-Secretary authorised by the UIDAI in this behalf.
If any Member, who is a director of a company and because of this has any financial interest in matters coming up for consideration at a meeting, that member should disclose the financial interest and not take any further part in the discussions and decision on that matter.

Section 20

No actions or proceeding of the UIDAI will become invalid merely because of—

any vacancy in, or any defect in the constitution of, the UIDAI;
any defect in the appointment of a person as Chairperson or Member of the Authority; or
any irregularity in the procedure of the Authority not affecting the merits of the case.

Section 21

The UIDAI, with the approval of the Government, can decide on the number and types of officers and employees that it would require.
The salaries and allowances of the employees, officer and chief executive officer will be prescribed under the government.

Section 22.

Once the UIDAI is establishment—

all the assets and liabilities of the existing Unique Identification Authority of India, established by the Government of India through notification dated the 28th January, 2009, will stand transferred to the new UIDAI.
all data and information collected during enrolment, all details of authentication performed, by the existing Unique Identification Authority of India will be deemed to have been done by the UIDAI. All debts, liabilities incurred and all contracts entered into by the Unique Identification Authority of India will be deemed to have been entered into by the UIDAI;
all money due to the existing Unique Identification Authority of India will be deemed to be due to the UIDAI; and
all suits and other legal proceedings instituted by or against such Unique Identification Authority of India may be continued by or against the UIDAI.

Section 23

The UIDAI will develop the policy, procedure and systems for issuing Aadhaar numbers to individuals and perform their authentication. The powers and functions of the UIDAI include—

specifying the demographic information and biometric information required for enrolment and the processes for collection and verification of that information;
collecting demographic information and biometric information from people seeking Aadhaar numbers;
appointing of one or more entities to operate the CIDR;
generating and assigning Aadhaar numbers to individuals;
performing authentication of Aadhaar numbers;
maintaining and updating the information of individuals in the CIDR;
omitting and deactivating an Aadhaar number;
specifying the manner of use of Aadhaar numbers for the purposes of providing or availing of various subsidies and other purposes for which Aadhaar numbers may be used;
specifying the terms and conditions for appointment of Registrars, enrolling agencies and service providers and revocation of their appointments;
establishing, operating and maintaining of the CIDR;
sharing the information of Aadhaar number holders;
calling for information and records, conducting inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under this Act;
specifying processes relating to data management, security protocols and other technology safeguards under this Act;
specifying the conditions/procedures for issuance of new Aadhaar number to existing Aadhaar number holder;
levying and collecting the fees or authorising the Registrars, enrolling agencies or other service providers to collect fees for the services provided by them under this Act;
appointing committees necessary to assist the Authority in discharge of its functions;
promoting research and development for advancement in biometrics and related areas;
making and specifying policies and practices for Registrars, enrolling agencies and other service providers;
setting up facilitation centres and grievance redressal mechanisms;
other powers and functions as prescribed.

The Authority may,— (a) enter into agreements with various state governments and Union Territories for collecting, storing, securing or processing of information or delivery of Aadhaar numbers to individuals or performing authentication; (b) appoint Registrars, engage and authorize agencies to collect, store, secure, process information or do authentication or perform other functions under this Act. The Authority may engage consultants, advisors and other persons required for efficient discharge of its functions.

Chapter V. GRANTS, ACCOUNTS AND AUDIT AND ANNUAL REPORT

Section 24

The Central Government may grant money to the UIDAI as it may decide, upon due appropriation by Parliament.

Section 25

Fees/revenue collected by the UIDAI will be credited to the Consolidated Fund of India

Section 26

The UIDAI will prepare an annual statement of accounts in the format prescribed by Central Government
The Comptroller and Auditor-General will audit the account of the UIDAI annually at intervals decided by him, at the UIDAI’s expense.
The Comptroller and Auditor-General or his appointees will have the same powers of audit they usually have to audit Government accounts.
The UIDAI will forward the statement of accounts certified by the Comptroller and Auditor-General and the audit report, to the Central Government who will lay it before both houses of Parliament.

Section 27

The UIDAI will provide returns, statements and particulars as sought, to the Central Government, as and when required.
The UIDAI will prepare an annual report containing the description of work for previous years, annual accounts of previous year, and the programmes of work for coming year.
The copy of the annual report will be laid before both houses of Parliament by the Central Government.

Chapter VI. PROTECTION OF INFORMATION

Section 28

The UIDAI will ensure the security and confidentiality of identity information and authentication records.
The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage.
The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons.
Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone.
An Aadhaar number holders may request UIDAI to provide access his information (excluding the core biometric information) as per the regulations specified.

Section 29

The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other generation of Aadhaar numbers and authentication.
Identity information, other than core biometric information, may be shared only as per this Act and regulations specified under it.
Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent.
Aadhaar numbers or core biometric information will not be made public except as specified by regulations.

Section 30

All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act.

Section 31

If the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR, as necessary.
The identity information in the CIDR will not be altered, except as provided in this Act.

Section 32

The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations.
Every Aadhaar number holder may obtain his authentication record as specified by regulations.
The UIDAI will not collect, keep or maintain any information about the purpose of authentication.

Section 33

The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing.
The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose.
An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above.
Any directions under 33 B above are valid for 3 months, after which they may be extended following a review by the Oversight Committee.

Chapter VII. OFFENCES AND PENALTIES

Section 34

Impersonating or attempting to impersonate another person by providing false demographic or biometric information will punishable by imprisonment of up to three years, and/or fine of up to ten thousand rupees.

Section 35

Changing or attempting to change any demographic or biometric information of an Aadhaar number holder by impersonating another person (or attempting to do so), with the intent of i) causing harm or mischief to an Aadhaar number holder, or ii) appropriating the identity of an Aadhaar number holder, is punishable with imprisonment up to three years and fine up to ten thousand rupees.

Section 36

Collection of identity information by one not authorised by this Act, by way of pretending otherwise, is punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 37

Intentional disclosure or dissemination of identity information, to any person not authorised under this Act, or in violation of any agreement entered into under this Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 38

The following intentional acts, when not authorised by the UIDAI, will be punishable with imprisonment up to three years and a fine not less than ten lakh rupees:

accessing or securing access to the CIDR;
downloading, copying or extracting any data from the CIDR;
introducing or causing any virus or other contaminant into the CIDR;
damaging or causing damage to the data in the CIDR;
disrupting or causing disruption to access to CIDR;
causing denial of access to an authorised to the CIDR;
revealing information in breach of (D) in Section 28, or Section 29;
destruction, deletion or alteration of any files in the CIDR;
stealing, destruction, concealment or alteration of any source code used by the UIDAI.

Section 39

Tampering of data in the CIDR or removable storage medium, with the intention to modify or discover information relating to Aadhaar number holder will be punishable with imprisonment up to three years and a fine up to ten thousand rupees.

Section 40

Use of identity information in violation of Section 8 (3) by a requesting entity will be punishable with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 41

Violation of Section 8 (3) or Section 3 (2) by a requesting entity or enrolling agency will be punishable with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 42

Any offence against this Act or regulations made under it, for which no specific penalty is provided, will be punishable with be punishable with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 43

In case of an offence under Act committed by a Company, all person in charge of and responsible for the conduct of the company will also be held to be guilty and liable for punishment unless they can prove lack of knowledge of the offense or that they had exercised all due diligence to prevent it.
In case an offence is committed by a Company with the consent, connivance or neglect of a director, manager, secretary or other officer of a company, they will also be held guilty of the offence.

Section 44

This Act will also apply to offences committed outside of India by any person, irrespective of their nationality, if the offence involves any data in the CIDR.

Section 45

Offences under this Act will not be investigated by police officers below the rank of Inspector of Police.

Section 46

Penalties imposed under this Act will not prevent imposition of any other penalties or punishment under any other law in force.

Section 47

Courts will take cognizance of offences under this Act only upon complaint being made by the UIDAI or any officer authorised by it.
No court inferior to that of a Chief Metropolitan Magistrate or a Chief Judicial Magistrate will try any offence under this Act.

Chapter VIII. MISCELLANEOUS

Section 48

Central Government has the power to supersede the UIDAI, through a notification, not for longer than six months, in the following circumstances: i) In case of circumstances beyond the control of the UIDAI, ii) The UIDAI has defaulted in complying with directions of the Central Government, affecting financial position of the UIDAI, iii) Public emergency
Upon publication of notification, Chairperson and Members of the UIDAI must vacate the office
Powers, functions and duties will be performed by person(s) authorised by the President.
Properties controlled and owned by UIDAI will vest in the Central Government.
Central Government will reconstitute the UIDAI upon expiration of supersession, with fresh appointment of Chairperson and Members.

Section 49

Chairperson, members, employees etc. are deemed to be public servants within the meaning of section 21 of the Indian Penal Code.

Section 50

Central Government has the power to issue directions to the UIDAI on questions of policy (to be decided by the Government), except technical and administrative matters and the UIDAI will be bound by it.
The UIDAI will be given an opportunity to express views before direction is given.

Section 51

The UIDAI may delegate its powers and functions to a Member or officer of the UIDAI.

Section 52

No suit, prosecution or other legal proceedings will lie against the Central Government, UIDAI, Chairperson, any Member, officer, or other employees of the UIDAI for an act done in good faith.

Section 53

The Central Government has the power to makes Rules for matters prescribed under this provision.

Section 54

UIDAI has the power to make regulations for matters prescribed under this provision.

Section 55

Rules and regulations under this Act will be laid before each House of Parliament for a total period of thirty days, both Houses must agree in making modification, and then the Rules will come into effect.

Section 56

Provisions of this Act are in addition to, and not in derogation of any other law currently in effect.

Section 57

This Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.

Section 58

The Central Government may pass an order to remove a difficulty in giving effect to the provisions of this Act, not beyond three years from the commencement of this Act.

Section 59

Action take by Central Government under the Resolution of the Government of India for setting up the UIDAI or by the Department of Electronics and Information Technology under the notification including the UIDAI under the Ministry of Communications and Information Technology will be deemed to have been validly done or taken.

STATEMENT OF OBJECTS AND REASONS

Correct identification of targeted beneficiaries for delivery of subsidies, services, frants, benefits, etc has become a challenge for the Government
This has proved to be a major hindrance for successful implementation of these programmes.
In the absence of a credible system to authenticate identity of beneficiaries, it is difficult to ensure that the subsidies, benefits and services reach to intended beneficiaries.
The UIDAI was established to lay down policies and implement the Unique Identification Scheme of the Government, by which residents of India were to be provided unique identity number.
Upon successful authentication, this number would serve as proof of identity for identification of beneficiaries for transfer of benefits, subsidies, services and other purposes.
With increased use of the Aadhaar number, steps to ensure security of such information need to be taken and offences pertaining to certain unlawful actions, created.
It has been felt that the processes of enrolment, authentication, security, confidentiality and use of Aadhaar related information must be made statutory.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 seeks to provide for issuance of Aadhaar numbers to individuals on providing his demographic and biometric information to the UIDAI, requiring Aadhaar numbers for identifying an individual for delivery of benefits, subsidies, and services, authentication of the Aadhaar number, establishment of the UIDAI, maintenance and updating the information of individuals in the CIDR, state measures pertaining to security, privacy and confidentiality of information in possession or control of the UIDAI including information stored in the Central Identities Data Repository and identify offences and penalties for contravention of relevant statutory provisions.

For more details visit https://cis-india.org/internet-governance/blog/the-new-aadhaar-bill-in-plain-english

The Uncertain Future of India's Plan to Biometrically Identify Everyone

praskrishna — 2014-09-08T05:31:28Z

Last Sunday an 11-year-old boy in Andhra Pradesh, a state in southeast India, hung himself from a ceiling fan as his family slept.

Jessica Mckenzie's blog post was published in Techpresident on August 28, 2014. Sunil Abraham gave his inputs.

He was allegedly driven to this act after being denied an Aadhaar card—formally known as Unique Identification (UID)—which he was told he needed to attend school. The card is one arm of India's sprawling scheme to collect the biometric data, including fingerprints and iris scans, of its 1.2 billion citizens and residents, and is quickly becoming practically, if not legally, mandatory, for nearly every aspect of life, from getting married to buying cooking gas to opening a bank account. More than 630 million residents have already enrolled and received their unique 12-digit identification number.

Since its launch in 2010, people have raised a number of questions and concerns about Aadhaar, citing its effects on privacy rights, potential security flaws, and failures in functionality. India's poor, who were supposed to be the biggest beneficiaries of the program, are actually most at risk of being excluded from UID, and there is no evidence that biometric identification has curtailed corruption. The newly-elected Prime Minister Narendra Modi lambasted the UID program as a candidate but in July did an about-face, calling for the enrollment process to be expedited and supporting a UID-linked social assistance program. In all likelihood, the world's largest experiment in biometric identification will continue.

There are still a number of unanswered questions about the future of the program. Although created in large part as a way of more efficiently and less corruptly dispersing government subsidies, last year the Supreme Court ruled that the Aadhaar card could not be made mandatory to receive government assistance. The Unique Identification Authority of India (UIDAI) operates in a kind of legal limbo. Modi is said to have instructed his Finance Minister Arun Jaitley to resolve these legal problems.

Sorting out the legal issues is imperative if UID numbers are going to be linked to Modi's proposed financial inclusion program that aims to bring 75 million additional households into the country's banking system by 2018.

There is also the possibility that UID will be merged, absorbed or superseded by the National Population Register (NPR), yet another biometric identification system. The NPR, unlike Aadhaar, is mandatory for all residents. In addition to fingerprints and iris scans, NPR collects information on familial relationships, nationality, occupation and education level. There is a great deal of overlap between the two programs, which has been a source of conflict between government agencies in the past. The home ministry, for example, argues that government subsidies should be disbursed through NPR, not UID.

There is also speculation that UID could be picked up as part of Digital India, Modi's ambitious plan to modernize India by building national broadband infrastructure, ensuring universal mobile service access, creating e-government services, and establishing a “cradle-to-grave digital identity for every citizen of the country—unique, lifelong, online and authenticable [sic].”

In spite of UID's tenuous position and uncertain future, it has become “essential” in nearly every facet of life. The Delhi government is rolling out a suite of e-government services, starting with marriage registration, that will require a UID. Fishermen in Gujarat have been told they cannot go out to sea without biometric identification.

Then there is Kora Balakrishna, the 11-year-old who committed suicide after being denied an Aadhaar card because he has webbed fingers. His school headmaster had instructed him to get one as a prerequisite for study and, per one news outlet, a mid-day meal. An investigation into the incident has been ordered. Pravin Kumar, a local administrative official, said webbed fingers are not a legitimate reason for rejection from the program.

For more details visit https://cis-india.org/internet-governance/news/tech-president-jessica-mckenzie-august-28-2014-the-uncertain-future-of-indias-plan-to-biometrically-identify-everyone